Report: NSA cracked most online encryption

Sep 05, 2013 by Jack Gillum
The National Security Agency (NSA) headquarters at Fort Meade, Maryland, as seen from the air, January 29, 2010. US and British intelligence agencies have cracked the encryption that secures a wide range of online communications including emails, banking transactions and phone conversations, according to newly leaked documents.

The National Security Agency, working with the British government, has secretly been unraveling encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data safe from prying eyes, according to published reports based on internal U.S. government documents.

The NSA has bypassed or cracked much of the digital encryption used by businesses and everyday Web users, according to reports Thursday in The New York Times, Britain's Guardian newspaper and the nonprofit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone's secrets available for government consumption.

In doing so, the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert "back doors" into their software, the reports said. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," according to a 2010 briefing document about the NSA's accomplishments meant for its UK counterpart, Government Communications Headquarters, or GCHQ. Security experts told the news organizations such a code-breaking practice would ultimately undermine Internet security and leave everyday Web users vulnerable to hackers.

The revelations stem from documents leaked by former NSA contractor Edward Snowden, who sought asylum in Russia this summer. His leaks, first published by the Guardian, revealed a massive effort by the U.S. government to collect and analyze all sorts of digital data that Americans send at home and around the world.

Those revelations prompted a renewed debate in the United States about the proper balance between civil liberties and keeping the country safe from terrorists. President Barack Obama said he welcomed the debate and called it "healthy for our democracy" but criticized the leaks; the Justice Department charged Snowden under the federal Espionage Act.

Thursday's reports described how some of the NSA's "most intensive efforts" focused on Secure Sockets Layer, a type of encryption widely used on the Web by online retailers and corporate networks to secure their Internet traffic. One document said GCHQ had been trying for years to exploit traffic from popular companies like Google, Yahoo, Microsoft and Facebook.

GCHQ, they said, developed "new access opportunities" into Google's computers by 2012 but said the newly released documents didn't elaborate on how extensive the project was or what kind of data it could access.

Even though the latest document disclosures suggest the NSA is able to compromise many encryption programs, Snowden himself touted using encryption software when he first surfaced with his media revelations in June.

During a Web chat organized by the Guardian on June 17, Snowden told one questioner that "encryption works." Snowden said that "properly implemented strong crypto systems" were reliable, but he then alluded to the NSA's capability to crack tough encryption systems. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it," Snowden said.

It was unclear if Snowden drew a distinction between everyday encryption used on the Internet—the kind described in Thursday's reports—versus more-secure encryption algorithms used to store data on hard drives and often requires more processing power to break or decode. Snowden used an encrypted email account from a now-closed private email company, Lavabit, when he sent out invitations to a mid-July meeting at Moscow's Sheremetyevo International Airport.

The operator of Lavabit LLC, Ladar Levison, suspended operations of the encrypted mail service in August, citing a pending "fight in the 4th (U.S.) Circuit Court of Appeals." Levison did not explain the pressures that forced him to shut the firm down but added that "a favorable decision would allow me to resurrect Lavabit as an American company."

The government asked the news organizations not to publish their stories, saying foreign enemies would switch to new forms of communication and make it harder for the NSA to break. The organizations removed some specific details but still published the story, they said, because of the "value of a public debate regarding government actions that weaken the most powerful tools for protecting the privacy of Americans and others."

Such tensions between government officials and journalists, while not new, have become more apparent since Snowden's leaks. Last month, Guardian editor Alan Rusbridger said that British government officials came by his newspaper's London offices to destroy hard drives containing leaked information. "You've had your debate," one UK official told him. "There's no need to write any more."

Explore further: UN moves to strengthen digital privacy (Update)

4.8 /5 (43 votes)
add to favorites email to friend print save as pdf

Related Stories

German companies to automatically encrypt emails (Update)

Aug 09, 2013

Two of Germany's biggest Internet service providers said Friday they will start encrypting customers' emails by default in response to user concerns about online snooping after reports that the U.S. National Security Agency ...

Report: UK spies hacked foreign diplomats

Jun 17, 2013

The Guardian newspaper says the British eavesdropping agency GCHQ repeatedly hacked into foreign diplomats' phones and emails when the U.K. hosted international conferences, even going so far as to set up ...

Secret court opens door to unsealing Yahoo! documents

Jul 16, 2013

The secret US court overseeing national security investigations has opened the door to declassifying documents related to the government's data collection program in a case involving Internet giant Yahoo!

Recommended for you

UN moves to strengthen digital privacy (Update)

Nov 25, 2014

The United Nations on Tuesday adopted a resolution on protecting digital privacy that for the first time urged governments to offer redress to citizens targeted by mass surveillance.

Spotify turns up volume as losses fall

Nov 25, 2014

The world's biggest music streaming service, Spotify, announced Tuesday its revenue grew by 74 percent in 2013 while net losses shrank by one third, in a year of spectacular expansion.

Virtual money and user's identity

Nov 25, 2014

Bitcoin is the new money: minted and exchanged on the Internet. Faster and cheaper than a bank, the service is attracting attention from all over the world. But a big question remains: are the transactions ...

User comments : 16

Adjust slider to filter visible comments by rank

Display comments: newest first

salf
not rated yet Sep 05, 2013
Which algorithm(s) have/has been cracked? RSA? Diffie-Hellman? ECC? All of the above? I'd be grateful to anybody who has details.
kochevnik
2.3 / 5 (9) Sep 05, 2013
NSA steals keys in web servers and stores them. They also have root certificates from Thawte and Versign enabling them to decrypt 98% of SSL encrypted Internet communications.

"N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them "exploitable." Sigint is the abbreviation for signals intelligence, the technical term for electronic eavesdropping."

Link to the article: http://www.propub...cryption
salf
5 / 5 (2) Sep 05, 2013
Stealing keys is quite different from cracking. Sentence # 1 with my emphasis:

"US and British intelligence agencies have *cracked* the encryption that secures a wide range of online communications including emails, banking transactions and phone conversations, according to newly leaked documents."
PhyOrgSux
1 / 5 (7) Sep 05, 2013
check Bruce Schneier's blog (schneier.com) for some more thoughts on this.
ODesign
3 / 5 (2) Sep 06, 2013
Connect the dots and it looks like the NSA spent taxpayer money to break https security using lots of different techniques. But of course tech people leek to hackers who use the research meant to spy on people for steeling from people. So then NSA, they have to cover up hacker exploits that succeed using their techniques in the interest of national security to keep the secret. The public experiences rampant "identity theft" that is never preventable because explaining it would admit NSA broke https security and thats what the better hackers are using, strait from the NSA research.

Identity theft victims are collateral damage. Those fees so many people pay for identity theft protection are an "acceptable to NSA" cost of creating the technology to break encryption. In 2010, about 8.1 million Americans were reportedly victims of identity fraud, and the average identity fraud victim incurred a mean of $631 in costs as a result.
Kedas
2.3 / 5 (3) Sep 06, 2013
They adapt source code of encryption programs to build in back doors.
Without the knowledge of those that are making/selling this software
antialias_physorg
1 / 5 (1) Sep 06, 2013
and partnered with unnamed technology companies to insert "back doors" into their software, the reports said. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.

Anyone taking bets that one of those partners is Microsoft? (Probably a few antivirus/firewall providers on that list, too)

"Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it,"

Which is really the point. Encryption doesn't matter if you can read it at either end where it HAS to be present in an unencrypted from at some time. If your system is compromised to the point where someone can see what's on your screen then even encrypting your own harddrive means nothing.
alfie_null
not rated yet Sep 06, 2013
A conundrum, as the U.S. government also encourages business to use suitably strong encryption as a defense from espionage by foreign governments.
antialias_physorg
3.5 / 5 (2) Sep 06, 2013
A conundrum, as the U.S. government also encourages business to use suitably strong encryption as a defense from espionage by foreign governments.

If only they know about the backdoor in the OS? Not so much of a conundrum.

Encryption only safeguards during transmission. Not during use. If you can get at the data during use then encryption schemes don't matter. (E.g. you can copy a video by grabbing the output of your video card. No encryption or DRM scheme - no matter how fiendishly clever - can prevent that)

Spaced out Engineer
1.8 / 5 (10) Sep 06, 2013
I am glad the government is paranoid of its people. It is safe to say that rights are being impeded. Our forefathers who founded this country would be dissappointed.

Its hilarious too because I bet the vast majority of the seized data was porn or other useless information. Most people are not bad. It is circumstance and the fight for survival that causes both destruction and creation.

In my opinion oppression of people began in the local doctors office when instead of working on our lives we sought to pop a pill to feel happy. Life is tough if even definable.

Change will happen. The question is does the law of the people's large numbers overthrow the powers that be or do we actually get off our rears and vote for representatives who actually posses integrity.

I try not to live in hopes, but I would like to will a slow change for the better meant of all people. The problem lies in helping but not over aiding. You need to motivate and provide. Be thankful you had nothing to hide.
NikFromNYC
1.4 / 5 (11) Sep 06, 2013
The maxim that "encryption always wins" still holds that as computing power eventually multiplies, the minor jump in consumer grade performance mathematically trumps even the biggest jumps in supercomputer cracking capability. Quantum computing has been spoken of as if it has already been proven in concept, which is great for grant proposals at least until the hype becomes embarrassing. Currently it's just a five minute download and setup for anybody to chat or even speak securely between smart phones, even though the standard software is compromised. The pivot point in all this was the mid 1990s congressional attempt to not only outlaw such third party software but also dictate a *hardware* backdoor they called the "Clipper Chip." In 1994 as -=Xenon=- I created the Macintosh Cryptography Interface Project to help raise awareness by helping PGP use go viral enough to alert nerds that Big Brother was at their doorstep.

-=Xenon=- (qwerty@netcom.com)
drhoo
4 / 5 (5) Sep 06, 2013
someone write an open source noise file generator. Send these files over the internet to drive big bro crazzzzyy.
ODesign
5 / 5 (1) Sep 06, 2013
@NikFromNYC

true about encryption winning, but that's only in a direct attack. Realistically the better attack strategy is a large number of techniques to indirectly break security. You don't need to know the content of a phone call to know someone who calls every relative of osama bin laden gets a hardware listening device added to their phone or person sooner or later.
Captain Stumpy
1.4 / 5 (10) Sep 06, 2013
Anyone taking bets that one of those partners is Microsoft? (Probably a few antivirus/firewall providers on that list, too)


don't forget to add Google, facebook, and apple to that list.
baudrunner
1.4 / 5 (9) Sep 07, 2013
What I read into the state of things which this article implies depresses me. There appears to be an unhealthy relationship developing between Britain and the U.S., one founded on suspicion and subterfuge, which serves to coalesce it while others feel alienated. Americans of European descent number about 30% greater than their British counterparts and I think the bond should be stronger between them and American policy makers, because I don't see them wanting the kind of paranoia which is currently developing in England because of their obsession with public surveillance. Don't bring 1984 to America. See England for what it is, which is still essentially what it was when Americans threw them out of America. I've said it before and I'll say it again, "So long as there is monarchy in Britain, England will always be a threat to world peace". Mark my words.
geokstr
1 / 5 (10) Sep 08, 2013
Anyone taking bets that one of those partners is Microsoft? (Probably a few antivirus/firewall providers on that list, too)


don't forget to add Google, facebook, and apple to that list.

Note how you got 4 1s for a perfectly reasonable post, and google and facebook are already on record for being big Obama supporters and have been implicated in the NSA database information gathering. You must have shown in the past that you're not a radical leftist, and now you'll be punished here no matter what you say.

I'll get my 1s on this comment as well. Ask me if I give a rat's derriere.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.