Is open source encryption the answer to NSA snooping?

Going the open source route to encrypt enterprise data has its own potential pitfalls

By Maria Korolov, Network World
November 25, 2013 06:02 AM ET

Network World - When Unisys CISO John Frymier came in to work on Friday, Sept. 6, the phones were ringing, and continued to ring all day. Customers were panicking over the news headlines of the day before.

The NSA had cracked Internet encryption.

The NSA was listening in to everything.

European customers were especially concerned, he says.

Fortunately, many of the headlines had been unnecessarily alarmist.

“The earlier types of encryption, with 64 bits or less, the NSA has figured out how to brute force decrypt at least some of that traffic,” he says. “But the more modern, strong encryption, with 128 or 256 encryption units, they can't decrypt that. And it bothers them no end.”

Customers can still trust it, he says.

“Modern encryption implemented well is perfectly secure and nobody can crack it,” he says. “Strong encryption is still safe.”

But what exactly does “implemented well” mean? And what about back doors deliberately installed by the NSA in commercial encryption software?

According to encryption expert Bruce Schneier, a fellow at Harvard's Berkman Center for Internet and Society, one solution is to use open source encryption algorithms.

But open source encryption, while publicly vetted by security experts, academics, and a global community of paranoid code wranglers, has its pitfalls as well. In particular, open source encryption requires a higher level of in-house expertise to implement, and there may be a shortage of encryption experts to go around. In addition, open source products may not offer the same level of functionality and support as commercial offerings.

According to Schneier, who had direct access to the leaked NSA documents, the NSA asks vendors to make subtle changes to their encryption software to make it more vulnerable. For example, a random number generator might not be as random as it should be. Or the software could leak keys in some undetectable way.

And if the problem is detected, the vendor can explain it away as a mistake, he says.

Though that may be changing.

“Thankfully, companies that colluded with the NSA are being penalized in the marketplace,” says Schneier.

One of his recommendations is to be suspicious of commercial encryption software and to opt for open-source alternatives.

In particular, he favors open-source alternatives that have to be compatible with multiple implementations, since changes to the core code base have to undergo extra scrutiny to ensure that they don't break compatibility with the various implementations.

Now that there's so much attention focused on the possibility of backdoors sponsored by the NSA, or other players, the level of attention open source encryption software receives will only increase.

In fact, encryption is pretty much the only area in information security where the more the public knows about a process, the better.

“To think that a proprietary algorithm can be better simply because its source code is unknown is, to put it mildly, ludicrous,” says Pierluigi Stella, CTO of network security vendor Network Box USA. “There’s no way anyone can write an algorithm and sufficiently test it to ensure no one will ever find a small crack in the code to render its encryption completely useless. These algorithms need to be tested, tested and tested yet again, to ensure they really work and are strong. And the only way to do so is to make them public. I don’t know with certainty if there’s been a surge of interest in open source. All I know is that I would never use anything else.”
