NSA Revelations Leave Encryption Experts In A Quandry

Documents leaked by former contractor Edward Snowden indicate the NSA may have installed backdoors on encryption products. It's not clear exactly what's going on but the stories have unleashed plenty of fear and loathing in the closed world of encryption researchers.

Copyright © 2013 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, HOST:

The technology world is reeling. That's after press reports earlier this month that the National Security Agency may have weakened computer software. The reason - to make it easier for the government to read encrypted messages.

The stories have upset many encryption experts, the very people who help scramble digital communications to keep those messages secure. NPR's Larry Abramson reports.

LARRY ABRAMSON, BYLINE: When Professor Matt Green, of Johns Hopkins University, chats online with his students, he takes an extra step to make sure no one else listens in.

MATT GREEN: Let me see if I can find somebody who is online, who will talk to me. There's one of my grad students.

ABRAMSON: Green is an expert in encryption, the science of using powerful math to encode messages. For his online chats, Green turns to Off the Record Messaging.

GREEN: What I would do is, I would just choose initiate encrypted OTR chat.

ABRAMSON: Green and his student must first exchange digital fingerprints, to verify their identities.

GREEN: But if I do that, I can click accept. And then, from now on, all of our communications will be protected. And you can see that by the lock up in the corner.

ABRAMSON: Strong encryption like this makes it extremely difficult, even for the National Security Agency, to unravel messages like these. That's why, according to reports based on leaks from Edward Snowden, the agency had to find another way in. The reports say NSA workers installed back doors in encryption programs so they could gain access when necessary. Security technologist Bruce Schneier has seen some of the encryption documents leaked by Snowden that have not been made public.

Schneier says, imagine if you installed a lock on your front door that appears to be solid.

BRUCE SCHNEIER: But if someone, a locksmith, goes in during install and, you know, makes it a lousy lock, you won't be able to tell the difference. It'll still work normally, but a burglar can get in. And it turns out the NSA is doing similar things with mathematics.

ABRAMSON: Cryptographers are not just worried that the NSA will spy on them, more important, they say, is the chance that identity thieves, rival companies, even foreign governments might exploit that same back door. Matt Green says, once the door is open, you never know who will get in.

GREEN: Turns out that for a whole bunch of technical reasons, it's very hard to build back doors that only you can find and only you can exploit.

ABRAMSON: The National Security Agency won't comment directly on the allegation it is creating back doors, but it points out that breaking encryption is one of its chief roles. Richard Ledgett currently runs the NSA taskforce looking into the Snowden leaks. He points out that terrorists and spies use the same Internet to communicate as ordinary Americans.

RICHARD LEDGETT: We have to be able to work against the technologies that that Internet uses. It doesn't mean that we're using that to go against Americans.

ABRAMSON: Because the law forbids the agency from spying on U.S. persons and there's no evidence that the NSA has been decoding messages between innocent people. Still, the news stories have created anxiety across the tech world. Because of those concerns, the National Institute of Standards and Technology has reopened a widely used encryption standard for public comment and the security company RSA has told its clients to stop using that same standard.

At the same time, the encryption kerfuffle may have created a new demand for more security technologies. Vic Hyder(ph) is chief operations officer for Silent Circle, which offers secure communications services. Hyder says Silent Circle creates and then quickly destroys a new encryption key for each conversation.

VIC HYDER: At the end of the conversation, the key is deleted. It's dissolved and gone. There's nothing to pick up.

ABRAMSON: Hyder says his company has never been approached by the NSA to install a back door in its software but media reports indicate other companies may have worked with the agency or been forced to. Former NSA general counsel Stewart Baker says the government has a powerful interest in making sure it can decode any messages.

STEWART BAKER: And it will find a way to impose a requirement on manufacturers of a product.

ABRAMSON: Among cryptographers, there is a sense that they have been betrayed by fellow code writers at the NSA. Matt Green of Johns Hopkins University takes the whole thing pretty personally.

GREEN: That kind of offends me. And it offends me because it makes Americans less secure, not just because it facilitates the NSA's job.

ABRAMSON: Still, despite all the suspicion, Green says encryption is essential. The answer, he says, is to keep coming up with products that are as secure as they can be. Larry Abramson, NPR News.

Copyright © 2013 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Support comes from: