Yesterday, there was news that The Guardian had shared 50,000 pages of NSA documents released by Edward Snowden with the New York Times, some of which showed that the NSA is able to foil basic safeguards of privacy on the web.

Following this, Dave Anderson, senior director at Voltage Security, responded:

To quote Snowden himself, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

In the light of this, it seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself. So, is it possible that the NSA can decrypt financial and shopping accounts? Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error.

When properly implemented, encryption provides essentially unbreakable security. It’s the sort of security that would take implausibly powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack it in a few hours at most.

A more likely way that the NSA is reading internet communications is through exploiting a weakness in key management. That could be a weakness in the way that keys are generated, or it could be a weakness in the way that keys are stored. And because many of the steps in the lifecycle of a key often involve a human user, this introduces the potential for human error, making key lifecycle management never as secure as the protection provided by the encryption itself.

General Robert Barrow (USMC) once said that amateurs think about tactics while professionals think about logistics. An appropriate way to update this to the Internet age might be that amateurs talk about encryption while professionals talk about key management.

About the Author:

Dave Anderson | @Voltagesecurity | Voltage Security

Dave Anderson currently serves as the Senior Director for Voltage Security, where he is responsible for developing market strategy, delivering new technology solutions to market, and managing global campaigns and programs for Voltage’s data protection and encryption solutions. Prior to Voltage, Dave led marketing and program strategy for McAfee, SAP, and VeriSign.

Dave has 20 years of experience within business strategy, marketing, and product development at leading technology and services firms, including SAP, ArcSight/HP, KPMG, and VeriSign, and has worked extensively across Asia and Europe in delivering market and industry security solutions. His expertise focuses on strategy and planning, marketing, and operational governance.

Dave received his MBA from Duke University, the Fuqua School of Business in 2010. He has been published in multiple industry and technical journals, and is a frequent speaker on risk management, corporate governance, security, and strategy.