Earlier this week my colleague Garry talked about his experiences attending the TCG conference recently and the ‘hallway talk’ about the NSA. It raised some good observations and had me thinking about a recent blog from the NY Times about the NSA and their relationship with the National Institute of Standards and Technology (NIST).
When dealing with Encryption there are a lot of factors at play when securing systems, key files, Random Number Generators (RNGs) and a whole host of other complexities that exist ‘under the hood.’ The vast majority of data encryption providers work with the NIST to ensure their cryptographic engines are FIPS validated as it’s typically a requirement for many customer RFPs.
But what has come to light recently (as highlighted in that NYT blog post) is that there are now questions about the relationship between the NSA and NIST. According to the blog:
“But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged ‘contributions’ from N.S.A., but not primary authorship.”
As a security company, this is a very disturbing revelation. It brings into question the validity and security of how we encrypt data. Needless to say, I looked into this pretty quickly to find out if we used the Dual EC DRBG standard in SecureDoc. The last thing you want to discover is you’ve left the back door to the house in unlocked.
The good news? SecureDoc doesn’t use the Dual EC DRBG standard. This means that we can assure customers that we are not vulnerable to the alleged back door that has been identified.
In addition to this, there’s been a lot of speculation about the ability of the NSA to hack 256-bit AES encryption. This really isn’t something that can be done quickly, easily or cost-effectively. It would take multiple servers dedicated to cracking one system a huge amount of effort and resources to accomplish this, and it could take years to actually complete.
So despite all the rampant speculation and fear and loss of trust, most users of full-fledge data encryption solutions should feel at ease knowing that their data cannot and should not be easily compromised when using solutions based on AES 256-bit encryption.