December 29, 2013

Why Encryption Doesn't Make Our Lives Secure (Yet)

The major lesson of 2013 is that our data is with the NSA. We dislike this, and we all agree that it is not fair, but above all that it is the fault of the secret services (AKA governments).

As proven this month by Jonathan Mayer, a grad student at Stanford, in his article ‘MetaPhone: The NSA’s Got Your Number’, it seems that most people are not doing much either to make life difficult for the NSA or any other party interested in their data.

Gizmodo added more meat to the bone in their article ‘Surprise! It’s Super Easy to Identify People From Metadata’.

Anyone who is a bit more interested in IT than average will now have a good laugh: how stupid can someone be to show their private data online? Encryption will solve the problem!

First, in digital life even the smart ones are not really protected, not even with the best known encryption in the universe. The IT enthusiast most likely does not use a different password for every account. If they do, there is probably at least a certain pattern in use, like a main password plus a certain prefix per account. Or we use tools like 1Password or LastPass, which are excellent and encrypted but a single point of failure. Once someone gets into this database, they will obviously have all your credentials at their fingertips, and, as you will see if you continue reading, encryption does not help you much here.

You can add extra security to these tools with two-factor authentication, but honestly, does it really make you more secure, or 100 percent secure? The truth is that currently it still does not, just as all the advertisements claiming that encryption is the key to your privacy are simply not true.

Without going into too much detail, all encryption by its nature depends on random numbers. Those numbers are either truly random or pseudo-random. Common sense tells you that playing with dice or cards is more likely to give you a random outcome than using an algorithm in IT, because the algorithm in IT will be known.

Indeed, random number generators in IT often produce pseudo-random numbers only. The challenge is that the algorithm and the variables such a generator uses can be known to a third party, which makes the generated numbers more predictable than desired. The Wikipedia article ‘Random Number Generator’ gives you more details.

Briefly, random number generators are key to any encryption: if the random numbers can be made predictable, your encryption can easily be abused and is, well, yes, useless.
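To make the point about a known algorithm and known variables concrete, here is an added Python example (not part of the original post). It assumes a 128-bit key built from a general-purpose generator seeded with a clock value inside a known hour; the timestamps are constructed sample values and all function names are hypothetical.

```python
import random
import secrets

KEY_BYTES = 16  # 128-bit key

# Constructed sample values: a key made at some second inside a known hour.
WINDOW_START = 1388275200
WINDOW_END = WINDOW_START + 3599
CREATED_AT = WINDOW_START + 1234


def weak_key(seed: int) -> bytes:
    """Key from a general-purpose PRNG (Mersenne Twister) seeded with a clock value."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Key drawn from the operating system's cryptographic generator."""
    return secrets.token_bytes(KEY_BYTES)


def find_seed(key: bytes, start: int, end: int):
    """Return the seed in [start, end] that regenerates key, or None."""
    for candidate in range(start, end + 1):
        if weak_key(candidate) == key:
            return candidate
    return None


def compare():
    """Try to regenerate each kind of key from the 3600 possible clock seeds."""
    from_weak = find_seed(weak_key(CREATED_AT), WINDOW_START, WINDOW_END)
    from_strong = find_seed(strong_key(), WINDOW_START, WINDOW_END)
    return from_weak, from_strong


if __name__ == "__main__":
    weak_result, strong_result = compare()
    print("seed recovered for PRNG key:  ", weak_result)
    print("seed recovered for CSPRNG key:", strong_result)
```

The 128-bit key from the seeded generator has only 3600 possible values, so its effective strength is set by the seed, not by the key length. This is why key material should come from the operating system's generator (`secrets` or `os.urandom` in Python).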

Shortly before Christmas, Prof. Edward Frenkel explained on YouTube how the NSA hacked our e-mails:

The follow-up video, with some extra bits on the NSA surveillance, is worth watching as well:

EMC-owned RSA’s Deal With The NSA Reflects A General Mistrust, but I bet this is only the tip of the iceberg. Even though a trustworthy random generator can be programmed, someone will always have an interest in having a backdoor implemented.

‘Funnily’ enough, the NIST standard was also heavily used by open source solutions, as a free resource from a recognized institute. Consequently, forget all the encryption you might now be using: it might not add much more benefit than keeping your little ones from reading protected content and keeping your CPU busy, and it will not give you the level of security you might expect from it.

NIST already published a recommendation in September not to use their standard any longer (‘SUPPLEMENTAL ITL BULLETIN FOR SEPTEMBER 2013’). Is it not a surprise that it took almost 3 months, until just before the holidays, for the topic to finally be discussed by a broader audience?

In closing, I recommend the following article from MIT: ‘Encryption is less secure than we thought’. It says it all: most of the encryption methods now in use are weak, and either they already have a backdoor or it will only be a question of time.

The big question remains unsolved: which organization will in future set up a new secure global standard, and who will be able to guarantee that this one will not have a backdoor? A dreamer might believe in such a solution … in theory it is doable, but I have strong doubts that it will ever happen.

As such, encryption continues to add value by making access more complicated for the average person and adding minimal security against average criminals, but it does not add much to the privacy of your own data. Whatever leaves your own brain will be less secure than the stuff you keep to yourself.

Nothing has changed, and nothing about this will probably ever change.

Jeannot Muller

Entrepreneur, developer, author.
