More evidence has crept out from the mass of government information revealed by whistle-blower, Edward Snowden, on the National Security Agency (NSA) PRISM program. In the latest papers - revealed to the Guardian Newspaper, the New York Times and ProPublica - it is shown that the NSA has a $255 million per year program against the defences offered by encryption products used for PCs and mobile phones on the internet. Apparently, 4G phones are a particular target of this research. This newly revealed program dwarfs the $20m PRISM program which collects data directly by demands to the appropriate internet companies such as Google.
According to reports obtained from the Guardian, these papers reveal:
This is a technically correct way of saying; don't bother with the front door because it is too strong. But as with all security there is no such thing as perfection and conceptually anything can be broken if you have enough time and resources. The better cryptographic algorithms behind SSL, if correctly implemented, will withstand an attack by any known computer resources and will not be routinely broken by any organisation, governments included.
However, and here comes the big 'but', these protocols must be correctly implemented and used. It is no good using the best cryptography if you allow the protocol to default to no cryptography or a chosen weak algorithm, as can be done when establishing an SSL session. It actually gets worse than this, from personal experience I have regularly encountered SSL gateways where the server has been left in default password mode. Who needs to break the cryptography if you can just break into the computer? It goes without saying that if you can get the keys then the cryptographic algorithm is irrelevant. The basis of all modern cryptography is that the security is dependent on the key and that the algorithm is assumed to be public knowledge.
The other concept, that is vital when looking at internet security, is to understand the required security service drawn from confidentiality, integrity and availability. In the payments world, for example, the core requirement is integrity and authentication. The bank needs to be assured that the correct payment instructions are actually from their authentic user and are of course authorised. The most popular way of achieving this today is to use digital signatures. This is not the prime interest of governments who receive all the necessary reporting from the FIs, who are appropriately regulated. In fact, it is the opposite as no government would want major electronic payment systems to be compromised because that would destabilise the economy. I would suggest that if they were aware of any such failing in the security used by electronic payment schemes that they are more likely to make such knowledge available to the operators.
The papers obtained from Snowden and revealed by the Guardian also suggest that there is a core focus of the programs on mobile phones. The 4G phones were mentioned in particular as if the cryptography is deeply flawed. The reality is far more likely to be around the security of the smart mobile phones and not the particular algorithms. Although there have been some weaknesses identified, this is unlikely to be the major problem.
In July, the US Department of Homeland Security warned police officers, fire fighters, emergency medical services and security personnel about the security issues in earlier versions of the Android operating system, subsequently patched by Google. One example cites the possibility of making secret charges to a user's phone bill due to unauthorised premium text messages. This was the primary attack of early Android malware that was loaded down from the internet from non-authorised sites. However, in early July the security research firm BlueBox discovered a way to make changes to an applications code without affecting the signature used to protect the phone from installing unapproved applications. Apparently, hackers have now exploited this vulnerability to install malware called Android Skullkey which steals data from the phone, monitors SMS messages and sends premium SMS messages at a cost to the user.
The activities of the NSA and GCHQ may be of concern to some, but really the problem is not to do with the cryptographic algorithms but the surrounding platforms and their implementation - including key management.
The greater concern is that many modern mobile phone platforms do not offer adequate security and that the industry is moving rather slowly to address these concerns.
Dr David Everett, SCN Technical Researcher.