Everyone needs to calm down: The National Security Agency HAS NOT"cracked" common internet encryption.
"Cracking" conveys that they have found a way to break down encryption codes, prime among them being RSA, the cracking of which would lead to the catastrophic collapse of trust in internet communications and transactions.
BoingBoing tech writer Cory Doctorow summed the mistake up best:
All the headlines saying "#NSA breaks encryption" are wrong; correct phrase is "NSA works with vendors to sabotage security technology"
— Cory Doctorow (@doctorow) September 6, 2013
What the NSA has done, according to leaked documents, is (1) undermine encryption by coercing companies to put backdoors into their software and (2) hack into tech company servers to steal encryption keys.
The misconception has spawned as a result of major news organizations like The Guardian, Propublica, and New York Times conflating the two ideas of "exploiting" and "cracking." For example:
New Snowden documents say NSA can break common Internet encryption http://t.co/DfoS0AynyD
— Reuters Top News (@Reuters) September 5, 2013
DOCUMENT: Project #Bullrun– classification guide to the NSA's decryption program http://t.co/SLehopVCCQ
— GuardianUS (@GuardianUS) September 5, 2013
Revealed: The NSA's secret campaign to crack, undermine Internet encryption http://t.co/HnEsfdCPTM
— ProPublica (@ProPublica) September 5, 2013
The New York Times states: "The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show."
This latest leak is plenty scary, but it doesn't mean that web encryption is broken.
This from Bruce Schneier, cyber security expert, just days ago in Wired:
Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system.
It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext.
Now everyone talks about supercomputers running trillions of passwords a second — called "Brute Force" attacks — but "right now the upper practical limit on brute force is somewhere under 80 bits," reports Schneier.
The least of encryption stands at 128, but most of the internet is phasing out 1024-bit keys in preference for 2048-bit keys. Put simply, brute force might yield a decrypted message once every million years.
There is a dangerous side, however, to what the NSA is doing.
Backdoors are something called "exploits," in particular, "zero-day" exploits. Zero-days are exploits that only one party knows about, and the rest of the world doesn't. Backdoors do not allow for streaming information gathering, but rather, targeted exploitation of networks or software, often on a particular user's computer.
The problem with zero-days is that hackers rapidly and regularly find them — so pretty soon they're worthless, or in the wrong hands.
"We lose our security not just from the NSA, but from other actors who could subvert" the back doors and so on for which the agency is responsible," Eva Galperin, a Global Policy Analyst with the Electronic Frontier Foundation, told CNET.
The other problem — as has been pointed out several times to Business Insider by tech experts — is that coercing tech companies to install backdoors is essentially baking security weaknesses into software that advertises itself as secure.
Another weakening of public trust.