In the past few months, we’ve seen more and more coverage of how existing laws have been used to gain access to cloud-based data without the data owner’s knowledge or consent. What’s different with the latest revelation, as highlighted in The New York Times recently, are reports of the National Security Agency actively trying to undermine encryption technology and standards, including those adopted by National Institute of Standards and Technology, such as the Dual EC DRBG standard.
Does this mean that the NSA’s reach into electronic communications is so profound, and its abilities to dig into our communications so extensive, that businesses must come to terms with two equally unattractive options: accept that there is no way to control their own data even when they encrypt it, or avoid using cloud services?
In short, no. Peeling back the layers, the situation is not as dire as heated coverage suggests. In fact, security experts say that the reports, while critical to fostering a debate on policy and law, could have overstated the NSA’s capabilities. While basic precautions are unlikely to stand in the way of the NSA’s surveillance efforts, as cryptography expert Bruce Schneier notes: “The defense is easy, if annoying: stick with symmetric cryptography based on shared secrets, and use 256-bit keys.” Without access to the keys or the ability to crack the encryption, the NSA must directly approach the data owner who holds the keys to access the data.
The Key Is The Key
Internet encryption is simply keys and locks: We understand that when we lock a door, the level of protection depends on how strong and complex the lock is and whether we store the keys safely. If we hold tight to the keys, and the encryption equivalent of the lock is impervious to hammer blows or even a master safecracker, it’s less critical how the encrypted data moves through the network. But as long as the attacker has access to the keys, the protection of the lock has no relevance.