Last updated Friday, Jan 10, 2014

Encryption climate shows the value of Open Source

Estimated reading time: 2 minutes

Table of contents

The Snowden revelations have thrown the surveillance climate wide open and some have suggested that the behaviour of the NSA has broken the web’s security model for everyone.

At the 30th Chaos Communication Congress [30c3] Nadia Heninger, djb and Tanja Lange delivered a brilliant talk about The Year in Crypto. Although there are some very technical sections I highly recommend that you watch it.

They cover a lot here.

• In 2013 TLS was compromised meaning attackers could steal cookies over https.
• RSA keys were factored because of bad random number generators
• There were 8 submissions of papers to the Fast Software Encryption Workshop on NSA Ciphers with the tacit suggestion that the NSA did this to distract the community.
• Lavabit received a Grand Jury Summons to hand over the encryption keys for Lavabit. The suggestion is that the Government can request private keys from an internet provider at will. Once Government Organisations have the keys they can decrypt any traffic either now or in the past for traffic they have collected for everyone.
• It was revealed that the random number generator in Intel Chips could have a backdoor.
• The NSA Bullrun programme suggests that commercial encryption software can have backdoors inserted
• NIST standards in general are thrown into question including SHA-3.
• Bad randomness in bitcoin transactions can allow bitcoins to be stolen
• NSA’s MUSCULAR programme allowed the NSA to remove the SSL layer from Google’s Front End granting them access to clear text traffic.
• The XCB standard for encrypting hard drives was suggested as being not secure as a Disk Encryption System.
• Acoustic attacks allowed an attacker to steal private keys via listening to audio signals. They also achieved this with a smartphone microphone.
• RSA accepted a payment of $10 million around 2004 in order to implement a random number generator with a backdoor.

Where open source wins

In this talk it is clear that Commercial encryption software has become generally less secure in the current climate. The strength of open source encryption is that because it is open source many developers can review the code and find any backdoors that anyone is trying to add.

Better Encryption

The bettercrypto.org site has a paper outlining practical ways to improve the way you use crypto both personally and in the software you create. It has recommendations and configuration for major web servers and best practice for using software.

If you are developing software for the web or value your privacy you should read it.

Have an update or suggestion for this article? You can edit it here and send me a pull request.

Tags

Recent Posts

• Using HashiCorp Vault with LDAP
  How to use HashiCorp Vault to setup an LDAP backed secret store with read-only access for users in groups and read-write access for specific users

• Linux and Unix xargs command tutorial with examples
  Tutorial on using xargs, a UNIX and Linux command for building and executing command lines from standard input. Examples of cutting by character, byte position, cutting based on delimiter and how to modify the output delimiter.

• Copy a file in Go
  How to copy a file in Go. The ioutil package does not offer a shorthand way of copying a file. Instead the os package should be used.