What’s Not to Trust?It's a complicated issue, especially because it appears that math behind encryption is still solid. What has been called into question over the past year is how encryption has been implemented. Organizations, such as the National Institute of Standards and Testing (NIST) and Microsoft, are in the hot seat for allegedly compromising encryption standards and colluding with government agencies.
In November 2013, Snowden-released documents that accused NIST of weakening its encryption algorithm, allowing other government agencies to carry out surveillance. Upon being accused, NIST took steps to vindicate itself. According to Donna Dodson, NIST's chief cybersecurity advisor in this blog, "news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines. NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process."
NIST is rightfully concerned - not having the trust of the world’s cryptographic experts would shake the Internet’s foundation. NIST updated its blog on April 22, 2014, adding Public Comments Received on NISTIR 7977: NIST Cryptographic Standards and Guidelines Development Process, commentary from experts who studied the standard. Hopefully, NIST and the cryptographic community can come to an agreeable solution.
What happened with the giant software provider Microsoft was a bit more nebulous. According to Redmond Magazine, both the FBI and NSA asked Microsoft to build in a backdoor to BitLocker, the company’s drive-encryption program. Chris Paoli, author of the article, interviewed Peter Biddle, head of the BitLocker team, who mentioned Microsoft was placed in an awkward position by the agencies. However, they found a solution.
"While Biddle denies building in a backdoor, his team worked with the FBI to teach them how they could retrieve data, including targeting the backup encryption keys of users," Paoli explained.
What About TrueCrypt?The dust almost settled around Microsoft’s BitLocker. Then, in May 2014, the secretive TrueCrypt development team shocked the cryptography world, announcing that TrueCrypt, the premier open-source encryption software, was no longer available. Any attempt to get to the TrueCrypt website was redirected to this SourceForge.net Web page that displayed the following warning:
Even before the Snowden document release, this type of announcement would have shocked those who rely on TrueCrypt to protect their data. Add in questionable encryption practices, and the shock turns into serious angst. Plus, open-source advocates who backed TrueCrypt now face the fact that TrueCrypt developers are recommending that everyone use Microsoft’s proprietary BitLocker.
Needless to say, the conspiracy theorists have had a field day with this. There are many different opinions as to reasons behind the decision. At first, experts such as Dan Goodin and Brian Krebs thought the website had been hacked, but after some checking both dismissed that notion.
Two popular theories that align themselves with this discussion:
- Microsoft bought TrueCrypt to eliminate the competition (BitLocker migration directions fueled this theory).
- Government pressure forced TrueCrypt’s developers to close the website (similar to what happened to Lavabit).
That lack of faith in the code continues today. The fact that cryptographers are performing an intense review of TrueCrypt (IsTrueCryptAuditedYet) is a prime example of the uncertainty that continues to exist.
What Can We Trust?Both Edward Snowden and Bruce Schneier have both said that encryption is still the best solution for keeping prying eyes away from sensitive personal and company information.
Snowden, during his SXSW interview with ACLU principal technologist Christopher Soghoian and Ben Wizner, also of the ACLU said, "The bottom line is that encryption does work. We need to not think of encryption as an arcane, dark art, but as basic protection for the digital world."
Snowden then offered a personal example. The NSA has been working hard to figure out what documents he leaked, but they have no idea, simply because they are unable to decrypt his files. Bruce Schneier is also all in when it comes to encryption. Still, Schneier tempered his support with a warning.
"Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means," he said.
In a bit of irony, Schneier’s comment was also made way before TrueCrypt was shuttered, and before TrueCrypt developers began suggesting that people use BitLocker. The irony: TrueCrypt is open source, whereas BitLocker is closed source.