In the wake of the American whistleblower’s revelations of wholesale government spying, the public is increasingly concerned about the safety of personal data. The market is responding with new encryption products that are easy to use.
When the NSA played into the hackers’ hands
Among Edward Snowden’s numerous revelations, few bothered the cryptography community as much as the “Dual EC DRBG” affair.
The NSA was involved in the design of Dual EC DRBG, a random-number generator standardised by the U.S. National Institute of Standards & Technology, slipping in a “backdoor” that significantly weakened the encryption protocols.
“The Dual EC method is clearly compromised,” says Eindhoven University of Technology (TU/e) researcher Tanja Lange, who is a member of a group of experts that studied the breach.
“We found 720 seemingly secure servers that used it, as well as 2.7 million servers that included it as one of their possible options. And these numbers are conservative because we did a very quick survey.”
Most encryption protocols need random numbers to generate encryption keys. The Dual EC method, however, generates numbers that are not completely random, allowing the entity implementing it – here the NSA – to crack the code.
“We tested how hard it would be to launch an attack,” says Lange. “It was incredibly easy. It took us less than two hours – often only a few seconds – and the NSA’s computers are much more powerful than ours.”
Even so, two months after publication of the TU/e team’s results, former NSA director Richard George claimed in public that the breach was difficult to exploit and that no one had demonstrated a successful attack. The NSA clearly knows when not to listen.
Cryptography is coming out of the woodwork.
June saw the release of the Blackphone on the shelves of Dutch telecoms operator KPN. Designed for the general public, this secure smartphone is based on a modified, secure version of the Android operating system. It comes with pre-installed apps that guarantee security for calls (Silent Phone), texts (Silent Text) and contacts (Silent Contacts). But privacy doesn’t come cheap: the phone retails for $629.
Encryption has also made its way into television programs, with the omniscient machine in Person of Interest. And in this year’s blockbuster video game, Watch Dogs, set in a dark version of Chicago, a lone hacker takes on a company that spies on phones, laptops and cameras. Even jargon that was traditionally understood only by geeks – Trojan Horses, viruses and backdoors – is now common parlance.
All thanks to Edward Snowden’s revelations of wholesale U.S. and British government spying on individuals around the world.
Cryptography for the masses
Stepping in quickly to profit from the trend, companies are offering a variety of user-friendly encryption products to guarantee personal privacy for the masses.
Enigmabox, released in Switzerland in 2013, promises to make digital lives anonymous, allowing its users to remain “under the radar”. The plug-and-play device is installed between a router and a computer, where it diverts Internet traffic to one of the company’s VPN servers, which keep no records of their connections. Data is encrypted within the device and protected by a key known only to the user.
Web sites visited and user-entered data are secure, as are Internet calls and email messages – as long as those on the receiving end also have an Enigmabox.
ProtonMail, released in May, is a secure online messaging service developed by researchers at Harvard, MIT and CERN. Its developers claim that it is as easy to use as Gmail and works with any browser. ProtonMail is compatible with other messaging systems, allowing users to send and receive encrypted email even if their contacts are not using the service.
It did not take long, though, for ProtonMail to hit a wall. Two months after its release, the start-up’s PayPal account was frozen; PayPal questioned whether the start-up had “obtained government permission” to encrypt email messages.
Blackphone, manufactured by a Spanish company, has installed its headquarters in Switzerland, along with ProtonMail and Enigmabox. This is no coincidence: Switzerland has a reputation for discretion, a favourable legal framework and technical expertise. The country is also making a name for itself in the market for secure data centres; some servers are even buried in a former military bunker deep beneath the Alps.
Unlike previous systems understood only by experts, the new projects hope to make encryption widely accessible thanks to user-friendly interfaces that hide the technical details. The best-known email encryption software, PGP, is still usable only by a limited audience because it is austere, complex and lacks such basic functions as searching through old messages.
“There’s no reason to deny people the possibility of protecting their devices,” says Lars Ramkilde, professor at the Technical University of Denmark (DTU) in Copenhagen. “The systems just have to be efficient enough that users are unaware that their data are constantly being encrypted.” Ramkilde has created Dencrypt, a smartphone app for secure Internet conversations. “The climate has changed, and the demand for privacy is increasing. To a certain extent, Snowden has created a new market.”
Dencrypt is based on a dynamic encryption technique: the app changes its encryption protocol with each new use, instead of always using the same standard method. “By far the most commonly used algorithm is the Advanced Encryption Standard (AES),” says Ramkilde. “It was developed in the U.S. in the 2000s, and hackers have had plenty of time since then to improve their decryption programs. If your encryption method changes every time you use it, it becomes much more difficult to get around.”
Even with the advent of these new products geared for the public, the most lucrative target for specialised companies remains the professional world. “One of the lessons of the Snowden affair was that even governments were involved in industrial espionage,” says Tanja Lange, a cryptography expert at the Eindhoven University of Technology (TU/e) in the Netherlands. “Company executives realised that investing in secure phones would protect their strategies and innovations.”
Fabien Jacquier, founder of the Swiss information-security company Kyos, agrees. “We have a few wealthy individuals among our clientèle, but our main market is companies. Developing high-end solutions for the public would entail huge development costs and considerable marketing effort.”
Confidence and concern
For now, “most people still think their exchanges are secure, even though an email is more like a postcard than a letter in an envelope,” says TU/e researcher Lange.
École Polytechnique Fédérale de Lausanne (EPFL) cryptography expert Arjen Lenstra believes that caution is a good thing. “As soon as you type any kind of data into a keyboard of an electronic device you instantly lose control of that data. Making the public aware of this is scary but healthy.”
And the NSA’s breaches of privacy are only the tip of the iceberg. “The Heartbleed bug discovered in the spring of 2014 compromised the security of one third of the planet’s passwords over a two-year period,” says Kyos’ Jacquier. “It was a massive security breach.”
Encryption protocols are based on mathematics, making them in principle almost impossible to break. But in practice, security is never guaranteed. “Encrypting data can make things more complicated, but it would be naïve to believe that you can keep a secret for a long time from a truly motivated hacker,” says EPFL’s Lenstra. “No one can guarantee absolute security,” adds DTU’s Ramkilde.
Nonetheless, even limited protection is important. “The goal is not to insist on building an inviolable system, that’s illusory,” says Jacquier. “It’s more about sufficiently complicating the hacker’s job so that he moves on to an easier target. Just like you discourage a thief by putting up an armoured door.”
– By Jean-Christophe Piot