|By Zafar Khan||
|June 29, 2013 07:00 AM EDT||
There has been quite a buzz around the power of the alleged NSA eavesdropping considering the insights that the NSA Whistleblower, Edward Snowden, presented to the American public.
The NSA Whistleblower exposed how our digital identities are being captured, stored, analyzed, and categorized, allegedly by NSA, as well as companies that publicly state that they store and analyze your data (Facebook, Linkedin, Google email, etc.). The power of the NSA system, according to Snowden, is that they aggregate your digital communications across telephone, internet, web, mobile app, and email data.
With regards to email, email encryption works, to keep your email message content private. As The Guardian reported on Monday, June 17, the NSA Whistleblower said:
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."
But, encryption is a broad term. Not all email encryption and methods of use are the same, in terms of privacy. Not all are "strong crypto systems".
What type of "encryption" works, for whom, what, and when?
"Caesar Cipher" and "Pig Latin" are Forms of Encryption
Suppose Alice wants to send a secret message to her friend Bob but worries that her snoopy Big Brother may intercept it. Alice needs a way to scramble her message so that only Bob can read it. A simple way to do this would be for Alice to replace each letter in her message with the next highest letter; shifting it by one (think "Caesar Cipher" or "Pig Latin").
But, of course, that is too simple. If Big Brother intercepts the message he'll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and a little trial and error.
And, of course, if Big Brother uses a computer he'll be able to crack the code even faster. So just shifting the first letter to the end and adding "ay" as a suffix (turning "HELLO" into "ELLOHAY" for example) isn't a very strong cipher. What can Alice do?
Well, she can try to think up a more complicated mathematical formula to scramble the letters and numbers. And maybe she could use a computer herself to apply the formula. This will help, but the problem is still that if Big Brother hires clever mathematicians, or if he just has a big enough computer, he will be able to crack the code eventually. So it looks like it's going to be an arms race with Big Brother to see who can come up with the biggest computers and the most complicated formula. But because Big Brother is big, it is a race Alice and Bob are bound to lose.
What is Considered "Strong Crypto"?
Then, what did the NSA Whistleblower mean by "strong crypto systems" when he said, according to The Guardian, "Properly implemented strong crypto systems are one of the few things that you can rely on."
We have established that more complex patterns used to encrypt are harder to read by Big Brother but capable of being read if Big Brother has a powerful computer to figure out the pattern; yet easy for Bob to read with knowledge of the pattern (the decryption key). Most technicians understand that more complex algorithms are harder to "crack", or said another way, take more computing power to crack.
How does Computing Power Impact the Time to Crack the Encryption?
Let's consider the example of using computing power to try to guess a 10 digit seemingly random alpha numeric password, such as: tjo9i0982d using a "Brute Force" attack (i.e. trial and error). This would be similar to trying to find a pattern in a universe of combinations of 36 digits (26 possible letters and 10 possible numbers). According to Gibson Research Corporation, in this example, there are 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a "Massive Cracking Array Scenario" with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.
Computing power does matter. But, not many, if any (today), can implement a "Massive Cracking Array Scenario".
Is Today's Commercial Encryption Readable by the NSA with its Computing Power?
This is a question that clearly some people know the answer to. I do not. Most commercial encryption uses algorithms that the NSA has "approved" for "civilian, unclassified, non-national security systems". These algorithms are what encrypt your email or financial transactions when using email encryption or secure HTTP web based connections with commercially available systems. Some of these NSA approved (unclassified) algorithms include DES, Triple DES, AES, DSA and SHA.
Note: it is not only use of encryption that is important, but as Snowden added, "properly implemented strong crypto systems". Those who encrypt email should be sure to use "properly implemented strong crypto systems".
So, let's explore this notion of "properly implemented strong crypto systems".
Security by Obscurity
Bringing this back to Bob and Alice, or you and me, would our use of commercial (NSA approved for unclassified use) encryption be strong enough for our general commercial purposes? I suppose you could consider it so, as long as those who you think may be trying to read your information do not have the computing power, financial resources, and incentive to try to crack the method of encryption you use in your correspondence. To get a sense of the scale in terms of NSA computing power, NPR reported that the NSA is putting the finishing touches on its biggest data farm yet, a $1.2 billion complex in Utah with 1.5 million square feet of top secret space including high-performance NSA computers alone filling up 100,000 square feet.
So, unless (or until, since the NSA Whistleblower says your messages are saved just in case they later need to be read) you elevate yourself the importance of your electronic correspondence to the level that makes your information interesting to the people with this power, your commercially encrypted email should remain private enough...
But if private enough is not good enough, if you are encrypting FOR personal privacy, you should use "properly implemented strong crypto systems" that also consider endpoint security.
As The Guardian reported, the NSA Whistleblower added, "Encryption works... Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." What does Snowden mean by this? A properly implemented strong crypto system should take into account the endpoints, as well as the transmission.
Google Has an Easier Way to Read Your Email
So, for example, if you take great care to type your email in a Gmail compose page, encrypt the transmission, and then send, you are forgetting that Google may be recording, storing, analyzing, and cross referencing the content of the message you type before you encrypt it (as well as perhaps other personal information on your computer or mobile device).
So, for those encrypting for privacy, endpoint security should be evaluated. Note, you can somewhat control your endpoint security by choices you make, but what about the encrypted email recipient's endpoint security?
What to Do to Keep Your Email Private
So, where does this leave us in the new light of the NSA Whistleblower (and Google privacy disclosures)?
The endpoint security is the most likely source of data exposure; meaning, it may be far less computer intensive to access the metadata stored on your computer hard drive every time you type, or access the messages stored in your mailbox on your desktop, mobile device, email server, or internet mail service provider host before encryption when composing, or after decryption, after reading.
If you use commercial encryption for email, you should consider strong crypto systems that take into account providing endpoint security, in particular at the recipient's end, which is out of your control.
There are generally three types of systems to commercially encrypt email today.
1. Public Key Exchange - Secure but Complex for Many. Exchanging public encryption keys among your contacts (PKI Digital Certificates) and using Microsoft Outlook on your desktop computer is a "strong crypto system", but has proven to be too cumbersome for most to purchase and install these certificates, manage the expiration, ensure your recipients have a copy of your public key and you theirs, and all are using a compatible email program such as Microsoft Outlook desktop software.
2. Secure Store and Forward - "Man in the Middle" Problems. Systems that store your message content in the middle, and send a link to the recipients to download the content, are often used, but are not considered "strong crypto systems", as your most sensitive information is now stored on a third party server with unknown data security and message purge practices (which may differ from their stated policies). Further, there is no protection from unknown recipient endpoint security or lack thereof. Note, systems that wrap your email in an encrypted HTML file and send, often purport themselves to be "direct delivery" but leave out the important point that the process of decrypting, is often sending the data back to the server in the middle, and that server storing the decrypted message and displaying it in a web browser (with the same Man in the Middle storage purge concerns). Further, there is no protection from unknown recipient endpoint security or lack thereof. This is better than simple Secure Store and Forward but still has Man in the Middle issues, and for these reasons, these are also not considered "strong crypto systems".
3. True Direct Delivery - Best Method. Systems that wrap the message in an encrypted PDF file are "strong crypto systems" as (a) the message content is not stored in the middle, (b) content is truly delivered to the recipients' desktops encrypted, AND (c) the content remains encrypted at the recipient endpoint to prevent potential disclosure regardless of the recipient endpoint security. Systems that make this method easy to use and implement for both sender and recipient become the true best method "strong crypto systems" for email encryption (for both compliance and personal privacy).
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 30, 2016 04:30 PM EDT Reads: 2,267
To leverage Continuous Delivery, enterprises must consider impacts that span functional silos, as well as applications that touch older, slower moving components. Managing the many dependencies can cause slowdowns. See how to achieve continuous delivery in the enterprise.
Jul. 30, 2016 04:30 PM EDT Reads: 541
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, discussed the importance of WebRTC and how it enables companies to focus...
Jul. 30, 2016 04:30 PM EDT Reads: 1,104
Up until last year, enterprises that were looking into cloud services usually undertook a long-term pilot with one of the large cloud providers, running test and dev workloads in the cloud. With cloud’s transition to mainstream adoption in 2015, and with enterprises migrating more and more workloads into the cloud and in between public and private environments, the single-provider approach must be revisited. In his session at 18th Cloud Expo, Yoav Mor, multi-cloud solution evangelist at Cloudy...
Jul. 30, 2016 04:15 PM EDT Reads: 605
Aspose.Total for .NET is the most complete package of all file format APIs for .NET as offered by Aspose. It empowers developers to create, edit, render, print and convert between a wide range of popular document formats within any .NET, C#, ASP.NET and VB.NET applications. Aspose compiles all .NET APIs on a daily basis to ensure that it contains the most up to date versions of each of Aspose .NET APIs. If a new .NET API or a new version of existing APIs is released during the subscription peri...
Jul. 30, 2016 02:30 PM EDT Reads: 1,055
Security, data privacy, reliability, and regulatory compliance are critical factors when evaluating whether to move business applications from in-house, client-hosted environments to a cloud platform. Quality assurance plays a vital role in ensuring that the appropriate level of risk assessment, verification, and validation takes place to ensure business continuity during the migration to a new cloud platform.
Jul. 30, 2016 02:00 PM EDT Reads: 511
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
Jul. 30, 2016 01:30 PM EDT Reads: 969
Ovum, a leading technology analyst firm, has published an in-depth report, Ovum Decision Matrix: Selecting a DevOps Release Management Solution, 2016–17. The report focuses on the automation aspects of DevOps, Release Management and compares solutions from the leading vendors.
Jul. 30, 2016 01:00 PM EDT Reads: 1,854
Continuous testing helps bridge the gap between developing quickly and maintaining high quality products. But to implement continuous testing, CTOs must take a strategic approach to building a testing infrastructure and toolset that empowers their team to move fast. Download our guide to laying the groundwork for a scalable continuous testing strategy.
Jul. 30, 2016 01:00 PM EDT Reads: 2,122
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, ...
Jul. 30, 2016 12:00 PM EDT Reads: 1,360
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
Jul. 30, 2016 11:30 AM EDT Reads: 1,400
StackIQ has announced the release of Stacki 3.2. Stacki is an easy-to-use Linux server provisioning tool. Stacki 3.2 delivers new capabilities that simplify the automation and integration of site-specific requirements. StackIQ is the commercial entity behind this open source bare metal provisioning tool. Since the release of Stacki in June of 2015, the Stacki core team has been focused on making the Community Edition meet the needs of members of the community, adding features and value, while ...
Jul. 30, 2016 11:00 AM EDT Reads: 629
Qosmos has announced new milestones in the detection of encrypted traffic and in protocol signature coverage. Qosmos latest software can accurately classify traffic encrypted with SSL/TLS (e.g., Google, Facebook, WhatsApp), P2P traffic (e.g., BitTorrent, MuTorrent, Vuze), and Skype, while preserving the privacy of communication content. These new classification techniques mean that traffic optimization, policy enforcement, and user experience are largely unaffected by encryption. In respect wit...
Jul. 30, 2016 11:00 AM EDT Reads: 544
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Jul. 30, 2016 10:45 AM EDT Reads: 1,110
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Jul. 30, 2016 10:15 AM EDT Reads: 1,516