Thales Blog

Trusted Encryption

September 11, 2013

Trusted EncryptionThe recent NYT article, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, has caused quite a commotion in our industry.  The revelations in it are indeed scary.  The initial title of the article was very provocative: "NSA Foils Much Internet Encryption", which implies that they have fundamentally broken the cryptography in use today.  That does not appear to be the case.  The title of the article has since changed to "N.S.A. Able to Foil Basic Safeguards of Privacy on Web" which is more accurate although not as provocative.

Nonetheless, another of the NSA’s cats is out of its bag.  It's now a completely reasonable question to ask: "Vormetric uses encryption.  Does the government have a backdoor into everything encrypted by Vormetric?"

The answer is an unequivocal NO.  Of course, it may be difficult to convince you of this, since if it were true I would be compelled by our government to lie to you.    I assure you that the encryption is sound, we have not inserted any back doors, and we are not a likely target of the NSA.  But assurances are cheap, so let’s look at the facts:

First, the cryptography.  The crypto we use hasn't been broken.  Why do I believe this? The words of Snowden himself, from the long-form Q and A at the Guardian

Question: "Is my data protected by standard encryption?"

Answer (Snowden): "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

Snowden has no reason to lie about this.  Moreover, he protected his own communication to journalists with industry-standard encryption.  And he is completely correct about endpoint security.  A truism of security is that "cryptography is bypassed, not broken", and that's what the NSA has done.  Looking closely at the rest of the article, it appears that the NSA has had the most success capturing the data over the network, not at rest, either obtaining cryptographic keys with the cooperation of service providers or obtaining data in the clear before it's encrypted.

This is confirmed by Bruce Schneier’s response to the Times article, where he says

 "The primary way the NSA eavesdrops on internet communications is in the network... Leveraging its secret agreements with telecommunications companies, the NSA gets access to the communications trunks that move internet traffic."

The NSA does have many cryptographers, and they do publish recommendations for cryptography.  I was disturbed by the article's mention of vulnerabilities they planted in a NIST standard:

 "Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

 Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”'

The article is maddeningly silent on exactly which standard they're referring to.  So what is the standard, and are we using it?  A little bit of googling turns up an article written by Bruce Schneier in Wired Magazine in 2007.  It describes the controversy over the "Dual_EC_DRBG" mode of the "SP 800-90 DRBG" document, which describes techniques for Deterministic Random Bit Generation - in other words, random numbers.  The standard was coming out in 2006, and in 2007 Dan Shumow and Niels Ferguson (from Microsoft) publicized the vulnerability.  I can't prove this is the same standard mentioned in the article, but all the data points fit perfectly.

The SP 800-90 document describes four different techniques for generating random numbers, and Dual_EC_DRBG is just one of them.  While we do follow SP 800-90, we use the "CTR_DRBG" mode, which is based on AES-256.  Given that AES-256 is believed to be safe, I'm comfortable using it.

This backdoor-in-a-standard fiasco highlights the advantages of open standards.  There are a lot of really, really smart cryptographers out there, and many of them are trying to break encryption standards.  On the other side we have the government, with some of the smartest minds in cryptography behind closed doors, and they're trying to insert a backdoor into a standard.  The government's efforts were detected inside of a year, and failed miserably.

Enough on the crypto side.  There are more arguments for why the government doesn't have a backdoor into Vormetric.  The first one being that our customers receive our Data Security Manager (DSM) in a "blank" state.  It contains no keys, and it has no mechanism to "phone home" to us.  If the government called and asked for the keys of one of our customers, we could not help them.  And for that matter, the keys themselves aren’t shown or exportable in the clear.

We also have no backdoors into the DSM.  If we did, and it were discovered, the taint on the company would be so great that it would fundamentally threaten our business.  Vormetric is not (yet) so large that we can shrug off allegations of insecurity in our bread-and-butter product.

Finally, the focus of the NSA programs seems to be on more service oriented companies, and around data in motion on the network.  They work with large solution providers and with service oriented companies to collect data.  We're neither of those things, and we protect data at rest, not data in motion.  In other words, the profile of Vormetric doesn't fit what the NSA has been traditionally targeting.

I hope I've been able to inject a little moderation into the story.  All of cryptography is not broken.  Vormetric is not backdoored by the NSA.  And with our strong, secure encryption we'll still help you keep your data safe - from hackers, insider threats, auditors, and even governments.