The crypto world is in total upheaval. We have articles claiming the NSA can read the entire Internet at will, encrypted or not, with several rumors circulating that the NSA has cracked our most popular crypto algorithms. We have unsubstantiated stories saying the NSA and other spy agencies have placed secret backdoors within many, if not most, popular encryption products. Even yours truly has said that Quantum ciphers will likely render most past encrypted secrets into plaintext. It all sounds so bad, you might think encryption is a feckless exercise to make the public feel falsely secure.
How bad is it, really? Well, if your life is nothing but crypto all the time, last week was not a good week. To hear some people tell it, it hasn't been a good past decade -- we just didn't know it.
[ Build and deploy an effective line of defense against corporate intruders with InfoWorld's Encryption Deep Dive PDF expert guide. Download it today! | For quick, smart takes on the news you'll be talking about, check out InfoWorld TechBrief -- subscribe today. ]
But here's why I can't get overly upset. Note, however, that the following post represents my personal opinion and does not reflect the opinion of my employer, nor is it informed by any information gained through my employment at Microsoft.
1. The reliability of the source
Many of the revelations have come from information released by one guy, currently hiding out in Russia. He's one former NSA employee who worked on one job. I have no doubt much of what he has said and released is true. As I've stated in previous columns, he hasn't revealed much that we didn't already know (or assumed was happening, especially if you follow the author James Bamford). But we haven't seen a single detail or example for most of the disclosures. In the era of "yellow cake uranium" and "weapons of mass destruction," I need a little more proof.
Has the NSA broken all popular crypto, one cipher, or one cipher with small key sizes that should have been upgraded a long time ago? We don't know. And how those questions are answered makes a big difference.
2. What changes if the NSA can crack anything?
Let's suppose that the NSA can break all popular crypto with everyday key sizes. That's a big assumption to make, but let's suppose it's true. How much harm is it doing at this particular moment in time?
I mean, 99.9999 percent of encrypted stuff isn't all that exciting and doesn't need encrypting. We're talking encrypted financial transactions, emails, and VPN traffic. If they see what I buy and pay, it's not terribly important. We encrypt private emails, most of the time to avoid the eyes of coworkers and competitors. We might care if the NSA saw them, but there is unlikely to be much fallout.
A lot of what's encrypted that other law enforcement agencies would actually care about involves illegal transactions: the logistics of drug trafficking, child pornography, and so on. The NSA isn't interested in that, but if the agency happens to take down those sorts of items -- well, they are illegal. Personally, I'd be pretty happy if all the child pornographers in my town were arrested.
I'm not saying good encryption isn't needed -- it is. It's the basis for all serious global and local digital communications you can trust. We have people around the world fighting against evil regimes that are mass murdering their own citizens. We have individuals being deprived of basic human rights on a daily basis. We have intellectual property and patents that need protecting. We have medical records, bank records, real estate ownership transactions, and lots of other topics that need to remain private. But the NSA isn't interested in most of that. It's interested in spies, foreign governments, and terrorists.
My larger fear is that the same cracking capabilities trickle down to common criminals and foreign governments. Let's be clear: That will happen. Most of those supersecret crypto cracking shortcuts will make it into the wild. Heck, right now, we have no idea who might have similar capabilities or whether they're already using them.