- New Issue
- Books & Reviews
- About Us
Tales from the Crypto Community
The NSA Hurt Cybersecurity. Now It Should Come Clean.
NADIA HENINGER is an assistant professor of computer and information science at the University of Pennsylvania, where her research focuses on cryptography and security. J. ALEX HALDERMAN is an assistant professor of computer science and engineering at the University of Michigan, where his research focuses on computer security and public policy.See more by Nadia HeningerSee more by J. Alex Halderman
Of all of the revelations about the NSA that have come to light in recent months, two stand out as the most worrisome and surprising to cybersecurity experts. The first is that the NSA has worked to weaken the international cryptographic standards that define how computers secure communications and data. The second is that the NSA has deliberately introduced backdoors into security-critical software and hardware. If the NSA has indeed engaged in such activities, it has risked the computer security of the United States (and the world) as much as any malicious attacks have to date.
No one is surprised that the NSA breaks codes; the agency is famous for its cryptanalytic prowess. And, in general, the race between designers who try to build strong codes and cryptanalysts who try to break them ultimately benefits security. But surreptitiously implanting deliberate weaknesses or actively encouraging the public to use codes that have secretly been broken -- especially under the aegis of government authority -- is a dirty trick. It diminishes computer security for everyone and harms the United States’ national cyberdefense interests in a number of ways.
Few people realize the extent to which the cryptography that underpins Internet security relies on trust. One of the dirty secrets of the crypto world is that nobody knows how to prove mathematically that core crypto algorithms -- the foundations of online financial transactions and encrypted laptops -- are secure. Instead, we trust that they are secure because they were created by some of the world's most experienced cryptographers and because other specialists tried diligently to break them and failed.