NSA and cryptography on the internet

An excellent article on the topic: On the NSA, Matthew Green, Johns Hopkins University

A couple of excerpts:

The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

  • Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
  • Influencing standards committees to weaken protocols.
  • Working with hardware and software vendors to weaken encryption and random number generators.
  • Attacking the encryption used by 'the next generation of 4G phones'.
  • Obtaining cleartext access to 'a major internet peer-to-peer voice and text communications system' (Skype?)
  • Identifying and cracking vulnerable keys.
  • Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
  • And worst of all (to me): somehow decrypting SSL connections.

there are basically three ways to break a cryptographic system. In no particular order, they are:
  • Attack the cryptography. This is difficult and unlikely to work against the standard algorithms we use (though there are exceptions like RC4.) However there are many complex protocols in cryptography, and sometimes they are vulnerable.
  • Go after the implementation. Cryptography is almost always implemented in software -- and software is a disaster. Hardware isn't that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors.
  • Access the human side. Why hack someone's computer if you can get them to give you the key?