Latest posts by Alvin Bryan (see all)
- Millionaire Tyupkin Malware ATM Hackers May Come to US, India After Hitting Europe - October 23, 2014
- BitLicense Will Allow Bitcoin Spying in New York - October 22, 2014
- Australians are Fighting Data Retention Laws - October 22, 2014
The NSA has long been working with many major Internet companies. Their goal has been to have access to the multitude of data that these companies handle day to day. One of these companies is Microsoft, which helped to develop the VPN protocols PPTP and encryption standards like IPSec. The National Institute of Standards and Technology (NIST) is also involved and may have built weaknesses into other encryption standards that they certify. The point of this is to allow the NSA to get through. The NSA’s continued attacks on encryption standards weakens the protection that Internet users have come to expect from VPN encryption. But there is still hope with providers offering OpenVPN, the only protocol that is considered totally secure regardless of VPN encryption attacks.
VPN Encryption Key Length and Algorithms
The standard for most VPN encryption is using 128-bit encryption keys. Some providers offer 256-bit encryption for very sensitive data, authentication, and handshakes. But 256-bit encryption tends to make connections very slow if used for general data and traffic encryption. In any case, 128-bit encryption is considered secure. To illustrate, with current computing power, it would take about 300 million years to crack a 128-bit encryption key through brute force attack. This is too long to be worth it. The NSA of course does not prefer brute force attacks simply because it takes too much time and computing power.
Encryption algorithm weaknesses are a better bet for cracking encryption. The most common ciphers used today for VPN encryption are Blowfish and AES, with RSA for cipher keys and SHA-1 and -2 for hash and authentication. Blowfish is older and used 64-bit encryption. AES is newer, and is what the government uses. So it is the most secure. But it is likely compromised and therefore unreliable for Internet users suffering under NSA surveillance.
NIST Certified Encryption Standards
AES, RSA, SHA-1 and SHA-2 are all NIST products. The NIST has been very open about working in close cooperation with the NSA. This means that these ciphers most likely have weaknesses built in for the benefit of the NSA. The NSA has been working for years to gain access to encryption standards. So, for an institute that is already very friendly with them, granting access to the NSA is almost a certainty. The NIST denies this, but RSA has already advised people to stop using a certain cipher that they admitted had been coded to allow NSA access. RSA encryption used for certificates has also been reported vulnerable to attacks. This has been done by the British GCHQ, allies of the NSA in their Internet surveillance program. One cracked code makes all exchanges vulnerable if ephemeral keys are not used. Other encryption standards like Dual_EC_DRBG are confirmed to be flawed but are still offered because NIST certification is a requirement.
There is hope that companies will give up the benefits of NIST certification. This is the only way that people can be sure that they are getting more secure options. Independent developers and private companies immune to NSA threats can deliver encryption standards that are not compromised. Silent Circle has already announced that they will stop using NIST certified ciphers. And there is hope for Internet users who choose providers that offer the OpenVPN protocol with key encryption of at least 2048 bits. OpenVPN uses ephemeral keys that are immune to RSA attacks.