Want To Avoid NSA-Corrupted Crypto? Get Thee To The Geeks

The NSA may have ruined Internet security, but Silent Circle is leading the way in pushing non-standardised encryption. Tom Brewster says this is the way forward

If you break something, you almost always pay a price. Or die before you have to.

The NSA broke encryption algorithms and shoved them out into the world, harming the security of the Internet in general, according to reports. Super slow clap there. But what price will the intelligence agency pay?

It doesn’t care too much about being widely despised. It has always been thus, no? The biggest price will be the degradation of its ability to intercept and decode messages. That’s because anyone who really cares about privacy will never trust anything the NSA puts its mitts on.

That is why Silent Circle, co-founded by PGP legend Phil Zimmermann, is working with insanely smart mathematicians to forge new methods for elliptic curve cryptography.

Moving on from NSA-approved encryption

In a fantastically anti-establishment blog post (one which quotes musician Richard Thompson and fantasy writer James Branch Cabell), Silent Circle’s other co-founder Jon Callas fretted about pieces of cryptography the NSA is believed to have toyed with – the Dual Elliptic Curve Deterministic Random Bit Generator and elliptic curve mathematics in NSA Suite B.

The NSA was accused of subverting encryption standards and having them delivered to the world via the National Institute of Standards and Technology (NIST). Silent Circle’s answer to this, Callas said, is to implement a non-NIST cipher suite.

It said it would be replacing its use of AES with a different cipher called Twofish, a symmetric key block cipher that was never adopted as a standard. It will also stop using the SHA-2 hashing algorithms, instead using Skein, which Callas helped design. But the most exciting thing is that it is working on fresh approaches to elliptic curve cryptography, which it will be sharing with the world in the “relatively near future”.

“The old cipher suites will remain in our systems. We’re not going to get rid of them, but the new ones will be the default in our services,” Callas added. “We understand there are gentlepersons who will disagree with our decision, so we’re not completely getting rid of the existing crypto.

“It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world.”

Schneier would be impressed

This is exactly the kind of response to the NSA leaks that fellow crypto hero Bruce Schneier, who helped design the Twofish cipher, was calling for. Engineers, removed as far as possible from government, are the ones who can now create and spread ciphers as far and wide as possible, making the Internet secure again.

If they can create new forms of the NSA’s much-beloved elliptic curve cryptography – which is based on the extreme difficulty of finding the “discrete logarithm” of some randomly chosen point on an elliptic curve – the likes of Silent Circle will no doubt be laughing their backsides off.

But Silent Circle remains a small organisation, one that gains a lot of money from private businesses and public sector organisations. To get us to the point where Schneier and many others want us (i.e. where encryption can be trusted again), all vendors with a privacy conscience should either follow in the footsteps of Zimmermann and Callas or get in their own crypto geeks to implement non-standardised encryption, sharing it with whomever they choose.

The answer for those who want to avoid the NSA’s all-seeing eyes, it seems, is for organisations to stop treating encryption as some esoteric art, embrace it and support as many forms as possible. Want to do it right? Do it yourself, or get yourself a geek.
