Just
when we thought the NSA/NIST crypto revelations could not get any worse, there
are now reports about smart cards in Taiwan having bad random number
generators. This makes it relatively easy for hackers to guess what encryption
keys are being generated and to tap into what was previously thought to be secure
communications. These reports are coming out despite the fact that the smart
cards had two international certifications. With that in mind, you may be
wondering what the NSA and NIST have to do with all of this. Apparently, NIST and
its counterparts worldwide manage the certifications in question. All required tests
supposedly passed, yet a smart card maker now apparently has worthless certifications.
As many as 10,000 people could be affected Ars Technica is reporting, and
people are starting to questions whether or not this is further evidence of the
NSA having weakened encryption standards.
For
people who are unaware of what a smart card is, here is a basic run down. A
smart card is any pocket-sized piece of electronics with integrated circuits. In
most cases, the cards are usually used for authentication. In this case, it is
a card that is used to identify citizens and do tasks like file taxes and
register cars. Rather than have to go about remembering a password or risk
losing a random file on your computer, smart cards will store generated encryption
keys for you. Since the keys are stored on the card, it is both harder for
attackers to get ahold of them in addition to having other additional
protections.
Based
on what was discovered, a Royal Holloway scientist told Ars Technica that there
was no way for the smart cards to somehow have passed certifications without
this problem with random numbers being found out. The tests were either not run
for some reason, or NIST purposefully allowed bad encryption to be used so that
it could later be taken advantage of. The NSA revelations have caused many to
question NIST approved random number generator algorithms and some news sources
have hinted that our government is saying we should avoid the algorithms
altogether. The close ties between the two organizations only adds more
concerns as time goes on and more evidence is found.
Although
the NSA claims it is protecting America, these malicious acts that we keep
hearing about seem to be more damaging than anything else. It is no secret that
other countries spy on us, so why is the NSA making their job easier? Why is my
personal information at risk solely to appease the NSA’s paranoia with no noticeable
benefit for myself? I have used an
encryption hard token to remotely connect to my work computer in the past. Is
my work now in danger of being stolen by competitors? The only non-bad news
that came out of these revelations is these specific smart cards only seem to
be in use overseas. That does not mean that other technologies I may
unknowingly use are safe though. I don’t think anyone but the NSA knows just
how many different technologies have been compromised.
Regardless
of whether or not the NSA is involved with this specific case, there are some
important lessons to learn from this. What is important to know is that this
further highlights the need for international review of our standards and for
more scrutiny when governments suggest changes to existing cryptography. We
also need for cryptography implementations to be open. Security through
obscurity does not work and is not all that trustworthy in the first place. Hopefully
news like this will get people to think twice about the technology they use and
to be more careful in the first place about where they are storing their data.
No comments:
Post a Comment