Most common encryption protocols are useless against NSA surveillance, new leak reveals

A new leak appearing in The Guardian and The New York Times today, based on documents leaked by Edward Snowden, details NSA and GCHQ efforts to circumvent, undermine, and crack various forms of web encryption. If the details in the documents are accurate, the HTTPS and SSL encryption used by most email and banking services offers little to no protection against NSA surveillance.

The articles detail a decade-long NSA project to attack encryption standards from every angle, employing server farms for brute-force decryption, using malware to intercept messages before encryption could take place, and working from within the tech industry to ensure the adoption of protocols that would be easier to circumvent. In one 2006 incident, the NSA even became sole editor of an encryption standard, able to insert backdoors and workarounds at will. The resulting code was often suspected of government tampering, but that suspicion was never proven until now.

As a result, a 2010 GCHQ memo says, "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable." The decryption effort was particularly important to the UK's surveillance efforts, as it allowed them to make sense of the torrents of encrypted data they collected from tapping into undersea web cables. Without some method of decoding the data, collection would have been useless.

The leaked documents also show an aggressive effort to collect and store decryption keys for the NSA's Key Provisioning Service, which the documents say is capable of decrypting many messages outright. The keys are reportedly gathered through both legal and extra-legal means, although experts told the Times it was likely the agency was hacking into corporate servers to obtain many of them.

The leak also answers many of the questions raised by the NSA's PRISM program. After the details of the program leaked, companies lined up to deny bulk decryption of user data, leading many to wonder how the NSA was able to access the data without the companies' help. While today's leaks don't answer the question definitively, they help explain many of the contradictions involved, and raise troubling new questions about the encryption standards protecting everything from private emails to credit card transactions.