(Newswire.net — July 2, 2013) Portland, OR — NSA Whistleblower, Edward Snowden, revealed that our digital identities are being captured, stored, analyzed, and categorized, not only by the NSA, but by other companies as well (review the privacy policies of Facebook, Linkedin, Google email, etc.). What the NSA system does is combine ALL your communications across telephone, internet, web, mobile app, and email.
However, email encryption works in keeping your email message private. As The Guardian reported on Monday, June 17, the Snowden said:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
So what type of “encryption” works, for whom, what, and when?
While “Pig Latin” may have worked in the past, it is far too simple. If Big Brother intercepts the message he’ll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and a little trial and error. And if you use a computer you can crack it even faster.
You could try dreaming up a complicated mathematical formula to scramble the letters and numbers. A perfect job for a computer. But Big Brother has Big Bucks and can hire clever mathematicians, or a buy a bigger computer and will eventually crack the code. if he just has a big enough computer, he will be able to crack the code eventually.
So what did Snowden refer to by “strong crypto systems”? Complex encryption patterns are harder to read but are still capable of being read with enough brute force.
Let’s use a super computer to “guess” a 10 digit seemingly random alpha numeric password, such as: tjo9i0982d using the “Brute Force” method. According to Gibson Research Corporation, that example provides 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a “Massive Cracking Array Scenario” with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.
In this case, size does matter. But how many of us can deploy a “Massive Cracking Array Scenario”?
So if commercial encryption used by email and financial institutions is NSA “approved” for “civilian, unclassified, non-national security systems”, can the NSA read your encrypted data?
Is your encryption strong enough in light of a“properly implemented strong crypto systems?” Possibly but to understand how many resources the NSA has in terms of computing power, NPR reported the NSA is just finishing its largest data farm yet, a $1.2 billion complex in Utah with 1.5 million square feet of top secret space including high-performance NSA computers alone filling up 100,000 square feet.
Google allegedly provides information to NSA and other government organizations upon request, and also perhaps others, depending on how you interpret what they disclose on their website privacy policies. Google’s privacy policies disclose that … “Local storage: We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches” and further “may combine personal information from one service with information, including personal information, from other Google services.”
With all of the hype about NSA computing power, endpoint security may be a greater concern – Google is telling you that they record, analyze, cross reference your personal information, not only what you type into a Google application, but potentially all application data that is stored on your device (the endpoint) that they can access using their techniques.
So where does that leave us?
Endpoint security is the most likely source of exposure; meaning, it may be far less computer intensive to access the metadata stored on your computer hard drive every time you type, or access the messages stored in your mailbox on your desktop, mobile device, email server, or internet mail service provider host before encryption when composing, or after decryption, after reading.
If you use commercial encryption for email, consider using strong crypto systems that take into account providing endpoint security, in particular at the receiving end, which is out of your control.
1. Public Key Exchange – Secure but Complex. Exchanging public encryption keys among your contacts (PKI Digital Certificates) and using Microsoft Outlook on your desktop computer is a “strong crypto system”, but is too cumbersome to install the certificates, manage the expiration, ensure your recipients have a copy of your public key and you theirs, and all are using a compatible email program such as Microsoft Outlook desktop software.
2. Secure Store and Forward – “Man in the Middle” Problems. Systems that store your message content and send a link to the recipient to download the content, are not considered “strong crypto systems”, since your sensitive information is now stored on an unknown third party server. This is better than simple Secure Store and Forward but still has Man in the Middle issues, and for these reasons, these are also not considered “strong crypto systems.”
3. True Direct Delivery – Best Method. Systems that wrap the message in an encrypted PDF file are “strong crypto systems” as;
- the content is not stored in the middle,
- content is truly delivered to the recipients’ desktops encrypted, AND
- the content remains encrypted at the recipient endpoint to prevent potential disclosure regardless of the recipient endpoint security.
Systems using the “True Direct Delivery” are easy to use and implement for both sender and receiver becoming a “strong crypto system” for email encryption.
Source: http://www.rpost.com/blog/896-independence-day-the-revolution-for-digital-privacy-begins-now
Related news: http://www.newswire.net/newsroom/financial/74902-online-security-how-to-protect-your-identity.html
RPost, winner of the World Mail Award for best in security, provides what is described here as True Direct Delivery strong crypto systems that are simple to use and install with no storage by RPost. Both government and commercial organizations have relied on RPost email encryption all over the world, as part of its RMail® service offering. RPost has been offering secure electronic messaging services for more than 10 years.
Author: Google+ Jan Johansen