
NSA at it again

By Gareth Greenwood

A recent article in Ars Technica reports that NSA can very probably break the Diffie-Hellman key exchange that protects a large share of internet traffic, and so mount “man-in-the-middle” attacks on it or simply decrypt it passively. The weakness is not in the mathematics but in the deployment. A Diffie-Hellman exchange needs a large prime and a generator, and rather than generate their own, most internet servers take these from a handful of published groups that ship with their software. The expensive part of breaking such a group, a number-field-sieve precomputation, depends only on the prime and not on any particular key, so it need only be done once; after that, each individual exchange that uses that prime can be broken quickly. The researchers behind the story did exactly this for a 512-bit prime with university-scale computing resources, and estimate that the same precomputation for a 1024-bit prime is within a nation-state budget. Knowing which primes are in common use, NSA can, albeit after some lengthy pre-calculation, decrypt a large percentage of internet communications. Fort Meade has probably achieved this by throwing computing resources at the small set of primes that most net servers actually use.

Your author considers this no great surprise. Many previous, allegedly strong cryptosystems have been broken as a result of poor working practices by their users. (After all, it was U-boat operators' over-frequent transmission and their use of stock phrases such as “Heil Hitler” that gave Bletchley Park the cribs it needed against the U-boat Enigma.) The Diffie-Hellman mathematics is, in theory, perfectly sound at these key sizes. The snag is that somebody must choose the prime, and generating a suitable one is slow and needs more number theory than most users possess. So software ships with default groups, standards bodies publish recommended ones, and the same few primes end up on millions of servers: the research Ars reports on found a single 1024-bit prime behind 18% of the top million HTTPS sites and another behind two thirds of the VPN servers surveyed. This is the opening that NSA has, apparently, exploited, since a precomputation that would never pay off against one server pays off handsomely against a prime shared by a fifth of the web. To professional cryptanalysts, sharing a public parameter with everyone else and keeping it for years is exceptionally poor operational discipline, because it lets the adversary amortise the cost of breaking it. (Elliptic-curve Diffie-Hellman, for which no comparable precomputation attack is known, is the researchers' preferred remedy, with fresh 2048-bit groups where the older kind must be kept.) Needless to say this tends to be lost on the great unwashed of commercial IT departments.
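The cost split described above is easier to see in code than in prose. The following is an added example, not code from this post or from the research it discusses: it runs a toy Diffie-Hellman group (a constructed 19-bit Mersenne prime, chosen only because it is well known; real groups are 1024 or 2048 bits and use safe primes) and replaces the real attack's number-field-sieve precomputation with a deliberately lopsided baby-step/giant-step table. The structure is what matters: everything in precompute_group depends only on the group (p, g), never on anyone's secret, so the attacker does it once and then breaks every exchange on that group with a handful of operations each. The names and the table size are my own choices.

```python
"""Why a shared Diffie-Hellman group is a precomputation target.

Added example (not from the original post). Toy-sized so it runs in a
fraction of a second; the per-group / per-connection split is the point.
"""
import secrets
import time

# Constructed toy parameters; NOT real DH parameters.
P = 2**19 - 1        # 524287, a Mersenne prime (real groups: 1024/2048-bit safe primes)
G = 3                # base element; the attack only needs the subgroup it generates
TABLE_SIZE = 2**16   # baby steps stored per group: the "precomputation"


def precompute_group(p=P, g=G, table_size=TABLE_SIZE):
    """Per-group work, done once: baby-step table and giant-step factor.

    Stands in for the attacker's precomputation. Nothing here depends on any
    party's secret exponent, so the result is cached and reused against every
    connection that negotiates this (p, g).
    """
    table = {}
    cur = 1
    for j in range(table_size):          # table[g^j mod p] = j (smallest j wins)
        table.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, p - 1 - table_size, p)   # g^(-table_size) mod p, by Fermat
    steps = -(-(p - 1) // table_size)       # ceil((p-1)/table_size): covers all exponents
    return {"p": p, "g": g, "m": table_size, "table": table,
            "giant": giant, "steps": steps}


def dlog(pre, h):
    """Per-connection work: smallest x >= 0 with g^x == h (mod p), or None.

    Giant steps: gamma_i = h * g^(-m*i). When gamma_i == g^j is found in the
    baby-step table, h == g^(i*m + j). With a large table this loop is short.
    """
    p, m, table, giant = pre["p"], pre["m"], pre["table"], pre["giant"]
    gamma = h % p
    for i in range(pre["steps"]):
        j = table.get(gamma)
        if j is not None:
            return i * m + j
        gamma = gamma * giant % p
    return None


def dh_exchange(p=P, g=G):
    """Honest client and server on the shared group: returns (A, B, shared secret)."""
    a = secrets.randbelow(p - 2) + 1     # private exponents in [1, p-2]
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def eavesdrop(pre, A, B):
    """Passive attacker: recover the client's exponent from A, then the secret."""
    a = dlog(pre, A)
    if a is None:
        return None
    return pow(B, a, pre["p"])


def break_exchanges(pre, n):
    """Run n independent exchanges on the group; return how many were recovered."""
    recovered = 0
    for _ in range(n):
        A, B, secret = dh_exchange(pre["p"], pre["g"])
        if eavesdrop(pre, A, B) == secret:
            recovered += 1
    return recovered


if __name__ == "__main__":
    t0 = time.perf_counter()
    pre = precompute_group()
    t1 = time.perf_counter()
    n = 1000
    got = break_exchanges(pre, n)
    t2 = time.perf_counter()
    print(f"precomputation, once per group: {t1 - t0:.4f}s "
          f"({pre['m']} baby steps)")
    print(f"{got}/{n} exchanges broken in {t2 - t1:.4f}s total, "
          f"at most {pre['steps']} giant steps each")
```

Scaling the prime up does not change the shape of the result, only the size of the one-off bill. The practical check on a real server is which group it actually offers: `openssl s_client -connect host:443` (OpenSSL 1.0.2 or later) prints a `Server Temp Key` line giving the key-exchange type and size, and `openssl dhparam -out dhparams.pem 2048` generates a group of your own rather than one shared with the rest of the internet.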

Should we worry? The author thinks not – at least not yet. Even NSA has finite resources and they have to be prioritised on the worst and most imminent threats. The critical resource in signals intelligence is not data-gathering assets but intelligence analysis staff. Put crudely, NSA is not interested in your membership of a fetish bulletin board unless it would give them leverage in persuading you to help them in other, weightier matters. A quick sanity check on likely scenarios and numbers ought to persuade most people not to fret too much.

On the other hand, things are potentially far more worrying with the Internet of Things (IoT). Developers of network-connected things will typically be small companies unable to afford their own crypto staff. There will be price pressure to keep things simple, if only because the “things” may have only small microcontrollers within, and a small microcontroller is exactly where a developer is tempted by a short, shared, hard-coded group that a bigger processor would not need. Here NSA's antics are a clear warning. The danger is that nobody knows how soon the ability to break the weaker kinds of public-key cryptography will end up in the hands of criminal gangs; the 512-bit precomputation already needs no more than university-scale computing. If that happens, driverless cars getting hacked might be the least of our problems. Think what you could do if you could hack an IoT-based logistics system to change the routing details of an air-freight parcel. A cyber-attack here could have massive repercussions for world trade.

The time can't be far off when IoT developers will have to consider, within their quality management systems, whether a device will get hacked within its service lifetime: whether the key sizes and groups baked into the firmware today will still be out of reach in ten years, and whether the device can be updated if they are not.


The Ars Technica article can be found at:


Dec 2015