Not all data encryption is created equal

I've written a recent spate of articles channelling the tinfoil hat industry that triggered some interesting conversations. Most interesting was a debate about whether or not an organisation like the National Security Agency could take over my home network if it so chose. I suspect any decent hacker with access to the right …


This topic is closed for new posts.


  1. Anonymous Coward

    good article....I think TrueCrypt really is worthwhile - it's open source and they provide alternative algorithms that most software doesn't even use - even though they are really robust (Twofish and Serpent come to mind). The plausible deniability function is great for those that plan on getting taken hostage one day. :)

  2. Anonymous Coward


    Thank 'insert deity here' for that, there's no way MS would put an NSA backdoor in there, it'd be unpatriotic!

  3. Anonymous Coward

    FIPS 140-2

    Do you really trust a security standard endorsed by the US government (Federal Information Processing Standard) to not have a backdoor?

    1. Velv Silver badge

      Re: FIPS 140-2

      Nothing wrong with the standard. It's the implementation that might be susceptible to containing a back door.

      1. Androgynous Crackwhore

        Re: FIPS 140-2

        I'm inclined to side with AC! While the standard may be adequate, to infer this certainly isn't:

        A FIPS 140-2 certificate confirms that the encryption has been implemented in a way that cannot be circumvented.

        Also, while I'm under the silly hat: Assuming our Trev understands the difference between a cipher and digest, he might like to rephrase this...

        Not all encryption is made equal. SHA-1 and MD5 are common encryption methods and are about as safe as plaintext. Cracking them is beyond easy. AES-256 is better – probably the minimum that should be used – but how to be sure the implementation is sound?

        ...'cos it makes him sound like a bit of a tit. A SHA-256 typo?

    2. tony2heads


      Maybe the Chinese manufacturer makes a firmware backdoor in the US designed backdoor?

      Yo dawg I heard you liked backdoors, so I put a backdoor in your backdoor

      1. Tony Haines

        Re: backdoors

        "...I put a backdoor in your backdoor"

        This should have a name. I suggest 'catflap'

    3. Tomato42 Silver badge

      Re: FIPS 140-2

      standard that is made of algorithms created by people outside NSA or NIST, and vetted secure by NSA for use for Top Secret data

      if NSA thinks that a 3rd party algorithm is good enough to protect state secrets, it's good enough to protect my junk

      seriously, only tinfoils consider AES or SHA-3 insecure

  4. Anonymous Coward

    The NSA has either authored, or been deeply involved in the development of, every major Internet security and encryption protocol.

    AES-256 is the only "US Government officially approved" encryption method. It was certified by the NSA. As was SSL.

    Connect the dots.

    1. Steve Knox Silver badge

      Show me the backdoor

      These security and encryption protocols have also been investigated and tested by the best academics and independent experts.

      Many of these experts have been outspoken critics of the NSA and advocates for privacy.

      None of them have found a backdoor.

      The Russian government, the Chinese government, the executives of every major multinational corporation, the Pirate Bay, and the creators of TOR (to name but a few) have the resources and the reasons to find and publicize any NSA backdoors in these standards.

      None of them have.

      It's fucking hard to connect your dots with these encrypted firewalls between them.

      1. Anonymous Coward

        Re: Show me the backdoor

        The weakness in your argument is "publicize". The counter example is Stuxnet and its children.

        Do you really believe that Chinese military hackers, or the Russians, or the NSA would publicize the holes/backdoors they find, i.e., show YOU or anyone else their backdoors?

        1. Steve Knox Silver badge

          Re: Show me the backdoor

          The weakness in your argument is "publicize". The counter example is Stuxnet and its children.

          Do you really believe that Chinese military hackers, or the Russians, or the NSA would publicize the holes/backdoors they find, i.e., show YOU or anyone else their backdoors?

          The weakness in your argument is in selecting only the weakest examples I have given.

          The NSA probably would not but that's why the OP painted them as the baddies and why I didn't cite them as a party who would publicize.

          The Russians and Chinese are a different story. The Chinese might if it were politically expedient, but they're equally likely to lie and say they have found an exploit when they haven't, in order to keep their populace scared of speaking out. The Russians may keep it secret for a time, or they may sell it to some of their hackers.

          But the other examples I cited (and you conveniently left out), the independent privacy advocates, some of whom had a part in creating these algorithms, certainly would publicize any holes and backdoors they found.

      2. Mookster

        Re: Show me the backdoor

        it's in the random number generator that's used to make your key...

      3. Charles Manning

        How much tin foil have you got?

        A problem with any of these discussions is that they never educate, they only serve to amplify paranoia.

        For example, people could argue that Pirate Bay is just an NSA front to make people think there is a dissenting voice out there, when instead it is just an NSA arm that monitors activity. NSA in deep cover if you will...

        Ultimately though, even if the NSA had the resources to hack my network why would they? The cops could in theory also be staking my house out, recording who comes and goes. Or they might have a wire tap. Or a drone circling my house.

        Like 99.9% of the people on the planet I'm completely boring to the authorities. Nothing of value to be gleaned from snooping my network except for a look at where I keep my stash of tin foil.

    2. Velv Silver badge

      It's also a published algorithm and therefore subject to open review by the finest mathematicians in the world. It *may* have weaknesses, but none have been found yet.

      Your choice then is the implementing application. Again most Security bods would advise choosing an open source application that is subject to open review. You chose a vendor from the USA? Now you can put your hat back on.

      1. hj

        implementing security applications

        Check out the "nice" service of HP:

    3. Daniel B.

      AES has been tested.

      The algorithm has been pounded everywhere, even by security bods who don't trust the NSA and it hasn't been cracked. Yes, the implementation even in FIPS 140-2 certified implementations might be considered "NSA 0wnable" but those that aren't should be moderately secure.

      Also, take into account that at least in some FIPS 140-2 revisions, the ghastly TDES is still "certified" ... which I actually distrust. DES was cracked 10+ years ago, and it is pretty possible that GPU/FPGA hardware in the "chump change" range might be able to crack DES within hours; TDES is simply doing DES three times with three different keys. But theoretically, throwing hardware at it should eventually crack it... and it probably has been cracked already.

      1. Fred Flintstone Gold badge

        Re: AES has been tested.

        It may also be worth observing that AES is a bit of a rebadge - the original cipher was called "Rijndael", and was developed by two Belgian cryptographers.

    4. Ru

      AES-256 is the only "US Government officially approved" encryption method. It was certified by the NSA. As was SSL.

      Connect the dots.

      It isn't really in the interests of the NSA to have widely used encryption algorithms with exploits, because you are basically gambling on there being no-one in the whole of the rest of the world who will be clever enough to find out, and nor will the details of the backdoor be leaked within the expected lifetime of the cipher.

      Ultimately, if US citizens and businesses are shafted as a result of inept cloak'n'dagger games by their own government security services, the enemies of the US will be the ones who benefit most, which rather defeats the point of the whole exercise.

    5. Jaybus


      Firstly, the 5 year long AES process was a NIST (National Institute of Standards) program. There is no evidence that NSA had anything to do with the selection of the winner. All NSA cryptographic work is classified and will never be published. The NSA did, however, publicly approve the use of AES by the US government. AES-256 is NOT the only method approved by NSA. In fact, there are two suites of algorithms (Suite A and Suite B) approved for various different purposes, one of which uses AES-128.

      And btw, the winning algorithm selected by NIST was called the Rijndael cypher and was developed by a pair of Belgian cryptographers. To my knowledge neither Professor Rijmen nor Dr. Daemen have ever worked for the NSA.

      The only reason it was a big deal to begin with is because Rijndael was the very first open and publicly available cypher that was approved by the NSA for the top secret classification. The NSA were actually the latecomers. AES was first approved for Dept. of Commerce use by the Secretary of Commerce in 2002. It took the NSA 3 more years to clear it for top secret use.

      All AES contestant cyphers, especially Rijndael, have since been examined by mathematicians worldwide, but if you don't want to use AES, then by all means try the Twofish cypher, a runner up in the AES process that also has never been broken and doesn't have patent issues. The mcrypt open source software is quite good and can use a number of the AES contestants, including Rijndael and Twofish. An open source implementation and an open, published algorithm, together with a tin foil hat, should help keep your dots disconnected.

    6. Yet Another Anonymous coward Silver badge

      The guarantee is inter-service rivalry.

      The CIA wouldn't use an encryption that the NSA could break - the secret service wouldn't use something the CIA could read and so on.

  5. Velv Silver badge

    Flawed assertions

    Encryption is important, don't underestimate that. It does provide some level of protection against some attacks.

    However you should never forget that no matter how strong the encryption algorithm is, it is completely useless if you are authorised to access the data. It's often easier to capture or crack the user ID or even the user.

    From a business perspective, 85% of hack activities and data leakage occur by staff. Staff who have a user ID which will grant them access to the data (otherwise how would they do their job). It might not be raw access, they might not be able to walk out with a disk from a server, but they have legitimate access to the data. Or whoever has stolen their ID has access to the data.

    So the encryption is only as strong as the weakest link.

  6. Anonymous Custard Silver badge

    Your average consumer

    It is not something your average consumer can do, but your average consumer wouldn't even think about the vulnerability of an IPv6 light bulb in the first place

    Given their current price, your average consumer probably wouldn't buy one in the first place either...

  7. JimmyPage Silver badge

    *Properly* implemented encryption ...

    8192 bit encryption is worthless if a user chooses "password" as .... well, as their password.

    1. Fred Flintstone Gold badge

      Re: *Properly* implemented encryption ...

      I use 8 stars. It's the only thing the computer seems to accept..

      TGIF, and no, I don't have a coat - with this weather?!?

    2. Anonymous Coward

      Re: encryption is worthless if a user chooses "password" as .... well, as their password.

      And when you choose something suitably obscure as your password, the encryption is still worthless when you forget/lose it. No, wait - the encryption isn't worthless, your encrypted "data" is. And possibly your miserable existence also, when the other half finds out that n-years of photos/financial records/etc are likewise gone.

    3. Daniel B.

      Re: *Properly* implemented encryption ...

      Indeed. That's why I consider most iPhones insecure, because the "password" is actually a 4-digit PIN. So instead of 2^256 guesses at an AES key, you only need to try 10000 "password" combinations to crack the crypto.

      1. Anonymous Coward

        Re: *Properly* implemented encryption ...

        <That's why I consider most iPhones insecure, because the "password" is actually a 4-digit PIN>

        Settings - general - passcode lock - simple password off. Oh, and "erase data on" (zap the phone after 10x failure).

        You can set the iPhone to accept a longer, complex password as well. If you're paranoid about it showing the characters one by one or you want to be deceptive, you can even set a long digit-only one and it will go present a digital keyboard and not mirror the digits to the screen. The main benefit of that is deception: most people will assume it's a 4 digit code and run into the 10x failure limit without ever coming near the right password.

        Deception is fun. I had one of those Samsonite briefcases with electronic lock, and someone tried to open it at a hacking event - he spent the entire weekend trying. He must have tried every 4 digit combination, but being an evil sod I'd already worked out that you didn't need to use all 4 digits - I just pretended to hit 4 keys. The actual code was just a simple "9" :)

  8. Anonymous Coward

    SHA1 and MD5 are not encryption methods

    Hate to trouble you, but those are cryptographic hashes … not encryption methods.

    Encryption can be reversed through a process called decryption. Cryptographic hashes can not be reversed (in theory — in practice it is possible to guess a cleartext that matches a given hash, but in most cases it's computationally expensive).

    1. diodesign (Written by Reg staff) Silver badge

      Re: SHA1 and MD5 are not encryption methods

      Yes, honest, we do know SHA-1 and MD5 are one-way. I've fixed the article.


  9. Jim 59

    Good article - but you worry too much!

    Of all the on-line activities open to a hacker, breaking into someone's home network is surely the least interesting and poorly rewarded. He might spend 18 hours getting through your router, only to find that all the internal systems are switched off. He just doesn't know until he tries it. And if your NAS is on, is he really going to spend another 20 hours getting into it, only to find a slew of encrypted data ? If at last he gets the goods, will he really be that thrilled to be reading your wife's PDF of a flyer for last year's church garden fete ?

    Somewhere on your network may be the holy grail - say a spreadsheet of your banking passwords. But you know and I know that it is probably on a powered-off system, in an encrypted password app in an encrypted container on an encrypted disk and you have put up so many other obstacles in the way that sometimes even you have trouble accessing it, what with those funny ports, key files, loooooooong passphrases and all.

    All the hacker is going to discover is that you run one of the most secure home networks in Britain.

    I think the key is to have many levels of diverse security, even within the network, so that the "egg" is hard boiled. Regarding cloud - unless you would happily give your front door key to Cloud Ltd, don't give them your data either. Regarding smart phones - I don't see why these should carry personal data, except for a few songs and pictures.

  10. Cliff

    outrun the raptor?

    Do you need to outrun the raptor? Or outrun the fat guy in your tour group?

    For most of us, not being the lowest hanging fruit is as good as we actually need.

    1. Destroy All Monsters Silver badge

      Re: outrun the raptor?

      Kim Dotcom?

  11. Joe Montana


    "The simple reality is that most networks are like eggs – protected by a relatively strong shell but the inside is soft and gooey. If you manage to compromise any one thing on my network the rest will fall like dominoes."

    And this is the whole problem, fundamentally flawed design.

    Every device should be as hardened and closely monitored as necessary given the data on it, and every device should be configured as if it was directly exposed to the internet. If you then choose not to expose such devices you are doing so as an extra line of defence, not as your only line. And you should not accept devices which are fundamentally broken and unfixable.

    Encryption is also not the answer, encrypting your hard drive is great until your machine gets compromised via a network level attack, at which point the encryption key has already been entered and the running system can access all the data.

    Encryption is often misused, for instance DRM schemes where both the encrypted data and the key are provided to the user which means its mere obfuscation as opposed to proper encryption. Similarly many security standards and guidelines say you must encrypt data, but if you also need to access that data then the key must be available too... Quite often convenience wins out, and the key is kept on the same machine.

    In these situations your security is not as strong as your encryption, it is only as strong as the effort required to work out how the data is obfuscated and extract the key - which for a widespread/common system only has to be done once.

    1. Fred Flintstone Gold badge

      Re: WTF

      Every device should be as hardened and closely monitored as necessary given the data on it, and every device should be configured as if it was directly exposed to the internet. If you then choose not to expose such devices you are doing so as an extra line of defence, not as your only line. And you should not accept devices which are fundamentally broken and unfixable.

      Hmm. Be careful not to treat security as an absolute. It's a balance between budget and risk tolerance. Sure, you can nail every single device down - I sometimes have to because of my job, but I also know what that means in terms of maintenance overhead and impact on usability. When I'm onsite, my machines all have a bluetooth lock so the moment I'm away from my desk they lock. They have full disk crypto because that's easier than trying to protect each segment individually, but it means I must fully shut down the box at the end of the day or I'm wasting my time.

      Etc etc etc. So, yes, ideally you lock everything down individually so none can become a bridge head, in practice it tends to be easier to manage the residual risk of not being 100% locked down but have easier to use machines.

  12. Anonymous Coward

    Can't even get into my router to monitor it as its locked down by the ISP....

    ....To add insult to injury they're using WEP for their entire customer base. What donkeys!

    1. an it guy

      Re: Can't even get into my router to monitor it as its locked down by the ISP....

      and you're not allowed/bothered to pick up a router yourself? They're not that expensive (<£40 for a cheap one) where you can alter the encryption.

      1. Anonymous Coward

        Re: Can't even get into my router to monitor it as its locked down by the ISP....

        Can't with my ISP. It simply doesn't work. Whatever configuration, handshaking or screening they are doing on their end, they are blocking user connected routers. If I was a cynic I'd say that it was a deliberate decision to stop people in apartments or condos sharing the pipe by using additional routers to widen and boost the signal to neighbours etc. In addition they place a seal over the coax to stop you even unscrewing it. I had to break one of the outlets to even try....

        1. Long John Brass Silver badge

          Re: Can't even get into my router to monitor it as its locked down by the ISP....

          Then treat the router as part of the internet.

          Place a router of your choosing between your and the ISP supplied one and harden that

        2. Anonymous Coward

          Re: Can't even get into my router to monitor it as its locked down by the ISP....

          "Can't with my ISP. It simply doesn't work. Whatever configuration, handshaking or screening they are doing on their end, they are blocking user connected routers."

          Urgh… my condolences. My advice... if you can't convince those peanuts to implement real security on those routers… get a suitable 50 ohm dummy load with the right fitting and swap it with the Wi-Fi antenna(s). Ensure the ERP is well and truly below the receive sensitivity of any Wi-Fi equipment within close proximity, then get a Wi-Fi AP that you control if you need Wi-Fi.

          Whatever dimwit thinks WEP is anything other than blatant false advertising (RC4 encryption, no key management, flawed authentication and CRC32 hashes, don't make me laugh) should be shot.

          I also think there's a lot said for having a dedicated access point separate to the router. We recently replaced a dickey 3G Netcomm router that we were just using as an AP which had been trouble from day one… The Cisco WAP4410N might've been more than triple the price of some wireless routers, but we wouldn't be using the routing function if it had one, and this device does one thing, and one thing well rather than trying to do everything mediocre.

  13. David Ireland

    Category error: SHA-1 and MD5 are Digests, AES256 is a Cipher

    SHA-1 and MD5 are used to Digest passwords. Digests are one way functions: you don't ever need the password back.

    There is a reason for the confusion BTW: there are sound ways to use a Digest as a cipher, and vice versa, but the result is always less good (usually the computational advantage of the defender over the attacker is less) than a best of breed function designed for its purpose, which shouldn't come as a surprise.

    The Ars Technica article you link to might leave people thinking that the low cost of calculating a digest is a problem, which should be fixed by making the category error of using a cipher instead, but that's not the case: digests are designed to be collision resistant. You can prove that if a digest is collision resistant, then repeating the digest N times (i.e. digest then digest the digest, ...) is the cheapest way to arrive at that answer, so you can make an arbitrarily slow digest, given a collision resistant digest.

    The problem is the way the digest is used. You can equally make the mistake of not salting the digest.

    MD5 is not all that collision resistant, that's its problem. SHA1 is not as collision resistant as its designers thought, but no one has actually found one yet. By all means use SHA2, or SHA3.

    More complicated schemes are harder to prove things about: an implementation may be slow, but without a proof that that's the cheapest way to get the answer, the scheme may later prove to be weak.

    People bang on a lot about how GPUs are being used to crack passwords, but attackers and defenders have access to GPUs to calculate digests, and because hackers benefit from economies of scale, they will always use commodity hardware.
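The point made in the two posts above (a digest is one-way, and the real problem is an unsalted, single-pass digest used as a password store) as an added Python example that is not part of the thread; the "leaked" digests are constructed, and the `pbkdf2_sha256$...` record format is an assumption of this example, not any product's:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of common passwords; in a real incident this would be a
# wordlist, not four entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

ITERATIONS = 200_000  # work factor for the iterated digest (assumption for this example)


def md5_unsalted(password: str) -> str:
    """The misuse discussed in the thread: a bare, fast digest as a password store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password once.

    Because there is no salt, one table serves against *every* unsalted MD5
    table ever leaked; the cost of the digest itself is irrelevant.
    """
    return {md5_unsalted(p): p for p in candidates}


def lookup_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from an unsalted digest by table lookup (no inversion needed)."""
    return table.get(stored_digest)


def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = ITERATIONS) -> str:
    """Salted, iterated SHA-256 (PBKDF2-HMAC).

    The digest is still one-way; what changed is how it is *used*: a per-user
    random salt defeats shared precomputed tables, and the iteration count
    makes each guess cost `iterations` digests instead of one.
    Record format is this example's own: algo$iterations$salt_hex$dk_hex.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salts_differ(record_a: str, record_b: str) -> bool:
    """Two records for the same password must not share a salt (or a derived key)."""
    return record_a.split("$")[2] != record_b.split("$")[2]


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leaked" unsalted MD5 of "password".
    print(lookup_unsalted("5f4dcc3b5aa765d61d8327deb882cf99", table))  # -> password
    rec = store_password("password")
    print(verify_password("password", rec), verify_password("Password", rec))
```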

  14. Anonymous Coward

    "The OpenWRT project doesn't exactly seem to be screaming along, which means that any number of vulnerabilities in that device could be exploited if someone knew where to look.

    The OpenWRT firmware running the router is essentially a Linux distribution. The radio has its own firmware as well. I don't even know how to update that.

    It could have a vulnerability in it that allows a privilege escalation within the router and all of a sudden a knowledgeable attacker owns my Linux-based Wi-Fi router. "

    No one was sacked for purchasing MS,Cisco, etc.... But a Linux distro with no support? No thanks.

    1. Anonymous Coward

      "No one was sacked for purchasing MS,Cisco, etc.... But a Linux distro with no support? No thanks."

      No support? You must be a Microsoft "Technical Evangelist".

      You will be hard pressed to find a modern and popular Linux distro that doesn't have support, either free or purchased. Of course, you could be a troll and pick a Linux distro that few have ever heard of or has been abandoned.

      For most major commercial software the paid support is often inferior to the support freely available online. Free online support forums are usually started by users who are frustrated with the quality of the paid support, or its exorbitant cost.

    2. Beecause

      Support - what support

      There have definitely been security holes in commercial home network gear.

      So how good is the support? Anyone ever had an email to say they need to update their home router?

      It's always good to check if an opensource project is alive in making decisions but if it is, security normally gets attention. Commercial support often only lasts so long, often not long on home kit.

  15. John Smith 19 Gold badge

    The bottom line is it's damn hard work for *experts* to ensure their privacy. *but*

    That is not an argument to give up.

    The internet protocols made some assumptions which are no longer valid.

    All users were authorized to use the internet by default (no bad guys) and all users knew what they were doing and the operator (back then mostly governments) is not interested in peeking.

    None of these can be relied upon any more, despite the fact there is no legitimate reason for 24/7/365 surveillance of all internet traffic in a country that still believes in the presumption of innocence.

    It's time for a new generation of protocols which support privacy and security. So I don't have to say who I am all the time but when I identify myself it really can only be me.

    IOW it's time to make the egg "hard boiled"

  16. Duncan Macdonald Silver badge

    Easy for the NSA and friends to make "strong" security actually be weak

    A number of protocols (SSL being a major example but also PGP) have one side choosing a long random key and sending that key via public key encryption to the other party. An easy backdoor for the suppliers of the software is to make the apparently 128-bit (or 256-bit) random key have only 32 bits of randomness and the other bits derived by an algorithm from those 32 bits. An ordinary user would not notice any difference but for the NSA it would reduce the crack time down to insignificance as they would only have a 32 bit key space to search.

    If such a backdoor is present in Windows or the commercial version of PGP, it would be almost invisible to users who think that they have strong steel armour but instead have wet tissue paper. (Linux and OpenPGP should be secure as the sources are published and any backdoors would be rapidly found.)

    1. Jaybus

      Re: Easy for the NSA and friends to make "strong" security actually be weak

      True, such a back door would be trivial to implement. But it would be a really stupid move. The NSA equivalent in all other nations would also trivially discover the back door. Although it is a government agency, I think the NSA is at least more clever than that.

  17. Beecause

    What are the chances...

    "To be clear: the chances of a vulnerability existing, someone knowing about it and having both the skill and equipment to compromise such a device are vanishingly... "

    But then you don't need everyone to know you just need an efficient scanner and devices to be visible.

    I remember people thinking what are the chances of a modem connecting to my phone number - there are millions of phone numbers... Then war dialing became popular and people started using passwords...

  18. Anonymous Coward

    Ken Thompson - Reflections on Trusting Trust

    "Ken Thompson's Reflections on Trusting Trust, his Turing Award acceptance speech in 1984, was the first major paper to describe black box backdoor issues, and points out that trust is relative.[5] It describes a very clever backdoor mechanism based on the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.

    Thompson's paper describes a modified version of the Unix C compiler that would:

    Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist

    Also add this feature undetectably to future compiler versions upon their compilation as well.

    Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN and at least one use of the backdoor was recorded.[6]

    This attack was recently (August 2009) discovered by Sophos labs: The W32/Induc-A virus infected the program compiler for Delphi, a Windows programming language. The virus introduced its own code to the compilation of new Delphi programs, allowing it to infect and propagate to many systems, without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.[7]"

  19. Eugene Crosser

    NAS encryption

    Arguably, encrypting data on a NAS is pointless.

    Encrypting an Android device is mostly useless too.

    Encrypting all data on a device makes sense if that device spends most of the time turned off. Such as a thumb drive, for instance. When "they" get the device, it does not contain the decryption key, so your data is safe. Ditto a laptop with FDE if you turn it off while not in use.

    Encrypting data on a NAS device only helps against burglary, while the most probable attack is to take over the running device. While it is running, the decryption key is in its memory, and all data is accessible. Ditto Android device in your pocket that has dark screen, but running CPU. Encrypting it may be useful to comply with some stupid corporate policy, but does very little to protect the data from leakage.

    What makes sense is to keep select sensitive bits encrypted, such as to keep passwords in a "crypto wallet". In such applications, the decryption key and decrypted data only stays in memory for a few minutes after you've entered the password, and is safely encrypted for the most of the lifetime of the device that carries it.



Biting the hand that feeds IT © 1998–2019