As one of the architects of the popular PGP program, you’d expect Peter Gutmann from the Department of Computer Science at the University of Auckland to be extolling the virtues of encryption for protecting our data. Instead, he says “Encryption is the chicken soup of security, feel free to apply it if it makes you feel better because it’s not going to make things any worse, but it may not make things any better either”.
Gutmann’s talk, which closed out the security stream at the Technology in Government summit held in Canberra during August 2015, took attendees through a tour of recent encryption “hacks” and history. He looked at how over the last decade crypto had ultimately failed. Even when the crypto was weak it was much easier to just bypass it.
During his lightning-fast presentation Gutmann looked at some of the data exposed by Edward Snowden – in particular, documents relating to Project BULLRUN. Funded to the tune of between $250M and $300M, this US government initiative was designed to develop "capabilities against a technology". Compared to other security programs BULLRUN was relatively inexpensive and delivered stunning results.
BULLRUN developed the capability to thwart TLS/SSL, HTTPS, SSH, VPNs, VoIP and webmail.
Gutmann told attendees how sophisticated cryptography has been overcome. For example, he described how most of the major gaming consoles use crypto as a way of securing systems and limiting access to user data. However, all have been hacked to some degree. He noted that just a few years ago, the type of encryption applied to data within gaming consoles was reminiscent of systems governments and security agencies used.
Despite that sophistication, every gaming console, smartphone platform and computer system had been hacked. And in every case it wasn’t the encryption that was broken but the systems surrounding the encryption.
This was highlighted by the revelation of how the NSA was intercepting communications equipment shipped by Cisco to customers and installing surveillance equipment into the routers and switches. Gutmann noted Cisco CEO John Chambers had written to President Obama asking for this to be stopped and that Cisco was in no way compliant with the program.
Encryption tells bad guys what to target
Gutmann says that many hackers look at a system, ignore the encrypted elements and simply attack the rest of the system. In fact, the presence of encrypted data is used as a pointer to where the “good stuff” is, he says.
In summing up, Gutmann put a simple data point on the screen for everyone to reflect on:
Number of attacks that broke the crypto: 0
Number of attacks that bypassed the crypto: All the rest
"No matter how strong the crypto was, or how large the keys were, the attackers walked around it," he added.