New documents leaked by former US National Security Agency (NSA) contractor Edward Snowden point to the American spy agency deploying vast resources to break encryption, and in some cases, it has succeeded in doing so.
According to a joint effort story published by ProPublica, the Guardian and The New York Times, the NSA has "secretly and successfully worked to break many types of encryption" as part of project called Bullrun.
Most of the work to break encryption has been focused on the widely-deployed Secure Sockets Layer according to the documents leaked by Snowden.
A British counter-encryption programme, Edgehill, is said to have been able unscramble virtual private network (VPN) traffic for thirty targets in 2010.
The extent to which NSA and its Five-Eyes partners in the UK, Australia, New Zealand and Canada have been able to break encryption is unclear however, as the story does not specify which protocols were compromised.
@chriseng basically dual_ec_dbrg confirmed backdoored, a big passive break of SSL in 2010, lotsa VPNs owned (somehow)— Dan Kaminsky (@dakami) September 5, 2013
A 2010 memo boasted about the US and UK spy agencies' ability to decrypt data.
“Cryptanalytic capabilities are now coming online. Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” the memo said.
Some forms of encryption are still unbreakable for the NSA, according to Snowden. Instead, the NSA attempts to bypass encryption by capturing data before it is scrambled, obtaining access to provider services such as Microsoft's Outlook email, Skype calls and chats and Skydrive cloud storage.
The NSA is also maintaining an encryption key database for commercial products and tried to obtain others not available, possibly by breaking into companies' servers, the report said. Fast computers are also used to brute-force crack encryption, with billions of dollars invested in the program.
Furthermore, the NSA has also deliberately weakened the encryption standards it has worked on and which have become officially adopted by government users and private enterprise, by planting vulnerabilities into these.
Again, the standards in question were not named. The NSA has been involved the development of several cipher protocols, including the Advanced Encryption Standard (AES), Data Encryption Standard (DES) and Secure Hash Algorithm (SHA-1, 2, and 3) which are now commonly used around the world.
Weaknesses have also been introduced into unspecified commercial products, as the NSA has worked with US and overseas tech companies to ensure backdoor access to data.