Security experts say stronger encryption standards are needed in the wake of revelations that National Security Agency had allegedly worked with technology vendors to have backdoors built into popular platforms.
The findings were contained in reports by the New York Times, The Guardian and ProPublica which claimed the NSA and its UK equivalent engaged in years' long mission to undermine encryption methods widely used to secure communications sent over the web.
The Guardian obtained the files – which were leaked by whistleblower and former NSA contractor Edward Snowden. According to the documents, NSA spends $250 million a year on a program called the Sigint Enabling Project, which subverts methods for securing public data.
The 50,000 pages of leaked documents also revealed that the NSA pressured major tech companies into giving the agency backdoor access to encryption software, and that, when all else failed, the NSA outright stole company encryption keys by hacking organisations' servers, a Thursday article in The Guardian said.
In addition, the documents showed that the Government Communications Headquarters (GCHQ), a British intelligence agency, has been hard at work to figure out how to decipher web traffic encrypted by Google, Facebook, Yahoo and Hotmail, the world's major service providers for email, instant messaging and other social media communications.
On Friday, Pravin Kothari, founder and CEO of cloud encryption firm told SC US that the widely accepted encryption protocol on the internet has been RSA 1024-bit encryption, which security experts have continued to warn could be easily broken by those with the enough skill and computer power.
NSA can monitor internet traffic by exploiting compromised encryption software, Kothari explained. "And the second problem is, NSA can ask the provider for their decryption keys, so they decrypt it automatically,” he emphasized.
Kothari added that many companies have dragged their feet in adopting more secure encryption methods for fear that it could negatively affect services.
“Experts have been advising to increase the key length to 4096-bit or longer for some time, but many internet providers are slow to upgrade due to significant performance impact,” Kothari wrote.
In a recent blog post, security expert and cryptographer Bruce Schneier suggested similar steps for widespread adoption of better security.
“It's pretty easy to stay a few steps ahead of the NSA by using even-longer keys,” Schneier wrote. “We're already trying to phase out 1024-bit RSA keys in favor of 2048-bit keys. Perhaps we need to jump even further ahead and consider 3072-bit keys. And maybe we should be even more paranoid about elliptic curves and use key lengths above 500 bits,” he said.