Using encryption like a pro

In a recent Patriot Privacy & Security Society Alert, I said I’d provide you with more information on how to use encryption in the near future.

The future is today.

Truth be told, I wanted to continue to follow the unfolding revelations from former National Security Agency contractor Edward Snowden about how the NSA was collecting and penetrating all forms of electronic communications to see if those revelations provided more insight into how the NSA cracks encryption.

I’m glad I waited because, as I suspected, more critical information about how the NSA breaks into encrypted communications has been revealed.

Importantly, not only has more been revealed, the group of reporters who are digging through the Snowden files has expanded to include one of America’s brightest security experts when it comes to technical issues like encryption. His name is Bruce Schneier.

In a recent blog post, Schneier gave an advance look at what he’s been learning.

To understand what Schneier has been examining, here’s Schneier in his own words.

“Now that we have enough details about how the NSA eavesdrops on the Internet, including today’s disclosures of the NSA’s deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

“For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden.

“…At this point, I feel I can provide some advice for keeping secure against such an adversary (meaning, the NSA).”

Schneier than provides some technical and procedural information about how the NSA penetrates encrypted information – including secret agreements with telecommunications companies. If you’re interested, you can read that information by following the link at the conclusion of this advisory. But, for now, I want to give you the important information from Schneier on how to protect your communications.

I will tell you up front that, based on what I learned working on several national security cases when I was a private detective in Washington, D.C., I agree with Schneier when he states, “What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.”

But, the likelihood that you have information the NSA is interested in is very low. Therefore, you can protect your communications from just about anyone else with relative certainty.

To do that, Schneier offers five recommendations.

1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2. Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large U.S. companies have NSA-friendly backdoors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than Bitlocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while Bitlocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because Bitlocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.”

OK. Admittedly that some pretty technical information. But, I wanted you to appreciate what’s involved and how an expert like Schneier approaches encryption issues.

So what does Schneier use? Here’s his answer.

“Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, and BleachBit.”

Now remember, this is what Schneier is using to protect the security of the NSA documents he’s reviewing. I assume your level of security will never need to be that high. So, by taking just a few of the steps Schneier recommends and using one of the encryption programs he suggests, you will be able to defeat almost any threat to the security and privacy of your electronic communications.

And by having this invaluable information, you’ll understand what is available and how some forms of encryption are far more secure than others.

Be safe and secure,

Rob Douglas

If you’d like to read the entire article by Schneier, click here à How to remain secure against the NSA.