Welcome!

Government Cloud Authors: Elizabeth White, Liz McMillan, Gopala Krishna Behara, Raju Myadam, Kevin Jackson

Related Topics: Government Cloud

Government Cloud: Article

Email, Privacy, Strong Cryptography and the NSA Whistleblower

Encryption is a broad term. Not all email encryption and methods of use are the same, in terms of privacy

There has been quite a buzz around the power of the alleged NSA eavesdropping considering the insights that the NSA Whistleblower, Edward Snowden, presented to the American public.

The NSA Whistleblower exposed how our digital identities are being captured, stored, analyzed, and categorized, allegedly by NSA, as well as companies that publicly state that they store and analyze your data (Facebook, Linkedin, Google email, etc.). The power of the NSA system, according to Snowden, is that they aggregate your digital communications across telephone, internet, web, mobile app, and email data.

With regards to email, email encryption works, to keep your email message content private. As The Guardian reported on Monday, June 17, the NSA Whistleblower said:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

But, encryption is a broad term. Not all email encryption and methods of use are the same, in terms of privacy. Not all are "strong crypto systems".

What type of "encryption" works, for whom, what, and when?

"Caesar Cipher" and "Pig Latin" are Forms of Encryption

Suppose Alice wants to send a secret message to her friend Bob but worries that her snoopy Big Brother may intercept it. Alice needs a way to scramble her message so that only Bob can read it. A simple way to do this would be for Alice to replace each letter in her message with the next highest letter; shifting it by one (think "Caesar Cipher" or "Pig Latin").

But, of course, that is too simple. If Big Brother intercepts the message he'll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and a little trial and error.

And, of course, if Big Brother uses a computer he'll be able to crack the code even faster. So just shifting the first letter to the end and adding "ay" as a suffix (turning "HELLO" into "ELLOHAY" for example) isn't a very strong cipher. What can Alice do?

Well, she can try to think up a more complicated mathematical formula to scramble the letters and numbers. And maybe she could use a computer herself to apply the formula. This will help, but the problem is still that if Big Brother hires clever mathematicians, or if he just has a big enough computer, he will be able to crack the code eventually. So it looks like it's going to be an arms race with Big Brother to see who can come up with the biggest computers and the most complicated formula. But because Big Brother is big, it is a race Alice and Bob are bound to lose.

What is Considered "Strong Crypto"?

Then, what did the NSA Whistleblower mean by "strong crypto systems" when he said, according to The Guardian, "Properly implemented strong crypto systems are one of the few things that you can rely on."

We have established that more complex patterns used to encrypt are harder to read by Big Brother but capable of being read if Big Brother has a powerful computer to figure out the pattern; yet easy for Bob to read with knowledge of the pattern (the decryption key). Most technicians understand that more complex algorithms are harder to "crack", or said another way, take more computing power to crack.

How does Computing Power Impact the Time to Crack the Encryption?

Let's consider the example of using computing power to try to guess a 10 digit seemingly random alpha numeric password, such as: tjo9i0982d using a "Brute Force" attack (i.e. trial and error). This would be similar to trying to find a pattern in a universe of combinations of 36 digits (26 possible letters and 10 possible numbers). According to Gibson Research Corporation, in this example, there are 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a "Massive Cracking Array Scenario" with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.

Computing power does matter. But, not many, if any (today), can implement a "Massive Cracking Array Scenario".

Is Today's Commercial Encryption Readable by the NSA with its Computing Power?

This is a question that clearly some people know the answer to. I do not. Most commercial encryption uses algorithms that the NSA has "approved" for "civilian, unclassified, non-national security systems". These algorithms are what encrypt your email or financial transactions when using email encryption or secure HTTP web based connections with commercially available systems. Some of these NSA approved (unclassified) algorithms include DES, Triple DES, AES, DSA and SHA.

Note: it is not only use of encryption that is important, but as Snowden added, "properly implemented strong crypto systems". Those who encrypt email should be sure to use "properly implemented strong crypto systems".

So, let's explore this notion of "properly implemented strong crypto systems".

Security by Obscurity

Bringing this back to Bob and Alice, or you and me, would our use of commercial (NSA approved for unclassified use) encryption be strong enough for our general commercial purposes? I suppose you could consider it so, as long as those who you think may be trying to read your information do not have the computing power, financial resources, and incentive to try to crack the method of encryption you use in your correspondence. To get a sense of the scale in terms of NSA computing power, NPR reported that the NSA is putting the finishing touches on its biggest data farm yet, a $1.2 billion complex in Utah with 1.5 million square feet of top secret space including high-performance NSA computers alone filling up 100,000 square feet.

So, unless (or until, since the NSA Whistleblower says your messages are saved just in case they later need to be read) you elevate yourself the importance of your electronic correspondence to the level that makes your information interesting to the people with this power, your commercially encrypted email should remain private enough...

But if private enough is not good enough, if you are encrypting FOR personal privacy, you should use "properly implemented strong crypto systems" that also consider endpoint security.

As The Guardian reported, the NSA Whistleblower added, "Encryption works... Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." What does Snowden mean by this? A properly implemented strong crypto system should take into account the endpoints, as well as the transmission.

Google Has an Easier Way to Read Your Email

Take Google as an example with your laptop as the endpoint. Google allegedly provides information to NSA and other government organizations upon request, and also perhaps others, depending on how you interpret what they disclose on their website privacy policies. (A quick glance at Google's privacy policies are revealing.) Google discloses: "Local storage: We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches" and further "may combine personal information from one service with information, including personal information, from other Google services." With all of the hype about NSA computing power, we believe endpoint security should be of greater concern - Google is telling you (in our opinion based on our interpretation of their privacy policy disclosure) that they record, analyze, cross reference your personal information, not only what you type into a Google application, but potentially all application data that is stored on your device (the endpoint) that they can access using their techniques.

So, for example, if you take great care to type your email in a Gmail compose page, encrypt the transmission, and then send, you are forgetting that Google may be recording, storing, analyzing, and cross referencing the content of the message you type before you encrypt it (as well as perhaps other personal information on your computer or mobile device).

So, for those encrypting for privacy, endpoint security should be evaluated. Note, you can somewhat control your endpoint security by choices you make, but what about the encrypted email recipient's endpoint security?

What to Do to Keep Your Email Private

So, where does this leave us in the new light of the NSA Whistleblower (and Google privacy disclosures)?

The endpoint security is the most likely source of data exposure; meaning, it may be far less computer intensive to access the metadata stored on your computer hard drive every time you type, or access the messages stored in your mailbox on your desktop, mobile device, email server, or internet mail service provider host before encryption when composing, or after decryption, after reading.

If you use commercial encryption for email, you should consider strong crypto systems that take into account providing endpoint security, in particular at the recipient's end, which is out of your control.

There are generally three types of systems to commercially encrypt email today.

1. Public Key Exchange - Secure but Complex for Many. Exchanging public encryption keys among your contacts (PKI Digital Certificates) and using Microsoft Outlook on your desktop computer is a "strong crypto system", but has proven to be too cumbersome for most to purchase and install these certificates, manage the expiration, ensure your recipients have a copy of your public key and you theirs, and all are using a compatible email program such as Microsoft Outlook desktop software.

2. Secure Store and Forward - "Man in the Middle" Problems. Systems that store your message content in the middle, and send a link to the recipients to download the content, are often used, but are not considered "strong crypto systems", as your most sensitive information is now stored on a third party server with unknown data security and message purge practices (which may differ from their stated policies). Further, there is no protection from unknown recipient endpoint security or lack thereof. Note, systems that wrap your email in an encrypted HTML file and send, often purport themselves to be "direct delivery" but leave out the important point that the process of decrypting, is often sending the data back to the server in the middle, and that server storing the decrypted message and displaying it in a web browser (with the same Man in the Middle storage purge concerns). Further, there is no protection from unknown recipient endpoint security or lack thereof. This is better than simple Secure Store and Forward but still has Man in the Middle issues, and for these reasons, these are also not considered "strong crypto systems".

3. True Direct Delivery - Best Method. Systems that wrap the message in an encrypted PDF file are "strong crypto systems" as (a) the message content is not stored in the middle, (b) content is truly delivered to the recipients' desktops encrypted, AND (c) the content remains encrypted at the recipient endpoint to prevent potential disclosure regardless of the recipient endpoint security. Systems that make this method easy to use and implement for both sender and recipient become the true best method "strong crypto systems" for email encryption (for both compliance and personal privacy).

More Stories By Zafar Khan

Zafar Khan is the chief executive officer of RPost (www.rpost.com). RPost, winner of the World Mail Award for best in security, provides what is described here as True Direct Delivery strong crypto systems that are simple to use and install with no storage by RPost. Both government and commercial organizations have relied on RPost email encryption all over the world, as part of its RMail® service offering (video and free trial click here). RPost has been offering secure electronic messaging services for more than 10 years.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
The best way to leverage your CloudEXPO | DXWorldEXPO presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering CloudEXPO | DXWorldEXPO will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at CloudEXPO. Product announcements during our show provide your company with the most reach through our targeted audienc...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
JETRO showcased Japan Digital Transformation Pavilion at SYS-CON's 21st International Cloud Expo® at the Santa Clara Convention Center in Santa Clara, CA. The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get...
"We view the cloud not as a specific technology but as a way of doing business and that way of doing business is transforming the way software, infrastructure and services are being delivered to business," explained Matthew Rosen, CEO and Director at Fusion, in this SYS-CON.tv interview at 18th Cloud Expo (http://www.CloudComputingExpo.com), held June 7-9 at the Javits Center in New York City, NY.
DXWorldEXPO LLC announced today that the upcoming DXWorldEXPO | CloudEXPO New York event will feature 10 companies from Poland to participate at the "Poland Digital Transformation Pavilion" on November 12-13, 2018.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Major trends and emerging technologies – from virtual reality and IoT, to Big Data and algorithms – are helping organizations innovate in the digital era. However, to create real business value, IT must think beyond the ‘what’ of digital transformation to the ‘how’ to harness emerging trends, innovation and disruption. Architecture is the key that underpins and ties all these efforts together. In the digital age, it’s important to invest in architecture, extend the enterprise footprint to the cl...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...