Recent documents released by NSA leaker Edward Snowden have revealed the existence of a classified NSA program, codenamed Bullrun, which purports to be be able to defeat the encryption standards, such as SSL, that underlie commerce and confidentiality on the world wide web. The exact methods of the program remain unclear, though there are tantalizing indicators that the root problems may lie with the methods used to generate random numbers for cryptographic keys; specifically an algorithm known as Dual_EC_DRBG which was inserted into the standard at the insistence of the NSA. Bullrun, and the related GCHQ program Edgehill, appear to have operated by ensuring through government pressure that vulnerabilities were inserted into the standards used to develop cryptographic systems.
Somewhat disturbingly, the programs are both named for the first battles in their respective nation’s civil wars. The irony here is that these programs have almost certainly permanently damaged the relationship between government security agencies and government and civilian groups responsible for creating technology standards. And while we are not yet at the point of brother fighting against brother, it is obvious that any future cyber-security recommendations made by the NSA will be regarded as highly suspect.
- Dan Gifford, MCySec Media Manager/ Graduate Research Assistant
A more technical analysis:
Bruce Schneier’s advice on maintaining security in light of these developments: