Everyone has heard the big splash of news about the NSA revealed by Edward Snowden: “the NSA Is Breaking Most Encryption on the Internet,” in the words of foremost security/cryptography expert Bruce Schneier. This was a matter of great interest here at Weston High School, where all sophomores study cryptography as part of Algebra II. They all learn that RSA is fundamentally unbreakable. Yet here are these headlines….
Schneier, however, goes on to point out that the NSA is “doing it primarily by cheating, not by mathematics.” In a subsequent article, he adds the following:
“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.
“Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.”
Someone needs to be teaching students about this — if not the Math Department, then maybe the Social Studies Department. The math is safe…and correct. So we’re not lying, not even inadvertently, when we teach kids that public-key crypto is safe and secure. But all the math in the world won’t help against those who want and are able to subvert the Internet through back doors, through legal and illegal abuses. “But that’s an invasion of privacy!” exclaimed one of my sophomores. Yes, indeed.