Some call it the intelligence coup of the 20th century: According to media reports, the US foreign intelligence service CIA and the German Federal Intelligence Service (BND) have been spying on governments for decades by selling manipulated encryption devices to countries via a company called "Crypto AG". Professor Dr. Gregor Leander from the Chair of Cryptography at the RUB explains how these machines were used and how secure today's encryption methods are.
According to reports by the Washington Post and ZDF, the secret services CIA and BND have been able to read encrypted diplomatic communications across the board by manipulating encryption devices in the past. Are such devices still used today?
The devices made by Crypto AG, the company at the center of the Cryptoleaks, were rotor machines, at least initially. These electromagnetic devices functioned as cryptographic typewriters and were used to encrypt messages. But just like conventional typewriters, these devices are no longer in use today. Cryptographic typewriters were a further development of Enigma, which was used by the Germans during World War II. Enigma was not secure; it could be cracked by the Allies. But mechanical encryption machines can be secure, and there are some that, even with today's knowledge, could be broken only with relatively great effort.
What methods of encryption are used today?
Nowadays, we no longer use typewriters, but computers. With this advancement, machine encryption techniques have become algorithms. Where hardware was once needed, software is now increasingly in use. Most common encryption software uses symmetric and asymmetric key methods.
In the first case, only a common key is used between the sender and the recipient to decrypt the contents of the messages. The asymmetric method, also known as public-key encryption, requires a key pair consisting of a private key and a public key.
Would manipulations like in the case of Cryptoleaks be possible at all with today's standards?
A distinction must be made here between manipulations in cryptographic algorithms and in devices. Manipulating today's encryption standards is difficult and the risk of being discovered is great. However, attempts have been made. For example, the U.S. National Security Agency, NSA, intentionally equipped the Dual-EC random number generator with a vulnerability that has been uncovered by scientists. In addition to technical resources, some intelligence agencies also have the necessary influence on standardization bodies.
Manipulating devices, on the other hand, is much easier because it is easier to hide backdoors in more complex devices. This is precisely what the current discussion revolves around, with the reservations that exist about Huawei's devices.
A research focus of the Cluster of Excellence "Cyber Security in the Age of Large-Scale Adversaries" Casa is to develop fundamental cryptographic solutions against such attack possibilities. How do you intend to achieve this?
In Casa, we are working on precisely these questions in particular: How can you ensure that there are no backdoors - and test devices in such a way that they are detected? How can cryptographic algorithms be protected against such attacks? To this end, researchers from different areas of IT security are working together in an interdisciplinary approach, for example from cryptography, embedded security at the hardware level and secure systems at the software level. The latest findings from the Cryptoleaks show once again the relevance of these issues and what high practical and political significance they encompass.
Click here for the original article.