In a comment on an earlier post of mine about how Princeton researchers cracked disk encryption on computers, John Hollingsworth asks how this sort of thing happens when encryption technology undergoes government scrutiny.
It’s true that the U.S. government was deeply involved in the development of the two most widely used algorithms for encryption of large blocks of data. The Data Encryption Standard was developed by the National Security Agency as a modification of an IBM project and the Advanced Encryption Standard came out of a National Institute of Standards & Technology competition to find a successor to DES. And encryption technology gets a government seal of approval through NIST’s Federal Information Processing Standards, which make AES the algorithm of choice for sensitive but unclassified government data (classified stuff uses military algorithms which NSA keeps very close to its vest.)
With such good technology freely available, it shouldn’t be surprising that the failures of encryption that do occur almost never are caused by the encryption algorithm itself but by the way the entire encryption system is implemented. This is a much trickier business and each installation is more or less a custom deal. The hardest piece of any crypto system is the management of the keys. The Princeton attack succeeded because it allows the researchers to extract the keys from a computer’s memory. And once an attacker has the key, it doesn’t matter how good the lock is.