The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend to have a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment.
The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) there is a lot of discussion going on where the practices of standardisation are being questioned. Given the design problem in standardised algorithms the term APT hiding in plain sight has been coined. So what is the best advice for the deployment of cryptography in production environments? What are the capabilities of your adversaries? We try to give some answers at the annual Grazer Linuxtage event on 5 April 2014. The talk „NSA und die Kryptographie: Wie sicher ist sicher?“ will address some of the developments of the past months. While we can only deal with the tip of the iceberg, we hope to give a good start for interested people where to start when it comes to reviewing cryptographic tools and protocols in action. We invite you to attend the Grazer Linuxtage and have a chat with us about the problem and possible solutions.