The NSA designed AES. You do the math.
Uhm... no it didn't. Although the NSA played a role in the review process of the competition that resulted in an algorithm called Rijndael (developed by people completely unrelated to the agency: two Belgian cryptographers) becoming anointed as a standard called AES (short for “Advanced Encryption Standard”, by the way).
It's possible that the NSA has cryptographic techniques that are not widely known that allow it to perform attacks against AES that improve on the attacks that we already know, but unless the attacks are truly revolutionary then, frankly, AES is still secure. Even AES-256 with its slightly weird key schedule.
As to Schneier's suggestion about avoiding ECC because of NSA constants, two comments on that. I respect Bruce Schneier tremendously as a cryptographer and security expert. But I disagree with what he's saying here slightly:
Historical evidence suggests that when the NSA made changes to a crypto system by tweaking numbers, the changes strengthened the cipher rather than weakened it. Don't take my word for it, look at the case of DES. After Coppersmith and his team spent weeks cooking up S-boxes for DES, they sent them to NSA, which quickly came back with changes (with no reason provided) that were adopted.
It took a long time before the community discovered differential cryptanalysis. But when it did, lo... those NSA changes actually strengthened the algorithm instead of weakening it!
Second, nobody is forcing you to use the particular elliptic curves the NSA recommends. If you are worried that they are specially picked to facilitate some unknown attack, simply use different curves. Elliptic curve cryptography offers tremendous advantages and it seems silly to not leverage it.
No one in the cryptographic community argues that elliptic curve cryptography has some fundamental flaw, and no one has a serious attack against it. It's true that some curves are better than others, and although it's tempting to suggest that the NSA "chose" the weaker ones for their own purposes, it's more likely that they chose better ones.
Of course, I understand that trusting the NSA isn't in vogue now, and blind trust is silly. So yes, if you're worried about elliptic curves, use discrete log based systems. Not that you know what either of those are.
And that's why Schneier's advice in this instance is not quite as spot on as it usually is. Suggesting the use of air-gapped computers, good physical security, and crypto-suites that must interoperate with others are great, practical suggestions. The discrete log vs ECC distinction, eh, not so much.
Please note that I don't dispute that NSA is years ahead of the community in cryptanalytic and cryptographic techniques, or that they have the ability to decrypt algorithms that we consider secure. But I do not believe they have the ability to decrypt modern ciphers with abandon, rendering all encryption obsolete.
On the issue of decrypting SSL, for example, most connections secured by SSL, even today, are encrypted using the RC4 stream cipher, which has a number of known weaknesses; couple that with exploits like BEAST, and it could make a lot of "secure" traffic insecure. That's a very real issue.
An even bigger issue is idiots who implement "custom" encryption. They hide behind bullshit phrases like "military grade encryption" or "proprietary unbreakable encryption" etc. When it comes to encryption you want open. Not proprietary. The security should rest in the key, not the algorithm.
Now, for whatever it's worth, my suggestions are to:
Prefer open-source solutions; open-source isn't a panacea (as the Debian OpenSSL fiasco will readily prove), but the fact that the code is open to review makes it less likely to have hidden functionality or exploits hidden within.
Encrypt your computers using some kind of whole-disk encryption. BitLocker is very good and easy to use, but if you do use it, use it in conjunction with EFS. TrueCrypt is also excellent. On a Mac, FileVault is good but has a history of poor design decisions. Linux solutions are pretty good. But anything is better than nothing.
Depending on the level of security you need, air-gap your machines; process your most secure data on machines that are not connected to any network and very carefully transfer files across the gap manually only when absolutely necessary.
Don't trust a machine that others have had physical access to. Physical access to your laptop means the laptop is potentially compromised. Depending on your security requirements, this may mean that the laptop goes to the trash. So be it. Just wipe the disk first.
When traveling internationally, never keep confidential data in a laptop or other electronic device, even if encrypted. They can be searched and copied without a warrant, and you may be going to a country that requires you to divulge your password(s).
If the crypto-products you use have a "duress password" facility, then use it and use it properly. TrueCrypt does (by way of hidden volumes) and it can be great. But read the manual carefully to maximize the protection the duress password affords you.
Lastly, just practice good operational security: pick good passwords, eliminate password reuse and sharing between sites. Watch out for shoulder-surfers. And don't trust the integrity of unencrypted connections routed via wired and especially wireless networks.
If there are specific questions you guys do have, let's get a conversation started. Just ask yourself: can this unknown guy on a body building forum, who I know nothing about, be trusted to dispense security advice? Also, does he even lift?
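The DES S-box story above turns on differential cryptanalysis, which measures how predictably an input difference propagates through an S-box. The following is an added example, not code from the post or from any cipher implementation: it builds the difference distribution table (DDT) for the real DES S1 (values from FIPS 46-3) and for a constructed affine toy S-box, and reports the most probable differential of each, which is what the S-box design criteria bound.

```python
# Added example: difference distribution tables for DES S1 (FIPS 46-3) and a
# constructed weak S-box. The "weak" S-box is a toy, not any real cipher part.
from typing import List, Tuple

# DES S-box S1 as published in FIPS 46-3: four rows of sixteen 4-bit outputs.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def des_sbox(box: List[List[int]], x: int) -> int:
    """6-bit input -> 4-bit output: outer bits pick the row, middle four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]

def weak_sbox(x: int) -> int:
    """Constructed affine S-box that just drops the outer bits: every input
    difference maps to exactly one output difference, so it leaks completely."""
    return (x >> 1) & 0xF

def ddt(sbox, in_bits: int = 6, out_bits: int = 4) -> List[List[int]]:
    """table[dx][dy] = number of inputs x for which S(x) ^ S(x ^ dx) == dy."""
    table = [[0] * (1 << out_bits) for _ in range(1 << in_bits)]
    for dx in range(1 << in_bits):
        for x in range(1 << in_bits):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table

def max_differential(table: List[List[int]]) -> Tuple[int, int, int]:
    """Best (count, dx, dy) over nonzero input differences, i.e. the single
    most useful one-round characteristic an attacker could build on."""
    best = (0, 0, 0)
    for dx in range(1, len(table)):
        for dy, n in enumerate(table[dx]):
            if n > best[0]:
                best = (n, dx, dy)
    return best

if __name__ == "__main__":
    n, dx, dy = max_differential(ddt(lambda x: des_sbox(DES_S1, x)))
    print(f"DES S1: best differential 0x{dx:02x} -> 0x{dy:x} holds for {n}/64 inputs")
    n, dx, dy = max_differential(ddt(weak_sbox))
    print(f"affine S-box: best differential 0x{dx:02x} -> 0x{dy:x} holds for {n}/64 inputs")
```

For DES S1 no differential holds for more than 16 of the 64 inputs (probability 1/4, the well-known 0x34 -> 0x2 case), whereas the affine toy has differentials that hold with probability 1.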