Making and breaking encryption is one of the main roles of a signals intelligence agency. That the National Security Agency (NSA) engages in such activities is not surprising. Aspects of this work aren't even secret: NSA involvement in the development of some cryptographic standards was legally mandated and openly acknowledged.

What we don't know, in general, are any specific details. Recent headlines, both here at Ars and elsewhere, paint a grim picture, suggesting that many or all of the cryptographic safeguards that people use to protect their privacy have been undermined. Simultaneous with this, cryptographic experts have said that the mathematics underpinning crypto is still basically sound. These attacks instead depend on implementation flaws, bad passwords, weak algorithms, corporate cooperation, and, perhaps, backdoors.

These mixed messages and ill-defined capabilities sound scary, but they may well be scarier than they really are.

Consider, for example, a report from Spiegel Online that "NSA can spy on smartphone data," with the iPhone, BlackBerry, and Android all reported to be vulnerable.

There have long been questions about data extraction from smartphones. We know, for example, that there are standard forms used by law enforcement agencies to demand assistance with unlocking phones from Apple and Google. What we don't know is whether these companies can actually comply with such demands. In any well-designed encryption system, law enforcement could ask until they're blue in the face. The companies shouldn't, in fact, be able to help.

Does the Spiegel piece provide the answers that have long been sought about these capabilities? Not really. The only data extraction it describes in detail concerns taking data from the iPhone. The technique it describes is a technique available to any reasonably skilled computer user. When an iPhone is paired to a PC running iTunes, the iPhone trusts the PC and will allow the PC to perform certain operations—such as making a full backup of the iPhone that includes all the data stored on it.

The NSA apparently takes advantage of this trust: malware is installed on the PC of any person of interest, and that malware is used to extract data from any iPhones that trust the PC. We've written before of attacks that depend on exploiting this kind of trust. The technique isn't secret, isn't particularly advanced, and it would frankly be extraordinary if US spy agencies weren't using this approach. It's possible that the systems used to extract data from BlackBerry and Android phones are more advanced, but judging by the iPhone example, it's certainly not safe to assume so.

Similar uncertainty surrounds reports that the NSA can crack some VPNs to eavesdrop on their traffic. At one end of the spectrum, this could mean that the NSA can crack properly configured VPNs using strong encryption and protocols such as IPsec, SSH, or TLS. At the other end of the scale is cracking Microsoft PPTP VPNs that use MS-CHAP authentication. Flaws in this protocol have been known for a long time, and in 2012 a cloud service for cracking the protocol was published.

Where do the NSA's capabilities lie? We don't know, and there's a huge difference between the two extremes. The NSA could have some significant advantage over the techniques that are well-known and documented. Or it could be using standard attacks against protocols that are known to be insecure.

The same story could be repeated in other contexts. We've covered numerous attacks against SSL-protected HTTP with catchy names like BEAST and CRIME. Making practical use of these attacks is perhaps tricky, as they require a particular set of circumstances, but it's probably not impossible.

Even among protocols that can't, generally, be cracked, there are known limitations. RSA asymmetric encryption with 1024-bit keys—widely used in SSL/TLS connections—can't be broken by a garden-variety hacker. Though algorithms for cracking RSA are known, they're out of reach for individuals, because they require massive computational resources. But that's not a problem for the NSA (or any other organization that has or can afford large supercomputers). Nobody knows with absolute certainty whether the NSA has supercomputers that can be used to attack 1024-bit RSA in a reasonable timeframe, but it's certainly well within the realm of possibility.

A big clue as to the susceptibility of 1024-bit RSA to cracking can be found in the government's own recommendations. In its SP 800-57 document, NIST, whose responsibilities include developing standard rules for the use of encryption, says that use of 1024-bit RSA is deprecated through the end of this year and disallowed thereafter, precisely because it is susceptible to being broken. 2048-bit RSA, by comparison, is approved until 2030 and disallowed thereafter.

SP 800-57 was last revised in 2012, and academic researchers have been saying that 1024-bit RSA is vulnerable since at least 2007.

As such, if the NSA can crack this level of encryption, it's not a big surprise and it's not a big revelation. It's rather what we would expect to see. It's also a capability that's easy to defeat. Switching to 2048-bit keys is a minor reconfiguration, and it would render the ability to crack 1024-bit keys irrelevant.
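As an added illustration of the key-size point above (example code written for this piece, not Ars's or NIST's own tooling), the stdlib-only Python below reads the modulus size out of a PKCS#1 RSA public key and classifies it against the SP 800-57 cut-offs quoted above. The PEM builder exists only to construct sample input, and the rule for 3072-bit and larger keys is taken from SP 800-57 itself rather than from the article.

```python
import base64
import re

DEPRECATED_1024_THROUGH = 2013   # SP 800-57: 1024-bit RSA deprecated through the end of 2013
ACCEPTABLE_2048_THROUGH = 2030   # SP 800-57: 2048-bit RSA approved until 2030

def _der_len(n):                 # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):          # DER INTEGER; a leading zero keeps high-bit values positive
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def rsa_public_key_pem(n, e=65537):
    """PKCS#1 RSAPublicKey PEM for (n, e); used here only to build constructed sample input."""
    seq = der_integer(n) + der_integer(e)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PUBLIC KEY-----\n{lines}\n-----END RSA PUBLIC KEY-----\n"

def _read_tlv(buf, pos):         # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus size in bits of a PKCS#1 'RSA PUBLIC KEY' PEM (SEQUENCE { n, e })."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----", "", pem))
    seq_tag, seq, _ = _read_tlv(der, 0)
    n_tag, modulus, _ = _read_tlv(seq, 0)   # first INTEGER inside the SEQUENCE is n
    if seq_tag != 0x30 or n_tag != 0x02:
        raise ValueError("not a PKCS#1 RSAPublicKey structure")
    return int.from_bytes(modulus, "big").bit_length()

def sp800_57_status(bits, year):
    """Classify an RSA modulus size for a given year using the SP 800-57 cut-offs."""
    if bits < 1024:
        return "disallowed"      # weaker than the already-deprecated size
    if bits < 2048:
        return "deprecated" if year <= DEPRECATED_1024_THROUGH else "disallowed"
    if bits < 3072:
        return "acceptable" if year <= ACCEPTABLE_2048_THROUGH else "disallowed"
    return "acceptable"          # 3072-bit and up: acceptable beyond 2030 (SP 800-57 Table 4)
```

Run it over the public keys in a certificate inventory and anything reported as "deprecated" or "disallowed" is a candidate for the 2048-bit reconfiguration the article describes.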

The exact limits on what the NSA can and can't do are unlikely to be known any time soon. It's possible that Ed Snowden has revealed this information to the newspapers, but the coverage of his leaks has thus far consistently excluded such specifics for one reason or another (Snowden et al. may simply not know the details, or there may be some level of editorial constraint at work). Measured responses, such as upgrading RSA keys from 1024 to 2048 bits, are a logical enough reaction.

But there should nonetheless be some circumspection. Headlines and mainstream coverage can obscure important details. The NSA has access to all the same public research that everyone else does, and anyone with access to that research can—at least some of the time—crack VPNs, crack HTTPS, and extract data from iPhones. They can do lots more besides. We know that various full-disk encryption systems, for example, can be defeated by supercooling RAM chips on recovered machines. Give them a sufficiently large budget, and they can crack some SSL/TLS too. We've known this implicitly since the research, official techniques, and guidance were first published.

Is it possible that the NSA can go far beyond the state of the art, breaking even encryption believed to be secure? Sure. It can't be ruled out. But it's not the only interpretation of the information that's been leaked so far—and if experts remain confident that the basics of cryptography are all still sound (a belief that appears to be shared by Snowden himself), it's arguably not even the most likely one.