As stated recently by Edward Snowden, the former National Security Agency (NSA) contractor who leaked highly classified documents leading to the reports, "Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on." How is it, then, that agents from the NSA and its British counterpart, known as the Government Communications Headquarters (GCHQ), are reportedly able to bypass the crypto protections provided by Internet companies including Google, Facebook, Microsoft, and Yahoo?
The short answer is almost certainly by compromising the software or hardware that implements the encryption or by attacking or influencing the people who hold the shared secrets that form one of the linchpins of any secure cryptographic system. The NYT alludes to these techniques as a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion." The paper went on to refer to technologies that had been equipped with backdoors or had been deliberately weakened. Snowden put it slightly differently when he said: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around" encryption. Exploiting the implementations or the people behind these systems can take many forms. What follows are some of the more plausible scenarios.
It goes on to say that the compromises can be carried out by:
* Getting a hardware vendor to ship a subtly flawed random number generator chip
* Getting on to a software standards committee and introducing a subtle flaw that makes it easier to break the standard
* Getting the crypto keys via theft, coercion or court order
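The first bullet is the one that is easiest to show concretely. The following Python is an added example, not code from the original post or from any vendor it mentions: a constructed stand-in for a "subtly flawed" generator that emits keys of the right length and the right apparent randomness but draws only a handful of real entropy bits, beside the collision audit a defender can run to catch it. The names `strong_keygen`, `flawed_keygen` and `collision_audit`, the 12-bit entropy budget and the 1000-sample size are all assumptions chosen for illustration.

```python
"""Why a flawed RNG breaks strong crypto: the cipher is untouched, but the
key space collapses. Added example with constructed generators."""
import hashlib
import os
from collections import Counter

KEY_LEN = 32  # bytes: both generators hand back a 256-bit key


def strong_keygen() -> bytes:
    """Pulls all 32 bytes from the operating system's CSPRNG."""
    return os.urandom(KEY_LEN)


def flawed_keygen(entropy_bits: int = 12) -> bytes:
    """Constructed stand-in for a weakened generator (not any real chip).

    Only `entropy_bits` of genuine randomness go in; the short seed is then
    stretched with SHA-256 so the output looks like a full 256-bit key.
    Byte-level inspection of one key reveals nothing, yet only
    2**entropy_bits distinct keys can ever come out.
    """
    seed = int.from_bytes(os.urandom(4), "big") % (1 << entropy_bits)
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:KEY_LEN]


def collision_audit(keygen, samples: int = 1000) -> dict:
    """Defender-side check: draw many keys and count repeats.

    A 256-bit generator should never repeat within a few thousand draws.
    A 12-bit one repeats almost immediately (1000 draws from 4096 values
    produce on the order of a hundred duplicates).
    """
    counts = Counter(keygen() for _ in range(samples))
    duplicates = sum(c - 1 for c in counts.values())
    return {
        "samples": samples,
        "distinct": len(counts),
        "duplicates": duplicates,
        # log2(distinct) is a crude lower bound on the entropy actually present
        "entropy_lower_bound_bits": len(counts).bit_length() - 1,
    }


def looks_weak(audit: dict) -> bool:
    """Any repeat at this sample size is disqualifying for a 256-bit key source."""
    return audit["duplicates"] > 0


if __name__ == "__main__":
    for name, gen in (("strong", strong_keygen), ("flawed", flawed_keygen)):
        report = collision_audit(gen)
        print(f"{name:6s} {report}  weak={looks_weak(report)}")
```

The point of the audit is that it never looks at a single key: each key from the flawed generator passes every format and "does it look random" check, and only the statistical behaviour of many keys together exposes the missing entropy. That is also why a flaw of this kind can survive in shipped hardware for a long time.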
So, in short, the math behind encryption works, yet the keys (data) and the implementations (software, hardware) are vulnerable to attack. The NSA has the time and the money to work on all aspects of these things. One thing to keep in mind is that the US government is certainly one of the world's largest purchasers of computers, so vendors will always try to provide implementations that meet the US Federal standards. At the same time, the NSA has responsibility for ensuring that US government computers are secure, so it has a big hand in defining those same US Federal standards.