
NSA Foils Much Internet Encryption

Posted by timothy
from the do-your-taxes-buy-civilization? dept.
An anonymous reader writes "The New York Times is reporting that the NSA 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.

  • by ackthpt (218170) on Thursday September 05, 2013 @04:02PM (#44769059) Homepage Journal

    For awesome powa [rot13.com]

  • SSH? (Score:4, Insightful)

    by Phibz (254992) on Thursday September 05, 2013 @04:04PM (#44769095)

    I wonder if their list includes SSH

    • Re:SSH? (Score:5, Informative)

      by Yaur (1069446) on Thursday September 05, 2013 @04:11PM (#44769187)
      The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered. But there are so few details in the story it's hard to know how technically competent the staff who reviewed the documents are and therefore how serious the threat is.
      • Re:SSH? (Score:5, Informative)

        by amorsen (7485) <benny+slashdot@amorsen.dk> on Thursday September 05, 2013 @04:42PM (#44769543)

        The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered.

        You do not need to break RSA or AES to break a lot of VPNs. I.e. if you use aggressive mode IKEv1 PSK (typically plus XAUTH, but that does not actually help), the shared private key can be recovered by offline attacks. NSA supercomputers should have no problem handling most keys. Alternatively, if certificates are used, many organizations buy premade certificates including secret keys instead of going through the trouble of generating their own secret keys. That means the NSA only has to compromise the few certificate vendors.

        And this is just the passive attacks the NSA can do. If they actively interfere, they can use downgrade attacks or (for HTTPS) the various TLS vulnerabilities or use proper fake vendor certificates or all sorts of other mischief. That is harder to pull off unnoticed of course.

        Very little equipment supports IKEv1 with "raw" RSA keys (no certificates), even though that takes the whole PKI problem away and avoids aggressive mode. I'm only aware of (free|open|libre|strong)SWAN and RouterOS. IKEv2 is almost non-existent, and what little equipment supports it tends to only support the equivalent of IKEv1 main mode with PSK or certificates -- precisely the areas where IKEv1 is already good enough.

        For those of us who use proprietary encryption acceleration: how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).
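The combination the comment above singles out (IKEv1, aggressive mode, pre-shared key, with or without XAUTH) can be found in a gateway's own configuration. The following is an added example, not part of the original post: a small audit of a strongSwan-style `ipsec.conf`, where the sample configuration is constructed and the handling of `%default` and a single `also=` per connection is a simplifying assumption.

```python
# Added example: list conn sections that resolve to IKEv1 + aggressive mode + PSK.
# SAMPLE_CONF is constructed for illustration, not taken from a real deployment.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1

conn branch-office
    aggressive=yes
    authby=xauthpsk
    right=198.51.100.7

conn hq
    authby=secret

conn psk-template
    aggressive=yes
    authby=secret

conn roadwarrior
    also=psk-template
    aggressive=no

conn partner
    also=psk-template

conn cert-peer
    aggressive=yes
    authby=rsasig
"""

PSK_AUTHBY = {"secret", "psk", "xauthpsk"}  # authby values that rely on a PSK


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section headers start in column 0
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return conns


def effective(conns, name, seen=frozenset()):
    """Merge %default, then the section named by also=, then the conn's own options."""
    own = conns.get(name, {})
    merged = dict(conns.get("%default", {}))
    parent = own.get("also")
    if parent and parent not in seen:             # 'seen' guards against also= loops
        merged.update(effective(conns, parent, seen | {name}))
    merged.update(own)
    return merged


def uses_psk(cfg):
    if cfg.get("authby", "").lower() in PSK_AUTHBY:
        return True
    return any(cfg.get(k, "").lower() == "psk" for k in ("leftauth", "rightauth"))


def aggressive_psk_conns(text):
    """Names of connections whose effective settings are IKEv1 aggressive mode with a PSK."""
    conns = parse_conns(text)
    flagged = []
    for name in conns:
        if name == "%default":
            continue
        cfg = effective(conns, name)
        if (cfg.get("keyexchange", "").lower() == "ikev1"
                and cfg.get("aggressive", "no").lower() == "yes"
                and uses_psk(cfg)):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for conn in aggressive_psk_conns(SAMPLE_CONF):
        print(f"{conn}: IKEv1 aggressive mode with PSK; use main mode or certificates")
```

Connections that inherit the risky settings through `also=` are reported as well, while `roadwarrior`, which overrides `aggressive=no`, and the main-mode and certificate connections are not.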

      • Re:SSH? (Score:5, Informative)

        by Anonymous Coward on Thursday September 05, 2013 @05:18PM (#44769877)

        Bruce Schneier should be technically competent enough for you, see his articles today at the Guardian.

        http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

        http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

      • Re:SSH? (Score:5, Insightful)

        by mspohr (589790) on Thursday September 05, 2013 @05:26PM (#44769965)

        The article states that they are working with commercial software vendors to insert back doors, vulnerabilities, etc. into their software. This is much easier than trying to break RSA or AES by brute force.
        I think we have to assume that all commercial software has been compromised and is vulnerable.
        Only trust open source software where the code has been audited carefully.

      • by gweihir (88907)

        Vulnerabilities in AES are very, very unlikely. Vulnerabilities in RSA can only be introduced by changing the universe. What is far more likely is back-doors or intentionally weak key generation in commercial SSL and VPN products. I already have seen commercial encryption that was incompetently done. Now I am wondering whether that was intentional. However it was grossly obvious, so I guess not, even though it was a well-known US company.

    • Re:SSH? (Score:5, Informative)

      by Anonymous Coward on Thursday September 05, 2013 @04:12PM (#44769205)

      I wonder if their list includes SSH

      OpenSSL came from SSLeay, which was created outside of the US specifically for this reason.

      It's not a technical attack in the first round;

          The long, strong arm of the NSA
          July 27, 1998
          Web posted at: 4:15 PM EDT
          http://edition.cnn.com/TECH/computing/9807/27/security.idg/ [cnn.com]

          [..]

          It's gotten to the point where no vendor hip to the NSA's power will
          even start building products without checking in with Fort Meade first.
          This includes even that supposed ruler of the software universe,
          Microsoft Corp. "It's inevitable that you design products with specific
          [encryption] algorithms and key lengths in mind," said Ira Rubenstein,
          Microsoft attorney and a top lieutenant to Bill Gates. By his own
          account, Rubenstein acts as a "filter" between the NSA and
          Microsoft's design teams in Redmond, Wash. "Any time that you're
          developing a new product, you will be working closely with the NSA,"
          he noted.

          [..]

          Clearly wary of granting the government supervision over its products,
          Microsoft has stubbornly refused to submit a data-recovery plan, even
          though the Redmond giant already includes a data-recovery feature in
          its Exchange Server.

          "The Exchange Server can only be used when this feature is present,"
          Rubenstein said. "Because we haven't filed a product plan, it's harder
          for us to export this than for companies that have filed plans."

          [..]

    • Re:SSH? (Score:4, Interesting)

      by sneakyimp (1161443) on Thursday September 05, 2013 @05:21PM (#44769905)
      I'm more inclined to trust Bruce Schneier who says "I trust the mathematics [wired.com]," than the authors of this sensationalist NYTimes article. To me, it seems like they completely lack any nuanced understanding of the information flow and its vulnerabilities and are merely depending on whatever third-hand analysis they might have gleaned from reading other amateur blogs.

      I agree that going to the service providers (e.g., google, yahoo, apple, phone companies, etc.) or building a backdoor into the software is a good way to go about it, but I hardly think that means that the NSA is "winning the war on encryption."
      • Re:SSH? (Score:5, Insightful)

        by Frobnicator (565869) on Thursday September 05, 2013 @06:20PM (#44770329) Journal

        I'm more inclined to trust Bruce Schneier who says "I trust the mathematics," than the authors of this sensationalist NYTimes article

        I trust the math, even though I don't understand it.

        I don't necessarily trust the people who coded the math into a program.

        I don't necessarily trust the computer that is running the program.

    • by knarf (34928)

      I wonder if their list includes SSH

      In the linked BULLRUN document [propublica.org], in section 6 ('BULLRUN sensitivity and coverage') it clearly mentions SSH as one of the covered protocols so the answer is yes. As to whether this coverage is due to some publicly-unknown (but NSA-available) weakness in the SSH protocol, in common implementations, in the used cyphers or enacted case-by-case through man-in-the-middle attacks is of course unknown.

  • Uh... okay (Score:5, Insightful)

    by cryptizard (2629853) on Thursday September 05, 2013 @04:05PM (#44769101) Homepage
    I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.
    • Re:Uh... okay (Score:5, Interesting)

      by Hatta (162192) on Thursday September 05, 2013 @04:11PM (#44769189) Journal

      Cracking doesn't mean brute force. If you compromise the key, the encryption is just as surely cracked. Chances are what they really mean here is that they've compromised the certificate authorities that are trusted by default by most web browsers. Turns out self signed certificates really are more secure.

      GPG and SSH are probably safe as you generate your own keys on the local machine.

      • Re:Uh... okay (Score:5, Informative)

        by dgatwood (11270) on Thursday September 05, 2013 @04:26PM (#44769371) Journal

        No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site. Then, they can freely MITM that site. SSL is swiss cheese as security goes, because certs are automatically trusted if signed by a CA, are never stored, and their designated requirements are never checked when determining whether a new key should be trusted or not. In short, SSL is a train wreck.

        Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning. Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert. By contrast, a CA-signed cert makes it much harder to perform a MITM attack the first time a user goes to your site, effectively limiting such attacks to those who can convince a CA to give them a cert for your site. Guess which is more likely.

        • Re:Uh... okay (Score:5, Interesting)

          by Hatta (162192) on Thursday September 05, 2013 @04:57PM (#44769687) Journal

          No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site.

          That's what's meant by "compromise".

          Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning.

          If you remove the CAs from your list of trusted certificates, it would display a warning.

          Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert

          Unless the NSA is forcing the CAs to compromise every single certificate they offer. They may not be, but it would be foolish to assume that they aren't.

  • by veg_all (22581) on Thursday September 05, 2013 @04:06PM (#44769107)

    From Bruce Schneier Here [theguardian.com] and here [wired.com].

    Also a nice call to arms here [theguardian.com].
    "I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."

    • by stenvar (2789879) on Thursday September 05, 2013 @04:32PM (#44769443)

      but the US has proved to be an unethical steward of the internet. The UK is no better

      Any nation would prove to be an unethical steward of the Internet: power tempts and corrupts, whether it's the power to control the Internet, the power to wage war and kill people, the power to mess with the economy, or the power to hand out "benefits" to people.

      The only solution to any of these problems is to rely on decentralized mechanisms that can't be controlled and corrupted by central authorities, and to limit the power of governments as much as possible and to the absolute minimum.

  • by hydrofix (1253498) on Thursday September 05, 2013 @04:07PM (#44769119)
    All articles are missing the crucial details; namely which cryptographic algorithms have been successfully cracked and under which parameters. Guardian writes:

    The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions [...] .

    Yet, the article does claim this:

    "Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

    But they also quote Snowden that:

    "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

    Maybe we still have some hope?

    • perspective (Score:3, Interesting)

      by geekoid (135745)

      the NSA has done over a 100,000,000 million legal searches.
      From all the leaked records, 22,000 are questionable. Those 22,000 lie everywhere between needing a judicial interpretation, to blatant breach.
      The leaks also show NSA's number one whistle blower to the courts is the NSA. They report them and correct them.

      Not to excuse their blatantly illegal searches, but to think the whole system is some corrupt entity that's out to get everyone is simply wrong.
      No evidence supports that at all. we have a lot of hop

    • by Laxori666 (748529) on Thursday September 05, 2013 @04:19PM (#44769281) Homepage
      Could they have just Man-in-the-Middle'd a whole ton of HTTPS connections? If they get certificates signed by the right authorities and have access to backbone routers, can't they just read HTTPS as if it were not even encrypted?
      • by hydrofix (1253498) on Thursday September 05, 2013 @04:31PM (#44769435)

        Yes, but this could show up with tools like SSL Observatory, which has recorded millions of certificates from different web sites as seen by hundreds of thousands of Chrome and Firefox users globally. They would risk eventually exposing themselves, and the CAs who signed those bogus certificates for NSA would get nuked from all browsers, which is the absolute worst thing that can happen to a CA. If they use fake certs and MITM, it would have to be very elusive, and carry a calculated risk of exposure.

    • by DMJC (682799)
      I think it's pretty safe to assume that all Cisco products have been cracked and the NSA has backdoors into all the infrastructure gear.
    • by steelfood (895457) on Thursday September 05, 2013 @04:42PM (#44769533)

      There are literally hundreds of places to attack encrypted communications. The encryption algorithm itself is just one component in a chain that must be and remain secure. The NSA only needs to compromise one part of that chain to compromise the entire system.

      It can be a mathematical breakthrough. It can be an implementation flaw. It can be an implementation flaw of any related--however loosely--system. It can be an embedded individual on one end. It can be a specific external device. It can be a component--however marginal--of a device. It can be a (secret) court order. It can be a xkcd-style baseball bat to the knee to one or both parties. It can be negotiated with one or both parties.

      The founders knew this. They understood that an individual with limited resources had no chance against the government who would have relatively unlimited resources (the government's resources are the country itself, so it really is Person vs. United States), and the only way to prevent, stop, or avoid such a scenario is for the government to check and balance itself. Those checks and balances have (mostly) failed. We as individuals have no recourse.

      There's always hope, but you'd be deluding yourself if you think there's any chance.

  • Trojan (Score:5, Funny)

    by Anonymous Coward on Thursday September 05, 2013 @04:11PM (#44769191)

    So I'm left with the impression that the NSA will add features in return for improved access.

    SELinux comes to mind as a gift from the NSA to the Linux community. A gift with a hidden payload.

    Hmm.... We can call it Trojan Linux. Ribbed for your pleasure. The ultimate in back door penetration.

  • I call bullshit (Score:5, Insightful)

    by JoeyRox (2711699) on Thursday September 05, 2013 @04:23PM (#44769349)
    The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption
    • Re: (Score:3, Informative)

      by Anonymous Coward

      You can make keys longer than that too.... google on how to patch gpg for large keys.

      I personally use a 16384 key for weaker stuff, and a 32768 bit key for more serious things.

      The 4096 bit ceiling was purely for computational speed. Any higher back in the day would take over a day to generate the key. Took my machine 4 hours to make the 16384 key with modern hardware but this is significantly more secure than 4096.

      Protip, you can still work with unpatched clients as long as your key is 16384 or less. You ca

    • Re:I call bullshit (Score:5, Interesting)

      by Rich0 (548339) on Thursday September 05, 2013 @05:07PM (#44769785) Homepage

      The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption

      There is no mathematical proof that 4096-bit PGP keys are secure. You can only say that known algorithms cannot find a key in a practical amount of time on known computational hardware.

      You don't know if an algorithm exists that would allow the keys to be factored in a short period of time. You also don't know if somebody has developed a practical quantum computer - it is already known that one would allow certain encryption systems to be trivially broken.

      For every mathematician publishing articles about cryptography in the public space, there are probably 100 much-better-paid ones publishing articles in internal NSA publications. The NSA is by far the largest employer of mathematicians on earth - and they hire the best and the brightest they can find.

  • Lenovo? (Score:5, Interesting)

    by steelfood (895457) on Thursday September 05, 2013 @04:27PM (#44769389)

    From ProPublica:

    In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

    Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.

    This seems to indicate those people are correct.

  • by Opportunist (166417) on Thursday September 05, 2013 @04:43PM (#44769549)

    By any stretch of the definition it fits the pattern as an organization that has a harmful, if not outright destructive, impact on the stability of the country and its relationships to other countries.

    But probably they already have more than enough dirt on any politician to keep them in line. It's kinda scary if you think about it.

  • Raw document (Score:4, Informative)

    by Rytis (907427) on Thursday September 05, 2013 @05:02PM (#44769739)

    The raw document [theguardian.com] provides some more details but remains not especially explicit.

    "The fact that NSA/CSS has some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies".

    Capabilities are defined here as NSA/CSS ability to exploit a specific technology. This may encompass acquiring and processing plaintext data and/or acquiring, decrypting and processing encrypted data.

  • by m.dillon (147925) on Thursday September 05, 2013 @05:15PM (#44769863) Homepage

    I don't think the NSA has to break actual keys brute-force, but with information leakage it has been shown that data can be sussed-out of an encrypted stream (particularly an interactive one). Given sufficient leakage of known quantities, keys can be broken in much less time.

    As we've seen just recently, even something as innocuous as HTTP compression over a SSL link can result in serious information leakage by anyone monitoring the size of the payloads.

    Encryption streams, in general, require additional random data to be inserted into the stream and for the salt to be continuously modified (i.e. feedback) to remain strong. If one does neither of those things then the information leakage increases to the point where the keys can be broken without spending years of cpu cycles.

    -Matt

  • by Animats (122034) on Thursday September 05, 2013 @05:15PM (#44769867) Homepage

    There are a surprisingly large number of public key generators with weak random number generators:

    And those are the ones we know about.

    For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.

    Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
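One symptom of a key generator with a weak random number generator that can be checked from public keys alone is two RSA moduli sharing a prime factor. The following is an added example, not part of the original post: a batch-GCD audit (product tree and remainder tree) over an inventory of your own moduli, with small constructed numbers standing in for real keys and `shared_factor_indices` as a hypothetical helper name.

```python
# Added example: flag RSA moduli in a key inventory that share a factor with
# another modulus in the same inventory. Moduli used here are tiny constructed
# values; real moduli would be read from certificates or host keys.
from math import gcd, prod


def product_tree(values):
    """Levels of pairwise products: leaves first, the full product last."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree


def shared_factor_indices(moduli):
    """Indices of moduli that have a common factor with some other entry.

    For each modulus n the remainder tree yields P mod n^2, where P is the
    product of all moduli; gcd(n, (P mod n^2) // n) exceeds 1 exactly when n
    shares a factor with the product of the other moduli.
    """
    if len(moduli) < 2:
        return []
    tree = product_tree(moduli)
    remainders = tree.pop()                      # [P]
    while tree:
        level = tree.pop()
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    return [i for i, (n, r) in enumerate(zip(moduli, remainders))
            if gcd(n, r // n) != 1]


# Constructed inventory: entries 0 and 2 reuse the prime 101,
# entries 1 and 4 are the same modulus issued twice.
INVENTORY = [101 * 103, 107 * 109, 101 * 113, 127 * 131, 107 * 109]

if __name__ == "__main__":
    for idx in shared_factor_indices(INVENTORY):
        print(f"modulus #{idx} shares a factor with another key: regenerate it")
```

The function reports only which keys are affected; any flagged key should be regenerated on a host with a properly seeded random number generator.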

  • by whoever57 (658626) on Thursday September 05, 2013 @05:23PM (#44769921) Journal

    The agency's success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans' e-mails or phone calls without a warrant.

    I can see (although I don't necessarily agree with) the argument that we have no expectation of privacy on metadata, but surely there is an expectation of privacy on encrypted data. Surely the fact that the user has encrypted his data (or knows that it will be) provides an expectation of privacy that would invoke a 4th amendment protection.

  • by jacobsm (661831) on Thursday September 05, 2013 @05:43PM (#44770101)

    Now that we know the NSA can intercept and decrypt any message, doesn't it also mean that they can change the message to whatever they want, re-encrypt it, and pull it out in a court of law as evidence?

    If they do, or even if they don't, I can now say they did, and they can't prove they didn't.

  • Stallman warned... (Score:3, Insightful)

    by fredprado (2569351) on Thursday September 05, 2013 @06:03PM (#44770219)
    Richard Stallman warned us about this decades ago. It is incredible how people are still able to dismiss his warnings as more and more of his predictions come into reality.
  • by dweller_below (136040) on Thursday September 05, 2013 @07:28PM (#44770729)
    As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:

    "The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."

    So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.

    If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.

    The other chilling revelation is the names of these programs:

    "The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."

    The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.

    • The NSA must be stripped of its ability to create exploit.
    • The NSA must be stripped of its ability to purchase exploit.

    If we survive as a nation of liberty, the NSA must serve us, not attack us.
