NSA Building US's Biggest Spy Center

New submitter AstroPhilosopher writes "The National Security Agency is building a complex to monitor and store 'all' communications in a million-square-foot facility. One of its secret roles? Code-breaking your private, personal information. Everybody's a target. Quoting Wired: 'Breaking into those complex mathematical shells like the AES is one of the key reasons for the construction going on in Bluffdale. That kind of cryptanalysis requires two major ingredients: super-fast computers to conduct brute-force attacks on encrypted messages and a massive number of those messages for the computers to analyze. The more messages from a given target, the more likely it is for the computers to detect telltale patterns, and Bluffdale will be able to hold a great many messages. "We questioned it one time," says another source, a senior intelligence manager who was also involved with the planning. "Why were we building this NSA facility? And, boy, they rolled out all the old guys—the crypto guys." According to the official, these experts told then-director of national intelligence Dennis Blair, "You’ve got to build this thing because we just don’t have the capability of doing the code-breaking." It was a candid admission.'"

All your secrets belong to us...

[Grog6]

Panopticon this week; Maybe we'll get Skynet by accident?

That might be best for everyone in the long run...

Re:All your secrets belong to us...

[rot26]

Yeah, that's always the problem, innit? I personally wouldn't mind the NSA reading all of my email if it were, in fact, a sort of protector of good. How can any politician EVER control a beast that knows where every skeleton in every closet is and can protect that information behind armed guards and blast-proof doors? It's a deal with the devil if there ever has been one.

Re:All your secrets belong to us...

[Xacid]

Reminds me of this here: http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation

"Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else."

There always seems to be some mysterious upper threshold for most encryption schemes...Wonder why...

USA...we miss you!

In american America, people monitor the government.
In soviet America, the government monitors the people.

Re:USA...we miss you!

[TehZorroness]

Well, here's a word from me at least. Obama can eat a dick. I'm getting so fed up with this gradual transition to full autonomous surveillance. There will be people out in the streets about this when things start getting bad. Soon enough, the schism between reality and the fairy tales they told us about freedom in public school will be too wide even for the American Idol crowd to believe. An interesting time to live. It's just too bad we can't be investing these man-years and resources on attaining sustainability before the Earth becomes a giant radioactive ball of toxic shit inhabited by cannibalistic asshats.

Re:USA...we miss you!

[homer_ca]

That's ok. As long we get to keep our birth control and our gay rights, democracy is safe, right?

Re:USA...we miss you!

[forkfail]

Ah - I love the smell of optimism in the morning!

(Or afternoon, as it happens, but it doesn't quite have the same impact...)

Re:USA...we miss you!

[jmcvetta]

There will be people out in the streets about this when things start getting bad.

Yes, but the drones will take care of them.

a thought

[zlives]

First, I already assumed they were doing this. second, i don't know so just a thought. could you create an encryption method that generates a new encryption key for every new message.

Re:a thought

[klapaucjusz]

could you create an encryption method that generates a new encryption key for every new message.

Yes, modern cryptosystems do that. It's called an Initialisation Vector.

Re:a thought

[adturner]

That's basically what happens today with most protocols like SSL/TLS. For each new connection, the client and server negotiate a new key via public key crypto like RSA. Actually, based on some comments in the article, like needing more "transactions" to help break the encryption, makes me believe the NSA is actually working to break RSA then AES.

Re:a thought

First off, AES isn't public key, it's just usually used in conjunction with public key. The public key portion of the exchange is used to communicate an AES key (the "shared secret") which is then used for communication moving forward. This is because public key encryption is "expensive" by comparison to block cyphers like AES. Secondly, you don't communicate a passphrase with public key. The passphrase that you're used to using is so that keys can be securely stored and someone that gains access to your key file doesn't get access to your key.

You could potentially communicate a new AES key with every message, which would greatly reduce the chances of a bruce force attack being successfully since most rely on the ability to analyze a large number of blocks that use the same key. That said, if you crack one key you do gain access to every key that followed in the chain.

Re:a thought

[zill]

Anyway AES is public key encryption.

AES is a symmetric-key algorithm.

Re:a thought

[wren337]

You're assuming that you're chaining the new AES key into the preceding message. Better to increase the frequency of the PKI handshake and periodically exchange new, clean AES keys.

As for the parent's question about a new key for each message - you could exchange one-time keypads securely and then use a new keypad with each message. Bulky, but guaranteed to be as secure as your exchange and storage mechanisms.

Re:a thought

[CBravo]

You don't build such a large datacenter without a good hint that it will work (out). It means they are on to something. The first question is what exactly are they after: Private keys from SSL certificates, private key of root certificate from certificate authoroties, personal private keys, ... Then the question remains: How do you keep your secret key a secret?

Re:How many bits?

[KhabaLox]

How many bits should we use for encryption now?

More.

Re:How many bits?

[Black+Parrot]

How many bits should we use for encryption now?

If you assume peak computing power is doubling ever n years, they you need one more bit every n years to keep ahead.

And of course, whatever you use now will be breakable in the future, if anyone cares to save your messages until computing catches up.

NSA history and modern crypto's impact upon it

The whole we-can't-break-codes-anymore story is told in

http://www.amazon.com/Coded-Messages-Hoodwink-Congress-People/dp/0875868142/ref=sr_1_1?ie=UTF8&qid=1331918025&sr=8-1

Coded Messages: How the CIA and the NSA Hoodwink Congress and the People

by Nelson McAvoy, former NSA person, who claims to have been at the early meetings from when the NSA was formed.

Re:How many bits?

[Beardo+the+Bearded]

Use no encryption and have a sig like mine. Eventually someone gets bored of reading every mundane post and email and puts you on an "ignore" filter.

Re:How many bits?

[SuricouRaven]

I think at this point it isn't about the number of bits, it's about luck, implimentation issues and the search for user error. Doesn't matter how many bits you use if they can sneak a copy of your laptop hard drive and find the key somewhere in swap space, or if your 8192-bit key is derived from a passphrase that's only ten alphanumeric characters, or if they can pull off an effective MITM attack on an SSL by threatening/bribing/asking a trusted certification authority to sign their cert.

Re:Brute force....

[Black+Parrot]

...seems appropriate as a term for how the US government takes its stance towards the rest of the world. Even although broke. How long, yet ?

We're not broke, just bleeding.

All the hand-wringing is because certain politicians are upset that we're not spending all of it on the haves.

A secret role

[K.+S.+Kyosuke]

One of its secret roles? Code-breaking your private, personal information. Everybody's a target.

Gee, if that is a secret, I promise not to tell anyone. Anyone joining me on that? Just hope that no one will read this article who doesn't already know, that would kind of spoil it.

Re:Wow!

[Black+Parrot]

First post, never got that before.

You must be using the new FTL neutrino submission system.

Intelligence pays for itself

[betterunixthanunix]

We use our signals intelligence capability to pass the trade secrets of foreign companies on to our own domestic companies; there is plenty of money to be made from being able to decrypt messages that the NSA intercepts.

Re:Intelligence pays for itself

You're Chinese?

Re:Intelligence pays for itself

[digitig]

Or French, or American.

Re:Intelligence pays for itself

[Ghostworks]

The cited section basically talks about widespread French spying on American companies, and then claiming it was all a big conspiracy to make the French look bad once it came to light.

The fact remains that even if the U.S. government were willing to steal information and share it with American companies -- and this is pretty unlikely given that the U.S. doesn't have the sort of cozy, formal overlap of public and private sectors that France, China, or even Great Britain have -- most other countries haven't had anything we want. You have to go back to 1793 Pawtucket to find a good example of the U.S. gaining an edge through industrial espionage.

Don't get me wrong, the U.S. government has shown it's willing to co-op private technology for its own ends. (For example, when it co-opted the patent for Phillip French's Crater Coupler and then used that state secrets privilege to get the dispute tossed out of court.) They just haven't been shown to help private U.S. firms with any of it, or to do it specifically to improve the competitive advantage of a U.S. company.

Re:Intelligence pays for itself

[digitig]

and this is pretty unlikely given that the U.S. doesn't have the sort of cozy, formal overlap of public and private sectors that France, China, or even Great Britain have

That would be why there's never been any suggestion at all of US commercial interests influencing foreign policy, then.

Re:Intelligence pays for itself

[spook+brat]

and this is pretty unlikely given that the U.S. doesn't have the sort of cozy, formal overlap of public and private sectors that France, China, or even Great Britain have

That would be why there's never been any suggestion at all of US commercial interests influencing foreign policy, then.

There's a difference between those two cases, which may seem small to you on a practical basis, but is significant from a policy standpoint.

You correctly point out that companies like Halliburton actively lobby the legislature and executive branch to do things like lower taxes on the oil & gas industry or re-authorize the U.S. Export-Import bank. The company's political contributions can be interpreted as bribes, with consequent improper influence over U.S. policy. I agree that's at best questionable, and at worst just plain corrupt. You're probably also aware of problems like regulatory capture, or you wouldn't have made the comment you did.

The French take this to a whole different level, though. Corporate security groups recognize the French National Intelligence services as active threats. In other words, Schlumberger (French competitor to Halliburton for global oilfield services) doesn't need to ask the French equivalent of the CIA to spy on Halliburton, the French spies do it proactively. The French government thinks it's their patriotic duty to help French companies get ahead on the global stage by committing national intelligence resources to corporate espionage. In the U.S.A. that sort of action by agents of the U.S. government on behalf of U.S. industry is illegal (even if the action took place off of U.S. soil).

I don't know where you're from. You may feel that there's nothing wrong with French spies working to help their National industries. You may feel that corporate political contributions are a greater evil than corporate espionage on a national level. As an American, though, I feel that the possibility that individual politicians can be corrupted by corporate bribes is much easier to accept than a national policy of working directly for corporate interests. YMMV.

What am I missing?

[Fnkmaster]

My understanding is that the best known general cryptanalytic attacks on AES are only marginally better than brute-force. Even AES-128 is essentially unbreakable under any known attacks then, since brute forcing a single AES-128 password is so far beyond feasibility, it's absurd. My understanding is that the best known attacks on AES are side-channel attacks, which require only modest computational resources, but need access to the encrypting machine, and related-key attacks that are only effective for certain small classes of keys.

So we can then assume that NSA has a general attack on AES that makes it many, many orders of magnitude easier to break than the best known published attacks? Or is this more likely to be disinformation spread to make people *think* that AES is broken by NSA? My understanding was that NSA is generally somewhat but not extremely far beyond the academic state of the art these days.

And there have been several reports of FBI and other federal agencies being unable to recover AES-256 encrypted hard drives. So if NSA has the capability to do so even for small numbers of keys using existing computing power, they obviously keep it incredibly restricted and under wraps.

So... this is BS by somebody, right? Either congress is getting BSed into funding stuff that won't do what they're being told it will do, or the public is getting BSed into believing that using encryption is pointless because NSA can real-time decrypt anything, so just don't bother, mmm'kay?

Re:What am I missing?

[dkleinsc]

My understanding is that the best known general cryptanalytic attacks on AES are only marginally better than brute-force

... known outside the NSA. If they have something that would break AES easily, they probably keep it safely classified.

Re:What am I missing?

[betterunixthanunix]

My understanding is that the best publicly known general cryptanalytic attacks on AES are only marginally better than brute-force

That is what you are missing.

So we can then assume that NSA has a general attack on AES that makes it many, many orders of magnitude easier to break than the best known published attacks? Or is this more likely to be disinformation spread to make people *think* that AES is broken by NSA? My understanding was that NSA is generally somewhat but not extremely far beyond the academic state of the art these days.

How would we even know? The NSA will always have an advantage over public research: they have access to all the public research, as well as classified expertise.

Re:What am I missing?

[TheGratefulNet]

Either congress is getting BSed into funding stuff that won't do what they're being told it will do

"star wars". lasers and shooting bad guys down. hey, idiots in 'elected office' can understand simple things like that. here, take my money!

same here: big supercomputers that cost money, staff to run it and fat budgets to keep it going. wet dreams, no? who would NOT want that? and its an easy sell. the world is filled with terr-a-wrists and we need lots and lots of big blinkinlight computers to keep us save.

here, take my money. how much do you need?

(puke)

Re:What am I missing?

[TheGratefulNet]

"keep us save".

sigh. OT: I really do know the difference between 'safe' and 'save'. so why did I type 'save' on that post? I don't know,;but I'm not alone in this problem and I see lots of people type one thing when they were thinking another. its a real problem. brain rate != finger rate? lost sync in the clock and data streams? something like that.

Re:What am I missing?

[Dan1701]

Even if they do have such a tool, it is still effectively useless. By analogy, during World War 2 the allies had broken the German ENIGMA codes, yet had to work very hard to pretend that the code was still secure, to prevent the Germans copping wise to the fact that their codes were useless and devising something better. The same applies here: if the NSA have broken AES, then they cannot use this hack for anything save national security, and must also work hard to prevent the merest suspicion of the hack getting out.

The best thing we could do would be to club together to fund a bounty for information on how to break AES without using brute-force computing, so that we'd know if it could not be trusted (we already know that no government can be trusted to act other than as a self-interested parasite).

encrypted message for the NSA

[lemur3]

uckfay offway ationalnay ecuritysay agencyway

Re:How many bits?

[TheGratefulNet]

and even better: send false positives to waste their time.

perhaps the crypto protocols need enhancing to allow fake bullshit messages that can't easily be told from real crypto stuff.

ie, DOS them.

I know, they have lots of power but it IS a war. war on our privacy and its so blatant now, they don't even try to hide their break-in attempts to us, anymore.

the ONLY reason encryption was allowed in the first place was for banking and online 'business'. if there was not this use-case, we would be disallowed encryption entirely.

Re:Notice how the "crypto guys" are the "old guys"

[TheGratefulNet]

WHO would work for them, I ask you?

decades ago, the people didn't view their government quite the way they do today. some patriotism did exist and people wanted to help their government. *generally*.

today we all see how invasive and evil our government has become. totally 100% lost its way. almost anything it does, it does badly and hurts people, long and short run.

if I was offered a job for the so-called white hats (which I now see as black hats) I'd turn it down. I would not be able to live with myself knowing I'm helping an evil force become more evil and more forceful.

I do realize a lot of people can easily shelve their ethics and see money-making jobs as separate. but I wonder how many people still believe that if they join the government or gov-sponsored jobs, that they are really HELPING things?

too many black marks on the government. working for them could be as bad as working for the old mafias. the people that they do get, I would not trust. they are whores.

One Time DVD or SD anyone?

[Gim+Tom]

The one time pad could make a comeback in the form of a one time DVD's or maybe even SD or Micro SD chips. I know, it is not scalable due to the problem of distribution. It is also symmetric in that the same "key" encrypts and decrypts, but it is also immune to brute force since your one time key is equal to or longer than the message length. An interesting variation might be to use an image file that is very long, but completely innocent as a pseudo random key and only have two copies of that exact image. The former Soviet Union used a one time cypher for all of their clandestine agent communications.

Re:One Time DVD or SD anyone?

[Maximum+Prophet]

Everyone used one time pad for all of their clandestine agent communications. OTP, it's the only way to be sure.

See http://en.wikipedia.org/wiki/Number_stations

Using an image has problems in that they are not random, so are subject to analysis. If you stripped the headers, and used an "image" of captured static, it might be good enough, but almost anything organic like a photo of a tree, will have patterns in it.

Who's going to work there?

[jfengel]

The NSA is located in Maryland. At the end of the shift, traffic is bad enough between there and Columbia to block up the Interstates. That includes not just the cryptoanalysts, but the vast support staff: IT, cafeteria workers, security, human resources, etc etc etc.

Who's in Bluffdale? Where is all that support staff going to come from, and what are they going to do with the rest of their lives? Although the NSA is on a military base, a lot of the work is done by civilians, and you can't just order them into the middle of nowhere the way you can with soldiers.

Re:Who's going to work there?

[decsnake]

who's going to be in bluffdale? almost nobody. Security, facility maintenance, remote hands and thats about it. The rest of the folks will be in your way on Rt 32 on their way home from work. Srsly, they are building office buildings where the Ft. Meade golf course used to be. Who do you think is going to be working in those?

Re:Who's going to work there?

[trolman]

The primary problem in Maryland is power. There is not enough generation/transmission available. So the big data centers are being built where free cooling and cheap power can be found.

Re:Who's going to work there?

[PerfectionLost]

Yea my impression was, "We need a lot of space for computers to brute force break your encryption, and a million square feet gives us room to expand."

Re:Who's going to work there?

[AHuxley]

Salt lake city was selected for a very good reason. The people are loyal, pro USA and want good jobs. Their families can be traced back generations and can be interviewed - that is most important.
They do not want new Americans, "dual" citizens with dreams of distant issues, people with no real pasts.
The other issue is power supply, cooling, room to expand and optical loops in the heart of the USA.

Let the paranoid run loose!

[Relayman]

Code-breaking your private, personal information. Everybody's a target.

To target everyone would be a total waste of resources. I would spend as much money figuring out who to target as I would decrypting anything send by that target.

It's like saying, "We're going to mine the whole state of California to find the gold there."

Re:Let the paranoid run loose!

[deapbluesea]

To target everyone would be a total waste of resources

Not to mention unconstitutional and illegal Oh wait, Obama's continuing the Bush policy? Never mind. Totally different then.

Re:Does Anyone Have Lat/Long Numbers?

[KermodeBear]

I know that you're probably trying to be funny, but in this case discretion may be a better idea.

Re:Notice how the "crypto guys" are the "old guys"

[PerfectionLost]

Mostly mathematicians. Where I went to college, after finishing undergrad you either went on to grad school, or you went and worked for the NSA. One of my friends who went to grad school to study abstract mathematics (as well as some encryption) said you could always tell the NSA people from the academics because they had no name tags on.

Re:How many bits?

[mhajicek]

How many bits should we use for encryption now?

All of them.

A tribute

[careysb]

A tribute to "Person of Interest". The Machine.

Re:Notice how the "crypto guys" are the "old guys"

[slew]

I wonder if that sentence says more than they intended it to. Could it be that the skills of the NSA people are eroding just like the skills at CIA did? I knew that CIA was in trouble - tradecraft-wise - when a COS let an asset into their HQ and he blew half the station to kingdom come. No one would have done that in the old days. Maybe NSA is having the same problem.

Crypto-guys are the "old guys" from a tradecraft point of view. AFAIK, in the NSA, many of the old-guys are involved with developing clever new internal ciphers (so-called classified "suite-A" algorithms). Since many of the "bad-guys" aren't nation states with heavy duty crypto development capablities, they often are using off the shelf stuff like AES/ECDSA (members of the "suite-B" algorithms). Until someone discovers a huge gaping hole backdoor, breaking these "suite-B" algorithms benefit from mostly from brute force (even if you know a few clever tricks that others do not which chops things down an order of magnitude or two). This is pretty much an admission that there is no huge gaping back door in these suite-B algorithms, not that any crypto-tradecraft capability was in trouble.

I find it oddly somewhat comforting that the we have "old-guys" that realize that sometimes the best thing to do is to throw this problem at a box of computers and spend their time on other pursuits. Who knows, this facility might be dedicated to cranking on some clever cracking algorithm that is unknown to the public, all we know it it takes lots of OPS. Isn't surpising to me that cracking these algorithms are hard. As a historical data point, DES was apparently hard for even the NSA to crack so they deliberatly limited the DES key size from the original 64-bits, to the final 56-bit (although the NSA apparently lobbied for a mere 48-bits).

It's unlikely the real target is breaking codes

[mbkennel]

I actually doubt that they are most interested in brute-force codebreaking through the front door except in a few rare situations.

Most of the time, it's massive traffic analysis: searching and analyzing a titanic, dynamically changing graph, nodes are IP addresses and phone numbers of the planet.

Once they find a 'target of interest', then they would usually ask the FBI or other authority just to put a tap on a specific line, or if necessary break in and install a trojan on the target's phone or computer, avoiding front-door code-bashing, which isn't generally feasible in large scale any more.

There are companies (e.g. http://www.conveycomputer.com/) which make highly parallel co-processors from FPGA's which give user-definable vectorized instructions on enormous memory bandwidth.

This is just the thing for the NSA.

Re:How many bits?

[TheTrueScotsman]

There's no way they can crack AES-128 unless there's a hole in the algorithm or they have quantum computing.

Current best practices are:

1) AES-128 to AES-256 for symmetric keys (although AES-256 has its own problems which can sometimes collapse it to AES-128 - these are ameloriated by increasing the key rounds)

2) 2048-bit to 4092-bit for RSA keys (2048 may be breakable by 2030 with conventional computing, 4092-bit will take much longer).

If quantum computing becomes feasible then AES keys will effectively halve in complexity (i.e. AES-128 goes to 64-bit, AES-256 goes to AES-128) and RSA and DSA keys will be useless.

Re:How many bits?

[GameboyRMH]

Don't forget there are commercially available quantum computers already, it's safe to say the NSA is already somewhat ahead of that, and they're on the bleeding edge of cryptography research. I've already phased out AES-128 and RSA-2048 from my systems just because I can.

Re:How many bits?

[GameboyRMH]

Yeah but I'm still using the Gmail address I signed up to in the early days, so the NSA's code-breaking capability is the least of my problems right now.

Re:How many bits?

[TheRaven64]

A rainbow table for every 256-bit key, using one atom per key, will just about fit in the universe. A rainbow table using one atom for every 266-bit key using one atom per key will be bigger than the universe. Calculating it will probably take a long time, even if you do have a big enough hard disk...

Re:How many bits?

[CBravo]

That would be 640kB

Re:How many bits?

[RoknrolZombie]

If you believe that then I think you vastly underestimate how willing the US Government is to pay someone to spend months or years poring over the same BS until they find something interesting. They have entire departments devoted to it.

Hiding secrets from the future with math.

[Tackhead]

The former Soviets got caught re-using their one time pads after a year.

"Best of all, your secret: nothing extant could extract it.
By 2025 a children's Speak-and-Spell could crack it.

They were thinking, who would store the eTexts for that long, since OTP is unbreakable?

You can't hide secrets from the future with math.
You can try, but I bet that in the future they laugh,
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past."

- MC Frontalot, Secrets from the Future

Secrets cost money. How long do you need to keep them? Today we believe - with good reason - that most cryptographic protocols are secure. Bue even if that's true (and there's no guarantee), why not hoover up the data while it's available and wait for your opponent to slip up, or your mathematicians (or computer engineers) to make a breakthrough, whichever comes first?

Re:How many bits?

[JesseMcDonald]

At most you need one (symmetric) key bit for every bit in every message you plan to send using that key. That effectively turns it into a one-time pad, which cannot be broken through brute force—there is a valid key for every possible cleartext of that length. (Be sure to pad the message!)

Which cannot be GUARANTEED to be broken within a certain time through brute force, you mean.

No, I meant exactly what I said. If you try to brute-force a one-time pad you end up with all possible cleartexts, and no idea which one of them was the actual message. Basically, a brute-force search is pointless because you have no idea what you're searching for—no way to recognize the correct key.

The simplest way to implement a one-time pad digitally is a basic XOR operation. You have a private key K and a message M, both X bits long, and the ciphertext C = XOR(M, K). Decrypting is symmetric, M = XOR(C, K). Obviously both the sender and receiver need a copy of the private key; arranging for that is the hard part, and the reason one-time pads aren't more common.

The thing is, for any other message M' (also X bits long) there is a key K' where M' = XOR(C, K'). So was the message "THEBODYISUNDERTHECHURCH" or "PRESIDENTNIXONWASFRAMED"? A brute-force search would give you both of these messages, and many others besides. Without prior knowledge of the real key, there's no way to be sure which was sent. In practice the message would be padded with random bits, so you can't even be sure of the length (though you do know it isn't longer than the ciphertext).