NSA Foils Much Internet Encryption
An anonymous reader writes "The New York Times is reporting that the NSA 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.
From Bruce Schneier: here and here.
Also a nice call to arms here.
"I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."
grammar-lesson free since 1999. (rescinded - 2005)
The claim is VPNs and SSL... so either a break in RSA or AES; either way SSH would be covered. But there are so few details in the story that it's hard to know how technically competent the staff who reviewed the documents were, and therefore how serious the threat is.
I wonder if their list includes SSH
OpenSSL came from SSLeay, which was created outside of the US specifically for this reason.
It's not a technical attack in the first round;
The long, strong arm of the NSA
July 27, 1998
Web posted at: 4:15 PM EDT
http://edition.cnn.com/TECH/computing/9807/27/security.idg/
[..]
It's gotten to the point where no vendor hip to the NSA's power will even start building products without checking in with Fort Meade first. This includes even that supposed ruler of the software universe, Microsoft Corp. "It's inevitable that you design products with specific [encryption] algorithms and key lengths in mind," said Ira Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a "filter" between the NSA and Microsoft's design teams in Redmond, Wash. "Any time that you're developing a new product, you will be working closely with the NSA," he noted.
[..]
Clearly wary of granting the government supervision over its products, Microsoft has stubbornly refused to submit a data-recovery plan, even though the Redmond giant already includes a data-recovery feature in its Exchange Server.
"The Exchange Server can only be used when this feature is present," Rubenstein said. "Because we haven't filed a product plan, it's harder for us to export this than for companies that have filed plans."
[..]
No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site. Then, they can freely MITM that site. SSL is Swiss cheese as security goes, because certs are automatically trusted if signed by a CA, are never stored, and their designated requirements are never checked when determining whether a new key should be trusted or not. In short, SSL is a train wreck.
Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning. Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert. By contrast, a CA-signed cert makes it much harder to perform a MITM attack the first time a user goes to your site, effectively limiting such attacks to those who can convince a CA to give them a cert for your site. Guess which is more likely.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Unless you exchange private keys offline, manually, preferably not using any temporary electronic storage means, the NSA has your keys.
Um, you never exchange private keys; you only share public keys.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered.
You do not need to break RSA or AES to break a lot of VPNs. I.e. if you use aggressive mode IKEv1 PSK (typically plus XAUTH, but that does not actually help), the shared private key can be recovered by offline attacks. NSA supercomputers should have no problem handling most keys. Alternatively, if certificates are used, many organizations buy premade certificates including secret keys instead of going through the trouble of generating their own secret keys. That means the NSA only has to compromise the few certificate vendors.
And this is just the passive attacks the NSA can do. If they actively interfere, they can use downgrade attacks or (for HTTPS) the various TLS vulnerabilities or use proper fake vendor certificates or all sorts of other mischief. That is harder to pull off unnoticed of course.
Very little equipment supports IKEv1 with "raw" RSA keys (no certificates), even though that takes the whole PKI problem away and avoids aggressive mode. I'm only aware of (free|open|libre|strong)SWAN and RouterOS. IKEv2 is almost non-existent, and what little equipment supports it tends to only support the equivalent of IKEv1 main mode with PSK or certificates -- precisely the areas where IKEv1 is already good enough.
For those of us who use proprietary encryption acceleration: how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).
Finally! A year of moderation! Ready for 2019?
Certificate authorities never see private keys so you are dead wrong about that. What's more, even if a rogue CA was minting bad certs on the fly to attest that the NSA was really foobar.com, that would have been noticed. Remember that secrecy is something they value insanely highly. They wouldn't ever do something so easily noticed and the articles do not imply any kind of CA compromise.
In fact, if you read all the stories (they overlap largely but not entirely) you can get a vague picture of what's going on. Firstly, they record all encrypted traffic in case they can decrypt it later. Secondly, they have a database of public to private keys, populated via any means they can. Thirdly, they obtain keys in lots of ways (hacking, subversion, bogus court orders, brute forcing old/weak keys etc.) but they don't seem to have a magical solution to all strong crypto. The closest that the leaks come to this is discussion of some amazing cryptanalytic breakthrough, which could possibly mean they're able to break some kinds of RSA? Perhaps they're ahead of Joux et al. by some years?
Regardless, what it is, it can't be a solution to all crypto, because these governments apparently asked the newspapers not to publish on the grounds that people might switch to stronger systems that worked.
The raw document provides some more details but remains not especially explicit.
"The fact that NSA/CSS has some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies".
Capabilities are defined here as NSA/CSS ability to exploit a specific technology. This may encompass acquiring and processing plaintext data and/or acquiring, decrypting and processing encrypted data.
Bruce Schneier should be technically competent enough for you, see his articles today at the Guardian.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
From the article it sounds like the NSA has compromised most commercial VPN software (and is working on the rest) with backdoors, etc.
Do you use commercial (non open source) VPN software? If so, it doesn't matter that your keys are secure.
I don't read your sig. Why are you reading mine?
To be 1000% clear... all a CA does is sign keys generated by others. They never see the private server key(s). Having the CA signing certificates doesn't give you the magic ability to decode a site's traffic; it only allows you to pretend to be that site. (assuming you can get the users traffic to come to, or through, you. and that other steps (fingerprint validation, serial number checking, etc.) aren't being used.)
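Two claims in this thread can be checked directly against the standard library: the earlier comment that a key-change (anti-MITM) detector warns on a changed server key whether or not a CA signed it, and the comment above that a CA only ever signs a key someone else generated and never sees the private half. The Go program below is an added example, not code from the thread or from any product or vendor mentioned in it; the CA name, the host name example.com, the serial numbers and the PinStore type are constructed for the illustration. It builds a small CA, issues two certificates for the same host with different keys (the signing call takes only the subject's public key), shows that a chain-only check accepts both, and shows that a trust-on-first-use pin on the SubjectPublicKeyInfo hash flags the second one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo, the field a key-change detector
// compares. Who signed the certificate is deliberately ignored here.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinStore is a trust-on-first-use record of host -> pin (constructed type).
type PinStore map[string]string

// Check records the pin on first contact; afterwards it reports whether the
// presented key matches the recorded one.
func (p PinStore) Check(host string, cert *x509.Certificate) (match, first bool) {
	pin := spkiPin(cert)
	if old, seen := p[host]; seen {
		return old == pin, false
	}
	p[host] = pin
	return true, true
}

// newCA creates a self-signed CA for the example.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf is the CA's signing step. The subject contributes only its
// *public* key; the CA signs with its own private key. The subject's private
// key never appears here, so signing gives the CA no way to read traffic.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainOK is the browser's default check: does the leaf chain to a trusted
// root for this host name? It says nothing about whether the key changed.
func chainOK(leaf, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario holds what each kind of check says about the two certificates.
type Scenario struct {
	LegitChainOK, SecondChainOK   bool // chain-only check, both certs
	LegitPinOK, SecondKeyFlagged bool // TOFU pin check, both certs
}

// RunScenario issues a legitimate cert and a second CA-signed cert for the
// same host with a different key, then runs both checks on each.
func RunScenario() (Scenario, error) {
	var s Scenario
	ca, caKey, err := newCA()
	if err != nil {
		return s, err
	}
	const host = "example.com"
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	legit, err := issueLeaf(ca, caKey, host, 2, &siteKey.PublicKey)
	if err != nil {
		return s, err
	}
	second, err := issueLeaf(ca, caKey, host, 3, &otherKey.PublicKey)
	if err != nil {
		return s, err
	}
	s.LegitChainOK = chainOK(legit, ca, host)
	s.SecondChainOK = chainOK(second, ca, host)
	pins := PinStore{}
	s.LegitPinOK, _ = pins.Check(host, legit) // first contact: pin recorded
	match, _ := pins.Check(host, second)      // same host, different key
	s.SecondKeyFlagged = !match
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The expected outcome is that both certificates pass the chain check while only the pin check flags the second one, which is the behaviour the thread describes: a CA signature establishes that some CA vouched for the name, and a pin establishes that the key is the one seen before. Real pinning deployments keep a backup pin for planned key rotation so that a legitimate rollover is not reported as an attack.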
I'd like us to continue treating encryption as weapons and regulate its export accordingly. Unfortunately, it is not really possible — any enemy worth the designation would be able to get it anyway, because moving an algorithm is much easier than a gun. And, unlike guns, you only need to move an algorithm once.
I wish I had sufficient confidence in my own government to be able to sincerely pick charity... Unfortunately, I do not. If the President can already ask the IRS to hurt opposition's finances, what's to prevent him from asking the NSA to look into the opposition's e-mails? The sort of thing, that got Nixon to resign is barely an issue with today's Americans...
However, according to an earlier article about Snowden's interaction with journalist(s), PGP (with sufficiently large keys) is still unbreakable even to the NSA — at least, as far as Snowden was aware:
So that's, what a particularly private person should be using for all of his communications...
In Soviet Washington the swamp drains you.
Though I sympathize with the gist of your position, I must question this particular argument:
Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?
You would make it much, much easier to "subdue the electoral process". If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition. You and your cohorts get re-elected. Rinse and repeat, and eventually nobody dares form an opposition party, much less support one. If anybody says or does anything that remotely sounds like rebellion, you kill them too. Your party stays in power indefinitely; the only things that might end your reign are a split in your party, or killing off so many people that there are not enough people left to work and your economy collapses.