Slashdot Mirror


What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org)

"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report: Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."

11 of 202 comments

  1. Re:Truecrypt.. by Anonymous Coward · · Score: 3, Interesting

    If you look in the Wikidump you can see plain as day that NSA owned TrueCrypt, and it was backdoored the entire time using obfuscated code (written by a former obfuscated C-code contest winner - and of course we now know that the contest has been an NSA activity also since day 1).

    What shut down TrueCrypt was that someone found the code and reported it and the NSA immediately scuttled the project.

  2. We knew that by 110010001000 · · Score: 4, Interesting

    We knew that strong encryption works, because "math and stuff" that lawyers never learned. The point is that the mega companies are WILLINGLY giving your data away to anyone that pays. They provide an unencrypted endpoint to your data, so encryption of data in transit doesn't matter. We are much worse off than we were four years ago, and the cloud is going to make it worse(er).

  3. Re:You piss off by Dog-Cow · · Score: 2, Interesting

    Given that IME is for system administrators, the good admins already know about it. The bad ones don't care. So posting this drivel only proves your stupidity and general asshole-ishness.

  4. Re:False assumption by gnasher719 · · Score: 5, Interesting

    The point is, getting around encryption is too costly to do it on a mass scale, so they can only really do it for the small portion of targets judged worth it.

    As an example, when you use https some secret code is negotiated between you and the server. There are some random numbers that should be used in the process, and apparently lots of servers use the same random numbers and don't change them. As a result, about 10% of all https at some point used the same random numbers.

    In this particular case, there is an unconfirmed rumour that the NSA with an investment > $100 million managed to "crack" this one random number so that any https using one of those servers becomes crackable. That's $100 million, and that investment can be wiped out in a second by using a different random number. That gives you an idea of the cost of breaking encryption.

  5. Re:Truecrypt.. by Anonymous Coward · · Score: 5, Interesting

    There is literally no evidence to support any of what you claim. Please cite 1) Where it's plain as day the NSA owned it 2) Any evidence of a backdoor, especially given that we have the source code and people have compiled that source to match the published binaries 3) Who wrote it including when they won an obfuscated C contest

    Stop spreading your infowars-esque conspiracy theory bullshit, people are liable to think you know what you are talking about.

  6. One broken, forever broken by coofercat · · Score: 4, Interesting

    The other thing evident by omission is that (say) the CIA gets a warrant to hack into your TV. They'll start collecting data, but will they 'unhack' your TV when they're done? Not much to suggest they do, so your TV stays hacked, even though you're not a suspect in some new case they're working on.

  7. Re:Sigh. by jittles · · Score: 5, Interesting

    I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

    There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Ed25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

    One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

  8. Re:No it doesn't by bsDaemon · · Score: 3, Interesting

    I couldn't agree more. However, a lot of security technologies and methodologies seem to be predicated on the assumption that both terminals in a communication remain uncompromised or, in some (older, more troubling models), the assumption that by connecting two untrusted peers together over a trusted channel that the peers somehow inherit a general trust property, rather than just the trust implicit in authentication between endpoints.

    That said, most of the public discussion seems to go like this: either a), "crypto is great and as long as we use crypto, we're totally secure!" -- ignoring the fact that one compromised endpoint compromises the confidentiality of the channel, or b) "z0mg!! the endpoints can be compromised, so what good is encryption!? Signal is defeated!!", which is equally absurd.

    People freak out about the ability of the CIA to conduct targeted operations because it is in the news, and people are bad at risk estimation and therefore threat modeling, especially if they aren't security professionals (i.e., most people). The CIA isn't necessarily in my threat model. However, mass surveillance is, because I'm part of the masses. Targeted actions by non-US foreign intelligence services have been, due to employment. So has industrial espionage, criminal hacking, and hacktivism. One can assume, however, that any non-US threat actors have at least the same level of sophistication for targeted endpoint compromise, even if they don't have the sophistication to suck all the comms out of the air.

    So, absolutely defense in depth. But part of that is recognizing that if I put two untrusted endpoints together with a trusted channel, I don't magically get two trusted systems. I get two suspect systems that are able to exchange messages of dubious quality over an overt channel that is less susceptible to passive attack.

  9. Re:Sigh. by swillden · · Score: 4, Interesting

    I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

    There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Ed25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

    One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

    The NSA changed the DES S boxes to make them resistant to differential cryptanalysis, but it also shortened the key length. Had DES been standardized with IBM's original 128-bit key length (but with fixed S boxes), it would still be quite secure. So the NSA's role in DES was a mixed bag. They fixed a non-obvious flaw while introducing an obvious weakness (short keys) that would enable practical attacks in the future. The short key weakness wasn't what anyone could call a "back door", though, since it was obvious to everyone.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  10. Re:No it doesn't by Freischutz · · Score: 3, Interesting

    Exactly. Most of the surveillance is done by tapping one of the endpoints. All your "cloud" data (email, voice, whatever) is unencrypted on the server side and there is API access. On the client side, security is horribly broken because the client side software keeps changing and every change introduces new holes.

    No, most of the surveillance was done by tapping the largely unencrypted data being sent over the internet backbone and warehousing it. The resulting database could then be data mined at the NSA/FBI/CIA's leisure. Once your data is encrypted they can't easily do that anymore because it isn't as simple anymore. Previously all they had to do was just sit there, watch a system management console while they warehoused insane amounts of unencrypted data and could implement deep intercepts of somebody's entire unencrypted communications with a few mouse clicks in a web interface. With encryption they now have to seek out one or both parties in an encrypted data exchange and hack their computers which is a whole lot more hassle while wholesale warehousing and data mining of internet, voice and video traffic (the wet dream of the NSA/CIA/FBI and the politicians) is out of the question unless they can decrypt the vast majority of encrypted communications on the fly. I've heard figures of up to 20% of some HTTPS traffic being decryptable in bulk by the NSA because of encryption weaknesses but I'm having real trouble believing they'll be able to decrypt 90-100% of all encrypted traffic on the fly and warehouse it any time soon however much they'd like to.

  11. Encryption lessons from CIA and NSA leaks. by dweller_below · · Score: 3, Interesting

    The CIA and the NSA leaks teach us several important lessons. They include:

    • The Intelligence communities are much better at creating problems than fixing them. They can easily destroy individuals, communities, governments and trust. They don't create anything of lasting value. Nor do they clean up the messes that they create.
    • Secrecy really REALLY isn't security. Secrecy creates and maintains private agendas. Secrecy creates and fosters waste. Secrecy destroys trust. Secrecy interferes with almost all aspects of security and good governance.
    • A large, complex intelligence organization can't keep secrets. They can't keep secrets from hostile governments. They can't keep secrets from organized crime.
    • Finally, we have learned that cryptanalysis can be surprisingly effective, but a full frontal assault on an encryption algorithm is the hardest way to break a crypto-system. There are many easier ways to break or bypass crypto.

    There is a huge gap between crypto theory (https://www.cs.princeton.edu/~felten/encryption_primer.pdf) and expressed and implemented crypto reality. This gap provides many opportunities for anybody who wishes to favor attack over defense.

    Traffic Analysis/meta data collection provides cheap, effective attack against virtually all current communication channels. Once you know who, when, where, how, and approximately what they are saying, you usually don't need to break their crypto.

    The easiest way to weaken crypto implementation is to simply withdraw support for updates and improvements. Good crypto is hard. Defense is expensive. Without constant support, defenses fail. If you wish to weaken crypto defenses, it is usually sufficient to withhold support for good standards and good processes, and fail to eliminate mistakes.

    The next most cost effective ways to weaken crypto implementation are to focus on degrading or hindering:

    1) Transparency and disclosure;
    2) Purchasing standards;
    3) Vetting or approval standards;
    4) Programming environments and standards.
    5) Crypto standard processes;
    6) Crypto implementation projects;
    7) And crypto standards;

    Good crypto implementations are almost indistinguishable from bad crypto implementations. The market will cheerfully purchase poor crypto if it is available, cheap, and the consequences are not immediate.

    If an attacker ever needs to access info that is protected by a robust crypto implementation, it is usually faster and cheaper to subvert its surrounding environment, people, hardware or software.

    Reform of the Intelligence agencies should begin by greatly reducing their budget. Currently, they are huge, bloated, unmanageable monsters. They twist government to their whim. They distort the civilian economy. They cause massive incidental damage. A slim, tightly focused agency can be more carefully controlled and managed. A small, efficient CIA or NSA would achieve almost all of OUR important goals with a tiny fraction of the collateral damage.