What The CIA WikiLeaks Dump Tells Us: Encryption Works

"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report: Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."

When can we expect a ban?

[Evtim]

Now the powers to be really have an incentive to outlaw encryption. Great!

Re:When can we expect a ban?

[bartjan]

The CIA is supposed to spy on foreign subjects. How will the US manage to ban encryption for foreigners?
Banning the export of encryption already has been tried, and we see how effective that was.

"if the U.S. government"

[Nutria]

This is what really pisses me off: the unstated assertion that *only* the US gubmint has these techniques.

No it doesn't

[TheRaven64]

The leaks tell us that encryption only works if the endpoints are secure, which they are not.

Re:No it doesn't

[AmiMoJo]

Security is more about defence in depth than worrying about one compromised endpoint. Encryption makes bulk interception not work, they have to expend far more effort going after the endpoints if they want to listen in. Going after endpoints is not without risk - all the really good zero day exploits are too valuable to waste on the little guys.

Sigh.

[ledow]

Not surprising, really, given that's exactly what encryption was invented for. To military standards. For military purposes. To prevent other militaries doing exactly what you don't want them to do.

All the scaremongering around encryption "being broken" by these "acres of datacentre" junk is just that - scaremongering. Hell, didn't the NSA recently ask for help breaking Skype? I'm sure there's a certain amount of misdirection there (I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves), but nobody has yet shown practical attacks against large enough primes used in PKE.

So far, everything they've done is via side-channel attacks and those are present in every system anyway. And when you have these organisations paying for tools that can open up iPhones, you know that they are struggling to cope.

If you want to secure data, encrypt it and abide by all the necessary precautions for it (i.e. don't enter the passphrase on untrusted computers, etc.).

The whole point of encryption is that you can publish your data on the web and point EVERYONE at it (e.g. Wikileaks insurance file) and nobody can access it without the key. If you don't trust Google or similar to hold your files, only allow them access to the encrypted containers and not the decrypted files.

It's quite clear that encryption is doing its job. And if it wasn't, it would be fixed quite quickly (e.g. we're already preparing against quantum computing attacks).

Re:Sigh.

[swillden]

I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Edd25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

Personally, I have no real concerns about the NIST curves. Mostly because I think that if they were weak, the academic community would have discovered it by now, but also because if the NSA can crack them it's a closely-held secret which is used very sparingly, and nothing I encrypt or sign is that important.

IMO, the biggest problem with ECC is the lack of standardization around how to use it to encrypt. ECDSA is very well-standardized, but ECIES has too many free parameters (choice of KDF being the biggest) which makes interoperability hard.

Honestly, if I put on my tinfoil hat I'm more worried about what the NSA knows about how to break RSA than ECC. Not because I think they can factor products of large primes, but because there are so many subtle ways to screw up RSA and make it exploitable, and because the NSA really seems to discourage use of ECC for encryption. Not only have they not set out clear standards for ECIES, an odd exception to the normal thoroughness of the NIST standards which hinders interoperability and discourages use, but last year they even told the world not to bother with ECC and to stick with RSA until practical post-quantum algorithms are available.

nobody has yet shown practical attacks against large enough primes used in PKE

RSA != PKE. And, actually, there are lots of practical attacks, if you consider the space of the ways people screw up RSA. In addition, RSA's expensive key generation function makes forward secrecy impractical in most cases, which makes logged traffic vulnerable to subpoena attacks. This is the primary reason why all TLS security evaluations issue bad grades for any web server configured to use RSA. DH or ECDH are much better.

Every cryptographer I know recommends against using RSA. For encryption, pick your ECIES parameters and use it, with an authenticated encryption mode, e.g. AES-GCM. For signatures, use ECDSA. In both cases, if you're worried about backdoored curves use Brainpool curves, or Edd25519.

Re:Sigh.

[jittles]

I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Edd25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

Re:Sigh.

[swillden]

I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Edd25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

The NSA changed the DES S boxes to make them resistant to differential cryptanalysis, but it also shortened the key length. Had DES been standardized with IBM's original 128-bit key length (but with fixed S boxes), it would still be quite secure. So the NSA's role in DES was a mixed bag. They fixed a non-obvious flaw while introducing an obvious weakness (short keys) that would enable practical attacks in the future. The short key weakness wasn't what anyone could call a "back door", though, since it was obvious to everyone.

Re:False assumption

[MMC+Monster]

And that's the point of the argument.

If breaking the encryption was easy, they could just decrypt everything they get off of the wire and not have to insert back doors into software and target into a suspect's OS.

But since encryption is (financially/time/computationally) expensive, it's cheaper to exploit flaws in software.

We knew that

[110010001000]

We knew that strong encryption works, because "math and stuff" that lawyers never learned. The point is that the mega companies are WILLINGLY giving your data away to anyone that pays. They provide an unencrypted endpoint to your data, so encryption of data in transit doesn't matter. We are much worse off than we were four years ago, and the cloud is doing to make it worse(er).

Re: Truecrypt..

[heypete]

[citation needed]

Sarcasm aside, I'm really interested in reading more about that.

Re: Truecrypt..

[TheOuterLinux]

VeraCrypt is it's open source replacement.

Re:False assumption

[gnasher719]

The point is, getting around encryption is too costly to do it on a mass scale, so they can only really do it for the small portion of targets judged worth it.

As an example, when you use https some secret code is negotiated between you and the server. There are some random numbers that should be used in the process, and apparently lots of servers use the same random numbers and don't change them. As a result, about 10% of all https at some point used the same random numbers.

In this particular case, there is an unconfirmed rumour that the NSA with an investment > $100 million managed to "crack" this one random number so that any https using one of those servers becomes crackable. That's $100 million, and that investment can be wiped out in a second by using a different random number. That gives you an idea of the cost of breaking encryption.

Re:Truecrypt..

There is literally no evidence to support any of what you claim. Please cite 1) Where it's plain as day the NSA owned it 2) Any evidence of a backdoor, especially given that we have the source code and people have compiled that source to match the published binaries 3) Who wrote it including when they won an obfuscated C contest

Stop spreading your infowars-esque conspiracy theory bullshit, people are libel to think you know what you are talking about.

One broken, forever broken

[coofercat]

The other thing evident by ommission is that (say) the CIA gets a warrant to hack into your TV. They'll start collecting data, but will they 'unhack' your TV when they're done? Not much to suggest they do, so your TV stays hacked, even though you're not a suspect in some new case they're working on.

Economic limitations on surveillance

[sjbe]

it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.

And that's really what privacy laws are supposed to be about. If the government has a legitimate good faith reason to be investigating someone they have the tools to do this and to a point should have reasonable rights to investigate. Broad sweeping surveillance however should not provide them the same degree of resolution on any given individual. Law enforcement and defense surveillance should have to jump through some hoops and do some actual work to target any individual. That's the entire point of the 4th Amendment we well as several others. An investigation should be harder than looking up a database record because government's have shown they cannot resist abusing such power when made available to them. The notion that encryption will somehow make it impossible for them to do their job just hasn't been shown to be true in reality.

In practical terms however the reason encryption works isn't a moral one. It works because it keeps the economic cost for police to watch a given individual remains non-trivial so that they have to pick and choose who is worth bothering to watch. It used to be that getting the records and communications required a significant expenditure of resources. With email, modern phone systems, and the internet some of that became much easier. So much easier that it causes all sorts of problems with protecting civil liberties. Encryption balances things back out. They can still come after you if they need to but it has to rise to a certain level of suspicion to make it worth their while.