WASHINGTON » The National Security Agency, working with the British government, has secretly been unraveling encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data safe from prying eyes, according to published reports based on internal U.S. government documents.
The NSA has bypassed or altogether cracked much of the digital encryption used by businesses and everyday Web users, according to reports in The New York Times, Britain's Guardian newspaper and the nonprofit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone's secrets available for government consumption.
In doing so, the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert "back doors" into their software, the reports said. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.
"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," according to a 2010 briefing document about the NSA's accomplishments meant for its UK counterpart, Government Communications Headquarters, or GCHQ. Security experts told the news organizations such a code-breaking practice would ultimately undermine Internet security and leave everyday Web users vulnerable to hackers.
The revelations stem from documents leaked by former NSA contractor Edward Snowden, who sought asylum in Russia this summer. His leaks, first published by the Guardian, revealed a massive effort by the U.S. government to collect and analyze all sorts of digital data that Americans send at home and around the world.
Those revelations prompted a renewed debate in the United States about the proper balance between civil liberties and keeping the country safe from terrorists. President Barack Obama said he welcomed the debate and called it "healthy for our democracy" but meanwhile criticized the leaks; the Justice Department charged Snowden under the federal Espionage Act.
Thursday's reports described how some of the NSA's "most intensive efforts" focused on Secure Sockets Layer, a type of encryption widely used on the Web by online retailers and corporate networks to secure their Internet traffic. One document said GCHQ had been trying for years to exploit traffic from popular companies like Google, Yahoo, Microsoft and Facebook.
GCHQ, they said, developed "new access opportunities" into Google's computers by 2012 but said the newly released documents didn't elaborate on how extensive the project was or what kind of data it could access.
Even though the latest document disclosures suggest the NSA is able to compromise many encryption programs, Snowden himself touted using encryption software when he first surfaced with his media revelations in June.
During a Web chat organized by the Guardian on June 17, Snowden told one questioner that "encryption works." Snowden said that "properly implemented strong crypto systems" were reliable, but he then alluded to the NSA's capability to crack tough encryption systems. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it," Snowden said.
It was unclear if Snowden drew a distinction between everyday encryption used on the Internet -- the kind described in Thursday's reports -- and the more-secure encryption algorithms used to store data on hard drives, which often require more processing power to break or decode. Snowden used an encrypted email account from a now-closed private email company, Lavabit, when he sent out invitations to a mid-July meeting at Moscow's Sheremetyevo International Airport.
The operator of Lavabit LLC, Ladar Levison, suspended operations of the encrypted mail service in August, citing a pending "fight in the 4th (U.S.) Circuit Court of Appeals." Levison did not explain the pressures that forced him to shut the firm down but added that "a favorable decision would allow me to resurrect Lavabit as an American company."
The government asked the news organizations not to publish their stories, saying foreign enemies would switch to new forms of communication and make it harder for the NSA to break. The organizations removed some specific details but still published the story, they said, because of the "value of a public debate regarding government actions that weaken the most powerful tools for protecting the privacy of Americans and others."
Such tensions between government officials and journalists, while not new, have become more apparent since Snowden's leaks. Last month, Guardian editor Alan Rusbridger said that British government officials came by his newspaper's London offices to destroy hard drives containing leaked information. "You've had your debate," one UK official told him. "There's no need to write any more."
The U.S. National Security Agency is able to crack protective measures on iPhones, BlackBerry and Android devices, giving it access to users' data on all major smartphones, according to a report Sunday in German news weekly Der Spiegel.
The magazine cited internal documents from the NSA and its British counterpart GCHQ in which the agencies describe setting up dedicated teams for each type of phone as part of their effort to gather intelligence on potential threats such as terrorists.
The data obtained this way includes contacts, call lists, SMS traffic, notes and location information, Der Spiegel reported. The documents don't indicate that the NSA is conducting mass surveillance of phone users but rather that these techniques are used to eavesdrop on specific individuals, the magazine said.
The article doesn't explain how the magazine obtained the documents, which are described as "secret." But one of its authors is Laura Poitras, an American filmmaker with close contacts to NSA leaker Edward Snowden who has published several articles about the NSA in Der Spiegel in recent weeks.
The documents outline how, starting in May 2009, intelligence agents were unable to access some information on BlackBerry phones for about a year after the Canadian manufacturer began using a new method to compress the data. After GCHQ cracked that problem, too, analysts celebrated their achievement with the word "Champagne," Der Spiegel reported.
The magazine printed several slides alleged to have come from an NSA presentation referencing the film "1984," based on George Orwell's book set in a totalitarian surveillance state. The slides -- which show stills from the film, former Apple Inc. chairman Steve Jobs holding an iPhone, and iPhone buyers celebrating their purchase -- are captioned: "Who knew in 1984...that this would be big brother...and the zombies would be paying customers?"
Snowden's revelations have sparked a heated debate in Germany about the country's cooperation with the United States in intelligence matters.
On Saturday, thousands of people in Berlin protested the NSA's alleged mass surveillance of Internet users. Many held placards with slogans such as "Stop watching us."
Separately, an incident in which a German police helicopter was used to photograph the roof of the American consulate in Frankfurt has caused a minor diplomatic incident between the two countries.
German magazine Focus reported Sunday that U.S. Ambassador John B. Emerson complained about the overflight, which German media reported was ordered by top officials after reports that the consulate housed a secret espionage site.
A U.S. embassy spokesman downplayed the story, saying "the helicopter incident was, naturally enough, the subject of embassy conversation with the Foreign Ministry, but no demarche or letter of complaint about the incident was sent to the German government."
Of course NSA can crack crypto. Anyone can. The question is, how much?
Making and breaking encryption is one of the main roles of a signals intelligence agency. That the National Security Agency (NSA) engages in such activities is not surprising. Aspects of this work aren't even secret: NSA involvement in the development of some cryptographic standards was legally mandated and openly acknowledged.
What we don't know, in general, are any specific details. Recent headlines, both here at Ars and elsewhere, paint a grim picture, suggesting that many or all of the cryptographic safeguards that people use to protect their privacy have been undermined. Simultaneous with this, cryptographic experts have said that the mathematics underpinning crypto is still basically sound. These attacks instead depend on implementation flaws, bad passwords, weak algorithms, corporate cooperation, and, perhaps, backdoors.
These mixed messages and ill-defined capabilities sound scary but perhaps scarier than they really are.
Consider, for example, a report from Spiegel Online that "NSA can spy on smartphone data," with the iPhone, BlackBerry, and Android all reported to be vulnerable.
There have long been questions about data extraction from smartphones. We know, for example, that there are standard forms used by law enforcement agencies to demand assistance with unlocking phones from Apple and Google. What we don't know is whether these companies can actually comply with such demands. In any well-designed encryption system, law enforcement could ask until they're blue in the face. The companies shouldn't, in fact, be able to help.
Does the Spiegel piece provide the answers that have long been sought about these capabilities? Not really. The only data extraction it describes in detail concerns taking data from the iPhone. The technique it describes is a technique available to any reasonably skilled computer user. When an iPhone is paired to a PC running iTunes, the iPhone trusts the PC and will allow the PC to perform certain operations—such as making a full backup of the iPhone that includes all the data stored on it.
The NSA apparently takes advantage of this trust: malware is installed on the PC of any person of interest, and that malware is used to extract data from any iPhones that trust the PC. We've written before of attacks that depend on exploiting this kind of trust. The technique isn't secret, isn't particularly advanced, and it would frankly be extraordinary if the US' spy agencies weren't using this approach. It's possible that the systems used to extract data from BlackBerry and Android phones are more advanced, but judging by the iPhone example, it's certainly not safe to assume so.
Similar uncertainty surrounds reports that the NSA can crack some VPNs to eavesdrop on their traffic. At one end of the spectrum, this could mean that the NSA can crack properly configured VPNs using strong encryption and protocols such as IPSec, ssh, or TLS. The other end of the scale is cracking Microsoft PPTP VPNs using MS-CHAP authentication. Flaws in this protocol have been known for a long time, and in 2012 a cloud service for cracking the protocol was published.
Where do the NSA's capabilities lie? We don't know, and there's a huge difference between the two extremes. The NSA could have some significant advantage over the techniques that are well-known and documented. Or it could be using standard attacks against protocols that are known to be insecure.
The same story could be repeated in other contexts. We've covered numerous attacks against SSL-protected HTTP with catchy names like BEAST and CRIME. Making practical use of these attacks is perhaps tricky, as they require a particular set of circumstances, but it's probably not impossible.
Even among protocols that can't, generally, be cracked, there are known limitations. RSA asymmetric encryption with 1024 bit keys—widely used in SSL/TLS connections—can't be broken by a common or garden-variety hacker. Though algorithms for cracking RSA are known, they're out of reach to individuals, because they require massive computational resources. But that's not a problem for the NSA (or any other organizations that have or can afford large supercomputers). Nobody knows with absolute certainty if the NSA has supercomputers that can be used to attack 1024-bit RSA in a reasonable timeframe, but it's certainly well within the realm of possibility.
A big clue as to the susceptibility of 1024-bit RSA to cracking can be found in the government's own recommendations. In its SP 800-57 document, NIST, whose responsibilities include developing standard rules for use of encryption, says that use of 1024-bit RSA is deprecated through to the end of this year and disallowed subsequently, precisely because it is susceptible to being broken. 2048-bit RSA, in comparison, is approved until 2030 and disallowed thereafter.
SP 800-57 was last revised in 2012, and academic researchers have been saying that 1024-bit RSA is vulnerable since at least 2007.
As such, if the NSA can crack this level of encryption, it's not a big surprise and it's not a big revelation. It's rather what we would expect to see. It's also a capability that's easy to defeat. Switching to 2048-bit keys is a minor reconfiguration, and it would render the ability to crack 1024-bit keys irrelevant.
The exact limits on what the NSA can and can't do are unlikely to be known any time soon. It's possible that Ed Snowden has revealed this information to the newspapers, but the coverage of his leaks has thus far consistently excluded such specifics for one reason or another (Snowden et al. may simply not know the details, or there may be some level of editorial constraint at work). Measured responses, such as upgrading RSA keys from 1024- to 2048-bits, are a logical enough reaction.
But there should nonetheless be some circumspection. Headlines and mainstream coverage can obscure important details. The NSA has access to all the same public research that everyone else does, and anyone with access to that research can—at least some of the time—crack VPNs, crack HTTPS, and extract data from iPhones. They can do lots more besides. We know that various full-disk encryption systems, for example, can be defeated by supercooling RAM chips on recovered machines. Give them a sufficiently large budget, and they can crack some SSL/TLS too. We've known this implicitly since the research, official techniques, and guidance were first published.
Is it possible that the NSA can go far beyond the state of the art, breaking even encryption believed to be secure? Sure. It can't be ruled out. But it's not the only interpretation of the information that's been leaked so far—and if experts remain confident that the basics of cryptography are all still sound (a belief that appears to be shared by Snowden himself), it's arguably not even the most likely one.
Just-released documents by the Guardian explain how intelligence agencies collude with technology companies to thwart Internet-based encryption protocols.
To set the tone, here’s the Guardian describing what intelligence agencies are doing to overcome their biggest hindrance, “The use of ubiquitous encryption across the internet.”
[M]ethods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and — the most closely guarded secret of all — collaboration with technology companies and Internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities — known as backdoors or trapdoors — into commercial encryption software.
It’s like a Sherlock Holmes mystery, with each new release of intelligence-agency documents providing another clue as to how intensely citizens are being surveilled. We even have our modern-day digital detectives, who help interpret these clues.
With that, I’d like to introduce our first sleuth, Poul-Henning Kamp, a Unix guru who is synonymous with the FreeBSD project. Poul-Henning wrote an eye-opening article for ACM titled, "More Encryption is not the Solution." Poul-Henning shakes things up right away by offering the following prediction:
“The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, ‘More encryption is the solution.’ This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.”
Poul-Henning then offers three “Inconvenient Facts about Privacy” to explain why encryption does not ensure privacy:
Inconvenient fact number one: Politics trumps cryptography. Nation-states offer their citizens a choice: unlock encrypted files or go to jail.
Inconvenient fact number two: Not everybody has the right to privacy. For example, in most nation-states: prisoners are only allowed private communications with their attorneys; employees give up large chunks of privacy as part of their employment agreement; and finally, most citizens are now witnessing the loss of their privacy through judicial oversight.
Inconvenient fact number three: Encryption will be broken if need be. If a nation-state determines that someone should not have any privacy, it will do everything possible to make it so.
When I started this article, I intended to devote the entire piece to Poul-Henning’s ACM paper and how he builds a case for his “Inconvenient Facts.” That all changed two days ago, when the Guardian released new documents proving Poul-Henning correct.
My reporter curiosity had me wondering, so I asked Poul-Henning if he knew about these particular documents before they were made public: “No, I simply looked at the plausible NSA budget (that was also before the "black budget" was released) and thought about how I would use the money if I were in charge of NSA.”
As you will see in a bit, Poul-Henning was scary accurate.
This brings us to our next digital detective: fellow Minnesotan, author, and world-renowned security expert, Bruce Schneier. It was Bruce’s article, "NSA surveillance: A guide to staying secure," that alerted me to the latest document release by the Guardian.
Bruce starts out by mentioning he’s been working with the people at the Guardian for several weeks now, sifting through hundreds of agency documents. This gave Bruce valuable insight into what intelligence agencies have managed to assemble:
“The primary way the NSA eavesdrops on Internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic.”
Each time I read the papers and the Guardian articles, I come to the same conclusion: intelligence agencies have the ability to compromise everything digital. Bruce offers his blunt assessment:
“These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.”
The Guardian, Poul-Henning, and Bruce all mention that major encryption processes are compromised, but I didn’t understand how intelligence agencies could subvert something like HTTPS. Poul-Henning explains one way:
With expenditures of this scale, there are a whole host of things one could buy to weaken encryption. I would contact providers of popular cloud and ‘whatever-as-service’ providers, and make them an offer they couldn't refuse: on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide. The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?).
If I understand, this means the process itself is not flawed. The key randomness is reduced, allowing those with powerful processing capabilities to easily crunch through the possible keys. Bruce verified Poul-Henning:
Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on.
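The fixed-dictionary idea Poul-Henning describes can be measured from the defender's side. The following Python sketch is an added example, not code from the article or from either expert: it shows that keys drawn from a fixed pool pass a per-bit frequency check, that a pool of 100 million keys gives about 26.6 bits of strength instead of 128, and that repeated keys in a large sample are the visible symptom. The seed, the 4096-entry pool and all function names are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

KEY_BYTES = 16  # nominal 128-bit symmetric key


def dictionary_key(seed: bytes, index: int) -> bytes:
    """Entry `index` of a pool of random-looking keys derived from `seed`."""
    mac = hmac.new(seed, index.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:KEY_BYTES]


def weakened_keygen(seed: bytes, pool_size: int) -> bytes:
    """Generator that draws from the fixed pool instead of the full keyspace."""
    return dictionary_key(seed, secrets.randbelow(pool_size))


def effective_bits(pool_size: int) -> float:
    """Real key strength in bits when keys come from a pool of this size."""
    return math.log2(pool_size)


def ones_fraction(keys) -> float:
    """Per-bit frequency check: fraction of 1 bits over all keys."""
    ones = sum(bin(int.from_bytes(k, "big")).count("1") for k in keys)
    return ones / (len(keys) * KEY_BYTES * 8)


def repeated_keys(keys) -> int:
    """Sample-level check: how many keys in the sample repeat an earlier one."""
    return len(keys) - len(set(keys))


def expected_repeat_pairs(sample_size: int, pool_size: int) -> float:
    """Birthday estimate of colliding pairs for a sample drawn from the pool."""
    return sample_size * (sample_size - 1) / (2 * pool_size)


def search_pool(seed: bytes, pool_size: int, message: bytes, tag: bytes):
    """Pool holder's view: test every entry against one known message/tag."""
    for i in range(pool_size):
        key = dictionary_key(seed, i)
        trial = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(trial, tag):
            return key
    return None


if __name__ == "__main__":
    seed = b"constructed-demo-seed"   # constructed value
    pool = 4096                       # scaled down from 100 million for speed
    weak = [weakened_keygen(seed, pool) for _ in range(2000)]
    good = [secrets.token_bytes(KEY_BYTES) for _ in range(2000)]
    print("bits, 100M-key pool:", round(effective_bits(100_000_000), 1))
    print("ones fraction weak/good:", ones_fraction(weak), ones_fraction(good))
    print("repeats weak/good:", repeated_keys(weak), repeated_keys(good))
    print("expected repeat pairs, 100k keys from 100M pool:",
          expected_repeat_pairs(100_000, 100_000_000))
    tag = hmac.new(weak[0], b"known header", hashlib.sha256).digest()
    print("recovered:", search_pool(seed, pool, b"known header", tag) == weak[0])
```

The repeat check only helps when a large sample of keys from the same generator can be collected, for example by logging session keys on a system you operate.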
If you remember, Bruce’s article was titled “A guide to staying secure.” So, Bruce must have some options for us:
1. Hide in the network: Whenever possible use services like Tor; doing so increases the surveillance effort markedly.
2. Encrypt your communications: It’s true, intelligence agencies target encrypted traffic, but any encryption is still better than sending traffic in the clear.
3. Assume your computer can be compromised: This is the tough one. Bruce suggests we create files and encrypt them on a computer that has never been attached to the Internet. Then using a flash drive, transfer the encrypted files to an Internet-facing computer for delivery. Decryption would be the exact opposite.
4. Be suspicious of commercial encryption software, especially from large vendors: The secret agreements between intelligence agencies and technology companies extend to those developing security and encryption software. We should assume that every commercial application has an NSA-friendly back door.
5. Try to use public-domain encryption that has to be compatible with other implementations, which means:
Do not use proprietary software; back doors are easier to hide in proprietary software.
Use encryption applications employing symmetric cryptography instead of public-key cryptography.
Use encryption applications that are conventional discrete-log based, not elliptic-curve systems.
The advice I’m getting from Bruce and other experts is to make decoding our Internet traffic as difficult as possible. That way targeting us will not be worth the time and effort. Bruce concludes his article by saying:
Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.
The hard part will be figuring out what encryption process has not been compromised.
The ethics and legality of what intelligence agencies are doing is debatable. What concerns me even more is if — more likely, when — the bad guys figure this stuff out. They’re not going to spend time debating ethics; they’ll use the built-in weaknesses for their purposes without a second thought.