New Details Reveal NSA Has Cracked Fundamental Internet Encryption Standards

rated by 0 users
This post has 2 Replies | 0 Followers

Top 10 Contributor
Posts 24,887
Points 1,116,995
Joined: Sep 2007
ForumsAdministrator
News Posted: Thu, Sep 5 2013 10:52 PM
Over the past few months, as the Snowden leaks have exposed increasing levels of detail about the scope and nature of the NSA's "oversight" of the Internet, there's been a great deal of discussion on how users can protect themselves. The latest leaks from the Guardian, New York Times, and Pro Publica shed light on just how futile such efforts may be. According to the latest disclosures, the NSA has cracked key encryption algorithms that formerly protected large swathes of Internet traffic, and it did so back in 2010.

Previously, many such efforts were thought to be effectively impossible due to the nature and complexity of hardware required to make the job happen. It's now clear that the NSA has played both sides of the deck against the middle. On the one hand, the organization has invested in specialized cracking hardware and brute force approaches. On the other, it is being reported that the organization allegedly, systemically worked behind the scenes to build backdoors into hardware, software, and to weaken encryption standards.

These are strong charges, but the evidence for this general pattern of activity is significant. Reports from 2010 claim a major breakthrough at the time and note sustained goals, including:
  • Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communication systems used by targets
  • Influence policies, standards, and specifications for commercial public key technologies
  • Reach full operating capability for SIGINT access to a major Internet Peer-to-Peer voice and text communication system.(Skype is the prime suspect here)
  • Complete enabling for [REDACTED] encryption chips used in Virtual Private Networking and Web encryption devices.

The Catastrophic Damage

This may be the worst release yet, and I don't say that lightly. Unlike the past releases, this one strikes at the heart of encryption technology used across the Internet -- an area where the NSA has long been recognized as a master cryptographer. Anyone think the NSA's "Secure Enhanced Linux" (SELinux) is worth the digital paper it's printed on now? Up until now, virtually every leak could be labeled PR damage. This was purposeful -- Greenwald and Snowden picked information that would expose what the NSA was doing, but not the technical details of how it did what it does.



This is something different. It suggests the NSA is arrogant enough to believe that it, and it alone, is capable of exploiting the backdoors and cryptographic flaws it has apparently lobbied for behind closed doors. This is less difficult, by the way, then you might think. Say an encryption standard is supposed to create a randomly generated public key. But thanks to an NSA-inserted flaw, the actual key is chosen from one hundred million possibilities.

Knowing that there are just 100 million keys makes it orders of magnitude easier to crack the encrypted code, but also is far too many keys for a simple check of an RNG to show a problem. But if you know the flaw exists, exploiting it becomes easy. Then consider that reportedly NSA has lobbied for the inclusion of backdoors into software, identified flaws in routers and other networking hardware, and supposedly actively attempted to persuade / coerce companies into maintaining these gaps for itself. But it's an axiom of security that you cannot make a system more secure through creating backdoors, secret passages, or hidden capabilities.

Attempts to inject complexity on this level will inevitably fail, if they created hidden conditions that cause product failures later down the line. Most importantly, discovering it later destroys trust. Now, everyone is going to be staring at the NSA and wondering what it knows that they don't. Companies that have cooperated with the NSA, coerced are not, are going to be terrified of fallout. Companies that haven't collaborated are going to be afraid of being accused of doing so. And, if this is all true, no one is going to want to trust the NSA for beans when it comes to consulting with them on cryptographic questions or security -- a genuine loss, considering that the NSA really is the premier organization for this kind of data.

Security and cryptography expert Bruce Schneier has called for engineers and companies to take a stand, disclose the shape of the NSA's work when it doesn't violate National Security Letters, and begin working on re-securing the Internet. His full editorial is worth a read.
  • | Post Points: 35
Top 200 Contributor
Posts 458
Points 6,985
Joined: Feb 2008
Location: United States
AjayD replied on Sun, Sep 8 2013 3:20 AM

"no one is going to want to trust the NSA for beans when it comes to consulting with them on cryptographic questions or security"

That's kind of like consulting with the fox on how to best guard the hen house, don't you think?

 

***** Time you enjoy wasting, was not wasted. *****

  • | Post Points: 5
Top 10 Contributor
Posts 5,048
Points 60,675
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sun, Sep 8 2013 10:05 AM

>> Anyone think the NSA's "Secure Enhanced Linux" (SELinux) is worth the digital paper it's printed on now?

More so than a backdoored Windows install. It was proven over 15 years ago that Microsoft had given the NSA the keys to the kingdom (http://www.heise.de/tp/artikel/5/5263/1.html), but when we told anyone we were called tin-foil hats.

SELinux is open code that's had a lot of non-NSA eyes on it, it's many many times less likely to have backdoors than Windows 8.1 or server 2012.

Even Android phones (based on Linux) is much more likely to have backdoors in it, since you don't get to look at the code that actually ends up on the device or re-compile it from source yourself.

Well, at least now I won't look half as crazy when I'm railing agains Microsoft's (in)Secure Boot

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 5
Page 1 of 1 (3 items) | RSS