Is Encryption Effective Against Snooping? German Government Says No, Snowden Says Yes
from the maybe-not-the-real-problem dept
The revelations of Edward Snowden about the NSA’s snooping of citizens both inside and outside the US are posing more questions than they answer at the moment. One key area is whether the use of encryption — for example for email — is effective against the techniques and raw power available to the NSA (and equivalents in other countries). That’s something that has come up before in the context of the UK’s Snooper’s Charter. When a top official there was asked whether the proposed surveillance technology would be able to cope with encrypted streams, he replied: “it will.” Snowden’s claims about massive, global spying make the issue even more pertinent.
Here’s one view, from Germany. Politicians from the Die Linke party posed a number of questions to their government on the subject of the latter’s use of surveillance techniques (original PDF in German). Most of the answers were the kind of thing you might expect — “we can’t possibly go into details” etc. etc. — but one was surprising. To the question:
Is the technology used also capable of decrypting at least partially, or evaluating, encrypted communications (eg via SSH or PGP)?
Back came the answer:
Yes, the technology used is generally able to do that, depending on the type and quality of the encryption.
But Edward Snowden doesn’t agree. In an online Q&A session on the Guardian Web site, he was asked the following question:
Is encrypting my email any good at defeating the NSA surveillance? Is my data protected by standard encryption?
He replied:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
In discussions about the German government’s claim that it can crack encryption in certain circumstances, some suggested that maybe it could — not directly, but using the malware that Techdirt has written about before. So even if the question as to the efficacy of encryption itself is still rather up in the air, there seems to be a consensus that the real weakness lies in letting people gain access to your system.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: cracking, ed snowden, encryption, germany, nsa surveillance, security, surveillance
Comments on “Is Encryption Effective Against Snooping? German Government Says No, Snowden Says Yes”
so if your crypto is properly implemented and strong then it’s good, and if not it’s vulnerable. Seems like they are both saying the same thing to me.
The headline is pure sensationalism, particularly given this part of Snowden’s response:
“Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
I disagree. The German government’s response implies “don’t bother”. Snowden’s response implies “you can be successful if your techniques are good”.
They’re both right.
We have to assume the world’s major superpower has access to hardware above that available on the market. History has shown that to be the case.
I’ve heard cryptologists guessing that the NSA might possibly brute-force a dozen or so 1024-bit keys in a year. If this is the case, they will surely focus on the keys of major providers like Yahoo, Microsoft, etc.
Remember they only have to crack each key once. They then have real-time access to the data at e.g. the border taps.
However Google uses forward secrecy (http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html), which will frustrate efforts.
Now, if 1024-bit SSL can’t be cracked, even by the NSA, there’s nothing to prevent FISA being used to compel a service provider to hand over their private SSL key, in secret. We’d never know if this had happened.
Security researchers have theorised that a communications service provider might choose to use a different SSL certificate for overseas traffic, thereby protecting US citizens’ privacy even after their private key has been compromised.
So on one hand encryption cannot be trusted. Or, more precisely, encryption that you do not control cannot be trusted.
However, that doesn’t mean all encryption is useless. In fact it doesn’t even mean the same algorithms implemented differently are useless.
If you generate your own key pair with a decent key length and fully-patched software and use PGP to send an email, there’s only a remote chance it will be cracked.
That’s because it’s your own private key, not Google, Yahoo or Microsoft’s; and the NSA would have to crack the key for everyone they want to monitor.
But then we’re into the security versus convenience trade-off. How many people can be bothered to take additional steps to guarantee their privacy?
And because few people will take these steps, those who do will stand out and perhaps make themselves a target for increased surveillance for the things that are harder to hide, e.g. the metadata, which is necessarily available unencrypted so the message can be routed to its destination.
Having said that, whilst the general population has no privacy, there are still many ways for the really bad guys to pass messages largely unobserved.
Where people are willing to sacrifice even more in the way of convenience I can think of half a dozen ways to communicate with a very low probability of being observed.
“Having said that, whilst the general population has no privacy, there are still many ways for the really bad guys to pass messages largely unobserved.”
Very powerful statement. The worst of them will always find a way to secure communications. As it has been throughout history. But, as these few will always cause chaos, they still cannot top death tolls by war (or peace), regular and purposeful accidents, physical and mental disease (biggest killers in history), and natural disasters.
So governments electronically monitor communications worldwide, where we know 99% don’t use even basic security. And this will yield just a big shit bag of digital storage. But in reality, this won’t get crap on people who really want to stay under.
Is our elected just feigning stupid, or do most just accept everything from the major industrial-complex lobbyist’s propaganda and money?
Sorry dumb question…it is probably both.
Stop the stupid “war” tags.
War on drugs? fu
Eliminate this and reallocate 50% of the DEA, ?PD, every other form of LEA, to something more useful.
War on Terror? fu
We are not “Team America-World Police”. Of course, war is needed for the entire world’s economic stability. Way too much money in it. But get real, terrorism, and every other ISM, ISH, IAN, IST, LAM, LEM, etc. are way too complex to understand or control. Eliminate another trillion in budget. Use all IT stuff and other resources for some amazing human advancement.
Re: Re: Crypto
The fundamental point that everyone misses is that all of this stuff isn’t about terrorism. It’s about power and control. Nothing more. Terrorism is just the Trojan Horse used to hide the real intentions.
You’re correct, but I must caution about private keys: they’re stored in the same location on every computer by design, which means if someone’s machine is broken into, possible with the back door options Microsoft gives “law” enforcement, those keys are pointless.
Ironically, the only way to protect a PGP key is to encrypt it, but the sheer hassle of so many levels of encryption/decryption makes the tools useless to most people who simply want to send their mothers a “Happy Mother’s Day” message (and for them to read it).
I’m on the side with Snowden here. Our companies, who tell us via their ToS our privacy is important, should have blown the whistle on these requests years ago.
The fact they didn’t is more a statement than politicians who stated they knew this was going on for 7 years.
Ironic, again, that Google helped stop SOPA, but didn’t lift a finger to stop this blatant abuse of the 4th.
Re: Re: Crypto
So, use non-persistent private keys that don’t make their way into the key store…or do your decryption on Linux kernels you compiled yourself?
“I’ve heard cryptologists guessing that the NSA might possibly brute-force a dozen or so 1024-bit keys in a year. If this is the case, they will surely focus on the keys of major providers like Yahoo, Microsoft, etc.”
That’s why they’re using 2048-bit keys, much much harder.
Maybe we’ll start seeing ECC public key being used, then only quantum computers will be able to break them.
AES is still safe, but the symmetrical key is usually exchanged after being encrypted by the public key, so you’re only as strong as your weakest link.
There is currently work being done on quantum-computer immune public key algorithms, but they’re kind of hard, since public keys tend to lend themselves well to quantum-computers.
is Tor secure?
Thought this was in the FAQ, but I’m not seeing it there in a quick look?
Tor is not designed to be effective against a “global adversary”. That is, an adversary who has a view of the entire network can defeat the assumptions behind the design of Tor.
This has been considered an acceptable tradeoff in order to achieve “low” latency.
(This FAQ is being migrated to General FAQ. The answers in this FAQ may be old, incorrect, or obsolete.)
What attacks remain against onion routing?
The statements are not conflicting. Both say that it is (in partial) possible to do…
Also, I remember reading about a research into encrypted Skype conversations which stated, that even if the message was encrypted, that you could guess what was being said by statistical analysis of the encrypted stream data. This had to do with the fact that the amount of encrypted data being sent depended on the number/length of the words being said…
the headline shows ignorance of basic cryptology. Given sufficient resources and time (the more resources, the less time) you can break any code. Therefore, encryption cannot prevent snooping into what you are doing online. it CAN, however, make it difficult.
in short, if they want to see what you specifically are looking at, encryption probably won’t help. If they are doing a general trawl, though, it probably will conceal what you are looking at. (it is, however, possible that people using encryption will automatically come under further scrutiny. They’d probably use the justification of “why would they encrypt it if they have nothing to hide”- yes, I don’t like the argument myself.)
Mmm, while this is theoretically true the time and energy needed to brute-force a 128-bit encryption key is longer than this planet has left. With that in mind saying that ‘encryption probably won’t help’ is rather ill-informed.
Encryption is not a panacea, however, and strong password and security protocols still need to be followed regardless of the level of encryption one is using.
Re: Re: Re:
I heard 128 bit might be getting close to being broken; 256 bit is a safer long-term bet. For the purposes of security, if you don’t decrypt something on your own hardware, consider it not encrypted at all.
Re: Re: Re: Re:
256 bit is realistically crackable as well. The current record is the cracking of 923 bit encryption in 148 days by a joint venture of Fujitsu, Japan’s NIICT, and Kyushu University.
It is a serious mistake to consider any encryption scheme “uncrackable”. Even mathematically uncrackable schemes such as one-time pads can usually be cracked, as the tiniest error such as a slight imperfection in the random number generation can compromise the scheme.
Encryption must be thought of as no different than locking a door. If someone really wants to, they’ll be able to open the door no matter what. The goal of encryption is to make cracking time-consuming and expensive, so that attackers either won’t bother, or it will take them so long to succeed that the revealed information is no longer of value.
Is encryption effective against snooping? That answer is a qualified yes: it’s effective against snooping unless you, specifically, are very interesting to well-financed snoopers.
Re: Re: Re:2 Re:
You are mixing symmetric encryption with public key cryptography. 128-bit and 256-bit are common sizes for symmetric encryption. 923-bit sounds like the size for a RSA key.
The sizes are not equivalent. RSA needs much longer keys to be secure, which is why 1024-bit and 2048-bit are common sizes.
So no, 256-bit symmetric encryption (like for instance AES) is not realistically crackable. Even 128-bit AES is still not realistically crackable. On the other hand, 512-bit RSA has been easily cracked for ages.
There is also ECC and friends, which are public key like RSA but can use smaller keys for the same level of security (IIRC, twice the corresponding symmetric key, so you would use 256-bit ECC with 128-bit AES).
For more information, see Wikipedia: https://en.wikipedia.org/wiki/Key_size
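To put the key sizes argued over in this thread on one scale, here is an added example (not part of any comment) that estimates security in bits for a symmetric key, an elliptic-curve key and an RSA modulus. It goes beyond the comment by using the asymptotic number field sieve running-time formula with its o(1) term dropped, so the RSA figures are heuristic; the function names and the guess rate of 10^18 keys per second are assumptions made for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e18  # assumption: a very generous attacker


def symmetric_strength(key_bits: int) -> float:
    """Exhaustive search over a k-bit key costs about 2^k trials."""
    return float(key_bits)


def ecc_strength(curve_bits: int) -> float:
    """Generic square-root attacks on an n-bit curve cost about 2^(n/2)."""
    return curve_bits / 2.0


def rsa_strength(modulus_bits: int) -> float:
    """Heuristic bits of work to factor an n-bit modulus with the number
    field sieve: exp((64/9)^(1/3) * (ln N)^(1/3) * (ln ln N)^(2/3))."""
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)  # convert natural-log work to bits


def hybrid_strength(rsa_modulus_bits: int, aes_key_bits: int) -> float:
    """A message whose AES key is wrapped with RSA is only as strong as
    the weaker of the two (the 'weakest link' point made in the thread)."""
    return min(rsa_strength(rsa_modulus_bits), symmetric_strength(aes_key_bits))


def years_to_search(strength_bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the key, i.e. after searching half the space."""
    return 2.0 ** (strength_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def comparison_table():
    """Rows of (label, estimated security bits) for sizes named in the thread."""
    rows = [("AES-128", symmetric_strength(128)),
            ("AES-256", symmetric_strength(256)),
            ("ECC-256", ecc_strength(256))]
    for bits in (512, 1024, 2048, 4096):
        rows.append((f"RSA-{bits}", rsa_strength(bits)))
    return rows


if __name__ == "__main__":
    for label, bits in comparison_table():
        years = years_to_search(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:9s} ~{bits:6.1f} bits  ~{years:.2e} years at 1e18/s")
    print("AES-256 key wrapped with RSA-4096:",
          f"~{hybrid_strength(4096, 256):.1f} bits")
```

The RSA estimates land well below the modulus length, which is why a 1024-bit RSA key and a 128-bit AES key are not comparable by their bit counts.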
Re: Re: Re:3 Re:
923 doesn’t sound like an RSA key. RSA keys are powers of 2. 512, 1024, 2048, 4096. It has to be, because the encrypted data size for RSA is the same as the key size, so unless you have a computer that doesn’t use 8-bit bytes…
923 bit is probably something other than RSA, but probably still public key.
Re: Re: Re:3 Re:
Yes, good point. I was having a brain fart this morning.
Nonetheless, it is still dangerous to think of any encryption scheme as uncrackable.
Re: Re: Re:2 Re:
256 bits of what is realistically crackable? 256 bits of RSA can probably be cracked on a TI 89. 256 bits of AES, on the other hand…
“the headline shows ignorance of basic cryptology. Given sufficient resources and time (the more resources, the less time) you can break any code.”
It’s not quite that simple.
I remember seeing the math for breaking a message encrypted with 4096-bit RSA. It would take longer than the estimated age of the Universe to brute force it. Also, the energy costs of such an attempt would consume the estimated energy of our galaxy. These are rough estimates, possibly rounded up for dramatic impact, but you get the point.
Of course, you could try to poke holes in the encryption algorithm. Right now, your only chance* of breaking RSA is starting to look like proving that P=NP: you have to find a very fast way to factor huge numbers, which basically amounts to solving an NP problem in P time.
But if you start going the way of one-time pads and such, you are out of luck: those are theoretically unbreakable (which in cryptographic terms, it means that you need to brute-force them…they have no other weakness). But these cryptographic techniques are of limited usefulness.
tl;dr, though you are correct in principle, in practice (that is, in the real world), well implemented cryptographic algorithms are unbreakable, for all intents and purposes. In the real world, if it costs more time and resources than an attacker is willing or able to commit, it is unbreakable, and that is what cryptography gives you.
* apart from some attacks that aren’t practical in general, like timing attacks
Re: Re: Re:
Err … you can’t even brute-force a one-time pad: a given ciphertext could decrypt to any conceivable plaintext of the same length.
E.g.: you’ve managed to get the almost complete plaintext for an encrypted message (maybe the bad guy wasn’t quick enough in swallowing or burning it when you kicked the door in). You’ve got “Attack at “: by a comparison with the ciphertext, you know that all you’re missing is the last four characters.
But what are they? “Noon”? “Dawn”? “Dusk”? “1030”? “Once”? With a random, non-repeating, one-use-only key, it could be any of those or more, and you have no way of telling which.
(And yes, I know analysis of most ciphers would be difficult with such a short message, but the point stands: a one-time pad gives you no information on which to do any analysis, no matter how long the message, and no way of telling whether your intelligible, “brute-forced” plaintext is the correct one of the myriad of possibilities.)
Re: Re: Re: Re:
Unless you’re using “brute-force” to include rubber-hose cryptanalysis (“give me the key and I’ll stop hitting you”).
Re: Re: Re: Re:
Unless the pad is re-used, and the pad sequence is not actually random.
With the rise in lots of unproven pseudo encryption/index pad methods in various circles (especially PCI), perhaps this whole affair will also shine a spotlight on how useless proprietary techniques are that have no independent validation or published methods. I bet the NSA chaps break them during a coffee break. In their heads.
Re: Re: Re:2 Re:
Umm, then by definition it is no longer a one time pad. Therefore the security of a one-time pad is no longer applicable.
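The two one-time pad points made in the comments above, as an added example that is not part of any comment: every same-length guess is a valid decryption under some pad, and reusing a pad removes that guarantee. The messages and function names are constructed for illustration.

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of equal length (the same call encrypts and decrypts)."""
    if len(pad) != len(data):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_explaining(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `plaintext`."""
    return otp_xor(ciphertext, plaintext)


def consistent_readings(ciphertext: bytes, guesses):
    """Map each same-length guess to a pad that makes it the 'correct' plaintext.

    Every guess of the right length gets a pad, so the ciphertext alone
    cannot tell an analyst which reading is the real one."""
    readings = {}
    for guess in guesses:
        if len(guess) != len(ciphertext):
            continue  # message length is the only thing the ciphertext reveals
        pad = pad_explaining(ciphertext, guess)
        if otp_xor(ciphertext, pad) == guess:
            readings[guess] = pad
    return readings


def recover_from_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == p1 XOR p2, so a known
    first plaintext yields the second without ever learning the pad."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


if __name__ == "__main__":
    # Constructed sample messages, following the "Attack at ..." comment.
    real = b"Attack at Dawn"
    pad = secrets.token_bytes(len(real))
    ciphertext = otp_xor(real, pad)

    guesses = [b"Attack at Noon", b"Attack at Dawn", b"Attack at Dusk",
               b"Attack at 1030", b"Attack at Once"]
    for guess, candidate_pad in consistent_readings(ciphertext, guesses).items():
        print(guess.decode(), "<- pad", candidate_pad.hex())

    # Failure mode: the same pad is used for a second message.
    second = b"Retreat at ten"
    reused = otp_xor(second, pad)
    print(recover_from_reuse(ciphertext, reused, real).decode())
```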
Re: Re: Re: Re:
One time pad just gives the NSA the opportunity to decrypt the message how ever best suits their needs. I’m sure they have quotas they need to fill.
Re: Re: Re:2 Re:
This is awesomely evil.
Re: Re: Re:
These types of computations are extremely misleading. First, in most implementations, you don’t have to crack the 4096 bit encryption. You have to crack the 256 bit encryption that is holding the key to the 4096 bit encryption. This is more secure than it sounds because it’s harder to crack shorter messages (such as a single key) and it’s hard to know if you’ve successfully cracked it if the plaintext appears random (such as with a key).
But still, let’s run with the 4096 bit encryption cracking time…
Yes, it would take longer than the lifetime of the universe to brute force such encryption if you were going to just try every possible key until you found the right one. That’s not how it’s done, though. There are numerous shortcuts in the process that reduce the size of the possible keyspace significantly. In reality, it would certainly not take anywhere near that long to break. (It would still take significant time, though! Longer than you’ll be alive, for certain.)
Re: Re: Re: Re:
I think you’ve got that backwards. RSA is used to encrypt the symmetric key. Meaning that the 4096 bit key is holding the 256 bit key.
Re: Re: Re:2 Re:
You’re absolutely right. Some mornings, my brain fails me.
Re: Re: Re:
Timing attacks aren’t practical? I beg to differ. You only need to crack it once, after all. And having physical access to the hardware is not difficult for machines under the attacker’s control. Impractical would be decapping the chips and taking microphotographs – and I’ll bet NSA has the resources to do that.
And your comment also relies on RSA being perfectly implemented. You could pull a Nintendo and ignore the padding and use strcmp instead of memcmp. Team Twiizers didn’t even need Nintendo’s private key, their flawed implementation of RSA allowed them to fakesign arbitrary code on the Wii.
Re: Re: and you don't think they are working on it
If a mathematics guy figures it out then everybody’s drawers are on the ground… and therein lies the problem
Except a one-time pad, which cannot be broken, even in principle.
However, it’s not terribly practical (sender and recipient must share — and keep secret from the rest of the world — a truly random key at least as long as the plaintext, and never, ever reuse it).
Re: Re: Re:
Yes, perfectly implemented, the OTP is uncrackable. But it’s notoriously difficult to perfectly implement, as the Germans found out in World War 2.
Given sufficient resources and time (the more resources, the less time) you can break any code.
Provably incorrect. The one time pad is theoretically unbreakable, although practically unusable for most ordinary purposes. Having said that, if you were planning a terrorist attack…
This is the wrong question
It’s an interesting question, but the answer is mostly irrelevant.
If end-user devices are compromised, then what encryption method is in use and whether or not it can be cracked doesn’t matter. And “compromising end-user devices” is very, very easy because users themselves make it so. Consider:
– They use Windows. Windows can’t be secured, period, full stop.
– They use smartphones. The entire smartphone ecosystem is crawling with malware, including things like CarrierIQ.
– They use “social media”, which are equally loaded with malware.
– They use garbage software like Adobe Acrobat, full to the brim with gaping security holes.
– They fall for spam and phishes constructed by illiterates.
– They click on every shiny thing they see, doubly so if they’re men and it promises nekkid boobies.
And so on. There’s really no need to engage in esoteric cryptography for the most part: users make it easy to plant keystroke loggers and other malware that bypass the need for it.
Re: This is the wrong question
I’m being a bit pedantic here, but this isn’t actually true. Windows can be made as secure as anything else. The problem is that a fully secure Windows system is a pain in the ass to use, and certainly nobody without a burning need (such as the government or major crime organizations) would be willing to tolerate the restrictions and limitations it presents.
the thing that is omitted is ‘WHY THE HELL SHOULD WE, AS ORDINARY CITIZENS, HAVE TO GO DOWN THE ROAD OF ENCRYPTING OUR MESSAGES ANYWAY? Jesus, we are not the ones at fault here! we have done nothing wrong! those that are making out that everyone is up to no good, without exception, are the ones that are wrong! they need reining in now and not letting off the leash again!!
That I can answer.
It is your privacy, is your interest and most importantly it is your rights at stake, you fight for them or lose it.
This is not something you can leave in the hands of others and say “hey if you are not honest I will get mad”.
At some point you need to take responsibility for what is yours and protect it as best as you can.
The other guys will not stop and they are relentless.
Do nothing and the other side will take advantage of you.
I thought secure communication was desirable in the business world. I suppose they could meet in the backroom, how retro.
Yes == No
My cynical working assumption is that governments and spooks speak the exact opposite to the truth where crypto is concerned:
– “We can decrypt X” (we cannot decrypt X, but if we say we can, hopefully fewer people will use it)
– “We cannot decrypt X” (we have thoroughly broken X, but want people to keep on using it in the belief it’s secure).
As James Firth and others have said. For those in the business, those two statements are not really in conflict, it is mostly a matter of discipline, most people are not disciplined enough to stop a determined entity (read government) from capturing decrypted information.
The answer from the German Security people shows just how pervasively they have invaded systems, not only the internet back-bone, but the end systems as well.
In order to have a reasonably secure system you need to have all of the following, a chink in any of them will likely yield the entire system worthless from those determined to invade your privacy.
1. Strong Key pairs (2048 minimum and 4096 would be better). Anything less can likely be cracked fairly quickly if someone (a government) decides they want to know what the encryption is hiding.
2. Private Keys must be stored Off-Line! If the Private key is ever on an ‘on-line’ system, then it may be compromised. Since it would be possible that the system was compromised and the private key copied.
3. Key signing – Must be done in person. Receiving a key signing request via email provides for a man in the middle attack because you can’t be certain you are signing or receiving the key of the person you think you are.
Remember, the NSA and others will ALWAYS go after the weakest link. If you use strong encryption then the weakest link becomes the endpoints. So if they can’t crack your encryption, and they really want to know what is being transferred they will simply attack the system(s) at one or both endpoints which will very likely yield the very same information with far less work.
To make matters worse, consider this, everyone has been all up in arms about Microsoft, Google, Apple… but the culprit could well be at the hardware level. The NSA could well have infected firmware of motherboards, hard drives…
Don’t believe me? Ask yourself this, why is the US Government so certain that China has sold infected chips to US companies? Could it be that the NSA has been responsible for the same actions? Yes, not only possible, but highly likely. In country boy terms “The smeller is the feller!”
Bottom line, if you want security, you MUST perform all encryption and decryption from STAND ALONE Systems. AND you must have performed the key exchange in person, via stand alone systems. So a secure encryption transfer requires at least 2 stand alone systems (one at each end) and the following steps.
1. Create communication on Stand-Alone System
2. Encrypt communication on Stand Alone System using the highest levels of encryption available (preferably with code you wrote, or at least reviewed).
3. Transfer file via a secure medium (single use) to an internet connected medium
4. Transmit the data to the receiving party.
The receiving party must then.
1. Download the encrypted file(s)
2. Transfer the encrypted data to a single use secure medium.
3. Copy the file to the Stand Alone system for Decryption
4. Decrypt the data on the Stand Alone system.
Not something that most people are willing to do.
Or you know you do it the easy way, where a seemingly innocuous statement such as “See you at the marathon” or “Have fun in New York” means something entirely different that has been worked out in person, in advance and of which there is no written record.
Damn. the parsing engine removed my “Tin foil Hat” tags.
Re: Re: Re:
Wait…do tin foil hats have tags? Do the tags say “Do Not Remove Under Penalty Of Law” like the tags on my pillows? I’m confused. What’s on TV?
This analysis is excellent! Thank you, Mr. Applegate. Well done.
Oh look, another story by Glyn “I’m too chicken shit to ever discuss anything that I publish, just like Mike” Moody.
You fit right in here, Glyn. Only cowards need apply.
Masnicking Minion gins up controversy.
I form my view before glancing through comments, and I’m late to the party: there’s no necessary contradiction here.
On the piratey aspects, you’ve yet to come to grips with ISPs doing man-in-the-middle attacks that enable snooping on your TOR and proxied traffic, and besides that, just encrypting flags you for interest, as does amount of traffic, especially upload ratio.
Re: Masnicking Minion gins up controversy.
I’m sure ISPs have better things to do than perform man-in-the-middle attacks in an attempt to snoop on their clients’ TOR and proxied traffic. All they care about is bandwidth and congestion. They couldn’t care less about content.
Effectiveness of encryption, according to Germany
Want to know whether encryption works? Ask yourself whether the German military relies on encryption to protect its own signals, and there’s your answer.
I see a Need
The use of VM will go up along with VPN and Steganography.
for those that may be a little more serious about their communications…but again, the average person doesn’t know or care.
Maybe this company is moving in the right direction.
Perhaps the next big thing will be the Data Invisibility cloak.
The first APP that really works to make your phone or PC private will make someone rich.
This is how I used to communicate with my girlfriend Alice before we lived together and got married.
1. Encrypt with Alice’s 4096-bit public key, sign with own private key.
2. Don’t send encrypted message but print it out.
3. Send by snail mail.
4. Have Alice type it out and decrypt it.
I think this is the bare minimum, since no matter what kind of prime factoring-based crypto you use all of it is being stored by the NSA and will be crackable if and when they develop quantum computers that can run Shor’s algorithm and decrypt your 4096-bit RSA-encrypted e-mail in a second. By doing it this way you benefit from both the technical protections of PGP and the legal protections that pre-digital communications enjoy. Granted it’s a bit cumbersome, so you better make sure you have something interesting to say when you write someone a PGP letter.
Title is trollish, they said the same thing.
They both said “Yes” and “No”. Snowden’s is the technical reply, that if done right, encryption works, but he also says it’s usually not done right. Germany gave the practical response, that it’s usually possible to decrypt communications, but it depends upon the type and quality. Yea, they actually said the same thing.
The GERMAN politician talks about the GERMAN secret service. In case you haven’t figured it out, the NSA is not German.
Encryption is ineffective and so are passwords
As long as a hacker has a stream they can decode it..if not today then years later which doesn’t bode well for sensitive data and it just shows the USA is a willing information gifter…. passwords are weaker than encryption but it comes down to this… randomized data streams aren’t enough complexity to guarantee security. Tough encryption can buy time if people are willing to make it mandatory, they don’t. so the streams have to be made more complex and the answer might be mergers of streams and randomly structured packets because it’s all about recognizable sequences… and the most important thing is not to have a compromised stream of data in the first place. Given that there is no need for encryption…I hear about denying access but is that enough? I think that quantum telecommunication locking is the future for integrity.