How The NSA Works Hard To Break Encryption Any Way It Can

from the brute-force dept

Spiegel has published a detailed article, relying mostly on documents that Ed Snowden leaked, looking at the many ways in which the NSA breaks encryption (and the few situations where it still has not been able to do so). As we've seen from previous leaks, the NSA stupidly treats encryption as a "threat."
And, sure, it is a "threat" to the way in which the NSA snoops on everything, but for the vast majority of users, it's a way to protect their privacy from snooping eyes. The report does reveal that certain encryption standards appear to still cause problems for the NSA, including PGP (which you already use for email, right?), OTR (used in some secure chat systems) and the VoIP cryptography system ZRTP. Phil Zimmermann, who helped develop both PGP and ZRTP, should be pretty damn proud of his achievements here.

As the report notes, the NSA has the most trouble around open source programs, because it's much more difficult to insert helpful backdoors:
Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.
When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make "cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable."
The report also shows that VPNs are targeted by the NSA, and it has had a fair bit of luck in breaking many of them (especially those that rely on PPTP -- which has long been recognized as being insecure, but is still widely used by some VPN providers). However, it also shows that the NSA has been able to crack IPsec VPN connections as well. In short: your VPN probably isn't secure from the NSA if it wants in.

The NSA also has apparently been able to crack HTTPS connections, and does so regularly:
The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.
HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it's not a perfect solution.

Another big reveal: the NSA has the ability (at least some of the time) to decrypt SSH (Secure Shell), which many of us use to access computers/servers remotely.

There's lots more in the article and in the many, many included documents (just a few of which are shown below). It's well worth reading.

However, the key point is that the NSA is working very, very hard to undermine key encryption systems used around the internet to keep people safe. And rather than sharing when those systems are cracked and helping to make them stronger, the NSA is exploiting those cracks to its own advantage. That may not be a surprise, but for years the NSA has insisted that it is helping to make encryption stronger to better protect the public. The revelations from this article suggest that isn't even remotely close to true.




Filed Under: encryption, gchq, nsa, otr, pgp, ssh, ssl, surveillance, zrtp


Reader Comments



  • icon
    That One Guy (profile), 29 Dec 2014 @ 2:15pm

    Self-delusion and Arrogance

    That may not be a surprise, but for years the NSA has insisted that it is helping to make encryption stronger to better protect the public. The revelations from this article suggest that isn't even remotely close to true.

    The problem is, you're not thinking about it from their point of view. To a 'good employee' (that being any worker who is obedient and 'patriotic' enough to do what they are told) at the NSA, the agency is, without a doubt, at the very top of the list of 'Good Guys'. And since 'good guys' can never do wrong, then anything they do is, by default, 'good'.

    Given they are breaking encryption in order to further their own efforts, and they are, remember, 'The Good Guys', then it follows that breaking encryption is a 'good' action in their minds, since 'Good guys' don't do 'bad things'.

    Adding to the disconnect with reality, there's also a massive case of arrogance, where the idea that any individual or group could ever employ similarly skilled and intelligent individuals is seen as laughable. They're the NSA after all, with incredible resources in manpower, money, and skill, clearly even if they can spot and take advantage of a security weakness, it doesn't mean that anyone else can, and that means there's no need to fix it or not introduce it.

    (The fact that the above is not even remotely close to reality is rather beyond them, due to the previously mentioned arrogance)

    So between the self-delusion and arrogance, it's no wonder they see nothing wrong with weakening security globally, to them, they're still the Good Guys, and anything they do is also 'Good', despite reality saying otherwise.


  • icon
    Vidiot (profile), 29 Dec 2014 @ 3:16pm

    Say what?

    "... major threat to the NSA's ability to... defeat adversary malware..."

    Thought their job was to create adversary malware.


  • identicon
    peter, 29 Dec 2014 @ 3:36pm

    If you are innocent

    If you have nothing to hide, you have nothing to encrypt.. Right?


    • identicon
      CharlieBrown, 30 Dec 2014 @ 1:00am

      Re: If you are innocent

      By that logic, whilst a criminal uses encryption, so does the guy looking at porn behind his wife's back!


    • identicon
      Anonymous Coward, 30 Dec 2014 @ 6:33am

      Re: If you are innocent

      I guess corporations and governments have nothing to hide either......right?


    • icon
      PT (profile), 30 Dec 2014 @ 3:04pm

      Re: If you are innocent

      Y'know, as a consultant, almost every one of my clients makes me sign an NDA (non disclosure agreement) promising Draconian penalties if I disclose their valuable secrets to a third party. Yet when I offer them my public key and ask for theirs, they look at me in blank surprise. They have no concern about sending their valuable secret drawings and business plans in plain text on unencrypted email.

      So I guess innocence isn't about having nothing to hide. It's about being completely fucking clueless.


    • identicon
      Anonymous Coward, 5 Jan 2015 @ 9:55am

      Re: If you are innocent

      ... assuming you're innocent, please post a publicly accessible link to your webcam, while already having pulled off your clothes. Shouldn't be much of a problem, I guess ...


  • identicon
    Anonymous Coward, 29 Dec 2014 @ 3:54pm

    >OTR, PGP, ZRTP are secure

    The only problem is getting other people to use them...


  • icon
    mvario (profile), 29 Dec 2014 @ 4:17pm

    also…

    Also, Jacob Appelbaum and Laura Poitras gave an accompanying talk yesterday at 31c3 that has now been posted to Youtube…

    https://www.youtube.com/watch?v=0SgGMj3Mf88


  • identicon
    Anonymous Coward, 29 Dec 2014 @ 4:17pm

    Most people who have worked with IPSec (or were paying attention when it was created) will be extremely willing to go on and on about just how insanely difficult it is to set up IPSec properly.

    There was a theory that the NSA was actually responsible for this - they couldn't undermine the crypto itself and so instead they pushed the design to be overly complicated and have as many extremely nuanced options as possible where only a few combinations would validly produce secure communications. There are several companies and products entirely built around doing the IPSec configuration so customers don't have to.

    Regardless, I would still suggest that if IPSec is crackable by the NSA, it is not an inherent weakness in IPSec's cryptographic groundings but in all odds human error that is giving them a way in.


    • icon
      Dan J. (profile), 30 Dec 2014 @ 4:05am

      Re:

      For whatever it's worth, I'm a network engineer who's set up a large number of IPSec connections and I strongly concur. Additionally, I'm really curious as to the details of cracking SSH. I'd be willing to wager that the sessions they're able to crack use small key sizes.


    • identicon
      Anonymous Coward, 30 Dec 2014 @ 6:35am

      Re:

      That sounds like something I already thought they would do


    • icon
      John Fenderson (profile), 30 Dec 2014 @ 7:57am

      Re:

      "Most people who have worked with IPSec (or were paying attention when it was created) will be extremely willing to go on and on about just how insanely difficult it is to set up IPSec properly."

      This. This is the primary reason that I don't really trust IPSec. It's far too easy to get it wrong.


  • identicon
    4th Amendment, 29 Dec 2014 @ 6:32pm

    VeraCrypt

    The Spiegel article notes that TrueCrypt posed major difficulties for NSA, but that's only NSA level 4. NSA Level 5 is 100% unreadable by NSA.

    The open-source TrueCrypt project is now continuing as the new open-source project VeraCrypt at https://veracrypt.codeplex.com/. Security improvements have been implemented and issues raised by the TrueCrypt code audit just before the TrueCrypt developers retired have been addressed. The 1.0e version is the current stable release, and the upcoming 1.0f version is currently in its third beta release. Both are available for download right now at https://veracrypt.codeplex.com/releases/view/132239

    VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt".

    A vulnerability in the bootloader was fixed on Windows and various optimizations were made to it as well. The developers added support for SHA-256 to the system boot encryption option and fixed a ShellExecute security issue as well.

    Linux and Mac OS X users benefit from support for hard drives with sector sizes larger than 512. Linux on top of that got support for NTFS formatting of volumes.


    The VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format due to VeraCrypt's security improvements. VeraCrypt believes that the old TrueCrypt format is too vulnerable to NSA attack and that it must now be abandoned - this is the philosophical point of difference between the VeraCrypt project and the competing CipherShed project (CipherShed is staying with the old TrueCrypt format). A tool to convert TrueCrypt volumes to VeraCrypt format is being developed but is not yet available, so currently the conversion method involves copying unencrypted files from the (opened) legacy TrueCrypt container into the new VeraCrypt container.

    http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html - VeraCrypt a Worthy TrueCrypt Alternative

    http://www.ghacks.net/2014/12/04/a-second-look-at-veracrypt-an-unofficial-truecrypt-successor/ - A Second Look at VeraCrypt - An Unofficial TrueCrypt Successor

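The cost of raising the PBKDF2 iteration count, as described in the VeraCrypt comment above, measured in an added example (not from the comment, the article, or the VeraCrypt project). It uses Python's hashlib with PBKDF2-HMAC-SHA512; the 1,000-iteration baseline, the sample passphrase and the all-zero salt are constructed for comparison and are not figures from the page.

```python
import hashlib
import math
import time

# Iteration counts quoted in the comment above.
QUOTED_ITERATIONS = {
    "system partition (RIPEMD160)": 327_661,
    "standard volume (RIPEMD160)": 655_331,
    "standard volume (SHA-2, Whirlpool)": 500_000,
}

# Assumption: a low baseline chosen only for comparison, not a figure from the page.
BASELINE_ITERATIONS = 1_000


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 64-byte key with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall time for one derivation, i.e. one password guess."""
    salt = bytes(64)  # constructed all-zero salt; real volumes use a random one
    best = math.inf
    for _ in range(trials):
        start = time.perf_counter()
        derive_key(b"constructed sample passphrase", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def work_factor(iterations: int, baseline: int = BASELINE_ITERATIONS) -> float:
    """How many times more hashing each guess costs than at the baseline."""
    return iterations / baseline


def equivalent_bits(iterations: int, baseline: int = BASELINE_ITERATIONS) -> float:
    """Work factor expressed as extra bits of passphrase entropy."""
    return math.log2(work_factor(iterations, baseline))


def extra_chars_for_same_gain(iterations: int, alphabet: int = 26,
                              baseline: int = BASELINE_ITERATIONS) -> float:
    """Random characters from `alphabet` that give the same attacker slowdown."""
    return equivalent_bits(iterations, baseline) / math.log2(alphabet)


if __name__ == "__main__":
    base = seconds_per_guess(BASELINE_ITERATIONS)
    print(f"baseline {BASELINE_ITERATIONS:>7} iterations: {base * 1000:8.2f} ms per guess")
    for label, count in QUOTED_ITERATIONS.items():
        measured = seconds_per_guess(count, trials=1)
        print(f"{label:36} {count:>7} iterations: {measured * 1000:8.2f} ms per guess, "
              f"x{work_factor(count):.0f} work, +{equivalent_bits(count):.1f} bits, "
              f"~{extra_chars_for_same_gain(count):.1f} lowercase letters")
```

The measured time per guess grows in step with the iteration count, and the last column shows that the same attacker slowdown is matched by about two extra random lowercase letters in the passphrase.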

  • identicon
    Wikipedia expert needed, 29 Dec 2014 @ 7:17pm

    Re: VeraCrypt

    VeraCrypt needs a Wikipedia page - any Wikipedia experts here who can do this?


  • identicon
    Anonymous Coward, 29 Dec 2014 @ 7:29pm

    only 6000 tor nodes

    I've toyed with starting up a tor node - just to be a good netizen. But 6000 is a manageable number for targeted attacks. If I start up a node, am I inviting every government in the world to compromise my network?


  • identicon
    Anonymous Coward, 29 Dec 2014 @ 9:09pm

    Hens, meet Fox

    "...for years the NSA has insisted that it is helping to make encryption stronger to better protect the public."

    See that fox hanging out by that hen house? He's just trying to protect the chickens. Honest!


  • identicon
    Justme, 29 Dec 2014 @ 9:55pm

    Is it Just me??

    3 letter agencies destroying the very thing they claim to be protecting is starting to become the norm!


  • identicon
    Anonymous Coward, 30 Dec 2014 @ 2:14am

    Wouldn't it have been more helpful if Techdirt had been writing about the NSA back before the NSA broke off its "arrangement" with Google?

    Yeah, that would have been nice.


    • icon
      That One Guy (profile), 30 Dec 2014 @ 3:08am

      Re:

      Oh, you mean before the Snowden leaks, where any discussion of what they might be doing could be easily dismissed as paranoia or baseless conjecture? Yeah, can't imagine why they didn't jump on that opportunity... /s


  • icon
    Ninja (profile), 30 Dec 2014 @ 2:36am

    Even if they can decrypt some of the encrypted alternatives out there (that haven't got backdoors) they need horsepower to do it. If the usage is widespread at the very last we can make it hurt financially to grab them all.


    • icon
      That One Guy (profile), 30 Dec 2014 @ 3:21am

      Re:

      And that, really, is the best that can be attained realistically. If a government agency, Intelligence or otherwise, really wants to know what's in the emails, calls, or other communications you're sending, they will be able to do so. It might take them a little bit of time and effort, but if they're really that interested in you, they will manage it.

      Encryption doesn't really do squat there. It'll slow them down a bit, but that's about it. What encryption does do, is make them work for it. If they have a real reason to be looking into your data, then that work will be seen as worth it.

      However, if they're just curious, or 'merely' trying to scoop up everything they can, 'Just in case', then that extra bit of effort might very well be enough to keep your communications private, as they only have so many resources to spend, and using them to decrypt random bits of data is something they would have trouble justifying.

      It's almost funny when you think about it, encryption's main use is to protect the innocent, completely turning on its head the argument used against it, the ever so popular, 'If you've done nothing wrong, you have nothing to hide'. In the case of encryption, hiding won't do you much good if you're guilty, but if you're innocent, it will do quite a bit in protecting you.


      • icon
        Ninja (profile), 30 Dec 2014 @ 6:02am

        Re: Re:

        I wouldn't say it's completely breakable. There are protocols out there that are still secure even though I can't name 'em. But eventually everything will be breakable given enough horsepower and we know computers will always get to this tipping point.

        The solution here is to keep improving the existing solutions and develop new ones to keep up with the pace. I particularly like the name the dev gave to PGP. Encryption is pretty good but never perfect. In this case perfection is achieved by constant evolution and openness.


        • identicon
          Anonymous Coward, 30 Dec 2014 @ 6:58am

          Re: Re: Re:

          What about a system built upon detection, if that's even possible.......I think one of the biggest reasons these abc criminals really want this, is because it's essentially undetectable by non techies, if even techs themselves


        • icon
          Dan J. (profile), 30 Dec 2014 @ 7:43am

          Re: Re: Re:

          That depends on what you mean by "breakable." Many of the current algorithms are essentially unbreakable in that if you had every computer in existence working on them it would still take longer than the existence of the universe to brute force them. Whether this results in absolute security, however, depends upon a large enough key, the key being random, the software implementation of the algorithm not containing exploitable bugs, etc. Those are mighty big assumptions. But if you're reasonably smart about crypto and use reasonable practices, you can encrypt things now and through the foreseeable future which neither the NSA nor anyone else will be able to read by breaking the encryption. That doesn't mean the NSA won't get your communications, however. A key can get compromised. In order for your recipient to read the message, they have to decrypt it and the system doing the decryption can be compromised and the plain text exposed. Etc. In other words, there are many avenues of attack other than just breaking the encryption and the NSA is quite good at all of them. So if you're saying that any communication can conceivably be compromised, then yes, I agree. But if you're saying that any method of encryption can be directly broken given enough computer horsepower, then I'd strongly believe that to be incorrect. If it IS correct, then the NSA has made some startling and revolutionary advances in the field of mathematics which would shock the world.


      • identicon
        Anonymous Coward, 30 Dec 2014 @ 6:55am

        Re: Re:

        Yes, but you still have to think about what their variable definition of "worth it" entails........and depending on the definition as well as the illegality of the implementation of an illegal system, they'll be basically running in the same capacity as criminals, while all that's done by folks, is, let's make it more difficult

        Don't get me wrong, I apply to the ideology of "something's better than nothing", but I hope that's just a precursor to real change on their end, either honest remorse as opposed to more lies.....or forced by a nation


    • icon
      nasch (profile), 30 Dec 2014 @ 8:12am

      Re:

      "If the usage is widespread at the very last [sic] we can make it hurt us financially to grab them all."

      FTFY - since this is a tax funded agency.


      • icon
        That One Guy (profile), 30 Dec 2014 @ 2:08pm

        Re: Re:

        If the public is going to be paying either way, I'd rather the cost be measured in monetary terms than privacy ones. One of those is replaceable, the other isn't.


        • icon
          nasch (profile), 30 Dec 2014 @ 3:04pm

          Re: Re: Re:

          If the public is going to be paying either way, I'd rather the cost be measured in monetary terms than privacy ones. One of those is replaceable, the other isn't.

          But if all we do is make it more expensive for the NSA to spy on us, we're being hurt in both ways. We're paying them even more to take away our privacy.


          • icon
            That One Guy (profile), 31 Dec 2014 @ 4:10am

            Re: Re: Re: Re:

            Well, ideally they would be shut down, or at least forced to stop trying to screw over the public every which way they can think of, but until that happens, making their job more difficult, and hopefully protecting the privacy of people who would have had their information scooped up, listed, categorized and stored, is about as good as the public can manage at this time.


    • identicon
      kog999, 30 Dec 2014 @ 8:19am

      Re:

      "widespread at the very last we can make it hurt the Tax Payer financially to grab them all."

      FTFY


  • icon
    nasch (profile), 30 Dec 2014 @ 8:14am

    HTTPS

    HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it's not a perfect solution.

    Anybody know if there's work on a more secure protocol?


    • icon
      John Fenderson (profile), 30 Dec 2014 @ 1:22pm

      Re: HTTPS

      There's a lot of thought about such a thing, but it's an incredibly hard nut to crack -- and would be even harder to get websites to adopt whatever the solution would be. Look how insanely long it's taken just to get websites to use HTTPS!

      Right now, it looks like the path of least resistance may be a solution based primarily on IPv6 and DNSSEC, but having those baseline technologies in place is still years away.


    • identicon
      Anonymous Coward, 31 Dec 2014 @ 8:20am

      Re: HTTPS

      HTTPS, when implemented properly with strong algorithms, strong key sizes, sufficient entropy pools, and a cryptographically secure pseudorandom number generator, on hardware and software without backdoors, is plenty secure.

      But that's a lot of caveats to avoid, and most people either can't be bothered or have to have a less secure fallback (particularly in algorithms) for compatibility with legacy software. Even Microsoft recommends that RC4 be dropped, yet it's still widely used in HTTPS, even with clients that support newer, more secure algorithms.


      • identicon
        Anonymous Coward, 31 Dec 2014 @ 8:24am

        Re: Re: HTTPS

        Doh, forgot about the certificate authority chain.

        Ignore the preceding post; even if all the configuration details are correct, the authority chain is still vulnerable.


  • icon
    tqk (profile), 30 Dec 2014 @ 11:37am

    Terrific article from der Spiegel!

    I read this article a couple of days ago, and since then I've been pretty much stumbling around stupefied. I wander into another room and five minutes later find myself standing up against a wall wondering how I got there and when. Where the hell did all this totalitarianism come from all of a sudden? IPSec and ssh cracked?!?

    I don't see this stuff when I go outside my little apartment, but it seems everywhere I go on-line is wrapping me up in a tight ball coated with an amalgam of NSA + Nazi SS + Soviet KGB + MI6 + Orwell's 1984 + ... outright and blatantly assaulting each and every one of us every second we're on-line. The VPN that recent employers put in place to secure their networks and my and others' work on them was all just a charade. Every time I logged into on-line banking was no more secure and private than clear text to any potential totalitarian prying eye control freak.

    Who the hell is pulling the lever here, and why are they pulling it, and why are they getting away with this? Whose crazy idea is it that life is supposed to be like this?

    I believe the article also pointed out the crackers still have trouble with tor (I'm not sure whether you mentioned it). Good! Get everyone you know up to speed on it as fast as they can, before it's too late.

    I'm assuming it's not already too late. It's all we appear to have left.


    • icon
      John Fenderson (profile), 30 Dec 2014 @ 1:26pm

      Re: Terrific article from der Spiegel!

      "IPSec and ssh cracked?!?"

      The documents don't actually indicate that these have been cracked. They indicate that they have often been circumvented by the NSA obtaining private keys. IPSec should, as always, be avoided simply because it's easy to configure it wrong (rendering it vulnerable), but SSL itself is still apparently mathematically solid. The lesson I take is what we've already known: don't trust any communication where you have to trust a third party to keep a secret.


  • identicon
    Anonymous Coward, 30 Dec 2014 @ 12:12pm

    Glad I use OpenVPN instead of PPTP or IPsec. It's good to know Phil Zimmermann's PGP and ZRTP encryption designs still appear secure.

    HTTPS has the potential to be secure too, if it didn't rely on centralized certificate authorities. The big worry is a Certificate Authority's signing key being stolen or handed over voluntarily. If your web browser trusts that Certificate Authority's signing key, you're toast.

    At which point nation-state sponsored man-in-the-middle attacks can be deployed, using that Certificate Authority's signing key to sign any website address they want.

    Allowing them to redirect web surfers to NSA HTTPS website proxy servers posing as a legitimate website. These HTTPS proxies sit in the middle of the connection, decrypting and logging all data before finally forwarding it on to the legitimate website.

    I believe TURMOIL is the NSA exploit running these man-in-the-middle HTTPS attacks, by intercepting "CA Service Requests". As illustrated in this NSA slide. TURMOIL sits between the client, web server, and Certificate Authority. Acting as a man-in-the-middle proxy.

    https://en.wikipedia.org/wiki/File:NSA-diagram-001.jpg

    When a client requests the public key for TechDirt.com, TURMOIL returns a public key for the NSA proxy server instead. The client believes the NSA proxy server's public key belongs to Techdirt.com, because it's signed with a Certificate Authority's signing key trusted by the client's web browser.


  • identicon
    Anonymous Coward, 30 Dec 2014 @ 2:20pm

    Thanks mvario, for posting the link for Laura Poitras and Jacob Appelbaum addressing the Chaos Computer Club on YouTube. Their talk goes into really deep details about how intelligence agencies are creating dossiers on people. They actually present a FISC document detailing the content captured from people's communications.

    https://www.youtube.com/watch?v=0SgGMj3Mf88


  • identicon
    Been There, Done That, 4 Jan 2015 @ 7:01pm

    VeraCrypt's Wikipedia page is up!


