More crap about PRISM

My brain hurts from reading one of the most God-forsakenly awful pieces of allegedly technical writing about PRISM:

There's the issue of encryption, such as an SSL connection, which offers a HTTPS [secure web connection] secure pipe between the user's computer and the website providing the service. It's like a metal pipe that stretches end-to-end. The port that's opened up on your computer is encrypted and everything that flows through it is completely unreadable.
But if the NSA were intercepting traffic and decrypting it somehow on the edge connection between the application service provider — such as Facebook, Gmail, Amazon, for example — and the Tier 1 network, the application service provider would be unaware that this was happening.
Yes, and "if" my aunt had testicles she'd be my uncle. Author Zack Whittaker "writes for ZDNet, CNET and CBS News. He is based in New York City." There's a reason why he's writing about computer security and not actually doing it for a living.

Aware that Facebook, Google, Amazon use HTTPS as default, the author tries to overcome the obvious objections:

Although SSL-encrypted data is still unreadable at its current destination, the NSA likely has the capabilities to break this encryption later at its datacenter, presumably using vast computational resources. This would have to be done for each session, and likely only for targets of interest since the ability to do this would be extremely computationally expensive, as both public key and symmetric keys would have to be cracked.
Flipping heck. Does he have any idea how expensive a brute force attack against a 128 bit symmetric key is (assuming that you have some known plaintext so you can check it)? And you have to brute force each individual session, i.e. each HTTPS connection of each user, since the key is unique for each session. Even if you have a way in to massively reduce the search space e.g. by exploiting weakness in the randomness of the key generation, you're still looking at something that is computationally infeasible unless you have a very small number of sessions you're targeting e.g. you know the source internet addresses of your bad guys.

His lack of understanding is also apparent here:

Facebook and Google, for example, use 128-bit RSA encryption with TLS 1.1 connections for their Web servers. (Google is planning to move to a 2048-bit RSA key later this year.)
OK, let's talk slowly here. RSA (Rivest, Shamir, Adleman) is a way for two people talking over a connection that others can eavesdrop on (e.g. an Internet connection) to agree a mutual secret key that can then be used to encrypt the rest of the conversation. The algorithm is such that although the eavesdroppers can see the entire conversation, they can't deduce the secret key. Now that secret key is 128 bits (16 characters) in length. You can use it with a range of symmetric encryption algorithms - where user A encrypts the message with a secret key, and user B decrypts it with the same key - and a common one is RC4_128 although other algorithms are in use. So "128 bits" refers to the shared secret used to encrypt an HTTPS conversation, whereas "RSA" is the method by which that secret is agreed. RSA uses much bigger keys (1024 or 2048 bits long) in a public-key encryption scheme where each user makes enough of their key public to allow anyone else to encrypt a message for them, but keeps enough secret that only they can decrypt the message. If Whittaker can't get this right, I'm not optimistic about his understanding about the more technical details.

Not forgetting:

Cracking the encrypted SSL sessions could also be achieved through compromised certificates from the issuing certificate authority, making decryption of vast amounts of sessions that much easier.
No. Just, no. Compromising a certificate authority (hard, but not impossible) means that you can "man in the middle" communications - intercept the messages from a user to Facebook by pretending to be Facebook, then in parallel relay his messages to Facebook pretending to be him. You're not "cracking" the SSL sessions except in a very, very loose sense; you're just disguising yourself as Facebook. But this doesn't work in many cases anyway, now that this risk is known and the major browsers know what the real Facebook/Google/Amazon certificates should look like before checking with the certificate authority. There are also improvements to the SSL protocol that make man-in-the-middle attacks much harder to carry out without detection. And again, you'd require massive computing resources to tackle this at any scale - it only works for very targeted snooping.

In summary: Zack Whittaker is talking through his lower digestive tract. If anything he writes about PRISM is correct, it's going to be by accident.

No comments:

Post a Comment

All comments are subject to retrospective moderation. I will only reject spam, gratuitous abuse, and wilful stupidity.