I've followed the Snowden/Greenwald/Miranda saga with varying degrees of fascination and disgust - the UK government didn't exactly cover itself in glory in how it intercepted Greenwald's partner David Miranda - and so I was intrigued by Greenwald's latest missive in the Grauniad: "US and UK spy agencies defeat privacy and security on the internet". For a start, I'd have capitalised the "i" in "Internet" but I digress... An amateur crypto enthusiast like myself usually finds plenty of groan room in these kinds of articles, so what is Greenwald discussing, and why is he writing in conjunction with Guardian diplomatic correspondent Julian Borger and ex-Wikileaks "data journalist" James Ball?
According to Greenwald, NSA and GCHQ are heavily involved with defeating encryption with three main thrusts:
Those methods include [1] covert measures to ensure NSA control over setting of international encryption standards, [2] the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – [3] collaboration with technology companies and internet service providers themselves.

I can believe [2] without breaking sweat. Brute-forcing encryption should be the stock-in-trade of any serious spy agency. Even if the opposition encrypts their files / hard disk, typically they have a lousy choice of password because they want it to be memorable and easy to type - two aspects directly benefiting a brute-force attack. Any password typed by a human should make a brute-force attack attractive unless that human is particularly crypto-aware. If you can't decrypt by brute force, another approach is to install a keylogger (e.g. via malware mailed to the user) and catch him or her typing the password directly.
Let's talk about [1], though: influencing international encryption standards. The problem with this idea is that many, many very competent cryptographers are involved in the selection of an encryption or hashing standard such as AES or SHA-3. The overall process may be overseen by US agency NIST, but the decision process and factors are, by design, completely open. Usually there's a fairly clear choice of the shortlist of candidate functions; a cryptographically weak function is likely to have a sufficiently obvious record of theoretical attacks that it would be a glaring anomaly for NIST to short-list it. I could just about believe that NSA could influence the choice between candidates #1 and #2 for the winner, but frankly I don't see it buying them much. There's a theoretical possibility that NSA knew of a better-than-brute-force attack against candidate #2 and "persuaded" NIST to choose #2 instead of #1, but I can't see NIST members accepting that; and the downside publicity would far outweigh the relatively small computational gain in near-brute-force attacks.
It's notable that in the peculiar case of the random number generator Dual_EC_DRBG NIST approved four functions. Three were fine, but the fourth - Dual_EC_DRBG - was the only openly NSA-championed one. It was also very slow, had suspicious "magic numbers", and its output was notably way off the level of entropy (randomness) that it should be. Later analysis by Microsoft cryptographers showed something that looked very much like a back door related to the magic number selection. Why would the NSA champion something that was so startlingly broken? We may never know for sure, but it was as popular as a bacon-wrapped pork chop in Mecca. This was the standardisation process working as intended - everyone was well informed to steer clear of this candidate despite ostensible NSA support.
By contrast I invite the reader to consider the advice of the NSA to IBM to change the data values in the "S-Boxes" forming part of the DES encryption process in 1977. Many years later it became clear that the values NSA had proposed made DES substantially stronger against differential cryptanalysis than the original values. It seems probable that NSA knew of differential cryptanalysis techniques back then, and deliberately made DES resistant to this attack. Why might that be?
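To make "stronger against differential cryptanalysis" concrete, here is an added Python example (not from the original post) that builds the difference distribution table of DES S-box S1, transcribed from FIPS 46, and reports its worst-case differential; a low maximum entry is exactly what resistance to this attack means. The checks encode two of the S-box design criteria IBM and NSA later published (Coppersmith, 1994): a single flipped input bit changes at least two output bits, and no input difference maps to one output difference more than 16 times out of 64.

```python
# Added example: difference distribution table (DDT) of DES S-box S1.
# S1 is transcribed from FIPS 46; nothing here is from the original post.
from itertools import product

# DES S-box S1: 4 rows of 16 entries, indexed by (outer bits, middle bits).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, x):
    """Evaluate a DES S-box on a 6-bit input: bits 5 and 0 select the row,
    bits 4..1 select the column (FIPS 46 convention)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def ddt(table):
    """ddt[din][dout] counts the 6-bit inputs x with S(x) ^ S(x ^ din) == dout.
    Every row sums to 64; a uniform row would hold 4 in each cell."""
    t = [[0] * 16 for _ in range(64)]
    for din, x in product(range(64), repeat=2):
        t[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return t

def worst_differential(table):
    """Return (count, din, dout) for the most probable differential with a
    nonzero input difference; count/64 is the probability an attacker who
    injects din sees dout. Lower is harder to exploit."""
    t = ddt(table)
    return max((t[din][dout], din, dout)
               for din in range(1, 64) for dout in range(16))

def single_bit_min_output_change(table):
    """Smallest output Hamming distance over all single-bit input flips.
    Published design criterion S-3 requires this to be at least 2."""
    return min(bin(sbox(table, x) ^ sbox(table, x ^ (1 << b))).count("1")
               for x in range(64) for b in range(6))

if __name__ == "__main__":
    count, din, dout = worst_differential(S1)
    print(f"S1 worst differential: 0x{din:02x} -> 0x{dout:x}, probability {count}/64")
    print("min output bits changed by a 1-bit input flip:",
          single_bit_min_output_change(S1))
```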
Every spy agency wants to eavesdrop on everyone. But there's a trade-off. If everyone's crypto is weak, many other foreign spy agencies will be able to do the same thing; if your country (the USA) is one of the most prominent in world commerce, the limited gain to the domestic spy agency from being able to read commercial communications will be dramatically offset by other countries - Russia, China for instance - where government, espionage and commerce have an unhealthy intersection. It's in the NSA's interest to give good crypto to American firms and, by extension, people. They need to leverage their unique advantages (computing power, mathematical excellence) to target the threats that matter.
By contrast, the Chinese Government blocks most uses of Virtual Private Networks crossing the country's electronic borders, and can block or mount man-in-the-middle attacks on SSL (secure web traffic) connections. Why isn't Greenwald shouting about this? Is it because net censorship and blatant interception isn't interesting if it's a Communist country?
In the interest of neutrality, I'd point out that [3] is justified at least in part by previous NSA behaviour with regard to exported crypto. Back in 1997 it turned out that export versions of Lotus Notes made 24 bits of the 64 bits of the encryption key available to the NSA:
When sending e-mail messages, Lotus uses a 64 bit key. But in export editions, 24 bits of the key are broadcast with the message, reducing the effective key length to 40 bits. The 24 bits are encrypted using a public key created by the NSA. This is called the Workfactor Reduction Field. Only NSA can decrypt the information in the Workfactor Reduction Field. Once the key length is reduced to 40 bits, fast modern computers can break the code in seconds or minutes.

The NSA aren't the only ones making exported crypto weak. Witness the sale of Enigma machines after World War 2 to developing countries by the British. "Hey, here's a totally secure encryption system!" Since Enigma had been comprehensively broken by the British, they could read any cipher traffic they chose...
Summary: storm in a teacup. NSA can't negatively affect international encryption standards in practice, and indeed should have a vested interest in these being strong. They totally do brute-force encryption but this only works for very targeted attacks on personally-encrypted files - they can't realistically brute-force regular HTTPS web encryption. They do try to get NSA-specific back doors into exported crypto, but they've been doing this for at least 20 years that we know of. This is not news.
Ref your first point, I agree, these international standards are used for commerce and why would the USA risk its own competitive advantage in electronic commerce?
Really secret stuff used by Governments will have had their equivalent of GCHQ crawling all over it first and they will develop their own variations.
If a country isn't sophisticated enough to have a GCHQ it probably doesn't have any secrets worth protecting from the NSA.
SimonF: That last para is superb. I'm totally stealing it for future use.