bit-tech.net

Snowden leaks point to cryptography backdoors

Snowden leaks point to cryptography backdoors

The NSA and GCHQ have joint programmes, dubbed Bullrun and Edgehill,

The latest leak from whistleblower Edward Snowden's cache of classified material suggests that the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) have been working with software and hardware developers to insert weaknesses and backdoors into cryptographic products.

Cryptography is the art of scrambling information such that, in an ideal world, it appears as nothing more than random noise to anybody but the intended recipient. It's used in everything from military communications systems to web browsers, and protects secrets as important as nuclear missile codes to your credit card details and banking passwords. Cryptographic encryption is also used commercially, in digital rights management (DRM) systems like High-bandwidth Digital Content Protection (HDCP) as a means of attempting to curb piracy.

Sadly, the latest leak from Snowden's files suggests that many encryption systems provide little more than the illusion of security thanks to backdoors inserted into their code by the NSA and GCHQ under projects dubbed Bullrun and Edgehill - two famous battles from American and English civil wars, offering a worrying insight into the mindset of those who authorised such programmes, confirmed by the official designation of users of these packages as 'adversaries' - even if they're just sending private emails, or doing their shopping online.

According to details published by the Guardian last night, which GCHQ and NSA officials had asked remain secret, Bullrun and Edgehill are long-running projects by the NSA and the GCHQ respectively to cripple the efficacy of commercial encryption products in order to further their efforts at total information capture.

The NSA's Bullrun programme, Snowden's files claim, enjoys a budget in the hundreds of millions of dollars - ten times higher than the previously-leaked Prism information capture system - and operates at Top Secret and above levels of classification. The reason for such secrecy: the programme is claimed to 'leverage sensitive, co-operative relationships with specific industry partners' to insert back door access or other weaknesses into commercial security and cryptography products.

The revelation has privacy advocates and security experts up in arms, but such things have long been rumoured: the NSA was accused of inserting a backdoor into Microsoft's Windows operating system which gave it full and unrestricted access to users' files, even when encrypted - a claim that Microsoft has denied for years.

Snowden's leak also tells of efforts, under the unlikely codename Project Cheesy Name, to identify potentially weak Secure Socket Layer (SSL) certificates for brute-force cracking attempts - which, if successful, would allow the NSA to run servers that pretend to belong to the owner of the certificate, or decrypt in real-time any captured traffic destined for the real servers.

In a separate feature for the Guardian, security expert Bruce Schneier offers advice for protecting yourself against such all-encompassing spying: use of encryption, even if weakened; use of anonymising services such as Tor; automatic suspicion of any closed-source commercial packages, especially those from larger US-based companies; and the use of public-domain, source-based encryption systems.

Even the use of open-source software packages - into which it would be extremely difficult for the NSA to plant a backdoor, thanks to the public having full and transparent access to the source code - may not offer complete protection, however: leaked details surrounding Bullrun suggest that the NSA uses a network of supercomputers to perform brute-force attacks against encrypted data to which it does not have a master key. Protection against this type of attack comes from the user: passwords must be long enough and complex enough to not fall to such an attack, and when given the option of key length - measured in bits - the longest supported by the software should be chosen, even at the cost of performance.

One thing is clear from the leak, however: commercial security software which does not provide the complete source code is, clearly, not to be trusted.

32 Comments

Discuss in the forums Reply
GeorgeStorm 6th September 2013, 12:13 Quote
Read the Guardian article earlier, not great stuff :/

“Those who would give up Essential Liberty, to purchase a little Temporary safety, deserve neither Liberty nor Safety" is the phrase that comes to mind.
Gareth Halfacree 6th September 2013, 12:16 Quote
Quote:
Originally Posted by GeorgeStorm
Read the Guardian article earlier, not great stuff :/
I'm just pleased that pretty much all the software I use is open source - no backdoors there. Just a shame about my Gmail account and Android phone, really...
Krikkit 6th September 2013, 12:43 Quote
A nicely-written piece again Gareth!

I suppose I should be more surprised to hear this kind of thing goes on, but I'm not tbh. Clever though, to insert back-doors into the source with big corporates in the first place.
Gareth Halfacree 6th September 2013, 13:05 Quote
Quote:
Originally Posted by Krikkit
A nicely-written piece again Gareth!
Why thank you!
Quote:
Originally Posted by Krikkit
Clever though, to insert back-doors into the source with big corporates in the first place.
The real issue, and one I didn't have room to get into in the already-lengthy piece, is the possibility that the NSA's 'relationships' extend beyond software vendors and into hardware vendors. Let's imagine a processor manufacturer called, I don't know, Acumen. Acumen builds a popular line of processors called the Crux family, which account for a massive percentage of the world's computing systems. Each Acumen Crux chip has inside it a random number generator and cryptographic acceleration engine, used by the OS for all encryption and decryption operations.

Some time ago, however, the NSA approached Acumen and asked them nicely if they wouldn't mind modifying the design of the RNG and cryptographic accelerator such that it introduced a handy-dandy flaw into proceedings. To the end-user, everything looks normal; if you know what the flaw is, however, you can easily break the encryption in a fraction of the time it would otherwise have taken. Acumen does this, and hides it from its customers by dint of not releasing the design files for the chip - which isn't a problem, because it never releases those anyway.

The users of Acumen Crux processors don't realise this, of course. The more paranoid use open-source software, confident that they are secure because there can be no back-door in the source code - little realising that the back-door is right there in the hardware. Their handy-dandy open-source encryption engine is relying on hardware that is introducing a weakness - a weakness that the NSA can easily exploit. Whoops!

Sounds less crazy today than it did yesterday - and a whole lot less crazy than when free software giant Richard Stallman announced he was switching to China's homebrew Loongson processor for his computing needs out of a fear of exactly this scenario should he use a chip from a US-based company.
[USRF]Obiwan 6th September 2013, 14:02 Quote
Seems like the best protection you can get is not to connect to anything that requires a connection. What basically means that you shut down the power and throw away your processor based hardware you have like phones, television, pc, laptop, mediaboxes etc.

Maybe the Amish got it right all that time...
AlphaAngel 6th September 2013, 14:50 Quote
Although not completely the fault of the US, it is the legalised bribary (though campaign donations to politicians) that exists there and the US's power to influence other countries that is the reason that everyone should be up to date on US politics, and by this I don't mean watch Fox, MSNBC or CNN and by the same reasonng not the other extreme like Alex Jones. Couple this global power and corruption with the vast wealth and lack of accountability of corporations that do the bribing and there is no way anyone should be surprised by this.

Did anyone really think that corporations give money to politicains because they just want to be nice to them?

Also it has to be remembered that corporations in some ways are more powerful than governments as they are not constrained by a countries borders. So next time a large corporation claims it is 'American' or 'British', remember this is propoganda designed to play on national pride. they are no more American or British than the moon.

If you think all this is scary then you should see the legislation that is trying to be pushed thorough that would for all intents and purposes allow corporations to declare war on countries (using national defences such as the army). Sound crazy? Well, I'm sure the information in this article did too a few years ago.

As Noam Chomsky said so well, "In today's world, democracy is little more than manufactured consent, you won't fight a system your believe you have choosen, that you believe you can change, but in reality the puppets on both hands are joined to the same body and you have no choice over the choice of people you have to choose from".
rollo 6th September 2013, 16:32 Quote
If you want to stay protected, Stay of the internet simple enough.
ferret141 6th September 2013, 17:41 Quote
Did anyone notice how there's a North American router/access point firmware and an international one?
I don't think it is purely for radio spectrum regulation.
Red 5 6th September 2013, 18:16 Quote
Quote:
Originally Posted by Gareth Halfacree
The real issue, and one I didn't have room to get into in the already-lengthy piece, is the possibility that the NSA's 'relationships' extend beyond software vendors and into hardware vendors. Etc. etc....

It brings a whole new meaning to "Intel inside".
Nexxo 6th September 2013, 18:22 Quote
Quote:
Originally Posted by AlphaAngel
If you think all this is scary then you should see the legislation that is trying to be pushed thorough that would for all intents and purposes allow corporations to declare war on countries (using national defences such as the army). Sound crazy? Well, I'm sure the information in this article did too a few years ago.

Didn't that already happen with the invasion of Iraq?
patrickk84 6th September 2013, 20:00 Quote
Quote:
Originally Posted by Gareth Halfacree
Why thank you!The real issue, and one I didn't have room to get into in the already-lengthy piece, is the possibility that the NSA's 'relationships' extend beyond software vendors and into hardware vendors. Let's imagine a processor manufacturer called, I don't know, Acumen. Acumen builds a popular line of processors called the Crux family, which account for a massive percentage of the world's computing systems. Each Acumen Crux chip has inside it a random number generator and cryptographic acceleration engine, used by the OS for all encryption and decryption operations.

Why do you think the US government has specifically stopped using certain hardware products made in China? Huawei and ZTE...
GravitySmacked 6th September 2013, 21:09 Quote
Quote:
Originally Posted by rollo
If you want to stay protected, Stay of the internet simple enough.

Not true; what about phone monitoring, snail mail surveillance, monitoring of your transactions, the near constant watch of security cameras, number plate tracking etc? Also it's easy to say stay off the internet but just doing that isn't easy to do in this day and age.
CraigWatson 6th September 2013, 21:40 Quote
Quote:
Originally Posted by Gareth Halfacree
... Let's imagine a processor manufacturer called, I don't know, Acumen. Acumen builds a popular line of processors called the Crux family...

I see what you did there ;)
Nexxo 7th September 2013, 12:26 Quote
Quote:
Originally Posted by GravitySmacked
Not true; what about phone monitoring, snail mail surveillance, monitoring of your transactions, the near constant watch of security cameras, number plate tracking etc? Also it's easy to say stay off the internet but just doing that isn't easy to do in this day and age.

Stay off the grid. There's a storm coming.
AlphaAngel 7th September 2013, 17:32 Quote
Quote:
Originally Posted by Nexxo
Didn't that already happen with the invasion of Iraq?

To an extent, yes. Lobbying by private interests created public policy. However the new legislation would remove the requirement for the government to be involved in the declaration of war. I will try to find the FOI docs on the proposed legislation so you can have a read. It is certainly very interesting
forum_user 7th September 2013, 18:31 Quote
I always wondered why hackers were always able to find the next hole to exploit. Is it because the holes are there for a reason?

Is it time for a tech site to compile a list of 'safe' software and services?
Corky42 7th September 2013, 19:40 Quote
I don't think there is such a thing as 'safe' software or services.

Although all the talk of back-doors and the NSA does make me wounder how useful something like that would be. Wouldn't it also provide access for other organisations ? Admittedly they would have to find the back door first, but aren't country's like China big into the whole cyber hacking stuff, so wouldn't it be just a matter of time before they identified any back-doors ?
PlayLoud 7th September 2013, 20:18 Quote
Quote:
Originally Posted by Nexxo

Stay off the grid. There's a storm coming.
No fate
Gradius 8th September 2013, 04:01 Quote
If you got it right it means by 2015 (perhaps they already have it) EVERY bank accounts and passwords will be INSECURE, every credit card and password too! You name it. It means they can EMPTY your bank account at ANY time and sink you in debt just typing few things on a keyboard. Think about it. And I see nothing about the media talking on Impeachment Obama... RIGHT NOW!
Gradius 8th September 2013, 04:19 Quote
Quote:
Originally Posted by Gareth Halfacree
I'm just pleased that pretty much all the software I use is open source - no backdoors there. Just a shame about my Gmail account and Android phone, really...

As for Gmail, just register a domain, even if is dynamic IP you can use noip.com, opendns, etc.

Then just install an e-mail server on your "open source" will be enough to drop gmail forever. About android it would be a bit more secure by using Firefox (drop Chrome forever!) and your e-mail server.
mclean007 8th September 2013, 15:45 Quote
HDCP isn't "High Definition Content Protection"; it's "High-bandwidth Digital Content Protection". http://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection

To be honest I don't much care what the NSA can see about my online activities - I'm not doing anything they'd be likely to take an interest in; and as for anyone who IS doing something they'd be interested in, to be honest I'm quite glad that their communications may not be as secure as they'd thought. The problem is if the back doors fall into the wrong hands. I'd really prefer my credit card details to remain out of the hands of thieves, thanks all the same. And you can be damn sure that these latest allegations from that idiot Snowden are going to have sent many misanthropic, but talented, hands to work trying to work out the secrets to the purported back doors.
Quote:
Originally Posted by Gareth Halfacree
Sounds less crazy today than it did yesterday - and a whole lot less crazy than when free software giant Richard Stallman announced he was switching to China's homebrew Loongson processor for his computing needs out of a fear of exactly this scenario should he use a chip from a US-based company.
Because, of course, there is absolutely no risk whatsoever that a Chinese company would be coerced by its own government into doing exactly what you describe, what with China's flawless track record on transparency, freedom of information and espionage.
Quote:
Originally Posted by Gareth Halfacree
The users of Acumen Crux processors don't realise this, of course. The more paranoid use open-source software, confident that they are secure because there can be no back-door in the source code - little realising that the back-door is right there in the hardware. Their handy-dandy open-source encryption engine is relying on hardware that is introducing a weakness - a weakness that the NSA can easily exploit. Whoops!
No obligation to use the RNG in an "Acumen" chip, of course - OSS developers are perfectly at liberty to code their own RNG seeded by any convenient entropy source. Sampling a large enough amount of network traffic should do the job.
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by GeorgeStorm
Read the Guardian article earlier, not great stuff :/
I'm just pleased that pretty much all the software I use is open source - no backdoors there. Just a shame about my Gmail account and Android phone, really...
Isn't the problem though that the SSL layer covering all your supposedly secure internet traffic may be compromised? If (say) Amazon is using an SSL certificate generated by compromised code, then anyone with access to the back door to said code could feasibly crack Amazon's SSL certificate, and from that obtain details of any credit card transaction on which they can snoop on the ciphertext, thereby obtaining credit card information regardless of whether the user is using a system which is itself affected by any such back door?
GravitySmacked 8th September 2013, 16:30 Quote
Wouldn't it be easier to use multi-quote?
DC74 8th September 2013, 22:04 Quote
And when the governments are asked about such things they always rely on either of the following excuses.

1. We're doing this for your own protection to prevent terrorists from coordinating attacks.
2. It's a matter of National Security.(which is a broad term meaning we can get away with anything).

You have to love democracy, the illusion we are free to make our own choices and have power over our own lives. Honestly the more things change, the more the state becomes like in George Orwell's 1984, scary isn't it!
Nexxo 8th September 2013, 22:15 Quote
The future is amongst us.
Gareth Halfacree 8th September 2013, 22:34 Quote
Quote:
Originally Posted by mclean007
HDCP isn't "High Definition Content Protection"; it's "High-bandwidth Digital Content Protection". http://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection]
My mistake - I'll correct that now, thanks!
debs3759 8th September 2013, 23:01 Quote
Quote:
Originally Posted by Gareth Halfacree
I'm just pleased that pretty much all the software I use is open source - no backdoors there. Just a shame about my Gmail account and Android phone, really...

I had to sign up to gmail for something standard on my android device. Have never used it for anything, or told anyone I have the gmail email, yet it still got hacked less than 6 months after getting the phone!
Corky42 9th September 2013, 11:52 Quote
I think its safe to say nothing on the internet is secure, or safe from being hacked.
Its just a sliding scale of how easily third party's can access your data, imho the cloud and other online based accounts being the least secure.

Google scans all Gmail traffic to target advertising, and argues for right to continue scanning Gmail
And the NSA has apparently spied on Smart Phone Data since 2009.

If your data is that important you wouldn't trust sending it on a network open to the entire world.
mclean007 9th September 2013, 12:38 Quote
Quote:
Originally Posted by GravitySmacked
Wouldn't it be easier to use multi-quote?
Probably, if I had thought of all the things I wanted to quote on simultaneously. I commented on things as I read them. No big deal. Seems an admin has kindly tidied all my posts into one.
faceplant 9th September 2013, 13:55 Quote
Whilst working for a rather large corp in the banking sector creating encryption methods many moons ago with the folks at Oakley and Benhall (I think that's where it was) (nowadays...the shiny doughnut people) a little story emerged......

in the 90's the US gov intercepted files being sent from a company in the UK to its US counterpart.....the US gov could not crack the encryption. From that point both UK and US govs passed laws that encryption methods should have backdoors.
Adnoctum 10th September 2013, 03:40 Quote
The First Rule of the NSA's Bullrun Cryptographic Club is "Do not ask about or speculate on sources or methods."
The Second Rule of the NSA's Bullrun Cryptographic Club is "DO NOT ask about or speculate on sources or methods."
Adnoctum 10th September 2013, 05:10 Quote
Quote:
Originally Posted by Gareth Halfacree
The real issue, and one I didn't have room to get into in the already-lengthy piece, is the possibility that the NSA's 'relationships' extend beyond software vendors and into hardware vendors. Let's imagine a processor manufacturer called, I don't know, Acumen. Acumen builds a popular line of processors called the Crux family, which account for a massive percentage of the world's computing systems. Each Acumen Crux chip has inside it a random number generator and cryptographic acceleration engine, used by the OS for all encryption and decryption operations.

Some time ago, however, the NSA approached Acumen and asked them nicely if they wouldn't mind modifying the design of the RNG and cryptographic accelerator such that it introduced a handy-dandy flaw into proceedings. To the end-user, everything looks normal; if you know what the flaw is, however, you can easily break the encryption in a fraction of the time it would otherwise have taken. Acumen does this, and hides it from its customers by dint of not releasing the design files for the chip - which isn't a problem, because it never releases those anyway.

The users of Acumen Crux processors don't realise this, of course. The more paranoid use open-source software, confident that they are secure because there can be no back-door in the source code - little realising that the back-door is right there in the hardware. Their handy-dandy open-source encryption engine is relying on hardware that is introducing a weakness - a weakness that the NSA can easily exploit. Whoops!

Sounds less crazy today than it did yesterday - and a whole lot less crazy than when free software giant Richard Stallman announced he was switching to China's homebrew Loongson processor for his computing needs out of a fear of exactly this scenario should he use a chip from a US-based company.

Not to rain on the unbiased logical arguments of the cool-headed and well known friend of Big Business Richard Stallman, and I'm not going to say that it is beyond the realms of the possible, but it would take massive balls on "Acumen's" part to risk their entire company on the whims of the NSA/US Government. Especially doing something that would be very vulnerable to being audited, discovered, exposed and then have all manner of effluent hitting various cooling devices in every market on the planet.

What would be the pay off for Acumen? A truck load of money they don't need (ACRONYM is more likely to want that blinged up truck)? Relief from spook-related arm twisting? Some sweet government contracts they are already getting? Some political mutual loving?

What would be the pay off for the NSA/US Govt? Access to something they can't already brute force, bribe, subvert, legislate, criminalise or otherwise glean with their contractor (Google et al) supplied analytic programs? Is there such a mythical beast?

What is the risk for Acumen? If they are caught with subverted RNG and crypto logic they are f**ked. No "ifs" or "buts". This is the end of Acumen as a supplier than can be trusted to process and transport encrypted data. There would be customer boycotts and I have no doubt import bans on the national level. Can you see the EU/Russia/China/India/me/you being all laid back about it? Hell no.

What is the risk for NSA/US Govt? How about the biggest security flaw ever introduced into a secure communications network, sitting there bubbling away like a massive subterranean super-volcano and waiting for someone to discover, bribe or blab all about it? You think the US Govt will use some special "fixed" batch of Acumen chips. Nope, all of the US Govt's computers will use the same borked commercial chips to secure and transmit the US Govts most sensitive alien-probe secrets.

Further risk to Acumen is how hard it would be to do and not have someone spill the beans. It is not a software backdoor that could be injected fairly easily and silently. A hardware backdoor would require a lot of people being "in the know" from Acumen and the NSA, both inside and outside the US, and it would require that many people outside these organisations also keep their mouths shut. People such as their rival, ACRONYM, who might have a financial interest in getting Acumen in hot water. People such as those pesky foreign governments and their communist electron microscopes and socialist x-ray machines. People such as a scientist who wonders why their research data isn't turning out quite as they expected and decides to investigate the anomaly.

The good news is that you don't have to use Acumen's RxRAND if you are a Linux user, and the code is fairly open to inspection and modification. Too bad if you are speedballing on MS's gravy, that's a closed shop, man.

TL:DR Version.
Basically, my argument is that Acumen and the NSA would have to require a lot of people who aren't involved in The Big Secret to keep their blabbing mouths shut and/or not try to exploit it against the US Govt.
ferret141 13th September 2013, 11:50 Quote
Quote:
Originally Posted by Adnoctum
Not to rain on the unbiased logical arguments of the cool-headed and well known friend of Big Business Richard Stallman, and I'm not going to say that it is beyond the realms of the possible, but it would take massive balls on "Acumen's" part to risk their entire company on the whims of the NSA/US Government. Especially doing something that would be very vulnerable to being audited, discovered, exposed and then have all manner of effluent hitting various cooling devices in every market on the planet.

What would be the pay off for Acumen? A truck load of money they don't need (ACRONYM is more likely to want that blinged up truck)? Relief from spook-related arm twisting? Some sweet government contracts they are already getting? Some political mutual loving?

What would be the pay off for the NSA/US Govt? Access to something they can't already brute force, bribe, subvert, legislate, criminalise or otherwise glean with their contractor (Google et al) supplied analytic programs? Is there such a mythical beast?

What is the risk for Acumen? If they are caught with subverted RNG and crypto logic they are f**ked. No "ifs" or "buts". This is the end of Acumen as a supplier than can be trusted to process and transport encrypted data. There would be customer boycotts and I have no doubt import bans on the national level. Can you see the EU/Russia/China/India/me/you being all laid back about it? Hell no.

What is the risk for NSA/US Govt? How about the biggest security flaw ever introduced into a secure communications network, sitting there bubbling away like a massive subterranean super-volcano and waiting for someone to discover, bribe or blab all about it? You think the US Govt will use some special "fixed" batch of Acumen chips. Nope, all of the US Govt's computers will use the same borked commercial chips to secure and transmit the US Govts most sensitive alien-probe secrets.

Further risk to Acumen is how hard it would be to do and not have someone spill the beans. It is not a software backdoor that could be injected fairly easily and silently. A hardware backdoor would require a lot of people being "in the know" from Acumen and the NSA, both inside and outside the US, and it would require that many people outside these organisations also keep their mouths shut. People such as their rival, ACRONYM, who might have a financial interest in getting Acumen in hot water. People such as those pesky foreign governments and their communist electron microscopes and socialist x-ray machines. People such as a scientist who wonders why their research data isn't turning out quite as they expected and decides to investigate the anomaly.

The good news is that you don't have to use Acumen's RxRAND if you are a Linux user, and the code is fairly open to inspection and modification. Too bad if you are speedballing on MS's gravy, that's a closed shop, man.[/spoiler]

TL:DR Version.
Basically, my argument is that Acumen and the NSA would have to require a lot of people who aren't involved in The Big Secret to keep their blabbing mouths shut and/or not try to exploit it against the US Govt.

I try not get involved in conspiracy theories as nothing is absolutely impossible. You could go crazy/paranoid in following and believing them all. I would rather just get on with life.

I feel it comes back to the longest running theory of a Bilderberg Group/Illuminati group who operate the world. They supposedly puppeteer/own governments and mega corporations. Having all these back doors makes staying in control easier.

As for keeping secrets. People have lost their lives to silence for less.


Sorry I didn't write a well thought out argument but I'm under the weather.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums