
What the CIA WikiLeaks Dump Tells Us: Encryption Works - kungfudoi
https://www.nytimes.com/aponline/2017/03/11/technology/ap-us-tec-wikileaks-cia-tech-encryption.html
======
andai
I don't see any mention of quantum computers in here so I thought I'd mention:

the NSA themselves are concerned that quantum computing will be a great threat
to encryption in the near future.

Keep in mind that the NSA and god knows who else are storing encrypted
communications to break them later.

Quantum computing will defeat RSA, DH, ECC, asymmetric crypto, but it will
only weaken symmetric crypto (eg. AES) by a factor of two.

So according to my Internet research: if your symmetric crypto is twice as
secure (key size) as needs be, it is future proof.

Also (and please correct me if I'm wrong) I believe the triple encryption
Serpent(Twofish(AES)) available in VeraCrypt (TrueCrypt fork) even protects
against weaknesses which may be discovered in any of these cryptosystems: they
would have to defeat all three.

~~~
hendzen
Symmetric encryption not being broken doesn't really help you if the
encryption key has been exchanged using a (presumably quantum-breakable) form
of asymmetric encryption. Most encryption in the wild works this way.

~~~
y7
True. Note that some "post-quantum" key exchange schemes already exist (based
on lattice cryptography, for which there are no known poly-time quantum
attacks), e.g.
[https://eprint.iacr.org/2015/1092](https://eprint.iacr.org/2015/1092) . But I
haven't heard of it being used anywhere.

~~~
Filligree
The sad truth is, until we've spent a lot more time analysing and attacking
those algorithms, they aren't as secure as what we've got.

~~~
matthewaveryusa
There's an extremely simple method which is to onion multiple algorithms. If
you want to add the promised security features of a new algorithm that hasn't
been battle-tested it's well worth the effort.

~~~
copperx
I've never heard of such technique, what does onioning do?

~~~
matthewaveryusa
I don't think there is an exact term (and if there is I'm all ears), so the
closest one I found pertains to onion routing[1], except instead of each layer
being a different key, each layer is a different algorithm and a different
key. I.e. if you wanted to use algorithm X and algorithm Y, you could encrypt
your plaintext with cyphertext_x = X(x_key,plaintext), and then cyphertext =
Y(y_key,cyphertext_x). If X is terrible, Y still protects your data. If Y is
terrible, X still protects your data. Note that the order in which X and Y are
applied doesn't matter.

[1]
[https://en.wikipedia.org/wiki/Onion_routing](https://en.wikipedia.org/wiki/Onion_routing)
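
The layering described above, written out as an added Go example (my code, not matthewaveryusa's). It builds Y(y_key, X(x_key, plaintext)) from two unrelated stdlib ciphers, each in CTR mode with its own independently generated key and nonce, and peels the layers in reverse. The `Layer` type, the cipher names "aes" and "3des", and the sample message are assumptions of this example; the page only gives the X/Y notation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// Layer is one algorithm in the cascade with its own independent key and nonce.
// The names are an assumption of this example: "aes" selects AES-256 (16-byte
// nonce), "3des" selects Triple-DES (24-byte key, 8-byte nonce).
type Layer struct {
	Name  string
	Key   []byte
	Nonce []byte
}

// NewLayer draws a fresh random key and nonce of the sizes the cipher needs.
// Nonces are per message: generate new ones for every message and send them along.
func NewLayer(name string) (Layer, error) {
	var keyLen, nonceLen int
	switch name {
	case "aes":
		keyLen, nonceLen = 32, aes.BlockSize
	case "3des":
		keyLen, nonceLen = 24, des.BlockSize
	default:
		return Layer{}, fmt.Errorf("unknown cipher %q", name)
	}
	l := Layer{Name: name, Key: make([]byte, keyLen), Nonce: make([]byte, nonceLen)}
	if _, err := rand.Read(l.Key); err != nil {
		return Layer{}, err
	}
	if _, err := rand.Read(l.Nonce); err != nil {
		return Layer{}, err
	}
	return l, nil
}

func newBlock(l Layer) (cipher.Block, error) {
	switch l.Name {
	case "aes":
		return aes.NewCipher(l.Key)
	case "3des":
		return des.NewTripleDESCipher(l.Key)
	}
	return nil, fmt.Errorf("unknown cipher %q", l.Name)
}

// applyLayer XORs data with the layer's CTR keystream. CTR is its own inverse,
// so the same call both adds a layer and peels it off again.
func applyLayer(l Layer, data []byte) ([]byte, error) {
	block, err := newBlock(l)
	if err != nil {
		return nil, err
	}
	if len(l.Nonce) != block.BlockSize() {
		return nil, fmt.Errorf("%s: nonce must be %d bytes", l.Name, block.BlockSize())
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, l.Nonce).XORKeyStream(out, data)
	return out, nil
}

// Encrypt applies the layers innermost first: Y(y_key, X(x_key, plaintext)).
func Encrypt(layers []Layer, plaintext []byte) ([]byte, error) {
	cur := plaintext
	for _, l := range layers {
		var err error
		if cur, err = applyLayer(l, cur); err != nil {
			return nil, err
		}
	}
	return cur, nil
}

// Decrypt peels the layers in reverse order. With CTR keystreams the XOR layers
// commute, so here the order is not essential; for block modes such as CBC it is.
func Decrypt(layers []Layer, ciphertext []byte) ([]byte, error) {
	cur := ciphertext
	for i := len(layers) - 1; i >= 0; i-- {
		var err error
		if cur, err = applyLayer(layers[i], cur); err != nil {
			return nil, err
		}
	}
	return cur, nil
}

func main() {
	x, _ := NewLayer("aes")
	y, _ := NewLayer("3des")
	msg := []byte("constructed sample message") // constructed input, not from the page
	ct, _ := Encrypt([]Layer{x, y}, msg)
	pt, _ := Decrypt([]Layer{x, y}, ct)
	fmt.Println("round trip ok:", bytes.Equal(msg, pt))
}
```

Two things the cascade does not give you: the keys must really be independent (deriving y_key from x_key collapses the two layers to one secret), and nothing here authenticates the ciphertext, so a MAC over the outer layer is still needed in practice.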

~~~
vmarsy
Algorithm composition? (Similar to function composition[1], since algorithms
are just functions that take an input and return an output.)

[1]
[https://en.wikipedia.org/wiki/Function_composition](https://en.wikipedia.org/wiki/Function_composition)

------
dromenkoning
The article mentions WhatsApp multiple times as a service that successfully
made the transition to end-to-end encryption, but it always seemed to me that
this claim is rather meaningless when we don't have the possibility of
auditing their source code.

~~~
colordrops
It seems that most people are completely in the dark when it comes to
security, including myself, but there are some principles that should be
unwavering that regularly get ignored again with every new iteration of
"secure" software:

* If there is a weak layer in the stack, from the physical layer to the UI, then the system is not secure. Even if your messaging app is secure, your messages are not secure if your OS is not secure

* If the source code is not available for review, the software is not secure

* If you or someone you trust has not done a full and thorough review of all components of the stack you are using, the software is not secure

* Even if the source code is available, the runtime activity must be audited, as it could download binaries or take unsavory actions or connections.

* On the same note, if you do not have a mechanism for verifying the authenticity of the entire stack, the software is not secure.

* If any part of the stack has ever been compromised, including leaving your device unlocked for five minutes in a public place, the software is not secure.

I could go on, and I'm FAR from a security expert. People compromise way too
much on security, and make all kinds of wrong assumptions when some new
organization comes out and claims that their software is the "secure" option.
We see this with apps like Telegram and Signal, where everyone thinks they are
secure, but if you really dig down, most people believe they are secure for
the wrong reasons:

* The dev team seems like honest and capable people

* Someone I trust or some famous person said this software is secure

* They have a home page full of buzzwords and crypto jargon

* They threw some code up on github

* I heard they are secure in half a dozen tweets and media channels

~~~
MarkMc
I think you are being too strict in your definition of 'secure'. 99.99% of
devices run Android, iOS or Windows which are closed source and therefore not
'secure'.

To me, security is not a binary property but rather a sliding scale. WhatsApp
say they use end-to-end encryption and they have a strong financial incentive
to be telling the truth. No hacker has demonstrated that WhatsApp are lying
and the Wikileaks dump suggests the CIA has been unable to intercept messages
in transit. Given this information I would rate WhatsApp at least 'reasonably
secure'.

~~~
FreeFull
[https://source.android.com/](https://source.android.com/) The source code for
Android is open under the Apache 2.0 license. Of course, iOS and Windows are
closed source.

~~~
cyphar
You're ignoring that most drivers for android phones are proprietary, the
baseband is entirely proprietary (required by law), the Google services are
proprietary (which many apps use) and most apps are proprietary (including
Google's replacements for the AOSP apps).

If you want a completely free software smartphone experience, it is simply not
possible at the moment. Even Replicant[1] still hasn't cracked the baseband
puzzle (and is still struggling with the firmware for a couple of phones).

So no, Android is definitely proprietary -- even if some parts are not.

[1]: [http://www.replicant.us](http://www.replicant.us)

~~~
iheartmemcache
Basebands fall under exactly which entity's jurisdiction such that they can
regulate a baseband to be 'entirely proprietary'? I mean, BB + superhet.
mixer => IF => carrier wave envelope containing your data. How do you even
regulate a concept of physics? If you're paying the proper fees as a
subscriber to $provider_foo you could even design your own receiver off the
public standards documents (it used to be a popular project for 4th year
undergrads to do on FPGAs for the CEs who wanted to get closer to the silicon,
but MOSIS project space was reserved for only the EEs).

If you want a completely 'free' (as in GPL) cell phone experience, you can
set up an OpenBTS transmitter and transmit in the 900 MHz range, which is
commons property. To stay legal in the US, your antenna has to put out less
than a watt, but the setup allows you to even use off-the-shelf phones and
trunk into normal phone lines via standard POTS software. Your device would
have to be something a la
[http://alumni.media.mit.edu/~mellis/cellphone/](http://alumni.media.mit.edu/~mellis/cellphone/)
(just a janky setup, but just a proof-of-concept -- you can patch together
components from DigiKey pretty easily these days; if you want free silicon, I
think the closest you're going to get is
[https://en.wikipedia.org/wiki/OsmocomBB](https://en.wikipedia.org/wiki/OsmocomBB)
or maybe some soft cores, but if you're actually going to take that soft core
to tape-out, you're probably going to be running 6 figures just for masks...)

~~~
Gregordinary
On the hardware side, there is a project "Free Calypso" to produce a
completely libre (software, firmware, baseband, & hardware) "dumbphone" using
the Calypso chipset.

Initially looking to reuse old phones with the Calypso chipsets, the project
is now working on producing their own. Design files are completed; funding for
the dev boards is about 66% complete.

[https://www.freecalypso.org/fcdev3b.html](https://www.freecalypso.org/fcdev3b.html)

Mailing list is fairly active too.

------
alister
What a welcome shift in public sentiment. Mainstream media is starting to
recommend end-to-end encryption, without back doors, for everybody. (Though
the New York Times might represent the leading edge of the change in popular
opinion.)

~~~
adventured
You tend to see that sort of change every eight years or so. The fake liberals
come back around to pretending to support all civil liberties again.

Ashcroft does X, it's evil and given intense scrutiny. Holder does X, it's
mostly given a pass by the msm.

Bush does X, it's evil. Obama does X (eg regime change in Syria; what, no
million person protests?), it's mostly given a pass by the msm.

That's how the media has functioned for decades. They'll get extremely loud
during Trump's Presidency about domestic spying abuses, after eight years of
giving the Obama Admin a sizable pass. The same will hold true about the
egregious abuses directed at the press under Obama, when Trump does the same
thing it'll be the end of the world.

~~~
scott_karana
> egregious abuses directed at the press under Obama

I'm curious, because I haven't heard of these before. Examples?

------
CapacitorSet
I remember reading a poll where European Parliament members claimed that
encryption (esp. HTTPS and E2E) was the biggest obstacle to espionage. I'm
glad to see that this is a widespread sentiment.

------
raymondh
The CIA WikiLeaks dump might only tell us that breaking through other parts of
the communication chain is easier than decryption.

~~~
moxious
Yes, this has always been the case: defenders put a foot of armor plating on
all of the doors and windows, and attackers look for the key hidden in the
fake rock outside, and simply come in the front door.

------
bgrohman
Original article on AP News in case your NY Times free article count is up:

[https://apnews.com/cf84bf54c2954de8baaa5fb6931a84d0/What-the...](https://apnews.com/cf84bf54c2954de8baaa5fb6931a84d0/What-the-CIA-WikiLeaks-dump-tells-us:-Encryption-works)

~~~
j-conn
Please consider subscribing to high quality newspapers, donating to NPR, or
otherwise supporting journalists. IMHO the last few months have driven home
the vital public service they provide. I recently read that Tom Hanks sends an
espresso machine to the White House press corps every year, while I've been
reading their articles in incognito mode.

~~~
bgrohman
Thanks, that's a good message. In this case, though, the original article came
from AP News, so I don't think there's anything wrong with reading it there.

------
Synaesthesia
Another thing is important: trust. As a naive user I have no idea what's going
on on my phone, hardware- or software-wise. We are essentially trusting these
companies with everything. Encryption is no good if Apple and Google provide
backdoors to their systems to the CIA or NSA.

~~~
roywiggins
Encryption in transit defeats dragnet surveillance. Forcing the NSA et al to
actually break into the phones they're interested in substantially reduces the
amount of information they can actually collect. They can't just tap internet
backbones and read everything, like they do with plaintext communication.

~~~
white-flame
But they can say "Hey, Google/Apple/Microsoft/Facebook/etc, give us access on
your end for our dragnet to work after it comes in from encrypted transit.
Also, this is a NSL so neener neener."

------
espeed
That's not what it tells us. Encryption works to the degree it has always
worked -- and cracking ciphertext has never been the weakest link -- but
that's not the message we should be taking. The real message is often only
evident in hindsight, years later, after it has been shaped, after the effects
have percolated through the system and the effect on behavior becomes evident.
It's non-linear system dynamics. The cause and effect are rarely obvious.

~~~
timClicks
However, it is at least getting easier, to a degree, to opt in to
communicating in private over the Internet. HTTPS is easier to deploy than it
ever has been, and the Signal protocol seems to be holding up to scrutiny.

Hopefully one of the messages that emerges is that encryption is not scary and
another good one would be that privacy is not deceitful.

The ability for the state to coerce you isn't going away though.

------
Asdfbla
So the same thing the Snowden leak told us years ago. The fact that
governments can't break state-of-the-art encryption itself shouldn't come as a
surprise nowadays.

------
thedatamonger
"Encryption has grown so strong that even the FBI had to seek Apple's help
last year in cracking the locked iPhone used by one of the San Bernardino
attackers. "

Nope, that was about setting precedent using a case that is very hard to argue
against morally, so that they can erode privacy and protections on a wider
scale.

------
twelvechairs
It also tells us that Wikileaks is (still) important

------
mtgx
If it didn't you wouldn't see Comey all over the place trying to promote his
encryption backdoors.

Ironically enough, he's promoting them while saying "Americans don't have
absolute privacy."

Yes, we know. That's why we're trying to use encryption more...But thanks for
reminding us, James.

------
Pica_soO
Conclusion: Governments must always push for centralization, monopolies, weak
clients and against free software, to keep control. Thus free software
projects cannot benefit from any long-term relationship with even a democratic
state entity.

------
tranv94
Or is that what they want us to think

~~~
NumberCruncher
Using wikileaks to leak falsified documents to make us feel secure would be so
evil.

------
kakwa_
Crypto Won't Save You Either, Peter Gutmann:
[https://www.youtube.com/watch?v=_ahcUuNO4so](https://www.youtube.com/watch?v=_ahcUuNO4so)

------
throw2016
It's not just software but hardware. There have been persistent controversies
about encryption, random number generators, standards, organized infiltration
and things like Intel ME and basebands in phones.

It's simply not possible for individuals or groups to vet this against nation
state adversaries on an ongoing basis. I think it's high time technologists
accept this instead of trying to lull themselves and others into a false sense
of security.

There are multiple layers of social trust in action which are broken because
security services are now brazen and face no consequences.

There is no 'hacking' your way out of this. The solution is to try to restore
the social trust by first understanding why it's suddenly OK to run mass
surveillance operations in a 'free democratic country' and refusing to accept
it. And then try to restore some of the trust by making sure there are
consequences, proper oversight and due process.

------
jfhcc
It's possible defeating encryption is the responsibility of another top secret
department whose work remains unleaked.

~~~
patrickaljord
Breaking PGP-like encryption would require a huge mathematical breakthrough in
how prime numbers work and their discovery. It would also require unknown math
geniuses to work for said secret department, which is unlikely; most of the
best mathematical geniuses are already known and tend to work at
universities/public research/private research and publish their work there.
Not saying this is impossible, but it's really highly unlikely, borderline
crazy conspiracy.

Also, the fact that most governments tend to hack at the pre-encryption level
and use social engineering to hack devices on encrypted networks kind of
confirms they do not have the capability to break encryption.

~~~
SAI_Peregrinus
The NSA is the single largest employer of mathematicians in the US. The
Snowden leaks did not include any of the data from the departments actually
involved in attacking cryptography. All we really know is that they don't have
any breaks for their low-level mass surveillance tools.

Likewise with the CIA. From the 1% of the documents leaked so far, there's no
evidence that they have the ability to crack modern encryption. But the
documents leaked seem to come from a contractor (or were shared with a
contractor) so there are likely internal-use-only tools with greater
capability than shown in this leak.

That's not to say that they definitely have ways to break modern crypto, just
that we can't prove that they don't given the material publicly known so far.

~~~
TillE
It's fairly difficult to do anything useful with ultra-secret magic decryption
tools. You can passively observe, but taking any action, even subtle indirect
action, means you're eventually going to alert a target to your capabilities.

Anyway, these are extraordinarily difficult problems which may not have good
solutions outside of quantum computing. You can throw all the smart people and
computing power in the world at a problem and still come up with almost
nothing.

------
Traubenfuchs
Does it? Maybe it's a huge false flag campaign.

You should always operate under the assumption that "they" can see everything
they want to see on your internet connected device if they deem you important
enough.

For example, what's with that one news story about government agencies being
unable to break TrueCrypt. How did that get out? Sounds like a huge bullshit
campaign to me, aimed at creating trust in TrueCrypt! (Yes thank you very much
I know about VeraCrypt)

~~~
Ar-Curunir
Cryptanalytic capabilities of academia are on par with or ahead of the
government's abilities. In the past it might have been the case that
governments were ahead of the curve, but academic crypto has progressed
immensely in the past couple of decades.

------
throwaway287391
Not to suggest this is what's happening in this particular case, but if the
CIA (or any other intelligence agency) did figure out a way to break some
particular encryption protocol, wouldn't it be in their best interest to
create fake internal documentation claiming they couldn't break that form of
encryption, and "leak" that to Wikileaks?

~~~
Klauster
Considering that Wikileaks allegedly has the new malware that the CIA has been
using, I think something like that would be part of the slew of documents in
Vault 7. Of course, it might be confidential enough for only a select few to
know, but I'm just saying it looks to me that the leak is revealing pretty
hush-hush stuff.

------
Spooky23
It only tells you that encryption works against the tools included in the
leak. It doesn't seem credible to me that the US government's tooling in this
area is pretty much the same as what is generally available, given the
billions invested in cyber stuff.

There are many reasons beyond self interest (like the viability of online
commerce) that would lead an organization like the CIA to compartmentalize
more advanced/strategic methods.

~~~
fooker
>It doesn't seem credible to me that the US government's tooling in this area
is pretty much the same as what is generally available, given the billions
invested in cyber stuff.

You cannot throw money at mathematics and expect it to change. Some crypto
techniques could very well be secure with the hardware available now. And it
might also be true that quantum computers are not anywhere close to being useful.

------
andai
Does anyone here have an air-gapped computer setup?

I'm thinking of doing something with raspberry pi.

I'm stuck at the part where it communicates (for my purposes, small amounts of
ascii) with a non airgapped computer without using USB or networking.

I'm thinking about giving both machines a little speaker and microphone and
using high frequency pulses to transfer the text.

Why, you may be wondering?

1. Airgapped system is impervious to penetration

2. Can be used for literally unbreakable communications.

~~~
Kadin
That doesn't make sense. Once you connect it to the rest of the network, it's
no longer "air gapped".

The phrase "air gapped" doesn't signify something special about _air_ , it
refers specifically to breaking the connection (which is typically
electrical) between that system and the rest of the network. Perhaps it is not
the best term, and "completely isolated" would be better.

If you set up an IR LAN, or use sound, or whatever, then the system is no
longer air gapped and you have created a potential vector for information
leakage and potential penetration. Sure, _probably_ nobody is going to bother,
if the implementation is unique and nothing you have on that system is of
particular value, but there have been a number of high-profile compromises of
"air gapped" systems and networks (e.g. Iranian nuclear production
facilities), that show it can be done even _without_ an intentional connection
if the desire is really there.

There are scenarios where partially isolated systems can offer a real benefit,
though. I have periodically seen ideas for logging systems that use a 100BT
(not Gigabit) Ethernet connection with the Tx pair cut, so that traffic can
only ever go INTO the system and never back out again. The system sits on the
far side of this one-way hardware gate, listening and logging, and is
extremely difficult (although not impossible) to compromise because of the
lack of feedback. Note if you want to do this, you need to use old 10 or 100BT
network cards that don't have GigE capability, because I believe GigE uses all
the pairs in the Ethernet cable in unpredictable ways; you don't have the old
Tx pairs / Rx pairs / shield pairs like you used to be able to count on (and
selectively cut). I think you'd need to make sure the cards didn't support
auto MDIX as well.

~~~
jacquesm
> I have periodically seen ideas for logging systems that use a 100BT (not
> Gigabit) Ethernet connection with the Tx pair cut

That would only work with unidirectional protocols. Scratch TCP/IP and
probably even UDP since it would need to figure out the MAC address of the
other side.

If you're going to do this you essentially have a one-way high speed serial
link without the ability to error-correct.

~~~
Neliquat
Checksums and redundant data would mostly solve that. Look what we do for deep
space transmissions for example, where latency makes it basically one-way. I
just feel like there are too many variables still uncontrolled to make it
worthwhile.
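
The one-way link Kadin, jacquesm and Neliquat are discussing, worked through as an added Go example (my code, not any poster's). With the transmit pair cut there is no return path, so the sender can only repeat each frame and the receiver can only check integrity, drop duplicates and record gaps; the frame layout (sequence number, payload, CRC32), the `Receiver` type and the constructed sample log lines are all assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Wire format (an assumption of this example):
//   seq (4 bytes, big endian) | payload | crc32(seq|payload) (4 bytes, big endian)
const headerLen = 4
const trailerLen = 4

// Encode builds one frame with its integrity check.
func Encode(seq uint32, payload []byte) []byte {
	f := make([]byte, headerLen+len(payload)+trailerLen)
	binary.BigEndian.PutUint32(f, seq)
	copy(f[headerLen:], payload)
	sum := crc32.ChecksumIEEE(f[:headerLen+len(payload)])
	binary.BigEndian.PutUint32(f[headerLen+len(payload):], sum)
	return f
}

// Send emits `copies` identical frames: with no feedback, repetition is the only
// way a lost datagram can be survived.
func Send(seq uint32, payload []byte, copies int) [][]byte {
	frame := Encode(seq, payload)
	out := make([][]byte, copies)
	for i := range out {
		out[i] = frame
	}
	return out
}

type Verdict int

const (
	Accepted Verdict = iota
	Duplicate
	Corrupt
)

// Receiver rebuilds an in-order stream, discarding corrupt and duplicate frames
// and recording sequence numbers it never saw, so gaps at least show up in the log.
// It assumes a direct cable with no reordering: a late frame counts as a gap.
type Receiver struct {
	next    uint32
	Missing []uint32
	Log     [][]byte
}

func (r *Receiver) Accept(frame []byte) Verdict {
	if len(frame) < headerLen+trailerLen {
		return Corrupt
	}
	body := frame[:len(frame)-trailerLen]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(frame[len(body):]) {
		return Corrupt
	}
	seq := binary.BigEndian.Uint32(body)
	if seq < r.next {
		return Duplicate
	}
	for r.next < seq { // sequence numbers that never arrived in any copy
		r.Missing = append(r.Missing, r.next)
		r.next++
	}
	r.Log = append(r.Log, append([]byte(nil), body[headerLen:]...))
	r.next = seq + 1
	return Accepted
}

// Simulate pushes every copy of every frame through a receiver. Copies listed in
// drop are lost on the wire; copies listed in corrupt get one payload bit flipped.
// Keys are "seq/copy" strings, a convention made up for this demo.
func Simulate(msgs []string, copies int, drop, corrupt map[string]bool) *Receiver {
	r := &Receiver{}
	for i, m := range msgs {
		for c, frame := range Send(uint32(i), []byte(m), copies) {
			key := fmt.Sprintf("%d/%d", i, c)
			if drop[key] {
				continue
			}
			if corrupt[key] {
				frame = append([]byte(nil), frame...) // copy before damaging
				frame[headerLen] ^= 0x01
			}
			r.Accept(frame)
		}
	}
	return r
}

func main() {
	// Constructed sample log lines; both copies of line 1 are lost.
	r := Simulate([]string{"boot", "login ok", "halt"}, 2,
		map[string]bool{"1/0": true, "1/1": true}, nil)
	fmt.Printf("received %d frames, missing seqs %v\n", len(r.Log), r.Missing)
}
```

On a real cut-pair link the frames would go out as UDP datagrams, and since no ARP reply can ever come back, the sender needs a static ARP entry for the receiver's address; the receiver side is exactly the `Accept` logic above, fed from the socket.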

------
1001101
The only encryption I truly trust is one-time pad. Discrete log may be
NP-intermediate (if P!=NP, which is open), and we know from the Snowden
disclosures that NSA was working with U Maryland on a quantum computer which
will be a reality at some point (Shor's algorithm). With 'collect it all,'
today's ciphertext is tomorrow's plaintext. Always be skeptical.

~~~
andai
Your downvotes courtesy of NSA's botnet ;)

Do you use OTP? I've done some little experiments.

I'm surprised at the lack of interest in the only form of encryption that is
literally unbreakable, in this age of surveillance paranoia.

~~~
1001101
I have not. I had discussed a theoretical len(CT) == len(key) system with a
friend for about 30 mins as a thought experiment, but we immediately poked a
number of holes in it -- not the least of which being that we couldn't say
anything about the security of the system on which it was deployed. Other
questions: what to do with the key material files (their remnants would no
doubt be left intact in NAND by opaque eMMC and SD controller implementations
- and if not, some signal processing on the charge of the cells themselves
combined with the regularity of whatever language was being used would give it
up anyway - encrypting the key material might solve this to a degree). Also:
where to get quality key material in the first place, and how to exchange it
(NFC was discussed). I'll certainly take Claude Shannon's word on the security
:)

~~~
andai
1. Security of the system: I'm thinking about this lately: below in this
thread I mentioned a setup involving an airgapped non-intel (eg. Rpi) computer
that communicates ascii in morse code. This machine would hold the keys and
encrypt / decrypt.

2. What to do with the files? You'd need to keep them as long as you need to
use them. In my scenario it would be on an SD card in the raspberry pi.
Afterwards, there are many creative ways to destroy them :) I think an
advantage of SD over HDDs is they are small enough to reasonably melt.

3. Key exchange: exchange the key on physical media, in person. Ensure the
key does not come into contact with a networked computer (ask your friend
nicely) and keep it away from any untrusted USB devices.

4. Quality key material: Hardware random number generator (also done on an
airgapped etc machine).

I think I've covered everything, the only thing that crypto people on IRC
could really complain about (it seems they _really_ don't like OTP?) was
integrity: an attacker could modify the message if they guessed parts of it.

I'm still figuring out how that would work (they assumed it would be used for
a standard protocol with something like "From: andai@andai.tv" at the start of
every message).

Now I'm just trying to make it so that anyone could set this up, which is
turning out to be the trickiest step.

For the simplest form of encryption there sure aren't a lot of implementations
out there...

~~~
1001101
In theory, a reasonable hash or CRC _inside_ the OTP stream would prevent
tampering.

TEMPEST and DPA are other things I didn't consider in our thought experiment,
but if I really wanted to be thorough, I would have. (I suspect there's very
little signal for either in the OTP scheme).

I think the key exchange (sneakernet) is what makes the OTP approach unwieldy.
If the source of randomness is good, and keys are not reused, in theory, it's
the highest quality system out there.
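
The integrity problem andai's IRC contacts raised, and the "hash or CRC inside the OTP stream" idea just above, worked through as an added Go example (my code, not either poster's). A CRC placed under the pad does not stop someone who knows part of the plaintext: XOR and CRC32 are both linear over GF(2), so for equal lengths crc(m^d) == crc(m)^crc(d)^crc(0...0), and the encrypted CRC can be patched by that same difference without ever seeing the pad. A keyed MAC over the ciphertext, with its own single-use slice of pad bytes as the key, rejects the same edit. The function names, the wire layout, `macKeyLen` and the sample message are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// macKeyLen is how many pad bytes each message reserves for its MAC key
// (an assumption of this example).
const macKeyLen = 32

// NewPad returns n bytes of pad. A real pad comes from a hardware RNG and is
// never reused; every message here gets its own pad.
func NewPad(n int) []byte {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		panic(err)
	}
	return pad
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// SealCRC is the "CRC inside the stream" scheme: append CRC32(msg), then XOR
// everything with the pad. Precondition: len(pad) >= len(msg)+4.
func SealCRC(pad, msg []byte) []byte {
	body := make([]byte, len(msg)+4)
	copy(body, msg)
	binary.BigEndian.PutUint32(body[len(msg):], crc32.ChecksumIEEE(msg))
	return xorBytes(body, pad[:len(body)])
}

// OpenCRC strips the pad and reports whether the inner CRC still matches.
func OpenCRC(pad, ct []byte) ([]byte, bool) {
	body := xorBytes(ct, pad[:len(ct)])
	n := len(body) - 4
	msg := body[:n]
	return msg, binary.BigEndian.Uint32(body[n:]) == crc32.ChecksumIEEE(msg)
}

// ForgeCRC rewrites known plaintext bytes oldVal at offset into newVal and fixes
// the encrypted CRC using only the linearity of CRC32; the pad is never needed.
func ForgeCRC(ct []byte, offset int, oldVal, newVal []byte) []byte {
	n := len(ct) - 4
	delta := make([]byte, n)
	copy(delta[offset:], xorBytes(oldVal, newVal))
	crcDelta := crc32.ChecksumIEEE(delta) ^ crc32.ChecksumIEEE(make([]byte, n))
	forged := make([]byte, len(ct))
	copy(forged, xorBytes(ct[:n], delta))
	binary.BigEndian.PutUint32(forged[n:], binary.BigEndian.Uint32(ct[n:])^crcDelta)
	return forged
}

// SealMAC XORs with the pad, then tags the ciphertext with HMAC-SHA256 keyed by
// a separate, single-use slice of pad bytes. Precondition: len(pad) >= len(msg)+macKeyLen.
func SealMAC(pad, msg []byte) []byte {
	n := len(msg)
	ct := xorBytes(msg, pad[:n])
	mac := hmac.New(sha256.New, pad[n:n+macKeyLen])
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...)
}

// OpenMAC checks the tag in constant time before removing the pad.
func OpenMAC(pad, blob []byte) ([]byte, bool) {
	if len(blob) < sha256.Size {
		return nil, false
	}
	n := len(blob) - sha256.Size
	ct, tag := blob[:n], blob[n:]
	mac := hmac.New(sha256.New, pad[n:n+macKeyLen])
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, false
	}
	return xorBytes(ct, pad[:n]), true
}

func main() {
	msg := []byte("From: alice@example.invalid\nAMOUNT=0100\n") // constructed message
	off := bytes.Index(msg, []byte("0100"))
	padA := NewPad(len(msg) + 4)
	_, ok := OpenCRC(padA, ForgeCRC(SealCRC(padA, msg), off, []byte("0100"), []byte("9100")))
	fmt.Println("forged CRC message accepted:", ok) // true: CRC gives no integrity
	padB := NewPad(len(msg) + macKeyLen)
	tampered := SealMAC(padB, msg)
	tampered[off] ^= 0x01
	_, ok = OpenMAC(padB, tampered)
	fmt.Println("tampered MAC message accepted:", ok) // false: HMAC rejects the edit
}
```

HMAC only gives computational, not information-theoretic, integrity; if the point of the OTP is to owe nothing to unproven assumptions, the MAC slot above is where a one-time polynomial (Wegman-Carter style) MAC keyed from the pad would go instead. Either way the tag is computed over the ciphertext and checked before anything is decrypted.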

~~~
andai
I am thinking about a system for transmitting keys through the mail.

A microSD card is small enough to conceal inside of something else. I'm
thinking of some kind of packaging where you could easily tell if it has been
opened, and it would be impossible to re-seal perfectly.

It does not matter if the key is intercepted, as long as the recipient knows
this, and does not use the key.

\--

As far as TEMPEST goes, I think at the point the adversary is physically near
you, you've got bigger things than encryption to worry about.

You could wrap the raspberry pi's case in aluminium foil. I'm not sure if the
usb power cable leaks any signals: wrap it too for good measure ;)

------
guest
Shouldn't the headline be that; if you have a safe system encryption can work?

Because as long as encryption that has been broken (or systems that have been
compromised) is used, what you are basically doing is giving Mr. V a receipt
that you have made a transaction...

------
how-bizarre
The CIA Cyber Security division is a joke compared to the NSA and Mossad.

------
aburan28
And the campaign against encryption Comey talked about last fall has begun. If
the United States wants to maintain economic dominance over the IT sector
globally, we must defend our data.

------
developer2
This world we live in... the Associated Press permeates through nearly all of
the US's media. They are the same reason you can find newscasts about some
random throwaway story being repeated word-for-word verbatim. When you have
dozens of news anchors across the country reading the exact same words from a
teleprompter to push a story, something is very very wrong.

I mean, it's nice that the NY Times specifies "By THE ASSOCIATED PRESS" at the
top of the article, but why is it even considered acceptable for the NY Times
to publish articles that don't originate from themselves?

Sigh.

~~~
espeed
The Associated Press is a _wire service_ [1] -- writing and distributing
articles to other newspapers is what it does:

[1]
[https://en.wikipedia.org/wiki/News_agency](https://en.wikipedia.org/wiki/News_agency)

~~~
mcbits
In blog spammer terminology, the AP is a shallow content farm that subscribers
can either copy verbatim or spin into new articles to avoid duplicate content
filters, as long as they provide credit/backlinks.

~~~
espeed
Not exactly. The majority of local news organizations don't have the resources
to investigate and report on all the events happening throughout the world and
so the international wire services like AP and Reuters fill this gap. However,
this means the majority of national/international stories being reported by
the downstream local newspapers and media outlets throughout the nation/world
come from just a few big upstream sources, like AP and Reuters. A criticism of
this model is regardless of how impartial the _content_ of the upstream
stories may be, the wire services effectively select _what stories_ get
reported -- what gets attention vs what gets omitted -- out of the sea of
millions of possible stories happening throughout the world each day. This
puts them in position to control our window to the world -- to influence what
we do and don't see -- what we're made aware of -- and thus they are in
position to shape the world's perspective.

~~~
developer2
Thank you, you explained it better than I could put into words. It still
baffles me that "wire services" is even a thing or considered acceptable.
_shrug_

------
whatnotests
Seriously - does it?

