
The FBI Can Bypass Encryption [pdf] - aburan28
http://cryptome.org/2014/10/fbi-breaks-crypto.pdf
======
AnthonyMouse
Bullocks. Mass surveillance and targeted investigations are two entirely
different things. Unless you're assuming the NSA can break AES, encrypting
your traffic prevents _mass surveillance_ of its contents. That doesn't stop
them from breaking into your specific device (or planting a bug in your house
etc.), but that isn't mass surveillance anymore. It also doesn't stop metadata
surveillance but nobody ever said it would.

And there is no need for intentional security vulnerabilities, the accidental
ones are quite sufficient. Fixing _that_ is a whole different problem.

~~~
xnull2guest
Not bullocks. The thesis is that very widely deployed cryptography is
subverted, both by direct partnership and by infiltration - the Snowden leaks
confirmed as much.

I will give an example of some confirmed and speculative backdoors.

Microsoft Windows and Phone.

1) Bitlocker keys are uploaded to OneDrive by 'device encryption'.

"Unlike a standard BitLocker implementation, device encryption is enabled
automatically so that the device is always protected.

...

If the device is not domain-joined a Microsoft Account that has been granted
administrative privileges on the device is required. When the administrator
uses a Microsoft account to sign in, the clear key is removed, a recovery key
is uploaded to online Microsoft account and TPM protector is created."

[http://technet.microsoft.com/en-us/library/dn306081.aspx](http://technet.microsoft.com/en-us/library/dn306081.aspx)

2) Device encryption is supported by Bitlocker for all SKUs that support
connected standby. This would include Windows phones.

"BitLocker provides support for device encryption on x86 and x64-based
computers with a TPM that supports connected stand-by. Previously this form of
encryption was only available on Windows RT devices."

[http://technet.microsoft.com/en-us/library/dn306081.aspx#BKM...](http://technet.microsoft.com/en-us/library/dn306081.aspx#BKMK_Encryption)

3) The tech media and feature articles recognise this.

"... because the recovery key is automatically stored in SkyDrive for you."

[http://www.zdnet.com/surface-bitlocker-and-the-future-of-enc...](http://www.zdnet.com/surface-bitlocker-and-the-future-of-encryption-7000024613/)

4) Here's how to recover your key from Sky/OneDrive.

"Your Microsoft account online. This option is only available on non-domain-
joined PCs. To get your recovery key, go to ...onedrive.com..."

[http://windows.microsoft.com/en-us/windows-8/bitlocker-recov...](http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq)

5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)

[http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl...](http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf)

Similarly, Apple's newfangled full disk encryption KDE depends entirely on the
security of the Secure Enclave UID, which it claims not to have. The UID is
used in tandem with ~12 bits of user provided entropy (passcode).

Apple may not have this UID (burned in by the manufacturer) but the
manufacturer still does. The FBI/NSA etc need only to manipulate, partner or
serve legal papers, or to infiltrate as an employee the manufacture of Secure
Enclave devices, and voilà.

Microsoft implemented new TLS capabilities but added a backdoor so that the
FBI could filter through it (pg. 30).

[http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl...](http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf)

Microsoft removed the end-to-end crypto from Skype. They also have a
newfangled 'voice recognition and translation feature'. Yummy.

RSA's BSAFE (more widely deployed than shills will insist) included DUAL_EC -
in fact were paid to do it - which means that even if you were to use, for
example, AES the randomness you used to do it would not be safe.

As announced by Germany, TPM 2.0 was backdoored. China will not import TPM 2.0
(in fact any TPM from America) or Windows 8.1 as a result. Lenovo (Chinese
company) has a patent under the 380/286 classification 'key escrow' to extract
keys stored in TPMs.

[https://www.google.com/patents/US8290164](https://www.google.com/patents/US8290164)

The encryption standards for voice on telephony networks of course are
completely broken and have been for 20 years.

And taking a detour from backdoors themselves for a second you do realize that
CALEA, the Stored Communications Act, and Section 215 of the Patriot Act
require companies to provide data intercept methods, and key escrow or data
access when the encryption is added by them.

I could go on. Anyway - you get the point. It is NOT bullocks. Cryptography,
both in implementation, as a practice and in standards is backdoored in a way
that enables mass surveillance.

Edit: A correction, as other users have pointed out - Germany specifically
warned against the use of Windows with TPM - not TPMs themselves. See the
following threads for more details.

~~~
AnthonyMouse
You're making a different argument than the PDF does. The example it uses is
heartbleed, which would be difficult to use for mass surveillance and, even
assuming without any evidence that it was put there intentionally, sits along
a large class of vulnerabilities of a similar nature that certainly are
accidental.

You're talking about explicit backdoors separate from the encryption
algorithms, with the exception of DUAL_EC, which is really in the same
category because cryptographers have considered it suspicious from the
beginning and the only people using it are using it because of the backdoor
rather than in spite of it.

The difference is that the consequence changes from "encryption is useless" to
"don't trust implementations from the likes of Microsoft, AT&T or hardware
vendors."

~~~
xnull2guest
Completely agree. I am not repeating cryptome's argument but adding to it.

(It is difficult to say whether heartbleed was accidental or intentional -
intentionally introduced bugs or purposefully accepted buggy code are likely
to be deniable. Asking whether a bug is intentional is ultimately a question
about the mind of the programmer and not the code. Check out the underhanded C
coding contest if you'd like to try a hand at writing or trying to find
intentionally deniable security bugs.)

> You're talking about explicit backdoors separate from the encryption
> algorithms, with the exception of DUAL_EC

Well I also mentioned the TLS one... and the removal of e-to-e in Skype. If
you want to compare to heartbleed again that was an explicit backdoor - not
actually similar to DUAL_EC.

> The difference is that the consequence changes from "encryption is useless"
> to "don't trust implementations from the likes of Microsoft, AT&T or
> hardware vendors."

Totally agree.

------
nanoscopic
The title of this post is misleading. To bypass something means to work around
it, not to already be past it. If your machine is not hacked, and is
encrypted, and you don't run any unsafe binaries, then the FBI cannot "bypass"
your encryption.

I understand the claim that almost all standard operating systems are pre-
hacked. I could believe this for Windows, and for any system running software
that does not have publicly visible source, but I do not believe this is true
for carefully built Linux systems.

Additionally, even if your system IS rooted, I believe it is possible to run a
secure virtual machine on it. (Note an encrypted keyboard would need to be
used to prevent keylogging in the host OS.)

As others here have stated, I think this article is mostly FUD. It could have
been shortened to the single sentence "Your encryption is irrelevant if the
software on your box can be hacked while it is running."

------
trhway
It seems that it wasn't just my hallucination that the recent FBI director show
was really an attempt to make everybody believe that encryption is an
insurmountable obstacle for the FBI and the likes. Not a good theatrical
performance. "I don't believe it!" :)

~~~
erikb
What the pdf says is that it actually is as safe as you thought. It's just
that the computer you are using to do the encryption is not safe. If you might
be targeted by capable sources, don't trust your phone, your PC, your
TV, or your car. That's what every spy movie tells you, and it's also true.

Once you have encrypted critical data on a safe source, and are sure that the
keys are safe, you can actually trust that nobody is breaking your encryption
in the next few weeks. The safe source and safe keys are the problem, not the
encryption.

------
erikb
Why is this a PDF and why is this news? Even a guy like me, with the security
expertise of having sent about 3 gpg encrypted emails in my life, knows that
you can't trust the machines you are using while being targeted by FBI/CIA
etc. It's on the first page of every book about computer security.

------
aburan28
AES (Rijndael) was the weakest out of the final three contenders for the
advanced encryption standard. Serpent and Twofish were clearly more secure but
Rijndael was chosen because of its speed. There are attacks that have broken
11 out of the 14 AES-256 rounds
([https://www.schneier.com/blog/archives/2009/07/another_new_a...](https://www.schneier.com/blog/archives/2009/07/another_new_aes.html)).
Using a combination of RNG weaknesses, CPU attacks, software vulnerabilities I
don't think it's crazy to conclude that the FBI can "crack" AES implementations
in targeted investigations.

~~~
xnull2guest
It's also important to note that timing attacks on AES are trivial, whereas
other ciphers (Serpent is a popular favorite) are timing-free with naive
implementations.

[http://cr.yp.to/antiforgery/cachetiming-20050414.pdf](http://cr.yp.to/antiforgery/cachetiming-20050414.pdf)

------
aburan28
The NSA claims to have a significant breakthrough in cryptanalysis from the
Snowden revelations. I personally believe that through the commercial
relations the NSA has partnered up with AMD/Intel to weaken chips and CPUs
and could be even pushing microcode updates that could defeat encryption at
such a low level that it would be nearly undetectable.

~~~
quonn
How? The CPU only has instructions for AES-NI (not for the actual encryption
scheme, nor for key generation) and it has to be deterministic or it won't
decrypt on the other side. The only thing I can think about is trying to leak
information using timing attacks and I wonder if these can be introduced
through microcode updates. I doubt it and besides the risk for Intel would be
far greater than for any of the companies involved in PRISM.

~~~
xnull2guest
Was the parent talking about RDRAND? In this case the randomness used by the
machine for both cryptographic protocols and key generation could be
compromised, making AES, implemented in AES-NI or otherwise, moot.
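
Two comments above make the same point, that a compromised random number generator (DUAL_EC in BSAFE, or a hypothetically subverted RDRAND) undermines AES no matter how sound the cipher is. The usual mitigation is not to let any single source decide the key material: mix several independent sources through an extractor so that an attacker who can regenerate one of them still cannot predict the result. The following Python is an added example, not code from the thread or from any vendor. The "backdoored" hardware RNG, `ADVERSARY_KEY`, and all sample values are constructed for the demonstration; the mixing step is HKDF-Extract from RFC 5869 over length-prefixed inputs.

```python
# Added example (not from the thread): mixing independent entropy sources so
# that one compromised source, such as a hypothetically subverted RDRAND,
# cannot on its own determine the key material.
# The "backdoored" hardware RNG below is a constructed model, not a claim
# about any real CPU.
import hashlib
import hmac
import os
import time

ADVERSARY_KEY = b"constructed-adversary-secret"  # constructed, hypothetical


def backdoored_hw_rng(counter: int, n: int = 32) -> bytes:
    """Stand-in for a hardware RNG whose output is a keystream that the
    adversary can regenerate from a secret only it knows (constructed model)."""
    return hashlib.sha256(ADVERSARY_KEY + counter.to_bytes(8, "big")).digest()[:n]


def naive_seed(hw: bytes) -> bytes:
    """Key material taken from the hardware source alone: whoever can
    regenerate the hardware output can regenerate the key."""
    return hashlib.sha256(hw).digest()


def mixed_seed(*sources: bytes, salt: bytes = b"mixed-seed-v1") -> bytes:
    """HKDF-Extract (RFC 5869): HMAC-SHA256 over several sources.
    Each source is length-prefixed so (b"a", b"b") and (b"ab", b"") differ.
    The output stays unpredictable as long as at least one source is
    unknown to the attacker, even if the others are attacker-controlled."""
    ikm = b"".join(len(s).to_bytes(4, "big") + s for s in sources)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def generate_key(counter: int, extra_entropy=None):
    """Return (naive, mixed) 256-bit keys for the same hardware draw.
    `extra_entropy` may be fixed by the caller for reproducible tests;
    otherwise the OS pool plus a timing sample is used."""
    hw = backdoored_hw_rng(counter)
    if extra_entropy is None:
        extra_entropy = os.urandom(32) + time.perf_counter_ns().to_bytes(8, "big")
    return naive_seed(hw), mixed_seed(hw, extra_entropy)


def adversary_view(counter: int) -> bytes:
    """What an adversary who can regenerate the hardware stream, but knows
    no other source, predicts for the key."""
    return naive_seed(backdoored_hw_rng(counter))


def evaluate(counter: int = 7, extra_entropy: bytes = bytes(range(32))) -> dict:
    """Compare the two designs for one draw with fixed extra entropy."""
    naive, mixed = generate_key(counter, extra_entropy)
    return {
        # the adversary reproduces the naive key exactly
        "naive_predicted": adversary_view(counter) == naive,
        # the mixed key is not what the hardware stream alone gives
        "mixed_predicted": adversary_view(counter) == mixed,
        # the unknown source actually influences the mixed key
        "mixed_depends_on_extra": mixed != mixed_seed(backdoored_hw_rng(counter), bytes(32)),
        "key_len_ok": len(naive) == 32 and len(mixed) == 32,
    }


if __name__ == "__main__":
    print(evaluate())
```

This is the design operating systems already use: the Linux kernel feeds RDRAND into its entropy pool alongside interrupt timing and other sources rather than handing it out directly (the `random.trust_cpu` boot parameter controls only whether it counts toward the pool's initial seeding). An application that calls a hardware RNG instruction directly for key generation loses that protection.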

------
stevengg
If you listen to James Comey talk
[https://www.noagendaplayer.com/listen/656/44-52](https://www.noagendaplayer.com/listen/656/44-52)
he sounds like a crazy person. "Dount of smart thinking"

------
nomercy400
I can't help it, but my eyes are filtering out the contents of the pdf like my
eyes do with online ads and spam emails. It looks too much like a poorly
designed manifesto filled with out of context quotes, just after your money.

