
Spooks break most Internet crypto, but how? - shawndumas
http://arstechnica.com/security/2013/09/spooks-break-most-internet-crypto-but-how/
======
dpifke
My personal theory: NSA has gotten in bed with the Hardware Security Module
(HSM) vendors. There are essentially only two of them: SafeNet and Thales.
SafeNet has bought up all the smaller players.

All of the big guys use HSMs to protect key material from intruders or
malicious insiders. Key generation happens inside a sealed box from which the
keys can never leave, except into another identically-configured sealed box
from the same vendor. As such, there's no way to inspect the keys being
generated - you have to trust the FIPS certification that it's being done
correctly.

If--perhaps as part of the FIPS certification process--the NSA were to
compromise the key generation function of a handful of popular HSM models, in
one fell swoop they would have compromised _all_ of the CAs, DNSSEC, Google,
Microsoft, Facebook, Amazon, etc. (Not to mention all of the banks, credit
card companies, etc.)

Further data point: in my experience talking to SafeNet at least, they employ
_a lot_ of ex-DoD folks who probably still have connections to their old
bosses.

This is just speculation, but seems a likely attack vector.

~~~
ballard
Might be the tip of the iceberg. Without open source hardware and independent
verification, the full supply chain of every shiny new widget is a question
mark because of whichever governments/actors may happen to lean on suppliers.
I think we need more decap teardowns and open source EDA functional
disassembly tools. Otherwise, it's blind trust without enough tinfoil
verification.

~~~
frozenport
Open source is good but also false security, because there is no guarantee
that the box is actually running the software; the real answer is
diversification and distribution.

------
Sonicmouse
"Unless the feds know of a flaw in the Diffie-Hellman key exchange process at
the heart of this scheme..."

The only flaw in the DHM algorithm is that it depends on an RNG.

It goes back to the fact that if the NSA has infiltrated the RNG, then DHM key
exchange is merely a slight nuisance.

I wrote some software that patched out MS' CryptGenRandom() to only return
0x01's all day. I was easily able to then implement a MITM attack on Adobe
RTMPE traffic all day long.

I'm stupid... Imagine what an NSA engineer could accomplish.

~~~
lukifer
What's the practical alternative, assuming a compromised RNG? random.org?

~~~
gojomo
I suppose if you had one RNG that's 0wned by the NSA, and another that's 0wned
by the Chinese MSS, and another by the Russian FSB... and you assume they
never ever work together or crack each others' systems, you could XOR their
results together.

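An added illustration of the XOR-combining idea above (my own example, not code from the thread): independent sources are XORed together, a constructed "stuck" source stands in for a compromised generator, and a crude health check flags a source whose output is nearly constant. It also shows the caveat in the comment: two sources that collude (here, return identical output) cancel each other out. All function names are my own.

```python
import os
import secrets
from collections import Counter
from typing import Callable, Sequence

# Constructed stand-in for a compromised generator: every byte is 0x01.
def stuck_source(n: int) -> bytes:
    return b"\x01" * n

# Two independent-looking OS-backed sources (hypothetical split for the demo).
def os_source(n: int) -> bytes:
    return os.urandom(n)

def secrets_source(n: int) -> bytes:
    return secrets.token_bytes(n)

def xor_combine(n: int, sources: Sequence[Callable[[int], bytes]]) -> bytes:
    """XOR n bytes drawn from every source.

    If the sources are independent, the result is at least as unpredictable
    as the strongest single source, so one stuck or backdoored source does
    not weaken the output. If two sources collude and emit the same bytes,
    their contributions cancel (XOR of equal values is zero)."""
    out = bytearray(n)
    for draw in sources:
        chunk = draw(n)
        if len(chunk) != n:
            raise ValueError("source returned wrong length")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def looks_stuck(sample: bytes, max_share: float = 0.5) -> bool:
    """Crude health check: a source is suspect if any single byte value makes
    up more than max_share of the sample (constant or near-constant output).
    This catches the 'all 0x01' case; it is not a substitute for real
    statistical testing of a generator."""
    if not sample:
        return True
    most_common_count = Counter(sample).most_common(1)[0][1]
    return most_common_count / len(sample) > max_share
```
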
~~~
sliverstorm
See, _this_ is the kind of security thinking I can get behind. The kind of
realist thinking that says "Ok, we should just assume we've been compromised
by every major government entity. Now what."

~~~
codelust
Strangely, that is what my thoughts on snooping at this level have been for a
while. Using a combination of compromising people and infra, it is easy to
break pretty much anything if, as a state, you put your mind to it.

Unfortunately, the debate is mostly centered around whether crypto is broken,
while the question to ponder is why the state is suddenly forcing well-meaning
people to start thinking like people who have something to hide.

------
eksith
As in most of these technological failures, the problem may just be between
the keyboard and chair. I never cease to be amazed at the seemingly
insurmountable odds people defeat to ensure something breaks somewhere in the
least predictable way possible. In such an atmosphere, deliberate sabotage or
sci-fi caliber cracking hardware are the least of your worries.

~~~
makomk
The trouble is, well-done deliberate sabotage is very hard to distinguish from
incompetence. (It appears there is definitely deliberate sabotage out there -
see for instance
[http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html](http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html)
which sadly didn't make the front page here.)

~~~
snowwrestler
Descriptions like this one make me wonder if the apocryphal "huge
breakthrough" in encryption by the NSA is in their ability to simulate and
analyze the implementation of complex crypto computer systems. (Rather than in
the base mathematics.)

They are deterministic systems after all, and giving researchers the means to
look at them more abstractly could make it a lot easier to pick where to
attack, or where to concentrate spycraft to introduce weaknesses that would be
hard for mere mortals to detect on their own.

~~~
harrytuttle
That's a good hypothesis. It's definitely possible if you consider things like
verified compilers. It shouldn't be beyond them to apply this to crypto
implementations.

------
croikle
Chrome's pinning is a definite upgrade, but it's more vulnerable than some
people make it seem. In practice, a pin consists of a list of CA certificates
which are allowed to sign for the given domain (the list is in [1]). This list
can be surprisingly long: for example, the list for twitter.com contains 22
keys from 3 different CAs.

This means that, e.g., if you are "good friends" with Verisign, you can get
them to issue a certificate for any Google property, and Chrome will happily
accept it.

[1] [https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json)

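An added example of the matching rule the comment describes (my own code, not Chromium's): a pin is the SHA-256 of a CA's SubjectPublicKeyInfo, a chain passes if any certificate in it carries a pinned key, and a broad pin set therefore lets every pinned CA issue an accepted certificate. The CA names and key blobs are constructed stand-ins, sized like the 22-keys-from-3-CAs list mentioned above.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Set

def spki_pin(spki_der: bytes) -> str:
    """HPKP/Chromium-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for real SPKI DER blobs, grouped by the CA that owns
# each key: 10 + 8 + 4 = 22 pinned keys across 3 CAs.
CA_KEYS: Dict[str, List[bytes]] = {
    "CA-A": [b"ca-a-key-%d" % i for i in range(10)],
    "CA-B": [b"ca-b-key-%d" % i for i in range(8)],
    "CA-C": [b"ca-c-key-%d" % i for i in range(4)],
}
# A key from a CA that is NOT in the pin set (constructed).
UNPINNED_KEY = b"ca-d-key-0"

def build_pinset(ca_keys: Dict[str, List[bytes]]) -> Dict[str, str]:
    """Map every pin to the CA owning that key, as a static pin list does."""
    return {spki_pin(k): ca for ca, keys in ca_keys.items() for k in keys}

def chain_is_pinned(chain_spkis: Iterable[bytes], pinset: Dict[str, str]) -> bool:
    """Pin validation: the chain passes if ANY certificate in it (leaf,
    intermediate or root) has a pinned SPKI. Nothing else about the chain
    is consulted here; normal path validation is assumed to have run."""
    return any(spki_pin(spki) in pinset for spki in chain_spkis)

def cas_that_can_issue(pinset: Dict[str, str]) -> Set[str]:
    """Audit helper: every CA with at least one pinned key can mint a
    certificate that the pin check will accept for this domain."""
    return set(pinset.values())
```
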
~~~
rdl
I thought Chrome did both HSTS preload (CA pinning) _and_ real public key
pinning. I trust key pinning a lot more.

------
tensor
Has it been verified that they can break most internet crypto? Or is it just a
claim?

~~~
harrytuttle
No it's a claim. A claim that needs to be formally disproven based on recent
events.

The assumption was originally that systems were secure until disproven. Now
they are insecure until proven otherwise.

The latter statement in the previous sentence is possibly impossible, ergo
we're fucked.

~~~
MichaelGG
It's a bit of hyperbole, and nothing direct from Snowden as far as I can tell.
The actual releases (like XKEYSCORE) clearly show it intercepting unencrypted
traffic. This could be something as simple as RSA1024 being "easily" crackable
by the NSA, and hence "most encryption" would be vulnerable since so many
people use RSA1024 for TLS.

Taking random quotes and highlights from presentations isn't a very good way
to get a picture of an opponent's capabilities. Otherwise we'd think that
Oracle has developed 100% secure database software that is impossible to
break.

I really hope Snowden releases some hard evidence or specific citations of
what the NSA has broken, instead of the hand-wavy "like, everything, man"
articles that have been rehashed several times in the past day. Speculation's
sorta pointless.

~~~
nly
> I really hope Snowden releases some hard evidence or specific citations of
> what the NSA has broken

That's fairly unlikely. The Guardian articles say he never had access to such
information, nor was it amongst the documents he liberated.

------
AndrewKemendo
As usual, Randall Munroe was basically correct in identifying the best way to
get into closed systems:

[http://xkcd.com/538/](http://xkcd.com/538/)

Find the weak points in a system, which are, more often than not, the pink
fleshy things using them.

