
NSA-proof encryption exists. Why doesn’t anyone use it? - glenstein
http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/14/nsa-proof-encryption-exists-why-doesnt-anyone-use-it/?wprss=rss_ezra-klein
======
david_shaw
> _NSA-proof encryption exists._

Yup. Except it's not that easy.

Let's say that you're using OTR to provide very strong end-to-end encryption
for a conversation between yourself and a buddy, Bob. Maybe he's in a hostile
area, and you're worried that if his government sniffs his traffic, that he
could be executed for speaking to Americans.

Data in transit that is intercepted, if configured correctly, is almost
certainly safe. No one will be able to immediately decrypt it because of the
strong encryption.

So are you safe?

Probably not. The next step that government would take would be to raid your
friend Bob's apartment, arrest him, and take his hard disk. His OTR key (and,
if using Pidgin, account credentials in plaintext if stored) is plainly
available on the disk. You now have the private key.

But what if he used Truecrypt or PGP full-disk encryption? His data would be
safe from decryption then, right?

Sort of. If they're trying to break the _actual encryption,_ they'd likely be
unable to do so. Unfortunately, the weak point for Truecrypt disks or volumes
isn't the crypto... it's the _passphrase._ The passphrase can be brute-forced
_significantly_ more easily than breaking the encryption itself. Furthermore,
as xkcd so accurately pointed out, a hostile government will throw you in
prison (or, worse, hit you repeatedly with a wrench) until you divulge your
passphrase and data.

Encryption is great, and I encourage everyone to use reliably strong crypto.
Will that keep your data safe from the criminals that stole your work laptop?
Absolutely. Will it keep your data safe from the NSA? You're kidding yourself.

~~~
tedks
Remember that post a little while ago about how most logical fallacies aren't
actually logical fallacies? Here, you are committing an _actual_ logical
fallacy. It's called "shifting the goalposts."

The article is in response to a dragnet surveillance program, where everyone's
communications are watched and presumably datamined. It's very easy to do
this, because nothing is encrypted, and everyone uses services that expose
metadata (like who is IM'ing who).

Your comment is entirely true. However, it presents an adversary that doesn't
want dragnet, but _targeted_ surveillance. It assumes that Bob will be
immediately arrested if his communications become encrypted.

This is not the threat model that we're faced with now. Let's say you and Bob
communicate using accounts you've made on random XMPP servers using Tor, and
all the messages are encrypted with OTR. Both servers are in the US, and the
NSA's metadata database shows E83Gxw@jabber.org sending lots of ciphertext to
PAnd9B@jabber.org.

This is "NSA-proof" in that the NSA would not know to link PAnd9B@jabber.org
with you using their existing systems. They would have to drastically escalate
the cost of their surveillance program with respect to you and Bob to figure
out what you're talking about. Unless you really are a political dissident,
conspiracy theorist who accidentally discovered the UN's black helicopter
program, or radical Islamist, you are now out of the surveillance dragnet.

That is to say, unless the threat model changes, using privacy-enhancing
technology will keep your data safe from PRISM and similar dragnet programs.

~~~
sneak
> This is not the threat model that we're faced with now. Let's say you and
> Bob communicate using accounts you've made on random XMPP servers using Tor,
> and all the messages are encrypted with OTR. Both servers are in the US, and
> the NSA's metadata database shows E83Gxw@jabber.org sending lots of
> ciphertext to PAnd9B@jabber.org.

Tor won't help at all if all of the long-distance network traffic in the
country is being mirrored (as it has been in the USA for most of a decade).

Corollary: The NSA knows exactly who runs The Silk Road. Stopping drug
trafficking is obviously not as high a priority to them as not letting
potentially kinetic adversaries know that Tor provides no anonymity to someone
who can (and does) monitor _all_ network traffic.

~~~
jongraehl
Tor messages are disclosed only if the NSA etc. run enough of the entry/exit
nodes. Simply passively recording Tor traffic _might_ let you do traffic
analysis, but won't let you deduce the contents of that traffic.

~~~
sneak
They'd have the whole of the tor network, including entry and exit nodes. Why
run your own exit nodes when you can just sniff the traffic of the existing
ones?

------
Xcelerate
I have a question that perhaps a cryptography expert could answer for me.

My father told me when he was young, he visited Oak Ridge National Labs on a
trip, and while there, they told him they had satellites that could read the
print on a newspaper. At the time, it wasn't classified information; it was
just something that nobody knew. Approximately 15-20 years later, satellites
with that capability became well-known. This indicates to me that top secret
technology is probably somewhere around 15-20 years ahead of what the general
public knows about. This may be less true today than it was back then since
nowadays the equipment and factories to develop state-of-the-art technology
run in the billions of dollars.

Where I'm going with this: is it reasonable to assume that "future technology"
20 years from now could crack AES-256 or PGP? If so, it seems reasonable to me
that the NSA could already crack today's encryption for high-priority data.
Add that to the fact that they tend to hire the very best experts in the field
(mathematicians and cryptographers) and it doesn't seem entirely unreasonable
to me that their decryption technologies are pretty good. Of course, I'm not
talking about better technology in a brute-force sense; it would still be
impossible to crack 256-bit encryption. I'm talking about algorithmic
weaknesses.

But then again, I have only a basic knowledge of cryptography. Would any
experts like to comment?

~~~
lordgilman
This has come up in the past on HN. As I understand it the newspaper story is
bull. As for advancements in technology the answer is likely no - producing
that technology requires an entire toolchain/industry that the NSA is unlikely
to replicate with its size. The only shot the NSA has at pulling ahead of us
is with entirely mathematical things like crypto (which they did at least in
the 70s with differential cryptanalysis). With math you can simply hire a
bunch of smart people and throw them in a room together which is much less
capital intensive than the massive, fundamental research needed to advance
technology ahead of the industry.

~~~
cube13
> This has come up in the past on HN. As I understand it the newspaper story is
> bull.

Pretty much. The same effect that causes stars to twinkle limits the
resolution of space-based spy satellites imagery of the ground.

[http://en.wikipedia.org/wiki/Astronomical_seeing](http://en.wikipedia.org/wiki/Astronomical_seeing)

~~~
Xcelerate
That's for distant stars though, isn't it? I mean, just with Google Maps you
can see the mirrors on a car. Newsprint isn't _that_ much of a step up.

~~~
makomk
Google Maps uses aerial photography from planes for the high-resolution layers
of their maps, not satellite imagery.

~~~
Xcelerate
Huh, interesting! I never knew that. So then I'll need to ask my father about
what he was told again. Maybe something got misinterpreted along the way.

~~~
enoch-root
It probably was that you can see newsprint, not read it.

------
aasarava
From the article: _"And while most types of software get more user-friendly
over time, user-friendly cryptography seems to be intrinsically difficult.
Experts are not much closer to solving the problem today than they were two
decades ago."_

I'm not sure I agree that user-friendly cryptography is "intrinsically
difficult." It doesn't seem like it would be hard for email clients and even
the Gmail frontend to pop up a message saying, "Your email is insecure. To let
people send you private messages securely, set up your 'public key' now. It's
easy." Then a short wizard would walk users through the process and
automatically append the public key to all outgoing messages.

On the other side, if you were going to send a message to a friend, the email
client would check if that person has published a public key and then ask,
"The recipient allows secure messages. Would you like us to send this message
securely?"

Google and Microsoft and other large companies are no strangers to
implementing a feature and using their size and clout to quickly make it a de
facto standard. The real reason we don't have easy end-user cryptography is
that these companies would lose access to mine your data and provide new
services on top of that (and the article mentions this too.)

~~~
maaku
And where is the private key stored? On Google or Microsoft's server? What
then would be the point? (I assume you'll answer that it'll be done client-
side, but JavaScript cryptography is a whole mess of fail. But that's a
separate issue.)

~~~
pavel_lishin
And if it is stored client-side, what happens when the user inevitably loses
their key? You and I might have backups in multiple places, and on an
encrypted USB stick in a bank vault, but my dad doesn't, and the next time he
spills wine on his laptop, there goes literally all of his e-mail.

~~~
baltcode
It's stored client-side, and as a backup on the central server, with a
passphrase that is the user's responsibility.

~~~
nathan_long
> with a passphrase that is the user's responsibility.

And there's the rub. "What do you mean, I can't ever see my data again? Why
can't you reset my password?"

_We_ know that true security means only the user has the key. But users don't
all want that responsibility.

~~~
dllthomas
Key escrow services?

~~~
maaku
See: Clipper.

~~~
dllthomas
I'm familiar. There's a big difference between "optional key escrow with a
service I have chosen to trust" and "mandatory key escrow" though. Most
importantly with regard to the ease of mass surveillance.

------
bdamm
Intelligence-community-proof is somewhat of a fallacy. You can make it more
expensive for the NSA to get your email, because then you're forcing them (or
another arm of the government) to penetrate your client and extract the key
there.

And, all you have done is make damn sure they keep your metadata records.
Somewhere I read that sending encrypted email is an automatic flag, in the
same category as using words that incite violence.

So to truly make it effective, encrypted email has to be the norm, not the
exception.

~~~
jiggy2011
That sounds unlikely; encrypted email is relatively common in business. For
example many domain registrars used it as a mechanism for changing domain
settings before "APIs" were a thing.

------
marcosdumay
That's the question about all this that I don't know how to answer. Just
extend it a bit...

There are OSs that won't give root access to the NSA, encryption that the NSA
won't be able to read and cloud services that the NSA won't be able to access
even with the cooperation of the CEO. Why are none of them widely used?

And I don't accept the answer in the article as sufficient. Yes, a few things
are harder when you want any level of security, but not all. There are plenty
of applications where security just won't disturb you (like VoIP), and plenty
of places that put security above all other concerns and should care about
this (like non-US military). Yet, nearly nobody chooses the secure path.

~~~
Spearchucker
The glib answer is that it's a matter of triage - given usability, security
and cost, choose any two.

While that is an influencer, the reality is a bit more complex. That social
drive we've been going through for the last ~5 years means that developers
focus on customer value. Also, while there's little new after Snowden's leak -
other than absolute proof - there's not been much demand, and hence incentive
to make things secure.

------
crazy1van
Because the vast majority of people like privacy in theory but not enough to
spend the hour it would take to learn how to encrypt their email and
documents.

Seriously, how many HN users have spent hours complaining about privacy on
here but still don't encrypt their own email? This isn't to excuse anything
illegal the US gov't might be doing, but if it matters as much to people as
they say you'd think they'd have at least taken some immediate action.

~~~
unimpressive
>Seriously, how many HN users have spent hours complaining about privacy on
here but still don't encrypt their own email?

I would think that most HN users would be willing to encrypt their email, but
know they can't convince their friends/family/etc to do so. Encryption takes
two to tango.

~~~
betterunix
To put things in perspective: at CRYPTO at some point in the past, I had a
student stipend. I needed to send some documentation via email. I asked the
person responsible, a prominent cryptography researcher (who will not be
named), if they had a public key. The answer was, "No, I really should set one
up but I'm just too busy."

When not even the researchers who run a top-tier cryptography conference are
bothering, you know that it is not just about non-technical folks being
clueless.

------
Balgair
I just posted this question the other day.

Let me explain some of my travails trying to use PGP with Thunderbird:

The install of T-Bird wasn't too bad

The install of OpenPGP was not easy but I managed it. The instructions on the
site were not all that clear and for an out-of-date version, but YouTube
helped out a lot. My mom, the business owners, or a computer science teacher
at Central High School simply do not have time to do this. This could be
streamlined.

The making of keys and storing of data was totally obtuse, fortunately, the
wizard guided me through a lot of it. This could be streamlined.

Now sending a message is where it gets tough. OpenPGP says that I have to use
[shift]+"left-click" on the Write button in T-bird to make sure the html won't
be used so the PGP message will be decrypted correctly. This is nonsense. Why
is this happening?

Ok now assuming I have a plain text email I have to hit [ctrl]+[shift]+[s] and
[ctrl]+[shift]+[e] to sign and encrypt. BS. This needs to be better. Just a
pop-up and type in the pass-phrase (brilliant wording, btw, phrase makes this
so clear it has to be many words long my mom can understand this).

Ok now my buddy can't read it because I did not send him a public key? What
the hell are those? Why do I care? I thought I put in my pass-phrase? Didn't
he? What is going on?

I sort this out, I find the public key and send it over. Now he can read it.
But wait I have another buddy that I have to do this with. Where were those
options in the menus again?

There needs to be a button that remembers if I sent the public key to them,
sends it if I did not, and then automatically tells their email client that I
don't have theirs and gets theirs with permission from them.

Awww, fuck it... the NSA can probably crack this anyway.

~~~
ef4
It's even worse than you think, because several of the things you said in
there don't actually make sense. It sounds like you possibly didn't manage to
get the message encrypted at all, just signed.

And _how_ you exchange public keys matters a great deal -- if you just send
them over email, you haven't actually achieved any meaningful security.

So yes. The entire process is a usability nightmare.

~~~
Balgair
....fudge....

------
ww520
How timely. This NSA fiasco has prompted me to finish up an old project
[https://boxuptext.com/](https://boxuptext.com/), which is a convenient webapp
to encrypt a message into a URL entirely in the browser. It's ready for use.

Not many people use crypto because in general it's hard to set up and hard to
use. A webapp is accessible and easy to use and provides reasonable security.

I know there's a prevailing view against doing crypto in JavaScript, and I've
gone the extra steps to address the negatives. In the end I think the benefits
of doing JavaScript in the browser outweigh the negatives. See
[https://boxuptext.com/faq#benefits](https://boxuptext.com/faq#benefits)

------
zobzu
It's not about convenience. It's about money. Like everything, really.

Using GPG/PGP for example (which IMO is the best solution) is nice. It has a
good, convenient design. The clients, UI, etc. are terrible. They're extremely
inconvenient. That can be fixed. This needs some time and a little dedication.
Nobody will pay for a product that has proper, easy, fast PGP support across
the board. Nobody. Since it's not a trivial task, and the benefits are "only"
privacy, it hasn't happened yet. If anything, people re-code their own,
incompatible and generally lesser version of PGP, because they will get
financial gain, or popularity from it (patching GPG doesn't give you as much
popularity as making your own, you see.. and we're quite ego-driven / NIH-happy)

So, here we are. And I'm to blame too, I haven't worked on this either. I'm
secretly hoping things like PRISM will actually help make this move forward.

~~~
tmzt
You could build a Chrome (or Firefox) extension that added GPG/PGP/SMIME to
Gmail; you would have to intercept the emails before they were stored as
drafts in order to protect the message in the inbox. You could use a plugin or
native client to interface with the OS or desktop environment's keystore to
keep the private key out of JavaScript. The key passphrase could double as the
passphrase for symmetrically encrypting the message stored in the inbox.

Add to this a keyserver for automatically discovering public keys of contacts
and you have a "good" solution between interested parties, without
compromising recoverability of the majority of your messages.

You could do the same for Gtalk/Hangouts chats with OTR.

~~~
brightsize
In other words, something similar to Mailvelope.
[http://www.mailvelope.com/](http://www.mailvelope.com/)

------
beefman
The main point for me is to have a government I don't need to protect myself
from. And more generally, a society where I don't need to disguise my every
action. Points about the impracticality of strong encryption are secondary.
Here are some of them anyway:

* The vast majority of internet users don't have the domain knowledge needed to use strong encryption effectively. A classic example with e-mail is using a prominent phrase from the plain text of the message body in the (unencrypted) subject field.

* Any cryptography scheme is vulnerable to social engineering, attacks on the trust networks used to exchange keys, etc. Avoiding these requires a nontrivial and ongoing amount of effort even for expert users.

* Encryption complicates archival and search of content even for its author.

* Any service that would help users with the above would be legally obligated to provide information to authorities anyway.

------
rsync
All I want to know is, can SSH traffic be decoded?

I don't trust SSL, for various reasons of implementation and many, many
questions about weak links in the PKI chain, etc.

But I rely on SSH. I'd like very much to see some kind of assurance that this
is a reasonable thing to rely on...

------
csense
> Experts are not much closer to solving the problem [of user-friendly
> cryptography] today than they were two decades ago.

I disagree. Recently there have been breakthroughs in homomorphic encryption.
From Wikipedia [1]:

"...any circuit can be homomorphically evaluated, effectively allowing the
construction of programs which may be run on encryptions of their inputs to
produce an encryption of their output. Since such a program never decrypts its
input, it can be run by an untrusted party without revealing its inputs and
internal state."

While currently known constructions with the right mathematical properties are
kind of slow, I'm sure that a lot of people are now interested and in the
future we'll eventually be able to do it at practical speeds (especially with
the help of future computers that are faster, and/or have more cores, and/or
have dedicated coprocessors hard-wired for homomorphic encryption
computations, like recent x86 chips have hardware accelerated AES [2]).

If this happens, websites will be able to implement features, like search,
that rely on manipulation of user data, without having access to that data
themselves.

> [Certain] features depend on Facebook’s servers having access to a person’s
> private data

Today this is true, at least for people who aren't on the cutting edge of
research in this field. But it might not be true tomorrow, if homomorphic
encryption ever becomes practical (both in terms of fast algorithms, and in
terms of frameworks/libraries which make it easy for developers to use).

Off-topic remark: Homomorphic encryption will also impact the economics of
cloud computing, since you'll be able to use CPU cycles provided by others
without the security concerns of disclosing the unencrypted confidential data
you want them to manipulate.

[1] [http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_homomorphic_encryption](http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_homomorphic_encryption)

[2] [http://en.wikipedia.org/wiki/AES_instruction_set](http://en.wikipedia.org/wiki/AES_instruction_set)

------
sneak
We do. We use it in the browser, for communicating between client and server.
Service providers use it internally, for storing messages on disk.

The problem is not one of operations; the problem is one of law. Google (and
others) have been forced under federal law to provide the plaintext to the
government, or have their individual persons face jail time.

This is not a technological problem, and there are no technological solutions.

------
rasengan0
Hmm... the writer of the article almost echoes the exact same narrative as
Defcon 18, "Changing threats to privacy" - Moxie Marlinspike
[http://youtu.be/eG0KrT6pBPk](http://youtu.be/eG0KrT6pBPk)

------
gasull
Bitmessage is absolutely user-friendly. You are not even asked to enter a
password.

------
aleclarsoniv
"In contrast, when a system has end-to-end encryption, losing a password is
catastrophic; it means losing all data in the user’s account."

Um... what? Can't the user just reset his/her password, instead of a website
emailing him/her the old password?...

~~~
glurgh
You can't 'reset the password' on gigabytes of already encrypted data. Lose
the key, you've effectively lost the data.

------
kimlelly
Why doesn't anyone use it?

The FIRST question is: Is it really a solution?

The answer to that: NO, see:
[https://news.ycombinator.com/item?id=5879308](https://news.ycombinator.com/item?id=5879308)

~~~
glurgh
This simply isn't true. Even if you (with likely a few orders of magnitude
margin) overestimate total world computing capacity at 1e21 decryption
operations per second it's going to take you about age-of-the-universe seconds
to brute force a single 128 bit key. No amount of money or supposed
'exponential technology growth' is going to let any government brute force
these anytime soon. And those are the smallest symmetric keys in wide use.

~~~
kimlelly
Can you back these calculations up with a known scientific source?

~~~
kimlelly
@aryastark - What's the nature of AES 128 & Co., meaning: Who can and cannot
discover flaws? Is this like open source where the whole world can watch or is
this somehow a closed thing like Windows, MacOS, etc.?

~~~
glurgh
These are openly available, highly reviewed algorithms - their adoption as
standards, too, is done by a process of open competition. And it's probably
safe to say that the amount of research and analysis being done on them in the
open exceeds that done in secret by government agencies by a wide margin.

~~~
kimlelly
Thanks, very important to know!

~~~
jlgaddis
Also, note that while AES and friends are public and designed "in the open",
the government also has a number of algorithms that are developed and used
internally and are not "public".

