
My personal theory: NSA has gotten in bed with the Hardware Security Module (HSM) vendors. There are essentially only two of them: SafeNet and Thales. SafeNet has bought up all the smaller players.

All of the big guys use HSMs to protect key material from intruders or malicious insiders. Key generation happens inside a sealed box from which the keys can never leave, except into another identically-configured sealed box from the same vendor. As such, there's no way to inspect the keys being generated - you have to trust the FIPS certification that it's being done correctly.

If--perhaps as part of the FIPS certification process--the NSA were to compromise the key generation function of a handful of popular HSM models, in one fell swoop they would have compromised all of the CAs, DNSSEC, Google, Microsoft, Facebook, Amazon, etc. (Not to mention all of the banks, credit card companies, etc.)

Further data point: in my experience talking to SafeNet at least, they employ a lot of ex-DoD folks who probably still have connections to their old bosses.

This is just speculation, but seems a likely attack vector.




Might be the tip of the iceberg. Without open source hardware and independent verification, the full supply chain of every shiny new widget is a question mark because of whichever governments/actors may happen to lean on suppliers. I think we need more decap teardowns and open source EDA functional disassembly tools. Otherwise, it's blind trust without enough tinfoil verification.


Open source is good but also false security, because there is no guarantee that the box is actually running the software; the real answer is diversification and distribution.
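One concrete form of the "diversification" the comment above argues for is to never let a single key generator be the only source of a secret: draw key material from several independent sources (for instance two HSMs from different vendors plus the host's own CSPRNG) and combine it so that the result is only as weak as the best source, not the worst. The following is an added example, not code from any commenter here; it combines the parts by XOR (if any one part is uniformly random and independent, the XOR is uniformly random regardless of the others) and then runs the result through HKDF-SHA256 (RFC 5869) for domain separation. The "bad vendor" source in the demo, which returns all zeros, is a constructed worst case, and the function names are this example's own.

```python
"""Combine secret material from several independent generators so that one
bad source (e.g. a vendor HSM whose RNG has been tampered with) cannot, on
its own, weaken the final key.  Added example; not from the original thread."""
import hashlib
import hmac
import secrets


def combine_secrets(parts: list[bytes]) -> bytes:
    """XOR equal-length secrets from independent sources.

    If at least one part is uniformly random and independent of the rest,
    the XOR is uniformly random whatever the other parts contain.
    """
    if not parts:
        raise ValueError("need at least one source")
    n = len(parts[0])
    if n == 0 or any(len(p) != n for p in parts):
        raise ValueError("all parts must have the same non-zero length")
    out = bytearray(n)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_master_key(parts: list[bytes],
                      info: bytes = b"multi-source master key",
                      length: int = 32) -> bytes:
    """Derive a master key from independently generated parts.

    XOR-combining first means that a single honest source already makes the
    input to HKDF unpredictable; HKDF then binds the purpose string `info`.
    """
    return hkdf_sha256(combine_secrets(parts), salt=bytes(32), info=info, length=length)


def demo() -> bytes:
    # Constructed worst case: one "vendor" generator that always returns zeros,
    # combined with the operating system CSPRNG.  The zero source contributes
    # nothing, but it also cannot cancel the entropy of the other source.
    bad_vendor = bytes(32)
    os_source = secrets.token_bytes(32)
    return derive_master_key([bad_vendor, os_source])


if __name__ == "__main__":
    print(demo().hex())
```

In practice the parts would come from the HSMs' own random-number or key-generation calls rather than from `secrets`, and the combined key would be imported back under wrap; the point is only that no single box ever sees the whole input to the derivation.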


Yeah, I'd like to see a fully open HSM design, where the design can be audited by anyone, and the components are standard and/or easily inspectable by users. Attestation keys and final assembly are done by a trusted entity -- in the case of a bank, that might be ABA; in the case of Facebook, probably Facebook or maybe an industry association or EFF, and in the case of my personal server, me.

Fuck the FIPS process; if you made a decent design which was actually useful, a lot of non-FIPS-requiring entities would benefit from it. Design-to-meet, but let only those who actually need FIPS go through the process of assembling and certifying their particular instantiations of the open design for FIPS. For personal use, I'd consider an open design which never touches NIST to be more trustworthy than SafeNet or Thales products.


"Complete enabling for [REDACTED] encryption chips used in Virtual Private Network and web Encryption devices"

AND

"Large Internet companies use dedicated hardware to scramble traffic before it is sent. In 2013, the agency planned to be able to decode traffic that was encoded by one of these two encryption chips, either by working with the manufacturers of the chips to insert back doors or by exploiting a security flaw in the chips' design."

(Oh, so what's redacted are the names of two companies which sell this kind of hardware...)

from: http://www.nytimes.com/interactive/2013/09/05/us/documents-r...


My bet is on the core of AES, namely Joan Daemen and Vincent Rijmen's substitution-permutation network hocus-pocus. A backdoor transformation would suffice to make all other paranoia superfluous.


The smart people like Schneier tend to think that the mathematics of modern encryption is solid. It seems much more likely that a backdoor in an algorithm is detected by academia than a backdoor in some hardware module or in the implementation of some proprietary software.


Plus, when you have an NSA asset in the place of "head of security" at Facebook... why would you think he was not doing things at Facebook that made FB "compliant" with the way NSA wants them to be, i.e. adopting the "known good" security appliances/policies/companies...



