The latest cache of classified documents leaked by Edward Snowden reveals that the US National Security Agency (NSA) has continued to conduct a secret war on strong cryptography and has enlisted the support of virtually the entire technology industry in its efforts. In reports published simultaneously by the Guardian, the New York Times, and ProPublica, we learn that the NSA and its UK equivalent, the Government Communications Headquarters (GCHQ), regularly use surreptitiously obtained keys to decrypt the encryption used for banking, ecommerce, email, and medical records.
All three publications were asked by intelligence officials not to publish their reports on the Snowden documents. All three publications held some specific facts from their published reports.
In the 1990s, the NSA lost a surprisingly public battle over the Clipper chip. The Clipper chip, the core part of President Clinton’s Public Encryption Management directive, would require a key escrow or key recovery system for the private keys used in strong public-key cryptography. Such an escrow or recovery system would have allowed a “backdoor” to all encrypted communication. The directive was defeated several times between 1993-97 and Clinton mostly — but not completely — abandoned a mandatory key recovery or escrow system and began to take a market-driven approach. Instead of mandating key escrow/recovery, the US government would begin purchasing new technology that would communicate only with key escrow/recovery-enabled systems.
Now we learn that the NSA spent billions of dollars to find a way to defeat strong cryptography.
“The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
“The NSA hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.”
Just because the NSA can now decrypt many forms of encryption doesn’t make it legal. Theoretically, US law still prohibits surveilling Americans’ email and telephone calls without a probable-cause warrant. In 2011, the NSA was cited by a Judge John D. Bates, then the chief judge on the Foreign Intelligence Surveillance Court (FISC), for violating those laws and misleading the FISC.
As Perlroth, Larson, and Shane note, the NSA’s internal procedures allow it to store any encrypted communication — regardless of origin or destination — for an unlimited time as long as the agency is trying to either decrypt or analyze it.
According to all three published accounts, some cryptography and national security experts worry that the NSA is working at cross-purposes with ensuring the security of US communications. Because the NSA’s focus has been on cracking the secure sockets layer (SSL) and transport layer security (TLS) of secure web communications, virtual private networks (VPNs), voice over internet protocol (VOIP), and the cryptography used to secure 4G smartphones, US communications are anything but secure.
Nonetheless, the NSA has not yet succeeded in cracking the basic levels of internet encryption. All of the corporate media accounts are exceptionally misleading in this regard. Cory Doctorow accurately assesses the situation in a single tweet:
All the headlines saying "#NSA breaks encryption" are wrong; correct phrase is "NSA works with vendors to sabotage security technology"
— Cory Doctorow (@doctorow) September 6, 2013
While the NSA has not cracked the basic levels of internet encryption, what it has done may be worse: According to the leaked documents, the NSA has coerced companies to put backdoors in their software, using court orders when necessary, and it has hacked into the servers of US technology companies to steal encryption keys and alter software and hardware. Backdoor exploits and stolen keys are not cracks.
As Bruce Schneier, a cryptography expert I actually trust, wrote recently in an article for Wired:
“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system.
“It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext.
“Right now the upper practical limit on brute force is somewhere under 80 bits. However, using that as a guide gives us some indication as to how good an attack has to be to break any of the modern algorithms. These days, encryption algorithms have, at a minimum, 128-bit keys.”
On the other hand, Mike Janke, chief executive of Silent Circle, told Matt Buchanan writing for the New Yorker, he thinks “the NSA developed ‘a massive push-button scale’ ability to defeat or circumvent SSL encryption in virtually real time. … The reality of it is that most of the security world has known that lower level encryption — SSL, HTTPS, VPNs — are highly susceptible to being defeated because of their architecture.”
At any rate, Buchanan accurately sums up the situation: “The most damning aspect of the new disclosures is that the NSA has worked to make widely used technology less secure.”
So, if you haven’t already, you need to immediately update all of your cryptography keys to as high a bit-rate as possible. That’s at least 2048-bit keys. And keep your private keys carefully secured by yourself, not a third party. If you’re not already using open source strong cryptography products like Off the Record, OpenPGP, GNU Privacy Guard, GPGTools, Tails, and TrueCrypt, better start now. Remember, Glenn Greenwald almost missed out on the story of his career because he was hesitant to install and use strong cryptography tools.
Similarly, be extremely careful with your digital certificates and which certificate authority (CA) you use to sign those certificate(s). Glenn Fleishman offers an excellent overview of the new threats.
Schneier, writing for the Guardian, offers five tips for secure internet communications:
- Anonymize yourself
- Use encryption
- Assume that while your computer can be compromised, it takes work and risk, so it probably isn’t
- Avoid commercial cryptography software
- Use open source cryptography software
“Trust the math,” writes Schneier. “Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.”
Edward Snowden said it as plainly as possible in a Guardian chat, “Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on.”
And remember: Just because the NSA hasn’t yet cracked the internet’s underlying cryptography systems doesn’t mean that it won’t in the future. The NSA program, named Bullrun, continues in earnest and the full extent of it is known only by a handful of individuals in the so-called Five Eyes: The NSA itself and it’s equivalents in Australia, Canada, the UK, and New Zealand.
By hook or by crook
The NSA’s Signals Intelligence (Sigint) Enabling Project has an annual budget of more than US$250 million and has successfully exploited flaws and worked with chipmakers to insert backdoors in their hardware products.
The leaked documents indicate that many technology companies have either willingly handed over customer encryption keys or have been coerced into doing so. Microsoft, for example, provided the NSA with pre-encryption access to Outlook, Skype, and SkyDrive. The documents reveal that the NSA maintains Key Provisioning Service — an internal database of private encryption keys for commercial products — that can decrypt information encrypted with many commercial cryptography products. Most of these keys have been acquired by stealing them from the servers of either the vendor or the vendor’s users. When the necessary key is unavailable in the database, a request is forwarded to the agency’s Key Recovery Service, which then sets out, tirelessly, to obtain it.
Additionally the NSA has worked relentlessly to intentionally (and sucessfully) weaken international commercial cryptography standards. One of the Snowden documents reveals the NSA covertly got its own version of a draft cryptography standard issued by the US National Institute for Standards and Technology (NIST) in 2006. “Eventually, NSA became the sole editor,” reads the document according to the published accounts.
Decrypting communications in a piecemeal fashion is extremely inefficient and ineffective. The NSA’s stated goal is to be able to decrypt all encrypted internet traffic in real time — known as opportunistic decryption — and then searching for the good bits later, offline. This is where the NSA’s continued efforts to subvert SSL, TLS, and VPN protocols comes into play. Somewhere around 2010, the NSA and GCHQ had something of a breakthrough and “vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” according to the Snowden documents. The breakthrough is not described in detail in the documents released by Snowden. It remains unclear just what sort of breakthrough — mathematical, crytographic, or other — the spooks accomplished.
As Schneier, the cryptography expert, tells James Ball, Julian Borger, and Glenn Greenwald, writing for the Guardian, “Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.”
Schneier expands his thoughts in a piece for the Guardian, with a call to action for the engineers: “To the engineers, I say this: We built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.”
Ball, Borger, and Greenwald report that the NSA and GCHQ decryption efforts are particularly important to GCHQ. “Its strategic advantage from its Tempora program –- direct taps on transatlantic fiber-optic cables of major telecommunications corporations –- was in danger of eroding as more and more big internet companies encrypted their traffic, responding to customer demands for guaranteed privacy.”
According to the reports, the NSA invites cryptography developers to present their products and have them assessed by its Commercial Solutions Center. The carrot is potentially lucrative government encryption contracts. The stick is “to leverage sensitive, co-operative relationships with specific industry partners” and coerce the insertion of backdoors and other vulnerabilities into the commercial cryptography products.
Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union (ACLU), told Ball, Borger, and Greenwald, “Backdoors are fundamentally in conflict with good security. Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise.”
Soghoian expands on his thought in an ACLU media release:
“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets. Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance. The NSA’s efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.”
Proposed legislation to ban NSA backdoors
The day after the most recent revelations about NSA surveillance activities were published, physicist and US Representative Rush Holt (D-New Jersey) drew new attention to his Surveillance State Repeal Act, announced 11 July, eliminating most of the post-11 September 2001 surveillance escalations. “We pay them to spy,” Holt told Scott Shane and Nicole Perlroth, writing for the New York Times. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”
Specifically, Holt’s proposed legislation would:
- Repeal the USA PATRIOT Act
- Repeal the Foreign Intelligence Surveillance Act (FISA) Amendments Act
- Ensure that any FISA-authorized surveillance of an American citizen is accompanied by a probable-cause warrant
- Retain government surveillance capabilities of American citizens
- Retain provisions dealing with surveillance of primarily non-citizens involving weapons of mass destruction
- Prohibit governmental mandate of backdoor inclusions in hardware or software
- Increase terms of FISC judges to 10 years and allow reappointment
- Require FISC to use technologically competent Special Masters to determine veracity of government claims
- Require monitoring of domestic surveillance programs by the Government Accountability Office (GAO)
Clapper claps on
James Clapper, the US Director of National Intelligence — or, more accurately, his office — released a statement the day after the Guardian, New York Times, and ProPublica stories were published:
“It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption. Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.
“While the specifics of how our intelligence agencies carry out this cryptanalytic mission have been kept secret, the fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news. Indeed, NSA’s public website states that its mission includes leading ‘the US Government in cryptology … in order to gain a decision advantage for the Nation and our allies.’
“The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday’s disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”
That “and others” Clapper refers to in his first graf? That’d be you and me (and everyone else on the planet), neighbor. We’re clearly in the “adversaries” column. All of us. Each and every one. And it’s not for nothing that the code names for the NSA (Bullrun) and GCHQ (Edgehill) programs are civil war battles in their respective countries. If you needed one last bit of evidence that the intent here is not security and protection but total surveillance, that should just about do it.
Feeling the heat of being specifically named in the Snowden document dumps, Google seems to be putting its stake in the ground by accelerating work to encrypt the information that flows through and between its global data centers. Google’s encryption initiative started in 2012 and was first accelerated when word of the NSA’s PRISM electronic surveillance program was reported by Glenn Greenwald.
As Craig Timberg, writing for the Washington Post reports, “… increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.”
Google implemented encryption for Gmail in 2010 and most Google searches are now encrypted as well. But until now, data traveling between Google data centers was passed as clear text and vulnerable to surveillance and interception. Google’s encryption between data centers will be available “soon” and will be “end-to-end” using strong cryptography.
And… the Obama shoe drops
In 2008, FISC explicitly banned warrantless surveillance of American citizens.
Ellen Nakashima, writing for the Washington Post, reports that in 2011, the Obama administration had the FISC reverse restrictions on the NSA’s use of warrantless surveillance records and extended the time — from five years to six years — the agency is legally allowed to retain those surveillance records. Under “special circumstances” the records can be retained even longer.
That would be the very same 85-page decision embedded above, the one rendered by Judge John D. Bates, then the chief FISC judge.
“Together the permission to search and to keep data longer expanded the NSA’s authority in significant ways without public debate or any specific authority from Congress,” writes Nakashima. Apparently, it all boils down to a Clintonian “legalistic definition” of what “target” means. “The court decision allowed the NSA ‘to query the vast majority’ of its email and phone call databases using the email addresses and phone numbers of Americans and legal residents without a warrant, according to Bates’s opinion,” Nakashima continues.
Bates’s ruling was the foundation for the warnings voiced by US Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) about the warrantless surveillance backdoor. “The [surveillance] Court documents declassified recently show that in late 2011 the court authorized the NSA to conduct warrantless searches of individual Americans’ communications using an authority intended to target only foreigners,” Wyden told Nakashima. “Our intelligence agencies need the authority to target the communications of foreigners, but for government agencies to deliberately read the emails or listen to the phone calls of individual Americans, the Constitution requires a warrant.”
Obama administration officials argue a different interpretation of Section 702 of the Foreign Intelligence Surveillance Act (FISA): “If we’re validly targeting foreigners and we happen to collect communications of Americans, we don’t have to close our eyes to that,” Robert Litt, general counsel for James Clapper’s Office of the Director of National Intelligence (ODNI) tells Nakashima. “I’m not aware of other situations where once we have lawfully collected information, we have to go back and get a warrant to look at the information we’ve already collected.”
This should adequately answer those who remain supportive of President Obama, reckoning that he’s being played by the NSA.
Nakashima reports “the NSA intercepts more than 250 million internet communications each year under Section 702 [of FISA]. Ninety-one percent are from US internet companies such as Google and Yahoo.”
Doc Searls’s and David Brin’s analysis
Not at all surprisingly, Doc Searls has the best big picture analysis of these NSA revelations. If you don’t read anything else, read his short, powerful assessment.
I find David Brin’s demand for transparency practical and useful. But only to a point. Citizen oversight and general accountability is, of course, necessary and badly needed. But it’s simply not enough. And I don’t recall anyone — at least anyone credible — in the early days of the Electronic Frontier Foundation (EFF) or the Computers, Freedom, and Privacy (CFP) conferences claiming cryptography as a panacea for anything.
“For an agency like the NSA, the data storage units are a goldmine, combining in a single device almost all the information that would interest an intelligence agency: Social contacts, details about the user’s behavior and location, interests (through search terms, for example), photos, and sometimes credit card numbers and passwords.”
The “location” bit will almost certainly raise some eyebrows because US Senator Ron Wyden (D-Oregon) has repeatedly asked the NSA if it’s tracking the location of individuals through their smartphones. The NSA has repeatedly denied doing so.
Also of interest is that apparently the NSA re-gained access to encrypted data on Blackberry devices (previously known for their strong encryption) in 2010. This may (or may not) be related to the “breakthrough” cited above.