Schneier on Security
A blog covering security and security technology.
« New York and the Moscow Subway Bombing |
| The Effectiveness of Air Marshals »
April 7, 2010
Cryptography Broken on American Military Attack Video
At a news conference at the National Press Club, WikiLeaks said it had acquired the video from whistle-blowers in the military and viewed it after breaking the encryption code. WikiLeaks released the full 38-minute video as well as a 17-minute edited version.
And this quote from the WikiLeaks Twitter feed on Feb 20th:
Finally cracked the encryption to US military video in which journalists, among others, are shot. Thanks to all who donated $/CPUs.
Surely this isn't NSA-level encryption. But what is it?
Note that this is intended to be a discussion about the cryptanalysis, not about the geopolitics of the event.
EDITED TO ADD (4/13): It was a dictionary attack.
Posted on April 7, 2010 at 1:37 PM
• 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Could simply be a cover for a source who provided an unencrypted video.
"He said the organization has been working for months to find and deploy powerful computers to de-encrypt the military videos, beginning with a request via Twitter in January that Wikileaks “needed supercomputer time.”
He said that the effort is ongoing. “There are more videos than just that one video,” Mr. Schmitt said."
Note that in the WSJ article about drone encryption (http://online.wsj.com/article/SB126102247889095011.html). The Air Force Secretary is quoted : "There's a balance between pragmatics and sophistication,"
This seems to echo Bruce's opinion on security spendings ;-)
Pretty impossible to know without knowing the full history of the video. If the video was from "whistle-blowers in the military" it could be anything from files stored on an encrypted USB stick to an encrypted video stream over the air and everything it between.
My guess is that all we'll have is speculation, most likely to protect the source, and my speculation is that it was some snake-oil vendor crypto bundled with the surveillance rig. Seems to me that if they were breaking military level encryption, they'd be more forthcoming with details (you know, in the spirit of wikileaks and all).
I've not seen the video, and I don't plan on watching it.
Here's what I don't understand: It's illegal to view a ``snuff'' film correct? How is this any different? Are these viewers now accessories to murder?
I'm not trying to give the military or government a pass. It sounds to me like they made a huge mistake, or even actively encouraged the events.
This has been bothering me since I first heard about it. Thanks for looking into it!
The events recorded on the video happened in July 2007:
That Ars Technica story links to a WSJ story that suggests the US didn't even think about encryption for drones until summer 2009:
So if helicopter video is treated like drone video then the ecrypted video is 2 years early for even mild encryption.
These video portray 'lawful' killings. Snuff films portray unlawful killings. If agents of the state kill you, under agreed upon laws, its legal. If agents of the public kill you, under agreed upon laws (self defense), its legal.
So I guess by extension, its legal to video tape, and watch legal killings. Is it legal to watch legal killing videos, that were obtained illegally?
"So if helicopter"
@Peri. And if a banana were just like an apple.
Helicopters have been around a lot longer than drones and are involved in much more combat than drones. So I think it's implausible bordering on unbelievable to think the two are comparable.
Continuing, I suspect the reason we don't get more detail from wikileaks is precisely for the reason they have mentioned; they are not through yet with their encryption breaking plans. I think when all is done they tell the whole story.
Maybe "strong" encryption but short passphrase? Perhaps CPU power is about a dictionary attack?
Deaths on film are not considered 'snuff' films unless the death was staged to be the subject of the film.
@Eric: It might be illegal to watch a snuff film in Singapore, but in America it isn't.
You've seen the JFK assassination tape, right? Do you detect a material difference, here?
anybody know extent of use by military of passwordsafe, password gorilla, etc.?
"You've seen the JFK assassination tape, right? Do you detect a material difference, here?"
Again, it's all about the intent here.
For a film to be a 'snuff' film, the death(s) it portrays must have occurred at the behest of the filmmaker(s) for the explicit purpose of making a film about those deaths.
No other real death caught on tape is a 'snuff' film, simple as that.
This guy says it was a password-protected Word document in a public-facing directory. He provides a link to the document. He also speculates that WikiLeaks probably attacked it like any other. I haven't verified his claims, but here's the link.
This was my first thought too. "How did they do it". The politics are mostly irrelevant...
Perhaps it is high levels of encryption (NSA levels) and an un-released exploit for it was used to decrease the time to decode it. Aside from wikileaks telling us how it was done, everything we can propose is speculation.
Well, either it used an extremely weak algorithm, like DES in order to save their system's resources (which makes sense... Imagine building a thousand helicopters with a built-in system that automatically encrypts the stream with Rijndael or Diffie-Hellman) or the stream is stored inside a drive (unencrypted) and then is encrypted when it comes back to the base.
Well, we would need access to HOW and WHEN the encryption is made. If the video has to be sent on a live stream to somewhere (like from the helicopter to the Pentagon on a live transmission) it is possible that the video is sent unencrypted to some sort of 'routing' base and there it is encrypted and sent to The Pentagon. In this scenario the video could be acquired using an antenna set on the same frequency and then receive the data (old school, but works)
If the video is not supposed to be watch lively, so it is possible that it is stored inside the helicopter unencrypted and then encrypted on the ground and stored. If that is true, the video could be leaked from the helicopter's storage. Or if the drive isn't properly wiped and the helicopter crashes, it is possible (although unlikely) that this drive be recovered from the debris.
My guess is that the video is transmitted both encrypted and unencrypted (or weakly encrypted), the guys from wikiLeaks acquired an unencrypted version of the video, held it for a while and then announced as 'hey Military, we can crack you down!' just to make a smoke-screen. It is not wise to say that the video was decrypted, because it could (and probably will) make the Pentagon change their encryption method. Although it IS wise to say that the encryption is weak IF you are able to get videos BEFORE it is encrypted. In this way, it doesn't matter if the algorithm used is DES, 3DES, AES, whatever, given that WHEN the video is encrypted remains the same.
It's a smart move, they would put the guys at the Pentagon on a rush to change the algorithm, but the flaw is somewhere else.
@Daniel: "And if a banana were just like an apple."
Everything I said should have been read as a rebuttal to ukabu's supposition that we can infer the kind of encryption used in the helicopter's video from the kind used in drones.
Along these lines, Bruce, what about the decryption (at Carnegie-Mellon wasn't it?) of the hard disk of the hacker in SF who recently ended up getting sent to jail? Any idea how it was done?
>They did a dictionary attack on the password, according to
That page also seems to be encrypted, although not very strongly - you can recognise some of the words.
Perhaps I am missing something but I would submit that since this is a video from 2007, the encryption method in question would not be the helicopter storage, the transmission, the relay of the transmission but the archiving method of the ~3 year old clip.
Er und ein Team von Kryptologen hätten daraufhin etwa drei Monate lang daran gearbeitet. Es sei darum gegangen, unter ein paar Millionen der wahrscheinlichsten Passwörter das richtige zu finden.
[Julian Assange] and a team of cryptologist spent three months working on the clip. It had to do with trying a few million of the most likely passwords in order to find the right one.
It seems implausible that the helo gun-camera footage was pulled out of the air, even encrypted. You would want a helo to have gun-camera footage for damage assessment and post-mission feedback even if the event was emissions controlled (the modern term for radio silence).
Drones need comms because the pilot is on the ground. Helo has a pilot inside, the gun-camera is probably a tape. This video is probably after the fact. If it were encrypted it would be Type 1, and it would be much more interesting news that someone had cracked it with computers they borrowed. Seriously, fellow crypto-xperts, someone used the, probably classified, footage in a briefing or document and the file got leaked on a CD (now that thumb drives are banned and blocked on most DoD computers).
Hacking the password on an MSWord document isn't really encryption in this forum's sense of the term. It might be to Wikileaks, however. As we've all said, nobody attacks cyphers any more because there are so many easier places to attack.
Supposedly, the original encrypted file is here: http://leaks.telecomix.org/cm.rda
It looks like it was encrypted using OpenSSL's command line utility, which takes a passphrase, so that supports the idea that this was broken via a passphrase guesser.
I wonder what the passphrase was. It would be amusing if it turned out to be "progress" again (a la http://www.metafilter.com/79537/... )
re: JFK assassination tape
Since that was a CIA-sanctioned, therefore government sanctioned, termination, it is legal to watch. :-)
I found the file earlier and analyzed it as an OpenSSL type bare encrypted file.
If it's AES-256, then I guess that qualifies as "Military Grade" suite b.
But I don't see any indication of a classified algorithm.
I would love to see the original cleartext... I wonder if wikileaks would release it?
I wonder why the encrypted vid is about 430 megs and the decrypted one is >600 megs. Maybe recompressed, but that makes little sense unless some really weird codec was used in the original. By releasing the encrypted version, they are giving similar hints to potential attackers than with the unencrypted one.
what is the chance that the source supplied the password, and the talk of taking 3 months to get it by dictionary attack is misdirection?
@jan - the 600MB file is an edited version - I'm still hoping to get the complete original file.
The WikiLeaks editor, Julian Assange, says in this video (around 1:20), "we have a number of cryptographers and other security experts and lots of volunteer computer time, so that's just a matter of going through the most probable passwords that something might be encrypted with, so several millions of passwords to find the one that was used."
He further states that they spent about 3 months working on it.
I went to check out some of the above links and links in related articles. Interestingly, I seem to be able to access http://wikileaks.org/ from my home ISP (USA, Comcast), but when I go to their SSL link to submit or view material privately, https://secure.wikileaks.org/ or https://secure.wikileaks.org/wiki/N1 or using the IP from a DNS lookup, http://126.96.36.199/) I get "Cannot find server". Traceroutes go overseas to tunnel2.prq.se but no further. Makes me wonder if wikileaks is swamped/misconfigured or whether my internet is censored. Thoughts?
There are two angles that I'm seeing on the Internet. On one hand, suggestions that the encryption was broken due to a weak choice of passwords by the military. This is not without precedent. The other part is that Wikileaks is overplaying the burden of the cryptography as a fundraising tool.
But one possible scenario that I haven't seen discussed is that the leak contributor encrypted the file *themselves*. Since Wikileaks does not have a public PGP key to secure send materials, it is possible that the file was intentionally encrypted with a weak, but unknown password, that was not sent together with the materials. This could be for several reasons:
- To prevent casual discovery - for example, in case the boss is snooping on your sent e-mails, or to evade "data loss protection" attachment scanners (though many of these scanners are configured to block common encrypted archives like ZIP).
- To effectively delay the leak, by forcing a computationally intensive effort to decrypt the data.
- With the intent to send the password at a later time, delaying the leak, but still allowing the possibility of delayed decryption in case the sender becomes unable to give the password.
- The recipient intends to send the password out of band, but still allows for a delayed decryption in case the password doesn't arrive.
It's also possible that the password was supplied later, but not mentioned to protect the source.
Note that in the encrypted-data scenario, there must be an initial plaintext assurance of legitimacy to "entice" Wikileaks into decrypting the unknown data. The veracity of the information would need to be proven before committing to secrious decryption efforts. These could be things like a still from the video, e-mail being sent from a .mil IP address, or parcels that are postmarked through the military postal system. However, the more convincing messages pose a greater risk of incrimination and traitor tracing.
Working with an established source makes the trust issue much easier, but conveying the idea tgat the data is so important as to warrant decryption efforts would be a difficult proposition, especially if the contributor didn't have access to the plaintext video, or didn't even know what it was. Imagine that you get a CD from a source with files from a network drive: military paperwork, base intranet screenshots, and an unknown, encrypted AVI file. Exactly how much of a wild goose chase would YOU follow to try and decode the data - with no assurance of success?
If the sender is a known high-value source, certainly secure communication channels could have been established with them, and they are likely to have plaintext access to the video.
There's also other wild possibilities, such as the "decryption" security experts actually being asked to search for traitor-tracing watermarks. Overall though, I think there is a bit more than is being told. While the video isn't the kind of classified material that needs major spycraft to leak out - it was probably shared by several dozen people - there are some details we may never know about exactly how they got to posting that video.
If I remember correctly, it actually *was* the passphrase "progress" again.
Just like Enigma, the problem is always the human operator. I guess no matter if it's military or otherwise, very few people actually take the steps to use good passwords.
Who knows, maybe the military will finally step up its security (unlikely).
Is it perhaps possible that wikileaks obtained a completely unencrypted video, or the encrypted video and the key, and have made up a story about an effort to decrypt it, in order to protect their source?
If there were only a handful of people originally able to view the video, and one of them gave it to wikileaks, I'd be looking for a way to obscure who actually provided the video (if I was wikileaks)
I've tried to figure out what the most plausible rationale behind this theory is, and it seems that it's "plausible deniability".
By announcing that the video was encrypted, those who had custody of the material could claim a good-faith effort to protect it. The "encryption" - if there existed any at all - could be added by Wikileaks, or by the submitter before he/she "lost" control of the media.
(Presumably, if the video owner intended to leak, they'd send the decrypted version or include the key, since that's the most effective way to ensure a leak. If the owner kept the video unencrypted they could be accused of negligence.)
If there's any other logic behind this theory I'd like to hear it.
This is one of those posts that upset me about this blog - and yes, I know the blog is about cryptography.
I watched the video; yes, it's upsetting - as upsetting as you'd expect a video showing 7 or 8 men being murdered in cold blood.
But here, everybody is likely to ignore the fact that these men were innocent; that their lives were taken by people who should face an inquiry at least, charges at best... no here, you're all just going to cogitate on how it got out.
Now, having said that I will go back to being understanding of men living in the spectrum.
After reading all the comments I think the most plausible explanation is that wikileaks got the video unencrypted and then claimed it was encrypted to protect their source.
Assange also mentions another video will be released soon with 97 civilians being killed by a bomb in Afghanistan. That sound like the event that caused quiet a disturbance in Germany some months ago when a german bomb plane hit a tank truck and 97 civilians were killed. Most of them where there to collect free gasoline from the truck.
There are lots of forums/blogs/articles that are discussing the political/legal/moral/ethical issues. This blog, like many are specialized and staying on topic is a good thing.
@anon "Is it legal to watch legal killing videos, that were obtained illegally?"
In the United States - it is. The individual is liable for the disclosure having signed an NDA. But Having no Official Secrets act the press may publish anything they deem is news worthy. Most notable test case was the Pentagon papers-New York Times Co. v. United States. Daniel Ellsberg disclosed papers that the Nixon administration exerted extreme pressure to restrain the New York Times from publishing. Ellsberg himself was tried under the Espionage act of 1917.
I'll have to check my facts on this but with the exception of FOIA/privacy and atomic energy I think information classification is basically authorized by Executive Order. This causes all kinds of issues between the branches since Congress can (and does) disregard the "administrative rules" of the executive at will. Among other problems this leads to the executive (including the military) feeling justified in routinely lying to Congress. They leak. And this was in the end what happened with the Pentagon papers. A Senator entered the whole of it into the record of his committee.
Regarding the crypto issue...I'm inclined to agree with the argument that a weak password was exploited.
But we don't know enough to do more than guess. Everything here is speculation. Morning workout.
I'd say the question is, and others have come close to it, why were the files still encrypted?
I assume the source did not provide the original media but made a copy.
The source had access to the files but not in an unencrypted form?
The source gained access to the files but not the key?
The source gained access to the device/system the files were on but couldn't decrypt them during retrieval.
We haven't established were the encryption was performed.
There seems to be an assumption here that it was part of COMMSEC. I'd start with the video not the comms gear on the Apache.
First the Apache (do we know if they were AH-64Ds or not) isn't an overly roomy craft. Mostly airborne comms suites are VHF/UHF, some HF but that's rare. Some Satellite, maybe, but these spectrums are all bandwidth constrained. The only things being transmitted is what they would need to support combat. (Block II upgrades to the AH-64D said something about "tactical internet" but I don't have the time to research it)
Second communication encryption is normally for the over the air path only. If the video was streamed then is was (maybe) encrypted for transmission and decrypted for use at the receiver.
Perhaps they performed the encryption at the video suite and transmitted it over clear channels. If they transmitted it at all. The Apache is a tactical attack platform. Hmmm. Why would video be transmitted at all? Unlike a drone it's not in need of c2. In an attack group wouldnt only data to coordinate the attack would be shared. would this include moving images?
So I think we can leave the aircraft out of it. Beyond being the source it's irrelevant to my mind.
These were, apparently, encrypted files at rest.
So either the data was aquired from a database (but then why would the files still be encrypted) or static file server (windows EFS/Bitlocker?), laptop, or some digital media USB/CD/DVD. Still it was some media removed from a secure space and they do watch some networks for unauthorized USB connections. (though we know the Army uses/used classified USB drives in Afghanistan) Given the stated size of the files I'd lean to CD-r but that could be a red herring.
DoD is a heavily Windows enviornment, not combat or avionics devices I trust, but definately in the rear echelons. There may not be an NSA app for encrypting commerical gear. I've never heard any unclass discussion of it. And it makes sense to me why there wouldn't be - NSA maintains much of their security through the physical protection of their cipher gear as much as through their cipher algorithms and keymat management practice. They are stringent about QA and secure deployment. A general purpose OS wouldn't serve. Secure spaces don't need encrypting software on the server/client level. That's handled by the encrypting networking gear. Don't know about laptops in the field (credant? yuck)
So someone choose a windows app (Winzip?) to encrypt the files (EFS is a possibility. I'm gonna bet against bitlocker 'cause there aren't enough Vista machines deployed.) But not whole disk encryption because they got some files not an entire disk image.
A share on a file server? Surely not. Surely pear shapped blowhards with birds and stars on their collars know better. It would, though, be easier to cover up who retrieved it since it's unlikly these files were being subject to file and object auditing.
An administrator? possibly. Hard to cover up the audit logs. Unless, again, file and object access auditing isn't enabled.
Interesting fact - The Pentagon has added Wikileaks.org to its list of the enemies threatening the security of the United States. Which, I think, means if S3081 passes and the President signs it the Military can take anyone even Americans on American soil from Wikileaks into custody.
Reuters News was seeking video footage from the U.S. military and other materials relating to the killing of Noor-Eldeen and Chmagh. The footage was taken by cameras on board the U.S. helicopters involved in the incident.
Therefore Wikileaks leaked the video captured by the onboard TADS (Target Acquisition Designation Sight)
Re whether the video was transmitted live during the incident, I will "speculate" that MFD display data is available in realtime to forward command elements, largely to verify that soldiers actually are killing people as ordered. (MFD = multifunction display; "gun cameras" have been obsolete for a long time.)
After World War Two studies found that over half of U.S. soldiers were unwilling to shoot to kill, even in the heat of combat. This problem has been addressed by more intensive training and propaganda, deconditioning through simulation training, and where possible direct monitoring of field performance by command elements. Our very high rates of veteran suicide reflect the consequences of brainwashing a soldier to be a cold indifferent killer then expecting him or her to return to civil society and resume "normal human values".
The low quality of the video we have may be due to compression by Wikileaks, but more likely due to compression prior to transmission. The chipset in a cheap digital camera can compress video in realtime, and block ciphers are very fast on minimal hardware. Processing overhead is not an issue - but transmission bandwidth is. It is unlikely that "tapes" are stored onboard the aircraft, due to the intelligence and propaganda value of the said materials should they fall into enemy hands.
re. low quality. the quality of the wikileak is actually very good!
usually video from the TADS looks like this at best...
re. "It is unlikely that "tapes" are stored onboard the aircraft". it might surprise you, but the TADS on the AH-64's works like this. In fact not only is it an analog videorecorder, one must decide if either pilot's view is recorded or gun-man's view. (the wikileak is gunman's view BTW)
There were two Reuters correspondents killed in the incident. Reuters did not at the time suggest that they were murdered, just that they were in the wrong place at the wrong time and those are the dangers of war-time reporting. This was after they saw the video within a few weeks of the incident in 2007 (officially, via the military).
I have seen it suggested that the wikileaks source was Reuters and that the "decryption" is misdirection.
It depends during which phase the video was encrypted. If it was encrypted at the file level and you know the video container format you can guess some of the bits. Even more if you know the codecs used. If the packets of the streams were encrypted you can still make some guesses knowing the codec and encoder. The great part about this type of attack is that you can easily and quickly detect if you got it wrong (one way to foil this type of attack would be to give your video a lead of corrupt looking video).
@greg that's as maybe.
Better that people are reminded that cryptography without humanity is a pretty pointless exercise.
Videotapes really? And I thought Blue thunder was a movie.
I'll take it read that the video was transmitted though it still doesn't make sense to me.
Okay so were the tapes encrypted on the aircraft? I could see why they would be in the event of a loss of the aircraft but it seem more likley to me that the video was digitized back at command. Either in the video processing unit or upon reciept of the image stream at command from the aircraft.
yep. plain analog video recording.
in 2007 none of the apache helis had any digital video or even life-streaming.
this was promised for 2008, but didn't come before 2009...
ps: wikileaks did most excellent background research before they released the video. e.g. they checked back with serveral ah-64 experts in the netherlands, israel, and greece, serbia, etc.
I'm inclined to believe EWilliams and BF Skinner here with an exception: I believe the video was most probably streamed and recorded from the chopper.
The military uses "tactical internet," both encrypted and un-encrypted over radio, but also over satellite. I'm not sure of this particular aircraft's comms ability, but satellite links are not out of the question. This video could very well have been streamed at some point using the military's COMSEC keys on the encrypted net - using keys which DO happen to come from NSA, but can be used by basically anyone with a valid security clearance and access to the keying device.
The keys could very easily have been compromised by a servicemember with access to the key device - very very easy to exploit - just exploit the person; OR give them a reason to want to share the information, but I don't think that's what happened.
It is also likely that the video was part of a briefing and found its way onto SEVERAL other harddrives, USB sticks, and CDs. I've been witness to this kind of data sharing in the military, and it has some pretty hefty consequences.
The military has good encryption, but some very clumsy operators of the equipment. Some folks don't even know what they have a hold of if they've got keying material.
My guess is either that it was leaked from a briefing, or that someone involved was able to leak an unencrypted version of the RECORDED stream OR provide the key to unencrypt it. The last point is probably the least likely, however, as it WOULD result in jail time if that person were caught. And they would be caught.
Wikileaks article said it got the video via a FOIA that was issued in 2007. Not sure it would have been encrypted with a FOIA response.
Too little data, and a grand standing ex hacker..?? Busted encryption.. What encryption NSA's type I using the Baton cipher or AES 256 in a secure operating mode..?? Somehow I don't thinks so...!!
Assange is a grandstanding ex hacker.
FYI see the following:
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.