Mujahideen Secrets 2

Mujahideen Secrets 2 is a new version of an encryption tool, ostensibly written to help Al Qaeda members encrypt secrets as they communicate on the Internet.

A bunch of sites have covered this story, and a couple of security researchers are quoted in the various articles. But quotes like this make you wonder if they have any idea what they're talking about:

Mujahideen Secrets 2 is a very compelling piece of software, from an encryption perspective, according to Henry. He said the new tool is easy to use and provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version.

No one has explained why a terrorist would use this instead of PGP -- perhaps they simply don't trust anything coming from a U.S. company. But honestly, this isn't a big deal at all: strong encryption software has been around for over fifteen years now, either cheap or free. And the NSA probably breaks most of the stuff by guessing the password, anyway. Unless the whole program is an NSA plant, that is.

My question: the articles claim that the program uses several encryption algorithms, including RSA and AES. Does it use Blowfish or Twofish?

Posted on February 8, 2008 at 5:39 AM • 60 Comments

Comments

PaeniteoFebruary 8, 2008 6:26 AM

"provides 2,048-bit encryption, an improvement over the 256-bit AES encryption"

They could have switched to RC4.

NickoFebruary 8, 2008 7:08 AM

"But quotes like this make you wonder if they have any idea what they're talking about"

Of course it could be that the cryptologically illiterate media simply misinterpreted what the "security expert" said. After all, in many respects supporting 2K-bit RSA, with private keys that don't need to be moved around, is more secure than raw 256-bit AES with shared secrets, which are likely to be hashed passwords that as you rightly point out might be guessed. That complex statement could easily be mis-quoted and/or poorly edited into "the new 2048 encryption is better than the only 256 bit encryption".

Paul SladeFebruary 8, 2008 7:26 AM

@Bruce,
The quote you cite is not as damning as the quote from further on in the article...
'Henry' says... "someone could put the software on a USB memory stick, go to an Internet cafe, plug in the USB device and run Mujahideen Secrets 2 to encrypt any communications from that cafe."
I think that stands well on it's own without further comment from me.

Bruce, you mention Blowfish and Twofish. Would you have an issue if they were being used?

HannoFebruary 8, 2008 7:28 AM

When people don't understand the principles behind a technology they push the numbers. 2048 is higher than 256, shure. And the lemmings go and eat that bait.
Noone tries to explain the difference between primebased public key crypto systems like RSA and symetric systems like AES, Twofish and the lot.

What I think of this? First there was never a problem in making 2048 bit keys for RSA or even bigger ones. The only sense this could make is:

1) making a name by pushing numbers
2) it might be a bait of the NSA

And I of cause -I assume- this software is not opensource anymore but a compiled product. I shurley don't know but "easy to use" sounds like this. Would be a quite nice job from the NSA to set such a trap - a cyphersoftware with a trapdoor in it and a signature that differs from everything that's on the mainstream.

If its like I say, we will see a nice little media blowup about this and some revival of "encryption should be better controlled" and "only who has to hide something is using encryption" by certain political fractions.

a_lexFebruary 8, 2008 8:00 AM

Darn, I nearly laghed myself to death. tHIS QUOTE IS ESPECIALLY HILLARIOUS : " Of note is the map in the background that provides locations of their global network." http://blogs.csoonline.com/...

I guess the whole point of this exercise is to make as many ppl as possible die of laughter.

If it is som then teh Terrerists win

aikimarkFebruary 8, 2008 8:17 AM

"Does it use Blowfish or Twofish?"

@Bruce,
Is this another way of saying "What am I...chopped liver?" ?!? :-)

CairnarvonFebruary 8, 2008 8:18 AM

There's some irony in the fact that two of the inventors of RSA are Jewish (and one of those is actually Israeli). I wonder if they realise this.

Trichinosis USAFebruary 8, 2008 8:25 AM

@Cairnavon: yes, but they used Arabic numerals to do it. The irony just never stops, does it?

J.D. AbolinsFebruary 8, 2008 8:36 AM

@Trichinosis USA & @Cairnavon:

Among the big contributions of Arabic numeral system is the zero, signify "nothing" but doing a lot. Try doing heavy duty mathematics with, say, Roman numeral or the Hebrew letters as numbers systems.

The zero -- ص�?ر - Sifr -- was so mysterious to many people and, eventually, the Arabic word led to the term cypher or cipher.

ZeligFebruary 8, 2008 8:44 AM

It is curious why this software instead of using PGP. Distrust of a US company might be a reason but there are international versions and the source code is open.

Maybe it is a morale thing. "Look we've got our own Mujahideen security tools, properly branded!" What next? Windows notepad for Mujahideen?

jdbertronFebruary 8, 2008 9:00 AM

It's obvious to me that the 2048 bits of encryption is quoted to subliminally impress the veracity of the report.
The media is not that illiterate, unfortunately. It's an excuse they've been using for years.
Here is how it works: anyone reading the report makes the mental comparison that 2048 is greater than 256, and makes the latent deduction that this must make the encryption harder to break. Framed by the carefully picked name of the tool, it is a great way to make the average ignorant think that the danger is imminent.
The psychological trick works because nobody thinks they're an idiot, and therefore anything they conclude is given a high degree of credibility.
It doesn't matter if afterward, the facts used to make the deduction turn out to be false.
Researchers make that mistake all the time.
Anyone spotting the weakness of the facts first (like Bruce here) is better equipped to bust the veracity of the report, and its effects.
J.D.

sooth_sayerFebruary 8, 2008 9:00 AM

@Trichinosis
"@Cairnavon: yes, but they used Arabic numerals to do it. The irony just never stops, does it?"


Numerals are actually Hindu, Europeans started calling them Arabic because Jews translated the Arab books for them in Spain after Moors.
Yes the irony doesn't stop there alone; there are a lot of you who known little about history or science.

sooth_sayerFebruary 8, 2008 9:09 AM

@J.D. Abolins

>>@Trichinosis USA & @Cairnavon:
Among the big contributions of Arabic numeral system is the zero, signify "nothing" but doing a lot. Try doing heavy duty mathematics with, say, Roman numeral or the Hebrew letters as numbers systems.

The zero -- ص�?ر - Sifr -- was so mysterious to many people and, eventually, the Arabic word led to the term cypher or cipher.

What a load of crap,

Decimal number system, Zero as well Infinity are Hindu contributions to mathematics, not Arabic; Know thy history.. it's not that hard.

here is a link "http://en.wikipedia.org/wiki/0_%28number%29"

shadowFebruary 8, 2008 9:36 AM

@sooth_sayer

Hahahaha!!!!one1

You just told someone that they should know their history like you were all enlightened, but then you accidentally let the cat out of the bag. You didn't know this bit of history previous to posting! Admit the truth. You just looked this stuff up on wikipedia to look smart didn't you?

sooth_sayerFebruary 8, 2008 9:43 AM

@shadow

I looked up wikipedia to include the link for smarty pants like you .. who won't believe me unless I pointed out an accepted source.

Given time I can find who your real father is .. so don't mess with me.

Hahahaha

shadowFebruary 8, 2008 10:02 AM

@soot_sayer

not wanting to start a flame war I'm going to limit myself to one simple response.

"Given time I can find who your real father is "

WTF? Not that I would even care, but seriously wtf? Take your medication in the morning please.

John RidleyFebruary 8, 2008 10:33 AM

@J.D. Abolins:
Regarding the Arabs with the "invention" of the zero:
My high school calculus teacher once said that when the Romans needed to do really serious math, they went and kidnapped an Arab.

dlgFebruary 8, 2008 10:36 AM

Not only does this program not seem to provide anything more than PGP or equivalents, having it installed on your computer would be supremely stupid. These days, people will get suspicious if you have PGP installed, but what if you go through customs and the nice people there find "Mujahideen 2" on your laptop? I tend to think that people as (self-)destructively fanatic as your next-door terrorists need to be relatively stupid. But that stupid? It somehow makes me feel more secure.

@Bruce: I think you should publicly distance yourself from the *fish ciphers before it's too late. I bet aiding and abetting can be quite bad in terrorism cases.

Brandioch ConnerFebruary 8, 2008 10:46 AM

You are allowed to try this program for 30 days. If you continue to use it past the 30 day trial, please send $15 to Osama. Upon payment you will receive a registration code that will disable this pop-up.

Wouldn't the FIRST thing you'd do as the US government be to replace whatever binary is being downloaded with your own version that allows you to quickly crack any "encrypted" messages?

Or wouldn't you fake the whole thing just to find the wannabes out there?

SavikFebruary 8, 2008 11:01 AM

The thing is Blowfish and Twofish were not created by Schneier alone either -- IF at all. Little do any of you know Schneier himself is an NSA plant!

smartalixFebruary 8, 2008 11:32 AM

Zero is actually alien technology that was brought to earth centuries ago to help the Egyptians to build the pyramids.

PeterFebruary 8, 2008 11:34 AM

Why would they put an M16 on the splash screen when the AK47 is AQ's preferred weapon. Unless of course, as Admiral Akbar so clearly said "Its a trap!"

Nick LancasterFebruary 8, 2008 11:39 AM


I'm wondering why any self-respecting mujahideen would use a program called 'Mujahideen Secrets 2'.

*** "Now, you can send secret messages just like Osama bin Laden does! With Mujahideen Secrets 2, your secret plans to topple America will be safely hidden behind 2,048-bit encryption! But that's not all! If you call within the next five minutes, you'll also receive a vial of unidentified white powder! Don't delay! Call 1-888-672-8727! That's 1-888-NSA-TRAP! Call now!" ***

Pat CahalanFebruary 8, 2008 12:03 PM

If it doesn't use blowfish/twofish, it's because terrorist have been reading Schneierfacts and they're afraid Bruce can brute-force their crypto with his fists.

dragonfrogFebruary 8, 2008 12:09 PM

I love the splash screens! It could only be better if they fired off a really loud sound sample on startup, of someone screaming "Terrororororist sittin over here! The guy with the panicky look in his eyes!"

Also "Activate Stealthy Cipher". Someone has watched the transformers movie.

Timmy303February 8, 2008 2:03 PM

I would love to be a fly on the wall when terrorists were deciding what algorithm to use:

"So what's the deal Khalid, our brothers in Barcelona, New York, Istanbul, Madrid, and London have all been arrested by the infidels, and you want to use 3DES? Come on."

"Look Ahmed, it's better than AES, I don't trust AES."

"Why not? If it's good enough for NIST, it's good enough for Al Qaeda."

"Please, they chose it for speed and ignored security completely. Hell, it was ten-round Rijndael that was tested for speed, and this was just after the Counterpane team cracked nin-round variant."

"Yeah yeah yeah I get the point, Twofish got robbed. So you're saying we should use Twofish?"

"No, but definitely not AES."

"So what, then? Because I refuse to use 3DES."

"Well, RSA is still unbroken, that combined with a longer key length maybe ..."

"Oh give me a break Khalid, did you seriously not read Bernstein's number field sieve circuit paper?"

...

Sean O'HaraFebruary 8, 2008 2:08 PM

I hope they do use Twofish, because that means the government can crack the terrorist's communications.

I know it's true, because it was on 24.

Timmy303February 8, 2008 2:18 PM

CTU doesn't need block cipher cryptanalysts, they just need Jack Bauer and some lamp cord.

CairnarvonFebruary 8, 2008 2:28 PM

@Trichinosis
That would be ironic if Shamir and Adleman were as known for hating Arabs as these Mujahideen are for hating Jews and Israel.

Also re: zero, it's true the Mayas came up with it first, but the Indians developed it independently, and it's through them the rest of the world got it.
For people who are interested in this sort of thing, "The Nothing That Is" by Robert Kaplan is an excellent book on the history of zero.

BTCrypieFebruary 8, 2008 5:13 PM

Why would someone ask such an asinine question as to the use of PGP? I think Mr. Schneier is a self licking ice cream cone. The NSA wouldn't take him. His ego wouldn't fit through their doors.

LeoFebruary 8, 2008 5:29 PM

@Nick Lancaster

I'd guess that the average "terrorist" that would use this tool is some frustrated, alienated, unemployed 20-something who sits in his bedroom and pretends his life is important by sending secret messages to all his 20-something buddies.

Since the splash screen shows an M-16 and American law enforcement specializes in just this kind of suspect, I'd guess it was put out by Homeland Security. What better proof that that lonely, disaffected 20 year old is a real terrorist than finding "Mujahideen Secrets 2" on his computer? I can't wait for "Mujahideen Voice Secrets". (Then they declare Phil Zimmermann a terrorist sympathizer, ban cryptography and install Clipper chips in all our communications devices. Or maybe someone just writes that into "24".)

aikimarkFebruary 8, 2008 5:32 PM

What's the stinger missile equivalent for Bruce to shoot at Mujahideen Secrets 2?

I've heard that Al Gore invented all the zeroes on the Internet. :-)

avFebruary 8, 2008 6:01 PM

After taking a quick look at the program it looks like it's written in Borland Delphi 5.

AnonymousFebruary 8, 2008 6:06 PM

@aikimark: re Al Gore

Only partially true. Al actually invented chat rooms and blog-comment forms, which then attracted all the zeros that were aimlessly floating around in the real world.

LeoFebruary 8, 2008 6:22 PM

@Mr. Mostel

No, no, no. Al Gore made a law about using zero on the internet. He's a secret Hindu (although there are rumors he's also involved with the Mayans). You know how those Democrats are about pushing their alien religions on America.

Bruce SchneierFebruary 9, 2008 8:14 AM

"Bruce, you mention Blowfish and Twofish. Would you have an issue if they were being used?"

Not in the least. I would add it to my list of products that use those algorithms, though.

DmitryFebruary 9, 2008 11:21 AM

The security "expert" who helped the journalist with the evaluation of the program was J.M. Berger, who considers himself an expert on a bunch of other issues as well including but not limiting to national politics, fighting terrorism, and even science, where his major "contribution" is his unpublished book called "Quantum Chakras." Guess how much science you will find in a book with such a name...

Timmy303February 9, 2008 12:32 PM

"I would add it to my list of products that use those algorithms, though."

LULZ. Laden's endorsement of John Kerry's campaign in 2004 was a hell of a feather in Kerry's cap ...

only_half_kiddingFebruary 9, 2008 4:05 PM

begin quote ---
"Bruce, you mention Blowfish and Twofish. Would you have an issue if they were being used?"

Not in the least. I would add it to my list of products that use those algorithms, though.
end quote ---

I'll second the opinion that Bruce needs to distance himself from *fish'es ASAP, otherwise his next *fish might have to be written while he is enjoying his nice "vacation" in Guantanamo :-)

"Aiding and abetting" can be quite a b!tch ...

SedgequillFebruary 9, 2008 5:01 PM

All of the better encryption algorithms and anonymization tools get used by persons, enterprises, and organizations all along the good-bad moral/behavioral continuum. Alarmed persons who demand nonuse of or distancing from any encryption algorithm or anonymization tool used by terrorists and criminals would not be quite so judgmental, perhaps, if presented with the names of some of its “good-guy��? users.

thsFebruary 10, 2008 8:48 AM

a german blogger actually tried out the program thoroughly and made some fun about it (sorry, linking to german language blog entry).
why would someone who really wants to hide things use a *windows* *closed-source* software where he cannot be sure about anything?
I'd think it's a trapdoor software put out as a bait.
Remarkable that the choice of algorithms is exactly the last 5 participants of the AES challenge.

RandallFebruary 10, 2008 4:39 PM

@ths: I'm far from shocked if the list of algos == the list of AES finalists. Those are the five most-studied unclassified block ciphers since DES.

AnonymousFebruary 11, 2008 2:10 PM

J.D. Abolins:
"Among the big contributions of Arabic numeral system is the zero"

The Indians claim they invented zero and the Arabs brought it with them out of India to other parts of the world.

-ac-February 11, 2008 4:42 PM

Mujahideen Clippy: It looks like you're planning jihaad. Would you like assistance?

Even better if it's Ad supported.

guvn'rFebruary 12, 2008 11:48 PM

I'm surprised that no one has mentioned the threat of another attack on the basic freedom of speech implicit in this comment:

"Berger added that there is a "robust discussion" taking place within the counterterrorism community over the issue of online forums such as al-Ekhlaas being hosted on U.S.-based servers. Some people believe it is easier to monitor what’s going on in the forums when they are hosted on U.S.-based servers, he said. Others, though, want the Web sites to be taken down immediately."

Majhul (Anonymous)February 15, 2008 8:47 AM

Several comment on the Mujahideen Secrets topic...

First, Bruce thank you for covering this topic.

For Bruce's question "Does it use Blowfish or Twofish?"

I've looked briefly at the first version of the Mujahideen Secrets software (asrar.exe) from GIMF and it offers these options for "Symmetric Cipher Algorithm" --
“Rijndael with 256 bit key [AES]��?, “RC6 with 256 bit key��?, “Mars with 256 bit key��?, “Serpent with 256 bit key��?, and “TwoFish with 256 bit key��?.

I am very thankful for Bruce taking a look at the reports on the Muhadeen Secrets software. The topic needed a look by somebody with cryptography expertise. The general reporting on this software has been jumbled and sometimes off on various details.

Much of this I attribute to problems tech press has in covering this type of software. Cryptography tools present the challenge of analyzing and explaining the crypto qualities.

The developers of programs such as Mujahideen Secrets and the e-jihad DDOS tool seek obscurity in the distribution of their wares. They don't put up the software and source code on, say, sourceforge and certainly don't send review copies to the tech media.

So the tech press reporters are getting little glimpses of the software from various sources who will talk to the tech press. Many people who've examined the software and have expertise are not talking to the press. I'm not saying that all the sources talking to the press lack expertise, not at all, just saying that the reporters are working with second and third hand information, never getting a full picture of a category of software that is challenging to review.

The security by obscurity in the distribution presents a cost to the developers and users. No chance for examination and probing for vuilnerabilities that can lead to fixes. Not likely to see Bugtraq reports on Mujahideen Secrets vulnerabilities.

But the Mujahideen Secrets software lacks obscurity in a different way. It's interface, keys, and other things clearly indicate a "Mojahedeen" connection. Maybe it was branding for morale and psyops boost. Plausible deniability is shot for a user if somebody spots the user interface or other artifacts of the software. Maybe the branding is a creation of a pool of users who'll be a distraction to the watchers while others use tools like pgp or gpg that are better tested and hide better in a large crowd of diverse users. Gpg comes pretty as standard part of Linux distros and its presence doesn't hint of affiliations.

The psychological effects of the "branding" also seems to work on the reporting of the software. Like the e-jihad DDOS tool "cyberjihad attack on Nov 11th" reporting last
fall, the naming of the software and association with certain groups may skew the perception of the tools, giving them a sinister appearance independent of their technical qualities. Not saying that the developer and users have innocuous intentions, just that the emotive qualities of the "mujahideen" and "jihad" labels can affect the reporting of the tools. Certainly makes for better headlines than "Ho hum, another DDOS tool" or "Attempt to cobble together a pgp-like program branded for the mujahideen, can it work?; Cryptography isn't so easy to do right".

VinceFebruary 18, 2008 3:04 AM

"LULZ. Laden's endorsement of John Kerry's campaign in 2004 was a hell of a feather in Kerry's cap ..."

Was it really him or another cyber phantom courtesy of Langley ? :-)

JohnApril 1, 2011 7:32 AM

sooth_sayer, either would be a marginal improvement over the Greek base-60 numeric system (also with no concept of zero). In all fairness, I've yet to go to an Arabic-speaking country that uses arabic numerals, they're pretty unapologetic about using Hindu numerals (which, on the bright side, are also base-10 read left-to-right, so reading numbers is easy to pick up).

I also think that it's greatly ironic that they're using an image of an M-16 for the basis for their logo. I've seen AK-47's from the Soviet excursion to Afghanistan where they aren't cleaned on a regular basis, get lubed with any oil available to include vegetable, and still fire at very near cyclic speeds for a prolonged period of time, but I don't trust an M-4/M-16 without serious ongoing maintenance in the same areas.

In other words, I think there's a good chance that this was seeded by a three-letter-agency, or equivalent for other Western countries.

And in other news, the sun will rise in the east, and depending on local weather conditions, the sky will be blue in the daytime.

It_doesnt_matterApril 3, 2011 8:30 PM

Maybe I'm just cynical, but I'd be willing to bet that some US government agency wrote this to kill two birds with one stone. Firstly, no intelligent mujihadeen is actually going to use this software, all of their important communications are word of mouth only or other primitive means. By creating this software the government might get to locate any fully retarded mujihadeen willing to use this (in which case they are probably not a threat anyway) and show the media that due to the "war on terror" we need to give up more liberties. Also, they get to say that the "terrorists" are now using cryptography, trying to conjure the political currency to create legislation to go after popularly implemented cryptography like they did in the 90's. They'll probably recommend the key escrow system again, and some corporation will manage it and get rich.

James CApril 4, 2011 10:43 PM

I'll second the opinion that Bruce needs to distance himself from *fish'es ASAP, otherwise his next *fish might have to be written while he is enjoying his nice "vacation" in Guantanamo :-)

Oh, please...that would be like arresting the CEOs of Toyota because that happens to be the favourite delivery vehicle of moving IDEs or Semtex because that's the explosive preferred by these idiots.

Besides, crypto is only as secure as the passkey...you all know that.

VideogamerApril 13, 2011 1:44 PM

If it was an NSA trap then the splash screen wouldn't be such an obvious mistake that one would be led to believe it was NSA. No, they'd do it right and make it an AK47. Obviously quickly made by someone who wanted to get the prog out quick and help fellow terrorists, but in doing it hastily used the image of the wrong gun. Or maybe it's intentional and meaning to say "Americans use M16s, but now you can keep those M16-using American soldiers from finding out our secret attack plans".


By the way, after scouring the net for a LONG time I managed to find a copy of the prog to test myself. And it takes like 5 whole minutes on my 3GHz laptop to generate the 2048bit key. And yeah it does work to encrypt stuff. And yeah I ran a virus scan as well as the online VirusTotal multi-scan (uses like 10 different scan softwares) to see if it had a back door. And it did not. It appears to be clean. And no I don't work for terrorists. I'm just thinking it's cool to have software that represents an enemy faction in the world, not that I agree with their actions. Sort of like owning a real Confederate dollar, is kind of cool, even though I think slavery was terrible. Same here. It represents a certain aspect of world history and at the moment it is current events, but some day this will all be in the history books, long after this war is over, just like the American Civil War.

Also one of the other articles on this software seemed to be impressed at its ability to "encrypt" any file into plain text. That's just a dumb comment though. 1) It's not encrypting, it's base 64 encoding. 2) Base 64 encoding isn't exceptional or extraordinary in any way, and is actually the way email sends attachments, as the protocol for email only permits plain text, no binary data.

eagleJune 15, 2011 2:17 AM

i think that they developed the standers algorithms and they add new encryption technologies ...how we can to be sure that they did that?any Technic or hints?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..