These four slides, released yesterday, describe one process the NSA has for eavesdropping on VPN and VoIP traffic. There’s a lot of information on these slides, though it’s a veritable sea of code names. No details as to how the NSA decrypts those ESP—”Encapsulating Security Payload”—packets, although there are some clues in the form of code names in the slides.
John • March 13, 2014 11:15 AM
I saw the article on Arstechnica. But I was wondering: Did the NSA compromise the Crypto of the VPN, or was it only through malware on a compromised router? Are they throwing huge amounts of hardware at it to actually brute force a key exchange?
Bruce Schneier • March 13, 2014 11:36 AM
“Did the NSA compromise the Crypto of the VPN, or was it only through malware on a compromised router? Are they throwing huge amounts of hardware at it to actually brute force a key exchange?”
The whole point of using QUANTUM, as opposed to a passive eavesdropping system, is to do a MITM attack against the key exchange protocol.
John • March 13, 2014 11:42 AM
@Bruce Schneier Wouldn’t a good handshake protocol detect that the handshake has been forged? (I’m envisioning SSL with trusted certs. Maybe I’m looking at it the wrong way?)
Gonzo • March 13, 2014 12:25 PM
Yeah, a single line that says ‘Attempt decryption’. You think that would be the focus of the entire slide deck since that’s the hard part.
phred14 • March 13, 2014 12:50 PM
Looking at the VPN slide, every TLA looks like it pertains to IPSEC. I wonder what their slide looks like for OpenVPN. (The cheap/easy one.)
Art • March 13, 2014 12:51 PM
The most intriguing bit for me is the box marked ‘CA Resources’. Is this where the NSA keep their (stolen/voluntarily handed over) CA root keys, so they can MITM the x509 key verification?
GregW • March 13, 2014 1:04 PM
Having a modest exposure to SIP/H.323, I have a educated guess what the Voip METROTUBE analytic would make sense as being.
Opinions on whether I should speculate openly?
Rich • March 13, 2014 1:16 PM
The take away (lower right corner of slide 4):
Someone IS listening to your (VoIP) phone calls.
todd glassey • March 13, 2014 1:56 PM
The key issue is the timestamps and their authenticity. Both in a temporal context and a sourcing model.
Benni • March 13, 2014 4:35 PM
By the way bruce, I think you once wrote that
https://www.schneier.com/essay-472.html
“This is best illustrated by the work of the NSA’s Tailored Access Operations (TAO) group, including its catalog of hardware and software “implants” designed to be surreptitiously installed onto the enemy’s computers. This sort of thing represents the best of the NSA and is exactly what we want it to do.”
But well, here is a real tao operator, who writes on what he does:
https://www.eff.org/document/20140312-intercept-five-eyes-hacking-large-routers
He hacks into routers. “but not your home ADSL router. I’m talking about bigger routers. Such as Ciscos, Junipers Huaweis, used by ISPs for their infrastructure. Hacking routers has been good business….”
Do you really “want” that the nsa does this bruce?
The mass surveillance and bulk collection of the nsa is just possible because they use their targeted surveillance on specific targets like google or internet service providers.
So you can therefore not condemn surveillance and at the same time write that TAO is a good thing.
The tao catalogue is merely a catalogue of technical devices. It is as usual, technique is neither good nor bad. It depends on for what and how it is used.
There should be a discussion which are reasonable targets of an intelligence agency. Is an ISP a reasonable target?
Literally, terrorists use phones. But does this mean that you must bug all phones (as the nsa is currently trying it)? This is the question that the responsible politicians must be asked.
Putting all these operations under military does not solve it either.
For example, the US have no war with Iran. Yet an NSA operation that targets responsible persons in iran, so that the US government can reliably tell whether Iran really just wants to use a nuclear research reactor for neutron research or whether iran wants an atomic bomb, this would be a reasonable operation.
(yes, it seems that these reactors have to be fuelled with weapons grade uranium, since otherwise the neutrons are too slow for the usual applications in solid state physics where one needs them. The research reactors in grenoble and in munich also use weapons grade uranium http://fissilematerials.org/blog/2010/03/us_to_supply_heu_for_the_.html all tries to convert them to uranium of lower enrichmend have failed so far.)
The military can not do such a targeted surveillance operation in iran, as there is no one at war between us and iran. So these operations have to be conducted by an intelligence agency.
The question is, should the nsa also use tao methods to spy on political allies who fight with the us in afghanistan. Should the nsa use tao, for targeting Internet service providers in order to get access to bulk data, enabling mass surveillance?
Benni • March 13, 2014 6:08 PM
regarding phones, well this here is a newly found backdoor that is active on most samsung galaxy smartphones:
Would be reasonable that our favourite agency manifests itself into phones, but honestly we do not know whether this is a result of nsa’s project BULLRUN
http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor
Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device. In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone’s storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone’s file system.
name.withheld.for.obvious.reasons • March 13, 2014 6:34 PM
while (democratic republic) {
NSA != democratic institution
};
Buck • March 13, 2014 7:44 PM
do {
NSA.checkDemocraticStatusVersus(public benefit);
} while { NSA.status == democratic institution };
NSA.deFund();
There, fixed that for ya 😉
Buck • March 13, 2014 7:51 PM
Sorry, seems there’s a bug in my code…
I thought the checkDemocraticStatusVersus() method should update the value for NSA.status, but it appears to always just return ‘true’ 🙁
Chris Abbott • March 13, 2014 9:35 PM
I wonder what key exchanges they can exploit to recover the key. In terms of SIP, would ZRTP be the answer to something like this?
Wael • March 14, 2014 12:31 AM
@name.withheld.for.obvious.reasons,
while (democratic republic) {
NSA != democratic institution
};
Has a teeny weeny bug…
The expression “NSA != democratic institution” doesn’t assign any value to NSA. It only evaluates to true or false (1 or 0), and that is the value of the expression. The value of NSA isn’t changed. So this is probably another way of doing it:
while (democratic_republic) {
NSA = !democratic_institution;
};
Amazing the difference a transposition of two symbols makes!
The assumption is there are only two choices for NSA. And the correction I put is also buggy. You’d want to explicitly assign the value to the NSA variable rather than the negation of the other value. You could fix that with two typdefs or an enum. Then again, you can draw a UML use case diagram, a sequence and timing diagrams, use agile development model, and impress a ton of people, but have a bug-to-line-of-code ratio (or density, if you will) of about 4:1 as opposed to the 1:3 you had — not counting the other minor ones 🙂
M_ZEL • March 14, 2014 1:30 AM
Serious question guys: I run OPENVPN on a DD-WRT router. I use certificates / keys I generated on a (true) air-gapped machine and lets just assume I got them into the Router and onto the OpenVPN client via secure means. My setup also uses the optional TLS Auth key on top of everything else.
Assume as well that the router is physically secure and correctly configured. I.e., no one is going to get in and get the keys or certs off of it, and that my client laptop is as well (i.e., the laptop isn’t owned and no one is getting the keys that aren’t supposed to be public from there).
I use OPENVPN when I’m working with clients on the road. The openvpn lets me access network shares from my home network, and also to route internet activity (e.g., online banking etc) over my trusted home office internet connection when I’m in coffee shops etc.
So what are the implications of these NSA slides? I am not a vpn genius, but short of having broken 2048 bit RSA or the underlying sym cipher (anything from AES128 to AES 256, or even Blowfish as an option), how in the world would man on the side or man in the middle get an evesdropper, even the NSA, anything but scrambled packets?
Am I missing something huge about the security of these set ups in general?
c.finley@microsoft.com • March 14, 2014 4:12 AM
@M_Zel your missing the point yes,
Your premise is built in with undeserved trust, the one that gos “I am only secure as my weakest weakest link”.
Cant post my full page comment on this right now 🙂 needs 4+ more iterations of the (personal risk) aggravated text removal process. I trust that process, its in my head, it starts and ends with me, it depends on no one else but me.
Should I trust this message is secure, nope, so i’m only posting 1/100th of the encrypted message as a protest HA!
Was my free speech opinion chilled, yea very much so.
The threat is not to your VPN or in your steps, if you were perfect and your tech perfect, I assert based on what we know of the NSA, your still screwed.
The holistic threat is to all of ecommerce and Tech trust,
We need a clock like the nuclear clock, which I would set at about 30 seconds to midnight.
They the NSA have started a process of unintended consequences or intended consequence that will end tech(as we know it?), create an Ayn Rand type end to tech and a permanent Neo Luddism gardener class society lead by none other than the biggest Luddites of our time, one would reasonable have to conclude is in the NSA ass hat planning office which pitched the idea of implants with endless budget, no moderation, no ethics and no concern but to feed a drunken lust for more exploitative capabilities which they conflate with an ethical role as heroic power star chamber group.
Just re-read en.wikipedia.org/wiki/Neo-Luddism
Now realizing the Luddites are probably in the NSA, EPA and State. Global warming ring a bell, how to better crash carbon emissions than by crashing tech and eCommerce. They wouldn’t justify the means to an end or do that, would they?
I think the NSA situation that the ends justifies the means will result in people getting turn off get disgusted and turn away from tech. No one will he held accountable it will just end when enough tech folks walk away.
—–BEGIN PGP MESSAGE—–
Version: Encryption Desktop 10.3.2 (Build 23100)
Charset: utf-8
snip….
qANQR1DBw04DnYMxJk32IUUQEACsY8w0angvdbAbngrBjggR1f2pLuuzyjMfhDeQ
+B/wvpk
EzXdoX2QPIxIe460Do9UE9DfVIx3ySv14VTFthscObTElfHcIxg54/lCKXD17Wbt
VnrnFJ6mtJZO98RBwP8wXRrISDa3hqsQ8qDyZfyjcOXrfg==
=Yqpm
—–END PGP MESSAGE—–
Peter Smith • March 14, 2014 4:13 AM
Linked page/site is not reachable
See article content also here (from Google Cache):
Dirk • March 14, 2014 6:44 AM
I have a theory for the VPN-Sniffing at least for Windows Agile-IKEv2 clients.
You see a Windows client connecting to a IPSec-IKEv2 host will accept a host certificate that is signed by any of his known CAs.
It will even send all known CA-Keyids to the server. In my strongswan logs I see >30 lines like this every time a Win7 client tries to connect:
received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
So a man in the middle attack would be fairly easy if one of the root CAs in Windows is compromised.
NSA could on the fly generate a host certificate for the VPN-host and pose as it.
So far I haven’t found the possibility to limit the allowed CAs that the IPSec windows client would accept only to my own CA.
@Benni
Literally, terrorists use phones. But does this mean that you must bug all phones (as the nsa is currently trying it)? This is the question that the responsible politicians must be asked.
So then by extension, literally, terrorists breathe air. Does this mean that we should poison all the air? Surely then we’d kill all the terrorists.
LEGAL DISCLAIMER: SINCE MASS SURVEILLANCE MEANS EVERYTHING YOU SAY ANYWHERE TO ANYONE AT ANY TIME CAN BE USED AGAINST YOU IN A COURT OF LAW (EVEN TO YOUR LAWYER), LET ME BE PERFECTLY CLEAR THAT I’M NOT PROMOTING MASS MURDER OR GENOCIDE. I’M ONLY INTENDING TO MAKE A POINT AT HOW STUPID AND RIDICULOUS THE “ENDS JUSTIFIES ANY MEANS” MENTALITY IS THAT JUSTIFIES MASS PHONE SURVEILLANCE.
Buck • March 14, 2014 4:02 PM
@Wael
After reading your comments, I should probably totally retract my algorithm… My ‘bug-to-line-of-code ratio’ is actually double that of what I previously thought!
My deFund() method has a serious low-level issue. It seems someone has surreptitiously patched it to no longer include the cost of necessary food & energy supplies with respect to inflation…
Wael • March 14, 2014 9:56 PM
@Buck,
My deFund() method has a serious low-level issue.
Repudiation rejected. No message authentication code or code digest was included in your original post. However, code is commercial quality. I say ship it then fix it in a service pack…
Buck • March 14, 2014 10:25 PM
Great to hear! We had already accidentally shipped it out to over 9000 global governments anyways 😉
Mitm • March 17, 2014 3:28 PM
@Bard > “The most intriguing bit for me is the box marked ‘CA Resources’. Is this where the NSA keep their (stolen/voluntarily handed over) CA root keys, so they can MITM the x509 key verification?”
Did Snowden copy the contents of this directory? Will he publish these? What would be the consequences if these were leaked?
Mr. Oh Great • March 18, 2014 10:25 AM
Oh great. I click on this link and my modem immediately starts acting odd; it appears it may have gone through a restart, but the log doesn’t show anything.
It could well be coincidence but it’s probably not unreasonable to assume that it’s not; targeting people interested in making and keeping secrets is pretty much NSA/GCHQ’s bread and butter.
KnottWhittingley • March 18, 2014 2:20 PM
Mr. Oh Great,
Yeah, this isn’t the best place to hang out if you don’t want to come to the attention of the NSA.
We know from their internal docs that they “hunt sys admins.” http://www.theregister.co.uk/2014/03/12/snowden_docs_show_nsas_malware_turbine_can_pump_out_millions_of_malware_attacks/
I’d guess they’re especially interested in people with a particular interest in making systems especially secure, I for several reasons.
I assume Bruce is targeted, so all our communications here put us in the Corporate Store.
I just wish I knew if it was NSA malware causing inscrutable errors my ATAPI interface and power management.
(If so, please fix it, NSA guys! Do you even have a tech support line I can call?)
Buck • March 18, 2014 10:50 PM
@KnottWhittingley
I just wish I knew if it was NSA malware causing inscrutable errors my ATAPI interface and power management.
Unfortunately, you’d best believe that at least somebody is doing such a thing :-\ I could probably explain the leg burns and almost melted laptop by manufacturers designing for Microsoft rather than the specifications… Although, I think, the sudden onset and subsequent resolution (requiring no effort on my own part, perhaps with the exception of some private griping), seems to suggest an earlier evolution of some persistent rootkits. Oh the prices you can pay for using a ‘non-standard’ system!
Also kinda curious is the Android that tries to claim it needs a charging when the battery still contains a current…
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Jan • March 13, 2014 11:08 AM
H.323 traffic can easily be decrypted when you act as a man-in-the-middle as the HAMMERSTEIN component does on page 4 of the slides. Its because virtually all vendors skip the (TLS) encryption of the signaling channel and the Diffie-Helmann keys are unprotected.
See my analysis of H.323 encryption on http://www.gnugk.org/h323-encryption.html.