Entries Tagged "NSA"

Page 50 of 54

Mujahideen Secrets 2

Mujahideen Secrets 2 is a new version of an encryption tool, ostensibly written to help Al Qaeda members encrypt secrets as they communicate on the Internet.

A bunch of sites have covered this story, and a couple of security researchers are quoted in the various articles. But quotes like this make you wonder if they have any idea what they’re talking about:

Mujahideen Secrets 2 is a very compelling piece of software, from an encryption perspective, according to Henry. He said the new tool is easy to use and provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version.

No one has explained why a terrorist would use this instead of PGP—perhaps they simply don’t trust anything coming from a U.S. company. But honestly, this isn’t a big deal at all: strong encryption software has been around for over fifteen years now, either cheap or free. And the NSA probably breaks most of the stuff by guessing the password, anyway. Unless the whole program is an NSA plant, that is.

My question: the articles claim that the program uses several encryption algorithms, including RSA and AES. Does it use Blowfish or Twofish?

Posted on February 8, 2008 at 5:39 AMView Comments

NSA Monitoring U.S. Government Internet Traffic

I have mixed feeling about this, but in general think it is a good idea:

President Bush signed a directive this month that expands the intelligence community’s role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies’ computer systems.

The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies—including ones they have not previously monitored.

[…]

The classified joint directive, signed Jan. 8 and called the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, has not been previously disclosed. Plans to expand the NSA’s role in cyber-security were reported in the Baltimore Sun in September.

According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the “cyber initiative,” aimed at securing the government’s computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget.

[…]

Under the initiative, the NSA, CIA and the FBI’s Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said.

The Pentagon can plan attacks on adversaries’ networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry’s, sources said.

Also, as part of its attempt to defend government computer systems, the Department of Homeland Security will collect and monitor data on intrusions, deploy technologies for preventing attacks and encrypt data. It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks.

My concern is that the NSA is doing the monitoring. I simply don’t like them monitoring domestic traffic, even domestic government traffic.

EDITED TO ADD: Commentary.

Posted on February 4, 2008 at 6:30 AMView Comments

NSA Backdoors in Crypto AG Ciphering Machines

This story made the rounds in European newspapers about ten years ago—mostly stories in German, if I remember—but it wasn’t covered much here in the U.S.

For half a century, Crypto AG, a Swiss company located in Zug, has sold to more than 100 countries the encryption machines their officials rely upon to exchange their most sensitive economic, diplomatic and military messages. Crypto AG was founded in 1952 by the legendary (Russian born) Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold 140,000 of his machine to the US Army.

“In the meantime, the Crypto AG has built up long standing cooperative relations with customers in 130 countries,” states a prospectus of the company. The home page of the company Web site says, “Crypto AG is the preferred top-security partner for civilian and military authorities worldwide. Security is our business and will always remain our business.”

And for all those years, US eavesdroppers could read these messages without the least difficulty. A decade after the end of WWII, the NSA, also known as No Such Agency, had rigged the Crypto AG machines in various ways according to the targeted countries. It is probably no exaggeration to state that this 20th century version of the “Trojan horse” is quite likely the greatest sting in modern history.

We don’t know the truth here, but the article lays out the evidence pretty well.

See this essay of mine on how the NSA might have been able to read Iranian encrypted traffic.

Posted on January 11, 2008 at 6:51 AMView Comments

The Strange Story of Dual_EC_DRBG

Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

Generating random numbers isn’t easy, and researchers have discovered lots of problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator. With John Kelsey and Niels Ferguson in 1999, I co-authored Yarrow, a random-number generator based on our own cryptanalysis work. I improved this design four years later—and renamed it Fortuna—in the book Practical Cryptography, which I co-authored with Ferguson.

The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 (.pdf), the 130-page document contains four different approved techniques, called DRBGs, or “Deterministic Random Bit Generators.” All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It’s smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.

But one of those generators—the one based on elliptic curves—is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it’s also three orders of magnitude slower than its peers. It’s in the standard only because it’s been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.

The NSA has always been intimately involved in U.S. cryptography standards—it is, after all, expert in making and breaking secret codes. So the agency’s participation in the NIST (the U.S. Commerce Department’s National Institute of Standards and Technology) standard is not sinister in itself. It’s only when you look under the hood at the NSA’s contribution that questions arise.

Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn’t large enough to make the algorithm unusable—and Appendix E of the NIST standard describes an optional work-around to avoid the issue—but it’s cause for concern. Cryptographers are a conservative bunch: We don’t like to use algorithms that have even a whiff of a problem.

But today there’s an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.

This is how it works: There are a bunch of constants—fixed numbers—in the standard used to define the algorithm’s elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

The researchers don’t know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.

Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants—and has the secret numbers. We don’t know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.

We don’t know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there’s no way for NIST—or anyone else—to prove otherwise.

This is scary stuff indeed.

Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm’s elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.

It’s possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. But the procedure is optional, and my guess is that most implementations of the Dual_EC_DRBG won’t bother.

If this story leaves you confused, join the club. I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

My recommendation, if you’re in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

In the meantime, both NIST and the NSA have some explaining to do.

This essay originally appeared on Wired.com.

Posted on November 15, 2007 at 6:08 AMView Comments

NSA's Public Relations Campaign Targets Reporters

Your tax dollars at work:

Frustrated by press leaks about its most sensitive electronic surveillance work, the secretive National Security Agency convened an unprecedented series of off-the-record “seminars” in recent years to teach reporters about the damage caused by such leaks and to discourage reporting that could interfere with the agency’s mission to spy on America’s enemies.

The half-day classes featured high-ranking NSA officials highlighting objectionable passages in published stories and offering “an innocuous rewrite” that officials said maintained the “overall thrust” of the articles but omitted details that could disclose the agency’s techniques, according to course outlines obtained by The New York Sun.

Posted on October 4, 2007 at 3:11 PMView Comments

NASA Using 1960s Cryptanalysis Techniques

Well, sort of.

This paper from the Goddard Space Center, “NiCd Space Battery Test Data Analysis Project, Phase 2 Quarterly Report, 1 Jan. – 30 Apr. 1967,” uses “cryptanalytic techniques”—some sort of tri-gram frequency analysis, I think—to ferret out hidden clues about battery failures.

It’s hard to imagine non-NSA cryptography in the U.S. from the 1960s. Basically, it was all alphabetic stuff. Even rotor machines were highly classified, and absolutely nothing was being done in binary.

Posted on September 27, 2007 at 6:14 AMView Comments

More on the German Terrorist Plot

This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn’t explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.

The US intelligence agencies, the NSA and CIA, provided the most important information: copies of messages between German Islamists and their contacts in Pakistan. Three people in Germany were apparently the ones maintaining contact. The first was a man with the pseudonym “Muaz,” who investigators suspected was Islamist Attila S., 22. The second was a man named “Zafer,” from the town of Neunkirchen, who they believed was Zafer S., an old friend of Daniel S., one of the three men arrested last week. According to his father, Hizir S., Zafer is currently attending a language course in Istanbul. The third name that kept reappearing in the emails the NSA intercepted was “Abdul Malik,” a.k.a. Fritz Gelowicz, who prosecutors believe was the ringleader of the German cell, a man Deputy Secretary Hanning calls “cold-blooded and full of hate.”

[…]

While at the Pakistani camp in the spring of 2006, Adem Y. and Gelowicz probably discussed ways to secretly deliver messages from Pakistan to Germany. They used a Yahoo mailbox, but instead of sending messages directly, they would store them in a draft folder through which their fellow Islamists could then access the messages. But it turned out that the method they hit upon had long been known as an al-Qaida ploy. The CIA, NSA and BKA had no trouble monitoring the group’s communications. Two men who went by the aliases “Sule” or “Suley” and “Jaf” kept up the contact from the IJU side.

This is also interesting, given the many discussions on this blog and elsewhere about stopping people watching and photographing potential terrorist targets:

Early in the evening of Dec. 31, 2006, a car containing several passengers drove silently past the Hutier Barracks in Lamboy, a section of the western German city of Hanau. Hanau is known as the home of a major US military base, where thousands of US soldiers live and routinely look forward to celebrating New Year’s Eve in their home away from home. The BfV’s observation team later noted that the car drove back and forth in front of the barracks several times. When German agents finally stopped the car, they discovered that the passengers were Fritz Gelowicz, Attila S. from the southern city of Ulm, Ayhan T. from Langen near Frankfurt and Dana B., a German of Iranian descent from Frankfurt who, when asked what he and the others were doing there, claimed that they had just wanted to see “how the Americans celebrate New Year’s Eve.”

Posted on September 21, 2007 at 4:00 AMView Comments

Interview with National Intelligence Director Mike McConnell

Mike McConnell, U.S. National Intelligence Director, gave an interesting interview to the El Paso Times.

I don’t think he’s ever been so candid before. For example, he admitted that the nation’s telcos assisted the NSA in their massive eavesdropping efforts. We already knew this, of course, but the government has steadfastly maintained that either confirming or denying this would compromise national security.

There are, of course, moments of surreality. He said that it takes 200 hours to prepare a FISA warrant. Ryan Single calculated that since there were 2,167 such warrants in 2006, there must be “218 government employees with top secret clearances sitting in rooms, writing only FISA warrants.” Seems unlikely.

But most notable is this bit:

Q. So you’re saying that the reporting and the debate in Congress means that some Americans are going to die?

A. That’s what I mean. Because we have made it so public. We used to do these things very differently, but for whatever reason, you know, it’s a democratic process and sunshine’s a good thing. We need to have the debate.

Ah, the politics of fear. I don’t care if it’s the terrorists or the politicians, refuse to be terrorized. (More interesting discussions on the interview here, here, here, here, here, and here.)

Posted on August 24, 2007 at 6:30 AMView Comments

The New U.S. Wiretapping Law and Security

Last week, Congress gave President Bush new wiretapping powers. I was going to write an essay on the security implications of this, but Susan Landau beat me to it:

To avoid wiretapping every communication, NSA will need to build massive automatic surveillance capabilities into telephone switches. Here things get tricky: Once such infrastructure is in place, others could use it to intercept communications.

Grant the NSA what it wants, and within 10 years the United States will be vulnerable to attacks from hackers across the globe, as well as the militaries of China, Russia and other nations.

Such threats are not theoretical. For almost a year beginning in April 2004, more than 100 phones belonging to members of the Greek government, including the prime minister and ministers of defense, foreign affairs, justice and public order, were spied on with wiretapping software that was misused. Exactly who placed the software and who did the listening remain unknown. But they were able to use software that was supposed to be used only with legal permission.

[…]

U.S. communications technology is fragile and easily penetrated. While advanced, it is not decades ahead of that of our friends or our rivals. Compounding the issue is a key facet of modern systems design: Intercept capabilities are likely to be managed remotely, and vulnerabilities are as likely to be global as local. In simplifying wiretapping for U.S. intelligence, we provide a target for foreign intelligence agencies and possibly rogue hackers. Break into one service, and you get broad access to U.S. communications.

More about the Greek wiretapping scandal. And I would be remiss if I didn’t mention the excellent book by Whitfield Diffie and Susan Landau on the subject: Privacy on the Line: The Politics of Wiretapping and Encryption.

Posted on August 9, 2007 at 3:29 PMView Comments

1 48 49 50 51 52 54

Sidebar photo of Bruce Schneier by Joe MacInnis.