The security industry’s collective head is spinning, thanks to the NSA. A week after it emerged that the U.S. intelligence agency has “some capabilities” against basic internet security mechanisms, no one is much the wiser as to what those capabilities are — which means everything is in doubt.
There’s even a grain of doubt (just a grain) regarding the core math behind modern cryptography. Experts such as Bruce Schneier and Phil Zimmermann are confident that the core math is sound, and that the NSA is exploiting weaknesses in today’s cryptographic implementations. They’re almost certainly correct, but some observers, such as Columbia University mathematician Peter Woit, have noted that some kind of secret advance is not out of the question.
The fundamental problem is that the NSA and the security community — certainly in the United States — have worked closely together for many years. After all, the rationale went, the NSA wants to make sure Americans are secure, and the agency also employs some of the brightest minds in the business:
Of course there have always been suspicions, but until this year the NSA has been a regular fixture at the big security conferences, trading tips with the industry’s white hat hackers. And why not? They weren’t the enemy then.
They are now, and the industry is now trying to figure out what’s been compromised and what hasn’t. In the absence of substantive details (for which Edward Snowden didn’t have security clearance), the assumption must be to distrust everything; security professionals wouldn’t be doing their jobs otherwise.
So, bearing in mind that we’re in the territory of healthy paranoia here rather than hard fact, here’s what’s under suspicion.
Standard elliptic curve cryptography (ECC)
This is a more recently developed alternative to common RSA-based cryptography that basically allows for shorter keys. The NSA is really keen on it and, worse, the Snowden papers confirmed suspicions that the NSA had deliberately weakened an ECC-based random number generator called Dual_EC_DRBG that it was trying to get the industry to use.
Remember that random number generators are a critical part of cryptography — if they’re not really generating random numbers, it’s a lot easier to break the encryption based on those numbers.
As it happened, Dual_EC_DRBG was slow and few adopted it (though Microsoft supports it in Windows), but it became a standard anyway and this week the standardizing body — the National Institute of Standards and Technology (NIST) — responded to the Snowden revelations by recommending against its use and re-issuing the draft for public comment. NIST, incidentally, has denied deliberately weakening any cryptographic standards itself.
As Woit wrote: “The mathematics being used here involves some very non-trivial number theory, and it’s an interesting question to ask how much more the NSA knows about this than the rest of the math community.”
TLS/SSL and IPsec
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the technologies that enable secure online connections – the encryption that allows the “https” prefix and the little green padlock in your address bar. Thanks to Snowden, we know TLS/SSL is at least partially compromised, but how?
What’s most likely (but, as with everything else, not certain) is that the NSA compromises the certificates that are issued to denote a site’s security. The certificate authorities (CAs) that issue these are of varying quality, and some have themselves been hacked (the 2011 DigiNotar breach was so major that it sank the company). Also, the biggest CAs — Symantec, Comodo, GoDaddy — are all based in the United States, which will set alarm bells ringing for many.
GlobalSign, a major CA that is based in Japan but has offices in the United States, felt the need on Tuesday to assure its customers that it has “never received a request from any government to forward any key material or to certify any keys with any identity, domain name or organization information that was not legitimate.” It also said it would fight any such requests, and pointed out that unlike its rivals it has pledged to “provide notice to customers when we receive any requests for their data.”
Then again, it seems the NSA may not need the CA’s participation in many cases. One detail that came out in last weekend’s Brazilian espionage revelations was that the NSA’s “Flying Pig” program sees the agency hacking into targets’ routers and faking the certificates of providers like Google in order to intercept traffic flowing over those firms’ encrypted connections — a so-called “man-in-the-middle” attack.
So what about the newer IPsec standard that’s supposed to protect all IP communications? As EFF co-founder John Gilmore, who closely observed the IPsec standardization process, recently wrote, NSA employees were closely involved throughout and acted to severely weaken the standard.
Open-source software is supposed to be the great security hope, because anyone can audit the code. It is vastly preferable to proprietary software in that sense, but it may not be foolproof.
Some worry about Security-Enhanced Linux, or SELinux, which is a security module that was brought into the Linux kernel itself a decade ago. It was developed by the NSA, ostensibly so Linux can meet U.S. government security requirements, and a version recently came out for Android, which is of course based on Linux.
SELinux’s activation isn’t mandatory — for example, SUSE Linux Enterprise Desktop 11 still only includes it as a technology preview. But although it’s been pretty well-reviewed by Linux developers, there have long been suspicions about possible backdoors.
Then there’s RDRAND, a partly NSA-derived instruction in some recent Intel processors for generating (here we go again) random numbers. Someone recently started a petition for Linux to drop RDRAND from its random number generation processes, only to elicit this supremely tetchy response from Linus Torvalds:
“Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong. Short answer: we actually know what we are doing. You don’t.”
Torvalds’s point was that RDRAND is only one of several inputs into Linux random number generation, so it doesn’t matter whether it’s backdoored or not. But either way, the incident was a handy indicator of the sort of paranoia that’s going around right now.
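The argument Torvalds is making (and the point above about random numbers being critical) can be checked with a small model. This is an added example written for this article, not code from the Linux kernel: it models a pool that hashes several entropy inputs together and XORs a hardware-RNG word into the output, and shows that an adversary who knows the hardware word can only predict the output when no other, independent input was mixed in. The helper names, the fixed hardware word and the sample inputs are all constructed for the demonstration.

```python
import hashlib
import secrets

# Simplified model of an entropy pool (constructed here; this is NOT
# drivers/char/random.c). Inputs are hashed together; a hardware word
# (standing in for an RDRAND-style source) is XORed in at extraction time.

def mix_pool(inputs: list) -> bytes:
    """Hash every contributed input, length-prefixed, into a 32-byte pool state."""
    h = hashlib.sha256()
    for chunk in inputs:
        h.update(len(chunk).to_bytes(4, "big") + chunk)
    return h.digest()

def extract(pool: bytes, hw_word: bytes) -> bytes:
    """Derive a 32-byte output block, XORing the hardware word in as the last step."""
    out = hashlib.sha256(b"extract" + pool).digest()
    return bytes(a ^ b for a, b in zip(out, hw_word))

def attacker_prediction(known_inputs: list, hw_word: bytes) -> bytes:
    """Output an adversary predicts if they know only these inputs plus the hw word."""
    return extract(mix_pool(known_inputs), hw_word)

def hw_only_is_predictable() -> bool:
    """Worst case: hardware word is the ONLY entropy and the adversary knows it."""
    hw = b"\x11" * 32      # constructed: a hardware word assumed known to the adversary
    pool_inputs = []       # nothing else was mixed in
    real = extract(mix_pool(pool_inputs), hw)
    return attacker_prediction(pool_inputs, hw) == real  # True: fully predictable

def independent_entropy_defeats_prediction() -> bool:
    """Torvalds's case: the same known hw word plus an input the adversary lacks."""
    hw = b"\x11" * 32
    timing_noise = secrets.token_bytes(16)          # e.g. interrupt timings, unknown to adversary
    pool_inputs = [b"constructed boot-id", timing_noise]
    real = extract(mix_pool(pool_inputs), hw)
    guess = attacker_prediction([b"constructed boot-id"], hw)  # adversary lacks timing_noise
    return guess != real   # True: knowing the hw word alone buys nothing

if __name__ == "__main__":
    print("hw word alone predictable:", hw_only_is_predictable())
    print("with independent input, prediction fails:", independent_entropy_defeats_prediction())
```

The reverse also holds in this model: an adversary who knows every pool input but not the hardware word is equally stuck, which is why a single suspect source is tolerated rather than trusted.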
In a sense, the NSA revelations have given the security industry a healthy shakeup. As Zooko Wilcox-O’Hearn, the CEO of secure storage outfit Least Authority, tweeted on Tuesday:
It's a real pleasure to see scientists, hackers, entrepreneurs, and activists all working hard on crypto, again. Like the good old days.
— zooko (@zooko) September 11, 2013
But the reality is that the industry is also in pain — these people know just enough to distrust everything, but not enough to move forward yet. As Mikko Hypponen, chief research officer at Finnish security firm F-Secure, told me today:
“I’m having no fun at all. U.S. intelligence agencies are playing a dangerous game. If you build backdoors into security systems, do not be surprised if your enemy uses them. Infiltrating standardization bodies for the purpose of weakening security systems is simply wrong.”
Those in the security industry have had the rug pulled out from under them. After all, they’re the ones who protect everyone else, and right now they don’t know what they can and can’t promise. Hopefully, that situation will change with time.