mersenneforum.org  

Old 2013-09-30, 16:44   #298
xilman
Bamboozled!
 
 
"𒉺𒌌𒇷𒆷𒀭"
May 2003
Down not across


Live blog from Arjen Lenstra's event in Lausanne.
Old 2013-10-02, 16:26   #299
xilman
Bamboozled!
 
 
"𒉺𒌌𒇷𒆷𒀭"
May 2003
Down not across

An ill wind

Senior US intelligence officials have warned the shutdown of the US government "seriously damages" spy agencies' ability to protect the US.
Old 2013-10-02, 18:24   #300
kladner
 
 
"Kieren"
Jul 2011
In My Own Galaxy!


Oh golly gosh! I'm scared!
Old 2013-10-02, 20:28   #301
kladner
 
 
"Kieren"
Jul 2011
In My Own Galaxy!

HARDWARE trojans, eek!

http://www.gizmag.com/doping-level-h...ography/29220/

Undetectable hardware Trojans could subvert cryptographic security

Teaser:
Quote:
Researchers have shown that it is possible to compromise the functioning of a cryptographic chip without changing its physical layout. Based on altering the distribution of dopants in a few components on the chip during fabrication, this method represents a big challenge for cyber-security as it is nearly impossible to detect with any currently practical detection scheme.
Old 2013-10-02, 20:29   #302
ewmayer
2ω=0
 
 
Sep 2002
RepĂșblica de California


Quote:
Originally Posted by xilman View Post
RSA Data Security has released a warning not to use one of its products.
More on RSA's fubar below, but based on various web discussions I have seen of this, I think there may be some misunderstanding of the nature of the bad-RNG exploit ... the point is not to convince vendors/users that the compromised RNG should be the one of choice - in fact no vendor in their right mind would make it the default RNG. The point is to get the known-bad RNG distributed as widely as possible, even though it will be unused [*cough*]. Nice piece in Wired about this - I'll preface a link with the article snip which illustrates the "widespreadness" aspect:
Quote:
The U.S. government has enormous purchasing power, and vendors soon were forced to implement the suspect standard as a condition of selling their products to federal agencies under so-called FIPS certification requirements. Microsoft added support for the standard, including the elliptic curve random-number generator, in a Vista update in February 2008, though it did not make the problematic generator the default algorithm.
Here is the article link:

How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA
Quote:
In August 2007, a young programmer in Microsoft’s Windows security group stood up to give a five-minute turbo talk at the annual Crypto conference in Santa Barbara.

It was a Tuesday evening, part of the conference’s traditional rump session, when a hodge-podge of short talks are presented outside of the conference’s main lineup. To draw attendees away from the wine and beer that competed for their attention at that hour, presenters sometimes tried to sex up their talks with provocative titles like “Does Bob Go to Prison?” or “How to Steal Cars – A Practical Attack on KeeLoq” or “The Only Rump Session Talk With Pamela Anderson.”

Dan Shumow and his Microsoft colleague Niels Ferguson titled theirs, provocatively, “On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng.” It was a title only a crypto geek would love or get.

The talk was only nine slides long (.pdf). But those nine slides were potentially dynamite. They laid out a case showing that a new encryption standard, given a stamp of approval by the U.S. government, possessed a glaring weakness that made an algorithm in it susceptible to cracking. But the weakness they described wasn’t just an average vulnerability, it had the kind of properties one would want if one were intentionally inserting a backdoor to make the algorithm susceptible to cracking by design.
The article goes on to mention the "muted response" to the disclosure, noting that since the glaring-vulnerability has been well-known since at least the above 2007 talk, in essence only an idiot or someone working hand in glove with the government surveillers would knowingly use it in their crypto suites. I leave it to the reader to decide which of the 2 possibilities best fits RSA labs:
Quote:
On Thursday, corporate giant RSA Security publicly renounced Dual_EC_DRBG, while also conceding that its commercial suite of cryptographic libraries had been using the bad algorithm as its default algorithm for years.
Despite RSA's disclosure-of-usage, several denials-of-real-vulnerability follow (for our non-EFL readers, the "Boris and Natasha" quip is a Bullwinkle reference):
Quote:
Jon Callas, the CTO of Silent Circle, whose company offers encrypted phone communication, delivered a different rump session talk at the Crypto conference in 2007 and saw the presentation by Shumow. He says he wasn’t alarmed by it at the time and still has doubts that what was exposed was actually a backdoor, in part because the algorithm is so badly done.

“If [NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them,” he says. “Because this was really ham-fisted. When you put on your conspiratorial hat about what the NSA would be doing, you would expect something more devious, Machiavellian ... and this thing is just laughably bad. This is Boris and Natasha sort of stuff.”
And
Quote:
Asked why Microsoft supported the algorithm when two of its own employees had shown it to be weakened, a second Microsoft senior manager who spoke with WIRED said that while the weakness in the algorithm and standard was “weird” it “wasn’t a smoking gun.” It was more of an “odd property.”

Microsoft decided to include the algorithm in its operating system because a major customer was asking for it, because it had been sanctioned by NIST, and because it wasn’t going to be enabled as the default algorithm in the system, thus having no impact on other customers.

“In fact it is nearly impossible for any user to implement or to get this particular random number generator instantiating on their machines without going into the guts of the machine and reconfiguring it,” he says.
As soon as I read the last-underlined snip above, I thought to myself "maybe the point is not to give 'regular' users easy access to it ... maybe this is an RNG analog of the "turning your smartphone's mic or GPS on even when you think it's turned off" ploy - in this case, allowing 'someone' to switch the system into unsafe-RNG mode." Bingo:
Quote:
But one advantage to having the algorithm supported in products like Vista — and which may be the reason the NSA pushed it into the standard — is that even if it’s not the default algorithm for encryption on a system, as long as it’s an option on the system, an intruder, like the NSA, can get into the system and change the registry to make it the default algorithm used for encryption, thereby theoretically making it easy for the NSA to undermine the encryption and spy on users of the machine.

[Bruce] Schneier says this is a much more efficient and stealth way of undermining the encryption than simply installing a keystroke logger or other Trojan malware that could be detected.

“A Trojan is really, really big. You can’t say that was a mistake. It’s a massive piece of code collecting keystrokes,” he said. “But changing a bit-one to a bit-two [in the registry to change the default random number generator on the machine] is probably going to be undetected. It is a low conspiracy, highly deniable way of getting a backdoor. So there’s a benefit to getting it into the library and into the product.”
Now, this tells us that the "perfect" way of deploying such a "trick the system into using the compromised RNG when the user thinks he is getting the good RNG" exploit would be to not even have to toggle one or 2 bits in an internal OS flag like a Windows registry key, but rather to somehow cause the system to switch-to-bad-RNG stealthily at runtime, without leaving any filesystem-based traces. I don't know to what extent the various OSes which include the bad RNG - which I presume include SELinux - permit such a "silent but deadly" vulnerability, but even the registry-bit-based possibility likely renders the vast majority of "ordinary users" vulnerable. We're talking about what is effectively the world's best hacker collective here; if one thinks they don't have ways to do the above kind of bit-fiddling which have been rendered undetectable by commercial virus-scan software, I suspect one is being very naive.
Old 2013-10-02, 20:30   #303
ewmayer
2ω=0
 
 
Sep 2002
RepĂșblica de California


o Related background: http://en.wikipedia.org/wiki/Dual_EC_DRBG, which nicely describes the "asymmetric backdoor" aspect of the compromised PRNG, which makes it (virtually) unexploitable by third parties knowing of the existence of the backdoor:
Quote:
This is an asymmetric backdoor as defined in cryptovirology which uses public-key encryption: the designer of the algorithm generates a keypair consisting of the public and private key; the public key is published as the algorithm's constants, while the private key is kept secret. It employs the discrete-log kleptogram introduced in Crypto 1997.[9] Whenever the algorithm is being used, the holder of the private key can decrypt its output, revealing the state of the PRNG, and thereby allowing him to predict any future output. Yet for third parties, there is no way to detect the existence of the private key (nor to prove the non-existence of any such key). However, Appendix A.2 of the NIST document, which describes the weakness, does contain a method of generating a new keypair which will repair the backdoor if it exists.
o Some additional interesting thoughts by Johns Hopkins' Matthew Green at his crypto blog:
Quote:
there are basically three ways to break a cryptographic system. In no particular order, they are:

1. Attack the cryptography. This is difficult and unlikely to work against the standard algorithms we use (though there are exceptions like RC4.) However there are many complex protocols in cryptography, and sometimes they are vulnerable.

2. Go after the implementation. Cryptography is almost always implemented in software -- and software is a disaster. Hardware isn't that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors.

3. Access the human side. Why hack someone's computer if you can get them to give you the key?
...

Of the libraries above, Microsoft is probably due for the most scrutiny. While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source. You can view Microsoft's code (if you sign enough licensing agreements) but you'll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect.

And this is a problem because Microsoft IIS powers around 20% of the web servers on the Internet -- and nearly forty percent of the SSL servers! Moreover, even third-party encryption programs running on Windows often depend on CAPI components, including the random number generator. That makes these programs somewhat dependent on Microsoft's honesty.

Probably the second most likely candidate is OpenSSL. I know it seems like heresy to imply that OpenSSL -- an open source and widely-developed library -- might be vulnerable. But at the same time it powers an enormous amount of secure traffic on the Internet, thanks not only to the dominance of Apache SSL, but also due to the fact that OpenSSL is used everywhere. You only have to glance at the FIPS CMVP validation lists to realize that many 'commercial' encryption products are just thin wrappers around OpenSSL.

Unfortunately while OpenSSL is open source, it periodically coughs up vulnerabilities. Part of this is due to the fact that it's a patchwork nightmare originally developed by a programmer who thought it would be a fun way to learn Bignum division.* Part of it is because crypto is unbelievably complicated. Either way, there are very few people who really understand the whole codebase.

On the hardware side (and while we're throwing out baseless accusations) it would be awfully nice to take another look at the Intel Secure Key integrated random number generators that most Intel processors will be getting shortly. Even if there's no problem, it's going to be an awfully hard job selling these internationally after today's news.

Last fiddled with by ewmayer on 2013-10-02 at 20:31
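The asymmetric backdoor that the Wikipedia passage quoted in the post above describes, as an added example (this is not code from the thread, from NIST or from RSA): a toy Dual_EC_DRBG over a constructed 14-bit curve. The designer keeps d, publishes P and Q = d*P, and whoever holds e = d^-1 can lift one truncated output back to a curve point, multiply it by e, and read off the generator's next internal state, which is exactly the "decrypt its output, revealing the state of the PRNG" step in the quote. The curve parameters, the seed, the 4-bit truncation and every function name here are constructed for the demo; the real generator runs on NIST P-256 and drops the top 16 of 256 bits per block, so the attacker there enumerates 2^16 lifts instead of 16.

```python
"""Toy Dual_EC_DRBG with its kleptographic trapdoor. Added example for this
thread; not code from NIST, RSA or any poster. Curve, seed and truncation
width are constructed: the real standard uses NIST P-256 and drops the top 16
of 256 bits per block, so the attacker there tries 2**16 lifts, not 16."""
from math import gcd

# Constructed toy curve y^2 = x^3 + a*x + b over F_p, with p % 4 == 3 so that
# a square root is just z^((p+1)/4).
p = 10007
a, b = p - 3, 7
assert (4 * pow(a, 3, p) + 27 * b * b) % p != 0, "singular curve"
INF = None                                  # point at infinity

def add(P1, P2):
    """Affine point addition."""
    if P1 is INF or P2 is INF:
        return P2 if P1 is INF else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                          # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    """Dual EC's phi(): the x-coordinate (INF mapped to 0, never hit here)."""
    return 0 if pt is INF else pt[0]

def lift_x(x):
    """A point with this x-coordinate (either sign of y will do), or None."""
    rhs = (x * x * x + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

def group_order():
    """Brute-force point count; only feasible because p is tiny."""
    n = 1                                   # the point at infinity
    for x in range(p):
        ls = pow((x * x * x + a * x + b) % p, (p - 1) // 2, p)  # 0, 1 or p-1
        n += 1 + (ls == 1) - (ls == p - 1)
    return n

# ---- the designer's key generation: the step the standard never showed ----
P = next(pt for pt in map(lift_x, range(1, p)) if pt and pt[1])  # base point
N = group_order()
d = 1337                                    # private key, never published
while gcd(d, N) != 1:
    d += 1
Q = mul(d, P)                               # published as an "arbitrary" constant
e = pow(d, -1, N)                           # trapdoor: e*Q == P

# ---- the DRBG (simplified: no additional input, no reseed) ----
DROP = 4                                    # top bits discarded from each r_i
OUT_BITS = p.bit_length() - DROP            # 14-bit x-coordinates -> 10 bits out
MASK = (1 << OUT_BITS) - 1
SEED = 0x2A5C                               # constructed seed for the demo

def generate(s, n):
    """Run n steps from state s; return (truncated outputs, final state)."""
    outs = []
    for _ in range(n):
        s = x_of(mul(s, P))                 # s_i = x(s_{i-1} * P)
        outs.append(x_of(mul(s, Q)) & MASK) # r_i = x(s_i * Q), top bits dropped
    return outs, s

# ---- the attacker, holding e ----
def recover_state(observed):
    """Recover the state following the last of >= 2 consecutive outputs.
    Lifting observed[0] gives R = s_i*Q up to sign; e*R = s_i*P, whose
    x-coordinate is s_{i+1}. The later outputs weed out wrong lifts."""
    for hi in range(1 << DROP):
        x = observed[0] | (hi << OUT_BITS)
        if x >= p or (R := lift_x(x)) is None:
            continue
        s = x_of(mul(e, R))                 # candidate s_{i+1}
        if (x_of(mul(s, Q)) & MASK) != observed[1]:
            continue
        replay, final = generate(s, len(observed) - 2)
        if replay == observed[2:]:
            return final
    return None

if __name__ == "__main__":
    outs, _ = generate(SEED, 8)
    state = recover_state(outs[:3])         # attacker sees only three outputs
    print("victim's next outputs:", outs[3:])
    print("attacker's prediction:", generate(state, 5)[0])
```

Running the file prints the victim's fourth to eighth outputs next to the attacker's prediction computed from the first three alone. Two things worth noticing: the sign of the lifted point never matters, because e*R and e*(-R) share an x-coordinate, and the attack costs only 2^DROP lifts, so the standard's choice to drop just 16 bits is what kept it cheap. The repair the quote attributes to Appendix A.2 amounts to generating a fresh Q for which nobody knows the discrete log d relative to P; the generator code itself does not change.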
Old 2013-10-03, 20:54   #304
Xyzzy
 
 
"Mike"
Aug 2002


http://arstechnica.com/tech-policy/2...eted-killings/
Old 2013-10-03, 21:27   #305
Nick
 
 
Dec 2012
The Netherlands


Belgacom (the biggest Belgian telco) has confirmed that their networks were penetrated by GCHQ (the British equivalent of the NSA). They appear to have targeted international organisations in Brussels.

Some members of the European Parliament have already raised the question of criminal prosecutions.
Old 2013-10-03, 21:46   #306
kladner
 
 
"Kieren"
Jul 2011
In My Own Galaxy!


Quote:
Originally Posted by Xyzzy View Post
Quote:
He dismissed the idea and said that while the US does not conduct assassinations, it does conduct “targeted killings.”
Oh, well. That's different, of course! I feel SO much better!
Old 2013-10-04, 05:41   #307
cheesehead
 
 
"Richard B. Woods"
Aug 2002
Wisconsin USA


Quote:
Originally Posted by kladner View Post
Oh, well. That's different, of course! I feel SO much better!
An assassination is a targeted killing in which the target is a politician or high official.
Old 2013-10-04, 07:31   #308
LaurV
Romulan Interpreter
 
 
Jun 2011
Thailand


I would say that assassination is killing someone in your team.
Killing somebody in another team is heroism. targeted killing.
This forum has received and complied with 0 (zero) government requests for information.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.