Last Thursday brought significant new revelations about the capacities of the National Security Agency. While the articles in the New York Times, ProPublica, and The Guardian skirted around technical specifics, several broad themes came out.
- NSA has the capacity to read significant amounts of encrypted Internet traffic.
- NSA has some amount of cooperation from vendors to weaken cryptographic aspects of their products.
- NSA has a stable of exploits designed to break into specifically targeted computers (“tailored access”, in NSA parlance).
- NSA shares this technology with its counterparts at some of our close allies, apparently the “five eyes” group (USA, Canada, Great Britain, Australia, and New Zealand).
The NSA appears to be taking a holistic approach toward its interception technologies. Mix a dash of engineering weakness with a sprinkling of advanced mathematics on giant computing clusters, toss in some collaborating ISPs, shroud it all in secrecy, and they hope to have a capacity that none other could match. Since we still don’t know exactly what the NSA is doing, it is difficult to suggest how a user or a company might reengineer its processes to defeat NSA snooping. One NSA document says: “capabilities [of the NSA] against a technology” does not necessarily equate to decryption. In other words, they may have backdoors or other ways to get what they want without necessarily going head-on against the strength of something like Transport Layer Security (a.k.a. TLS, used every time you see a “lock” icon next to a web site you visit with https:// as part of the URL). We’ve already heard about the NSA’s metadata collections as well as their alleged direct access to webmail providers (concerning which many webmail providers have wanted to make public statements but have been legally squelched). These new revelations extend our understanding of the NSA’s capacities in important ways.
The most important implication of these articles, that the NSA has somehow arranged to have backdoor access to widely used devices and software libraries, has set off a storm of seemingly-justifiable paranoia within the technical community. Can we trust our Cisco routers or Microsoft web servers? Are open-source software distributions compromised with subtle bugs? It’s of course entirely possible that the NSA doesn’t need to have compromised these things because they’re often thoroughly riddled with security holes straight out of the box. For example, many server-class computers have a secondary computer within them for “lights out management”. A recent study found that most of these have glaring security vulnerabilities. If an attacker can compromise the management computer, they can take over the main computer as well, ensuring they don’t need to do anything heroic to break the cryptography.
It’s also worth noting that, well before Snowden started leaking documents, the security community was already concerned with weaknesses in standard ciphers. To pick one example, Google began rolling out key-strength upgrades to its external-facing cryptography earlier this year and has just announced that it’s planning to encrypt the high-speed links between its datacenters. When I connect to Google today and ask my browser what sort of crypto it’s using, it responds, “the connection is encrypted using RC4_128, with SHA1 for message authentication and ECDHE_ECDSA as the key exchange mechanism.” Each of those all-caps blurbs is part of a “cipher suite” used by your browser to build a cryptographically secure connection to the server. Notable within Google’s chosen cipher suite, RC4—the most widely used cipher on the Internet—has a growing history of weaknesses in the public literature, including some important new problems discovered earlier this year. We don’t know if the NSA has even stronger attacks than the public literature, but we do know that it’s time to migrate away from RC4. On the other hand, the ECDHE/ECDSA parts of Google’s cipher suite have an important “perfect forward secrecy” property, making it hard for an attacker who breaks one stream to break other ones. Microsoft’s Outlook.com and Yahoo’s Mail are using cipher suites with the newer AES (almost certainly stronger than RC4, although there are some issues with AES as well that the newest versions of TLS hopefully fix) and the older RSA (which may or may not be stronger than Google’s use of ECDSA, depending on whether the NSA has some secret attacks against elliptic curve cryptography; we don’t know). All of the components in a TLS cipher suite work together to protect communications against adversaries. If any one can be broken, the whole construction fails as well.
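As an added example (not part of the original post), the Python code below splits IANA-style cipher suite names into the components a browser reports and flags the two properties discussed above, use of RC4 and absence of forward secrecy, plus CBC mode. The suite names are constructed sample input (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA is the IANA name for the combination quoted above), and the function names are this example's own.

```python
import re

# IANA-style name: TLS_<key exchange>[_<authentication>]_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>[A-Z0-9]+)$")

# Ephemeral Diffie-Hellman variants are what give a suite forward secrecy.
EPHEMERAL_KX = {"DHE", "ECDHE"}


def parse_suite(name):
    """Split a suite name into the components a browser reports."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"expected TLS_<kx>_WITH_<cipher>_<hash>, got {name!r}")
    kx, _, auth = m["kx"].partition("_")
    # In TLS_RSA_* suites the RSA key does both key exchange and authentication.
    return {"kx": kx, "auth": auth or kx, "cipher": m["cipher"], "hash": m["hash"]}


def audit_suite(name):
    """Return the findings for one suite; an empty list means none were raised."""
    s = parse_suite(name)
    findings = []
    if s["kx"] not in EPHEMERAL_KX:
        # A later compromise of the server key exposes recorded sessions.
        findings.append("no-forward-secrecy")
    if s["cipher"].split("_")[0] == "RC4":
        findings.append("rc4")
    if s["cipher"].endswith("_CBC"):
        # CBC mode in TLS has known attacks (BEAST, Lucky Thirteen).
        findings.append("cbc-mode")
    return findings


# Constructed sample input, not captured from any real server.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, parse_suite(suite), audit_suite(suite) or "no findings")
```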
In the middle of these NSA revelations, one interesting new development is that The Guardian has retained the services of well-known cryptographer and security expert Bruce Schneier, working this year as a fellow at Harvard’s Berkman Center. Schneier has described his own process for handling documents originally sourced by NSA whistleblower Edward Snowden and has called for engineers at companies, who may have been asked to compromise their systems, to blow the whistle on these activities; Schneier claims that several have already done so. Needless to say, if anybody has the technical chops to protect himself and his sources, it’s Bruce Schneier, although he’s now going to be a “high value target”. How secure is an American citizen on American soil, at an American academic institution, if he’s handling information that our government doesn’t want to be more widely distributed? We may soon find out.
Schneier, echoing Snowden, points out that good crypto can still do its job. The math is fine. The challenge is that the computer code, which implements the math, might be subtly broken, because a software developer either made a mistake or deliberately planted one. At some point, though, we need to stop asking technical questions and focus on policy. The deeper question is whether the NSA should be intercepting so much data, much less whether it has adequate controls over that data once captured. Schneier notes that the NSA’s behavior can be used by other countries to justify their own malicious behaviors, such as censoring the Internet or intercepting the communications of home-grown anti-government activists. Certainly, we’re setting an ugly example for the world. Attractive as it might be for a spy agency to have an unlimited back catalog of everything said by anybody, including everybody they’ve spoken to and everywhere they’ve physically been, whatever benefits the NSA’s surveillance systems bring need to be weighed against competing goals of privacy and freedom, never mind the constitutionality of the NSA’s behavior. With the pending FOIA release of the previously secret legal justifications and case law that allow the NSA’s actions, the legality of the NSA’s behavior is going to become a hot topic.
Lastly, it’s useful to note that the NSA isn’t exclusively an espionage agency. It has another whole mission: to protect our nation. For example, NSA engineers have contributed important security features to the Linux operating system, which are now built into the latest Android phone software, and nobody is accusing them of doing this in bad faith. The NSA faces a curious existential threat, because the very research and engineering it’s doing to support its surveillance could also be spent toward improving our national infrastructure against others trying to attack us. Every time somebody at the NSA discovers a security hole, they could either press the vendor to fix it, or they could engineer an exploit for it into their surveillance infrastructure. Given the pervasive spread of networks in our country, we have a lot more to lose than other countries. Perhaps the totality of our national security posture would be improved if the NSA spent more time fixing problems than creating and exploiting them.
Sidebar: I often see the sorts of actions allegedly taken by the NSA referred to as “cyber-war”. I believe this is inappropriate, since it implies that every such action is, in some sense, an “act of war”. I prefer the terms “cyber-espionage” and “cyber-sabotage”, as appropriate. Of course, cyber-espionage, as with Bond, James Bond espionage, may well be an important component of a broader “kinetic” war effort, but it’s important to use the right terms when you’re trying to formulate a technical or policy response to what’s going on.
I have one thing to say about your sidebar: the NSA doesn’t respect the law, the constitution or agreements with other countries. And you wonder why some people cry war or revolution.
I notice my Freedom to Tinker’s SSL connection uses TLS 1.0. You should also migrate to TLS 1.1 or 1.2 since 1.0 has known weaknesses.