My personal theory: NSA has gotten in bed with the Hardware Security Module (HSM) vendors. There's essentially only two of them: SafeNet and Thales. SafeNet has bought up all the smaller players.
All of the big guys use HSMs to protect key material from intruders or malicious insiders. Key generation happens inside a sealed box from which the keys can never leave, except into another identically-configured sealed box from the same vendor. As such, there's no way to inspect the keys being generated - you have to trust the FIPS certification that it's being done correctly.
If--perhaps as part of the FIPS certification process--the NSA were to compromise the key generation function of a handful of popular HSM models, in one fell swoop they would have compromised all of the CAs, DNSSEC, Google, Microsoft, Facebook, Amazon, etc. (Not to mention all of the banks, credit card companies, etc.)
Further data point: in my experience talking to SafeNet at least, they employ a lot of ex-DoD folks who probably still have connections to their old bosses.
This is just speculation, but seems a likely attack vector.
Might be the tip of the iceberg. Without open source hardware and independent verification, the full supply chain of every shiny new widget is a question mark because of whichever governments/actors may happen to lean on suppliers. I think we need more decap teardowns and open source EDA functional disassembly tools. Otherwise, it's blind trust without enough tinfoil verification.
OpenSource is good but also false security, because there is no guarantee that the box is actually running the software, the real answer is diversification and distribution .
Yeah, I'd like to see a fully open HSM design, where the design can be audited by anyone, and the components are standard and/or easily inspectable by users. Attestation keys and final assembly are done by a trusted entity -- in the case of a bank, that might be ABA; in the case of Facebook, probably Facebook or maybe an industry association or EFF, and in the case of my personal server, me.
Fuck the FIPS process; if you made a decent design which was actually useful, a lot of non-FIPS-requiring entities would benefit from it. Design-to-meet, but let only those who actually need FIPS go through the process of assembling and certifying their particular instantiations of the open design for FIPS. For personal use, I'd consider an open design which never touches NIST to be more trustworthy than SafeNet or Thales products.
"Complete enabling for [REDACTED] encryption chips used in Virtual Private Network and web Encryption devices"
AND
"Large Internet companies use dedicated hardware to scramble traffic before it is sent. In 2013, the agency planned to be able to decode traffic that was encoded by one of these two encryption chips, either by working with the manufacturers of the chips to insert back doors or by exploiting a security flaw in the chips' design."
(Oh, so what's redacted are the names of two companies which sell this kind of hardware...)
My bet is on the core of AES, namely Joan Daemen' and Vincent Rijmen's substitution-permutation network hocus-pocus. A backdoor transformation would suffice to make all other paranoia superfluous.
The smart people like Schneier tend to think that the mathematics of modern encryption is solid. It seems much more likely that a backdoor in an algorithm is detected by academia than a backdoor in some hardware module or in the implementation of some proprietary software.
Plus, when you have an NSA asset in the place of "heda of security" at facebook... why would you think he were not doing things at facebook that made FB "compliant" with the way NSA wants them to be. I.E.: adopting the "known good" security appliances/policies/companies...
"Unless the feds know of a flaw in the Diffie-Hellman key exchange process at the heart of this scheme..."
The only flaw in the DHM algorithm is that it depends on a RNG.
It goes back to the fact that if the NSA has infiltrated the RNG, then DHM key exchange is merely a slight nuisance.
I wrote some software that patched out MS' CryptGenRandom() to only return 0x01's all day. I was easily able to then implement a MITM attack on Adobe RTMPE traffic all day long.
I'm stupid... Imagine what an NSA engineer could accomplish.
You're probably less stupid than you give yourself the credit for. But yes, NSA could do this. Still, this is not practical for dragnet surveillance.
I highly suspect "breaking most of the cryptography on the internet" is an over statement and that most of what they can break derive from people using weak cryptographic algorithms and/or making mistakes in the usage of cryptographic primitives.
I suppose if you had one RNG that's 0wned by the NSA, and another that's 0wned by the Chinese MSS, and another by the Russian FSB... and you assume they never ever work together or crack each others' systems, you could XOR their results together.
See, this is the kind of security thinking I can get behind. The kind of realist thinking that says "Ok, we should just assume we've been compromised by every major government entity. Now what."
Strangely, that is what my thoughts on snooping at this level has been for a while. Using a combination of compromising people and infra, it is easy to break pretty much anything if, as a state, you put your mind to it.
Unfortunately, the debate is mostly centered around if crypto is broken, while the question to ponder is why is the state suddenly forcing well-meaning people to start thinking like people who have something to hide.
My current best guess: A Hardware True Random Number Generator installed on one server combined with entropy broker to commingle all the entropy pools of the devices on my internal network into the entropy pool of that server and then serve that pool back to all devices acting as an entropy server.
My intent is that if there is a deliberate weakening of certain entropy sources, that my pool is sufficiently different to at least complicate attacks which are guided by information like browser signatures.
Maybe it's not a perfectly secure solution but hopefully my network isn't among the lowest hanging fruit.
No. You cannot outsource your random number generation unless you have an ultimately trusted third party. The important thing is that nobody knows your random numbers. After all, random.org could be malicious or compromised, too.
If I were the NSA, I'd definitively try to run a service (or two) like random.org. It'll probably be cheaper than my tor exit nodes, and mixmaster remailers...
As in most of these technological failures, the problem may just be between the keyboard and chair. I never cease to be amazed at the seemingly insurmountable odds people defeat to ensure something breaks somewhere in the least predictable way possible. In such an atmosphere, deliberate sabotage or sci-fi caliber cracking hardware are the least of your worries.
The trouble is, well-done deliberate sabotage is very hard to distinguish from incompetence. (It appears there is definitely deliberate sabotage out there - see for instance http://www.mail-archive.com/cryptography@metzdowd.com/msg123... which sadly didn't make the front page here.)
John Gilmore has been involved in this space, and fighting for "us" for a long time. I'd previously submitted this, but it failed to get traction: http://www.toad.com/des-stanford-meeting.html
Excellent link, thanks. And it is very hard to distinguish. Many other IETF RFCs are incredibly complicated and add idiotic "features" and stuff just for the sake of it.
Mitigating factor in this particular case is that some of the things proposed, like using the same IV for each packet, would definitely be found out by people other than the NSA. That would go against the NSA's goals.
Descriptions like this one make me wonder if the apocryphal "huge breakthrough" in encryption by the NSA is in their ability to simulate and analyze the implementation of complex crypto computer systems. (Rather than in the base mathematics.)
They are deterministic systems after all, and giving researchers the means to look at them more abstractly could make it a lot easier to pick where to attack, or where to concentrate spycraft to introduce weaknesses that would be hard for mere mortals to detect on their own.
That's a good hypothesis. It's definitely possible if you consider things like verified compilers. It shouldn't be beyond them to apply this to crypto implementations.
> The trouble is, well-done deliberate sabotage is very hard to distinguish from incompetence.
Behold the Underhanded C contest, where the aim of the contest is to deliberately create vulnerabilities disguised as genuine bugs.
http://underhanded.xcott.com/
Chrome's pinning is a definite upgrade, but it's more vulnerable than some people make it seem. In practice, a pin consists of a list of CA certificates which are allowed to sign for the given domain (the list is in [1]). This list can be surprisingly long: for example, the list for twitter.com contains 22 keys from 3 different CAs.
This means that, e.g., if you are "good friends" with Verisign, you can get them to issue a certificate for any Google property, and Chrome will happily accept it.
jack9, in case you read this, I just wanted to let you know you're hellbanned. I thought about not telling you, but then I checked your comment history and was very shocked to discover that you've been hellbanned for the past 249 days, during which you've made 69 comments that have been seen by almost no one (because you're hellbanned). You may have also noticed that Hacker News is extremely slow for you -- when a user is hellbanned, the site slows down for them. Each page refresh takes an additional ~10sec to load. So assuming a lowball figure of 10 pageviews per each of your comments, this hellban has claimed at least 2 hours of your life just sitting there waiting for HN to load. Hence I feel compelled to show some mercy and let you know that you need to create a new account if you want anyone to see anything you write. And some of your writing is thoughtful.
You were probably banned because, quite frankly, you were a complete dick when you first started commenting[1][2] and probably got banned for this comment[3] but the quality of your comments increased after you were banned, so if you've changed, you're nice, and you want to contribute to this community in a positive way, then I assume you'd be welcome back. So make a new account.
EDIT: Actually, this[4] is almost certainly what pissed off a mod enough to ban you, and rightfully so: if you still feel that way, then you deserve to remain banned. But I'm optimistic about people's ability to change (I myself was quite a different person 249 days ago). If you still enjoy writing comments that attack people personally, even if the attack is deserved, then you will make me sad, since that will mean I've hurt the community by informing you of your status. So please don't make me regret sticking my neck out for you. Besides, it's much more satisfying to write comments that uplift people rather than tearing them down.
It may just be coincidence. But that's quite a coincidence. HN completely doesn't load for me, with "No Data Received," meaning the Arc process running HN is specifically deciding not to send any data to my specific IP address (since Tor still works). Meaning my IP got banned. And just before that, I started receiving the message "We've limited requests for this url" for everyone's comment page: http://screencast.com/t/h0n0HjTcM ... so it does appear that my IP has been singled out for some special reason, possibly for this comment. (I'm not sharing my connection with anybody, so it was definitely something I did.)
So until I verify what's going on, don't risk your account by making comments telling hellbanned people that they've been banned. There may be consequences. (If that's the case, then I wish they would've just deleted my comment and told me not to do that... I didn't mean to cause problems. Sorry.)
EDIT: The error has changed to "This webpage is not found." http://screencast.com/t/NcFgfnQ3p4 Still not loading. Other websites load fine.
EDIT2: Back to "no data received." Definitely not loading for my IP address.
UPDATE: I've lost access to my account. Attempting to login to sillysaurus2 redirects me to https://news.ycombinator.com/null and doesn't actually process the login. The only reason I'm able to write this comment is because I was still logged in on my phone. I'm genuinely sorry, and I've sent an email to info@ycombinator.com to apologize.
I beg mercy. I was only trying to help. I messed up. I promise I won't do it again.
Moral of the story: Don't do what I just did. It earned me 10 upvotes followed by an instaban.
I'm a scientist at heart. I know how important it is to be very accurate. So I made sure to report exactly what I experienced.
My home IP address is presently still banned (or at least the arc process is refusing to send data to it). I verified that it fails to load both in Chrome and Firefox, ruling out browser issues.
When that happened, I started Tor browser and HN loaded fine. I logged in. It logged in fine. I continued using Tor for awhile. Then after about 30min, I changed Tor IPs and tried to log in. The login failed, redirecting me from /login to /null upon successfully entering my password. It continued to fail in that manner. I tested it from at least three different Tor circuits; probably five.
I then created sillysaurus3 and made a comment here. You should be able to see that comment. The account was hellbanned very quickly; maybe instantly. Does using Tor get your account hellbanned?
I then created "sillysaur" which I successfully made a comment with. I verified the comment wasn't hellbanned. Then I checked again 20min later and it was hellbanned.
I tried logging into sillysaurus2 from about three or four different Tor circuits. All of them redirected me to /null and hence continued to deny me access. Then after an hour or so of continually checking it every 10min, it suddenly started accepting my login successfully and not redirecting me to /null. The only thing that changed on my end was my Tor circuit.
I unbanned my IP using /unban. It reported "unbanned". That failed to have any effect.
I am above all an honest researcher, and these are my honest and accurate experiences, so something very odd was happening Arc side. And I didn't do anything to trigger getting IP banned --- I use a private IP address and I don't run any crawler.
From all of this, I infer it's not accurate to say that nothing changed.
Okay, for the record, no moderator took any action against me whatsoever. pg was absolutely correct.
I experienced an incredible series of coincidences. Due to those coincidences, it seemed very much like I was being banned by a moderator. But it was just extraordinarily bad luck that I managed to run into each of those events. Here's what happened:
Somehow, (and I still have no idea how), I did something to cause HN to blacklist my home IP address. But from my point of view, it appeared to me that I was IP banned in response to posting my original comment.
But I wanted to be certain that it wasn't just a coincidence, so I tried logging in via Tor. I was able to login successfully for about 10 minutes.
Then I restarted Tor, so I was assigned a new Tor IP address. I tried to login again, and that's when I experienced my first bad luck: that specific Tor IP triggered either a bug or a protection mechanism, resulting in HN failing to process my login request. (The login page redirected me to http://news.ycombinator.com/null and silently ignored my login attempt.)
I restarted Tor to get a new IP address and tried again. Same thing: even with the new ip addr, HN refused my login attempts. I restarted Tor yet again with the same result. So at that point I had tried to login with three different Tor IP addresses, and the login attempts failed all three times. So from my point of view, that seemed very much like a moderator was banning me.
Then I created "sillysaurus3" which was instantly hellbanned. This was an automatic action, not a moderator action. (I assume it happened because a lot of spam originates via Tor.)
So I tried again. I created "sillysaur" and posted a comment. I restarted Tor and verified that the comment was publicly visible (i.e. verified sillysaur was not hellbanned). Then I updated my sillysaurus2 profile to say "I've been banned, and my new account is sillysaur." Ten minutes later I checked sillysaur again and discovered that it had become hellbanned.
So at that point it seemed reasonable to conclude that some moderator was actively banning me. But in reality no moderator had taken any action. It was just bad luck (somehow triggering the IP ban) followed by incredible bad luck (somehow running into the login bug / protection mechanism three times in a row from three different Tor IPs that all happened to trigger it) followed by even more bad luck (my new accounts created via Tor were automatically hellbanned, probably because spam was originating from those Tor IP addresses which I had been assigned).
So that was a pretty crazy series of events, and I'm very sorry for scaring people with my warning. It was incorrect: no one had done anything, just as pg said.
> Incidentally, nothing at all changed during this whole saga.
Well I for one wish you would change your hellbanning policy. It seems overly harsh...moderators have no problem hellbanning users with different political views, while letting others slide.
It was (and remains) an interesting approach to the perennial problem of jerks posting jerk posts. But as it stands today it's (1) too harsh and (2) too subjective.
It's a bit of hyperbole, and nothing direct from Snowden as far as I can tell. The actual releases (like XKEYSCORE) clearly show it intercepting unencrypted traffic. This could be something as simple as RSA1024 being "easily" crackable by the NSA, and hence "most encryption" would be vulnerable since so many people use RSA1024 for TLS.
Taking random quotes and highlights from presentations isn't a very good way to get picture of an opponent's capabilities. Otherwise we'd think that Oracle has developed 100% secure database software that is impossible to break.
I really hope Snowden releases some hard evidence or specific citations of what the NSA has broken, instead of the hand-wavy "like, everything, man" articles that have been rehashed several times in the past day. Speculation's sorta pointless.
I'm not sure it was ever the case that the original assumption was that systems are secure until disproven. The claim is more than likely alluding to a combination of techniques for breaking weak crypto (ie. sufficiently small keysize for brute force attack), or attacking the endpoints (backdoors, etc). This still doesn't seem like news to me, but hey, what do I know?
All of the big guys use HSMs to protect key material from intruders or malicious insiders. Key generation happens inside a sealed box from which the keys can never leave, except into another identically-configured sealed box from the same vendor. As such, there's no way to inspect the keys being generated - you have to trust the FIPS certification that it's being done correctly.
If--perhaps as part of the FIPS certification process--the NSA were to compromise the key generation function of a handful of popular HSM models, in one fell swoop they would have compromised all of the CAs, DNSSEC, Google, Microsoft, Facebook, Amazon, etc. (Not to mention all of the banks, credit card companies, etc.)
Further data point: in my experience talking to SafeNet at least, they employ a lot of ex-DoD folks who probably still have connections to their old bosses.
This is just speculation, but seems a likely attack vector.