Leaked US cybersecurity report singles out crypto as essential for security of private data


Don’t I recall reading, the NSA has had no success at all in cracking crypto algorithms; they just have everybody’s password.


From another recent article linked from BB on cryptography and surveillance (which you may have caught already):

But even without the James Bond aspect of this, there’s every reason to believe that NSA has other means to exfiltrate RSA keys from operators. During the period in question, we know of at least one vulnerability (Heartbleed) that could have been used to extract private keys from software TLS implementations. There are still other, unreported vulnerabilities that could be used today. ... Pretty much everything I said about SSL/TLS also applies to VPN protocols, with the additional detail that many VPNs use broken protocols and relatively poorly-secured pre-shared secrets that can in some cases be brute-forced. The NSA seems positively gleeful about this.

The little I’ve read and understood about all this is that NSA/GHCQ have the ability to get into some crypto stuff, certainly not all, but given their budget and reach, they’ve obviously got a range of options for attacking whatever crypto stands in their way. And also from the article:

Additionally, the documents include significant evidence that NSA has difficulty decrypting certain types of traffic, including Truecrypt, PGP/GPG, Tor and ZRTP from implementations such as RedPhone. Since these protocols share many of the same underlying cryptographic algorithms — RSA, Diffie-Hellman, ECDH and AES — some are presenting this as evidence that those primitives are cryptographically strong.

As with the AES note above, this ‘good news’ should also be taken with a grain of salt. With a small number of exceptions, it seems increasingly obvious that the Snowden documents are geared towards NSA’s analysts and operations staff. In fact, many of the systems actually seem aimed at protecting knowledge of NSA’s cryptanalytic capabilities from NSA’s own operational staff (and other Five Eyes partners). As an analyst, it’s quite possible you’ll never learn why a given intercept was successfully decrypted.

To put this a bit more succinctly: the lack of cryptanalytic red meat in these documents may not truly be representative of the NSA’s capabilities. It may simply be an artifact of Edward Snowden’s clearances at the time he left the NSA.

All of which is to say, fuck you NSA for hacking my shit. And fuck you Cameron, for such a patently stupid solution: What’s that? People are dying because of cars? Let’s outlaw gasoline and save everyone!