Is Encryption Effective Against Snooping? German Government Says No, Snowden Says Yes
from the maybe-not-the-real-problem dept
The revelations of Edward Snowden about the NSA's snooping on citizens both inside and outside the US are posing more questions than they answer at the moment. One key area is whether the use of encryption -- for example for email -- is effective against the techniques and raw power available to the NSA (and equivalents in other countries). That's something that has come up before in the context of the UK's Snooper's Charter. When a top official there was asked whether the proposed surveillance technology would be able to cope with encrypted streams, he replied: "it will." Snowden's claims about massive, global spying make the issue even more pertinent.
Here's one view, from Germany. Politicians from the Die Linke party posed a number of questions to their government on the subject of the latter's use of surveillance techniques (original PDF in German). Most of the answers were the kind of thing you might expect -- "we can't possibly go into details" etc. etc. -- but one was surprising. To the question:
"Is the technology used also capable of decrypting at least partially, or evaluating, encrypted communications (eg via SSH or PGP)?"
Back came the answer:
"Yes, the technology used is generally able to do that, depending on the type and quality of the encryption."
But Edward Snowden doesn't agree. When he was asked in an online Q&A session on the Guardian Web site the following question:
"Is encrypting my email any good at defeating the NSA surveillance? Is my data protected by standard encryption?"
He replied:
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."
In discussions about the German government's claim that it can crack encryption in certain circumstances, some suggested that maybe it could -- not directly, but using the malware that Techdirt has written about before. So even if the question as to the efficacy of encryption itself is still rather up in the air, there seems to be a consensus that the real weakness lies in letting people gain access to your system.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: cracking, ed snowden, encryption, germany, nsa surveillance, security, surveillance
Reader Comments
no contradiction?
[ link to this | view in thread ]
"Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Crypto
We have to assume the world's major superpower has access to hardware above that available on the market. History has shown that to be the case.
I've heard cryptologists guessing that the NSA might possibly brute-force a dozen or so 1024-bit keys in a year. If this is the case, they will surely focus on the keys of major providers like Yahoo, Microsoft, etc.
Remember they only have to crack each key once. They then have real-time access to the data at e.g. the border taps.
However Google uses forward secrecy (http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html), which will frustrate efforts.
Now, if 1024-bit SSL can't be cracked, even by the NSA, there's nothing to prevent FISA being used to compel a service provider to hand over their private SSL key, in secret. We'd never know if this had happened.
Security researchers have theorised that a communications service provider might choose to use a different SSL certificate for overseas traffic, thereby protecting US citizens' privacy even after their private key has been compromised.
So on one hand encryption cannot be trusted. Or, more precisely, encryption that you do not control cannot be trusted.
However, that doesn't mean all encryption is useless. In fact it doesn't even mean the same algorithms implemented differently are useless.
If you generate your own key pair with a decent key length and fully-patched software and use PGP to send an email, there's only a remote chance it will be cracked.
That's because it's your own private key, not Google, Yahoo or Microsoft's; and the NSA would have to crack the key for everyone they want to monitor.
But then we're into the security versus convenience trade-off. How many people can be bothered to take additional steps to guarantee their privacy?
And because few people will take these steps, those who do will stand out and perhaps make themselves a target for increased surveillance for the things that are harder to hide, e.g. the metadata, which is necessarily available unencrypted so the message can be routed to its destination.
Having said that, whilst the general population has no privacy, there are still many ways for the really bad guys to pass messages largely unobserved.
Where people are willing to sacrifice even more in the way of convenience I can think of half a dozen ways to communicate with a very low probability of being observed.
[ link to this | view in thread ]
Tor?
[ link to this | view in thread ]
Also, I remember reading about research into encrypted Skype conversations which stated that, even if the message was encrypted, you could guess what was being said by statistical analysis of the encrypted stream data. This had to do with the fact that the amount of encrypted data being sent depended on the number/length of the words being said...
[ link to this | view in thread ]
In short, if they want to see what you specifically are looking at, encryption probably won't help. If they are doing a general trawl, though, it probably will conceal what you are looking at. (It is, however, possible that people using encryption will automatically come under further scrutiny. They'd probably use the justification of "why would they encrypt it if they have nothing to hide". Yes, I don't like the argument myself.)
[ link to this | view in thread ]
Re: Crypto
Very powerful statement. The worst of them will always find a way to secure communications. As it has been throughout history. But, as these few will always cause chaos, they still cannot top death tolls by war (or peace), regular and purposeful accidents, physical and mental disease (biggest killers in history), and natural disasters.
So governments electronically monitor communications worldwide, where we know 99% don't use even basic security. And this will yield just a big shit bag of digital storage. But in reality, this won't get crap on people who really want to stay under.
Is our elected just feigning stupid, or do most just accept everything from the major industrial-complex lobbyist's propaganda and money?
Sorry dumb question...it is probably both.
Pretty simple:
Stop the stupid "war" tags.
War on drugs? fu
Eliminate this and reallocate 50% of the DEA, ?PD, every other form of LEA, to something more useful.
War on Terror? fu
We are not "Team America-World Police". Of course, war is needed for the entire world's economic stability. Way too much money in it. But get real, terrorism, and every other ISM, ISH, IAN, IST, LAM, LEM, etc. are way too complex to understand or control. Eliminate another trillion in budget. Use all IT stuff and other resources for some amazing human advancement.
[ link to this | view in thread ]
Re: Crypto
Ironically, the only way to protect a PGP key is to encrypt it, but the sheer hassle of so many levels of encryption/decryption makes the tools useless to most people who simply want to send their mothers a "Happy Mother's Day" message (and for them to read it).
I'm on the side with Snowden here. Our companies, who tell us via their ToS our privacy is important, should have blown the whistle on these requests years ago.
The fact they didn't is more a statement than politicians who stated they knew this was going on for 7 years.
Ironic, again, that Google helped stop SOPA, but didn't lift a finger to stop this blatant abuse of the 4th.
[ link to this | view in thread ]
Re:
Encryption is not a panacea, however, and strong password and security protocols still need to be followed regardless of the level of encryption one is using.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
This is the wrong question
If end-user devices are compromised, then what encryption method is in use and whether or not it can be cracked doesn't matter. And "compromising end-user devices" is very, very easy because users themselves make it so. Consider:
- They use Windows. Windows can't be secured, period, full stop.
- They use smartphones. The entire smartphone ecosystem is crawling with malware, including things like CarrierIQ.
- They use "social media", which are equally loaded with malware.
- They use garbage software like Adobe Acrobat, full to the brim with gaping security holes.
- They fall for spam and phishes constructed by illiterates.
- They click on every shiny thing they see, doubly so if they're men and it promises nekkid boobies.
And so on. There's really no need to engage in esoteric cryptography for the most part: users make it easy to plant keystroke loggers and other malware that bypass the need for it.
[ link to this | view in thread ]
Re:
It's not quite that simple.
I remember seeing the math for breaking a message encrypted with 4096-bit RSA. It would take longer than the estimated age of the Universe to brute force it. Also, the energy costs of such an attempt would consume the estimated energy of our galaxy. These are rough estimates, possibly rounded up for dramatic impact, but you get the point.
Of course, you could try to poke holes in the encryption algorithm. Right now, your only chance* of breaking RSA is starting to look like proving that P=NP: you have to find a very fast way to factor huge numbers, which basically amounts to solving an NP problem in P time.
But if you start going the way of one-time pads and such, you are out of luck: those are theoretically unbreakable (which, in cryptographic terms, means that you need to brute-force them...they have no other weakness). But these cryptographic techniques are of limited usefulness.
tl;dr, though you are correct in principle, in practice (that is, in the real world), well implemented cryptographic algorithms are unbreakable, for all intents and purposes. In the real world, if it costs more time and resources than an attacker is willing or able to commit, it is unbreakable, and that is what cryptography gives you.
* apart from some attacks that aren't practical in general, like timing attacks
[ link to this | view in thread ]
Re:
However, it's not terribly practical (sender and recipient must share -- and keep secret from the rest of the world -- a truly random key at least as long as the plaintext, and never, ever reuse it).
[ link to this | view in thread ]
Yes == No
- "We can decrypt X" (we cannot decrypt X, but if we say we can, hopefully fewer people will use it)
- "We cannot decrypt X" (we have thoroughly broken X, but want people to keep on using it in the belief it's secure).
[ link to this | view in thread ]
The answer from the German Security people shows just how pervasively they have invaded systems, not only the internet back-bone, but the end systems as well.
In order to have a reasonably secure system you need to have all of the following; a chink in any of them will likely render the entire system worthless against those determined to invade your privacy.
1. Strong Key pairs (2048 minimum and 4096 would be better). Anything less can likely be cracked fairly quickly if someone (a government) decides they want to know what the encryption is hiding.
2. Private Keys must be stored Off-Line! If the Private key is ever on an 'on-line' system, then it may be compromised. Since it would be possible that the system was compromised and the private key copied.
3. Key signing - Must be done in person. Receiving a key signing request via email provides for a man in the middle attack because you can't be certain you are signing or receiving the key of the person you think you are.
Remember, the NSA and others will ALWAYS go after the weakest link. If you use strong encryption then the weakest link becomes the endpoints. So if they can't crack your encryption, and they really want to know what is being transferred they will simply attack the system(s) at one or both endpoints which will very likely yield the very same information with far less work.
To make matters worse, consider this, everyone has been all up in arms about Microsoft, Google, Apple... but the culprit could well be at the hardware level. The NSA could well have infected firmware of motherboards, hard drives...
Don't believe me? Ask yourself this, why is the US Government so certain that China has sold infected chips to US companies? Could it be that the NSA has been responsible for the same actions? Yes, not only possible, but highly likely. In country boy terms "The smeller is the feller!"
Bottom line, if you want security, you MUST perform all encryption and decryption from STAND ALONE Systems. AND you must have performed the key exchange in person, via stand alone systems. So a secure encryption transfer requires at least 2 stand alone systems (one at each end) and the following steps.
1. Create communication on Stand-Alone System
2. Encrypt communication on Stand Alone System using the highest levels of encryption available (preferably with code you wrote, or at least reviewed).
3. Transfer file via a secure medium (single use) to an internet connected medium
4. Transmit the data to the receiving party.
The receiving party must then:
1. Download the encrypted file(s)
2. Transfer the encrypted data to a single use secure medium.
3. Copy the file to the Stand Alone system for Decryption
4. Decrypt the data on the Stand Alone system.
Not something that most people are willing to do.
Or you know you do it the easy way, where a seemingly innocuous statement such as "See you at the marathon" or "Have fun in New York" means something entirely different that has been worked out in person, in advance and of which there is no written record.
[ link to this | view in thread ]
Re: Tor?
Thought this was in the FAQ, but I'm not seeing it there in a quick look…
Tor is not designed to be effective against a “global adversary”. That is, an adversary who has a view of the entire network can defeat the assumptions behind the design of Tor.
This has been considered an acceptable tradeoff in order to achieve “low” latency.
[ link to this | view in thread ]
Re: Tor?
(This FAQ is being migrated to General FAQ. The answers in this FAQ may be old, incorrect, or obsolete.)
What attacks remain against onion routing?
[ link to this | view in thread ]
You fit right in here, Glyn. Only cowards need apply.
[ link to this | view in thread ]
Masnicking Minion gins up controversy.
On the piratey aspects, you've yet to come to grips with ISPs doing man-in-the-middle attacks that enable snooping on your TOR and proxied traffic, and besides that, just encrypting flags you for interest, as does amount of traffic, especially upload ratio.
[ link to this | view in thread ]
Re: Crypto
That's why they're using 2048bit keys, much much harder.
Maybe we'll start seeing ECC public key being used, then only quantum computers will be able to break them.
AES is still safe, but the symmetrical key is usually exchanged after being encrypted by the public key, so you're only as strong as your weakest link.
There is currently work being done on quantum-computer immune public key algorithms, but they're kind of hard, since public keys tend to lend themselves well to quantum-computers.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
E.g.: you've managed to get the almost complete plaintext for an encrypted message (maybe the bad guy wasn't quick enough in swallowing or burning it when you kicked the door in). You've got "Attack at ": by a comparison with the ciphertext, you know that all you're missing is the last four characters.
But what are they? "Noon"? "Dawn"? "Dusk"? "1030"? "Once"? With a random, non-repeating, one-use-only key, it could be any of those or more, and you have no way of telling which.
(And yes, I know analysis of most ciphers would be difficult with such a short message, but the point stands: a one-time pad gives you no information on which to do any analysis, no matter how long the message, and no way of telling whether your intelligible, "brute-forced" plaintext is the correct one of the myriad of possibilities.)
[ link to this | view in thread ]
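The "Attack at ...." argument in the comment above, worked through in C as an added example (not part of the original comments). The pad bytes, the second message and all function names are constructed for illustration; the second function goes beyond the comment to show the pad-reuse failure that an earlier comment warns about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN   14   /* "Attack at " plus four unknown characters */
#define KNOWN_LEN 10   /* length of the captured prefix "Attack at " */

static const char PREFIX[] = "Attack at ";

/* Constructed sample pad; a real pad must come from a true random source. */
static const unsigned char PAD[MSG_LEN] = {
    0x5a, 0xc3, 0x17, 0x88, 0xe1, 0x2f, 0x94,
    0x6b, 0x0d, 0xb2, 0x71, 0xfe, 0x49, 0xa6
};

/* One-time-pad encryption and decryption are the same XOR. */
static void xor_bytes(unsigned char *out, const unsigned char *a,
                      const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(a[i] ^ b[i]);
}

/* Returns 1 if a pad exists that agrees with the pad bytes exposed by the
 * known prefix and decrypts ct to PREFIX + ending. */
static int ending_fits(const unsigned char *ct, const char *ending)
{
    unsigned char guess[MSG_LEN], pad[MSG_LEN];
    unsigned char exposed[KNOWN_LEN], back[MSG_LEN];

    memcpy(guess, PREFIX, KNOWN_LEN);
    memcpy(guess + KNOWN_LEN, ending, MSG_LEN - KNOWN_LEN);
    xor_bytes(pad, ct, guess, MSG_LEN);      /* pad implied by this guess */
    xor_bytes(exposed, ct, (const unsigned char *)PREFIX, KNOWN_LEN);
    xor_bytes(back, ct, pad, MSG_LEN);       /* decrypt with implied pad */
    return memcmp(pad, exposed, KNOWN_LEN) == 0 &&
           memcmp(back, guess, MSG_LEN) == 0;
}

/* How many of the comment's candidate endings the ciphertext cannot rule out. */
static int count_fitting_endings(void)
{
    static const char *endings[] = { "Noon", "Dawn", "Dusk", "1030", "Once" };
    unsigned char ct[MSG_LEN];
    int fits = 0;

    xor_bytes(ct, (const unsigned char *)"Attack at Dawn", PAD, MSG_LEN);
    for (size_t i = 0; i < sizeof endings / sizeof endings[0]; i++)
        fits += ending_fits(ct, endings[i]);
    return fits;
}

/* Pad reuse: c1 ^ c2 == p1 ^ p2, so knowing p1 reveals p2 without the pad. */
static int reuse_reveals_second_message(void)
{
    const unsigned char *p1 = (const unsigned char *)"Attack at Dawn";
    const unsigned char *p2 = (const unsigned char *)"Retreat at six";
    unsigned char c1[MSG_LEN], c2[MSG_LEN], mix[MSG_LEN], out[MSG_LEN];

    xor_bytes(c1, p1, PAD, MSG_LEN);
    xor_bytes(c2, p2, PAD, MSG_LEN);   /* the mistake: same pad used twice */
    xor_bytes(mix, c1, c2, MSG_LEN);   /* the pad cancels out */
    xor_bytes(out, mix, p1, MSG_LEN);
    return memcmp(out, p2, MSG_LEN) == 0;
}

int main(void)
{
    printf("candidate endings not ruled out: %d of 5\n", count_fitting_endings());
    printf("second message recovered after pad reuse: %s\n",
           reuse_reveals_second_message() ? "yes" : "no");
    return 0;
}
```

Every candidate ending yields a pad that is consistent with the captured prefix, so the ciphertext gives no basis for choosing among them; that guarantee disappears as soon as the same pad encrypts a second message.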
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
With the rise in lots of unproven pseudo encryption/index pad methods in various circles (especially PCI), perhaps this whole affair will also shine a spotlight on how useless proprietary techniques are that have no independent validation or published methods. I bet the NSA chaps break them during a coffee break. In their heads.
[ link to this | view in thread ]
Effectiveness of encryption, according to Germany
[ link to this | view in thread ]
Re: Masnicking Minion gins up controversy.
[ link to this | view in thread ]
I see a Need
for those that may be a little more serious about their communications...but again, the average person doesn't know or care.
Maybe this company is moving in the right direction.
http://www.slate.com/articles/technology/future_tense/2013/02/silent_circle_s_latest_app_democratizes_encryption_governments_won_t_be.html
Perhaps the next big thing will be the Data Invisibility cloak.
The first APP that really works to make your phone or PC private will make someone rich.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
1. Encrypt with Alice's 4096-bit public key, sign with own private key.
2. Don't send encrypted message but print it out.
3. Send by snail mail.
4. Have Alice type it out and decrypt it.
I think this is the bare minimum, since no matter what kind of prime factoring-based crypto you use all of it is being stored by the NSA and will be crackable if and when they develop quantum computers that can run Shor's algorithm and decrypt your 4096-bit RSA-encrypted e-mail in a second. By doing it this way you benefit from both the technical protections of PGP and the legal protections that pre-digital communications enjoy. Granted it's a bit cumbersome, so you better make sure you have something interesting to say when you write someone a PGP letter.
[ link to this | view in thread ]
Re: Re: Re:
It is a serious mistake to consider any encryption scheme "uncrackable". Even mathematically uncrackable schemes such as one-time pads can usually be cracked, as the tiniest error such as a slight imperfection in the random number generation can compromise the scheme.
Encryption must be thought of as no different than locking a door. If someone really wants to, they'll be able to open the door no matter what. The goal of encryption is to make cracking time-consuming and expensive, so that attackers either won't bother, or it will take them so long to succeed that the revealed information is no longer of value.
Is encryption effective against snooping? That answer is a qualified yes: it's effective against snooping unless you, specifically, are very interesting to well-financed snoopers.
[ link to this | view in thread ]
Re: Re:
These types of computations are extremely misleading. First, in most implementations, you don't have to crack the 4096 bit encryption. You have to crack the 256 bit encryption that is holding the key to the 4096 bit encryption. This is more secure than it sounds because it's harder to crack shorter messages (such as a single key) and it's hard to know if you've successfully cracked it if the plaintext appears random (such as with a key).
But still, let's run with the 4096 bit encryption cracking time...
Yes, it would take longer than the lifetime of the universe to brute force such encryption if you were going to just try every possible key until you found the right one. That's not how it's done, though. There are numerous shortcuts in the process that reduce the size of the possible keyspace significantly. In reality, it would certainly not take anywhere near that long to break. (It would still take significant time, though! Longer than you'll be alive, for certain.)
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: This is the wrong question
I'm being a bit pedantic here, but this isn't actually true. Windows can be made as secure as anything else. The problem is that a fully secure Windows system is a pain in the ass to use, and certainly nobody without a burning need (such as the government or major crime organizations) would be willing to tolerate the restrictions and limitations it presents.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
It is your privacy, it is your interest and, most importantly, it is your rights at stake; you fight for them or lose them.
This is not something you can leave in the hands of others and say "hey if you are not honest I will get mad".
At some point you need to take responsibility for what is yours and protect it as best as you can.
The other guys will not stop and they are relentless.
Do nothing and the other side will take advantage of you.
[ link to this | view in thread ]
Re:
Provably incorrect. The one time pad is theoretically unbreakable, although practically unusable for most ordinary purposes. Having said that, if you were planning a terrorist attack...
[ link to this | view in thread ]
Re: Re: Crypto
[ link to this | view in thread ]
Re: Re: Re: Re:
The sizes are not equivalent. RSA needs much longer keys to be secure, which is why 1024-bit and 2048-bit are common sizes.
So no, 256-bit symmetric encryption (like for instance AES) is not realistically crackable. Even 128-bit AES is still not realistically crackable. On the other hand, 512-bit RSA has been easily cracked for ages.
There is also ECC and friends, which are public key like RSA but can use smaller keys for the same level of security (IIRC, twice the corresponding symmetric key, so you would use 256-bit ECC with 128-bit AES).
For more information, see Wikipedia: https://en.wikipedia.org/wiki/Key_size
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
And your comment also relies on RSA being perfectly implemented. You could pull a Nintendo and ignore the padding and use strcmp instead of memcmp. Team Twiizers didn't even need Nintendo's private key, their flawed implementation of RSA allowed them to fakesign arbitrary code on the Wii.
[ link to this | view in thread ]
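The comparison mistake this comment names, strcmp where memcmp belongs, shown on binary digests as an added example (not Nintendo's code and not from the original comment). The 20-byte digest length, the sample digests and the function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20   /* assumed digest size for this example */

/* Constructed digests: they agree on the first two bytes, have 0x00 as the
 * third byte, and differ in every byte after that. */
static const unsigned char TRUSTED_DIGEST[DIGEST_LEN] = {
    0x3f, 0x9a, 0x00, 0x71, 0xc4, 0x18, 0xe2, 0x5d, 0x07, 0xb9,
    0x66, 0x2a, 0xf0, 0x8c, 0x13, 0xd5, 0x4e, 0xa7, 0x90, 0x3b
};
static const unsigned char UNRELATED_DIGEST[DIGEST_LEN] = {
    0x3f, 0x9a, 0x00, 0x8e, 0x3b, 0xe7, 0x1d, 0xa2, 0xf8, 0x46,
    0x99, 0xd5, 0x0f, 0x73, 0xec, 0x2a, 0xb1, 0x58, 0x6f, 0xc4
};

/* Flawed: strcmp() treats the digests as C strings and stops at the first
 * 0x00 byte, so the bytes after it are never compared. If neither buffer
 * contained a 0x00 it would also read past the end of both arrays. */
static int digest_equal_strcmp(const unsigned char *a, const unsigned char *b)
{
    return strcmp((const char *)a, (const char *)b) == 0;
}

/* Correct: memcmp() compares all DIGEST_LEN bytes. */
static int digest_equal_memcmp(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, DIGEST_LEN) == 0;
}

/* Hardened: compares every byte with no early exit, so the running time
 * does not depend on where the first mismatch is. */
static int digest_equal_ct(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Number of digest bytes a strcmp() check actually binds: those before the
 * first 0x00 byte. */
static size_t bytes_bound_by_strcmp(const unsigned char *d)
{
    size_t n = 0;
    while (n < DIGEST_LEN && d[n] != 0x00)
        n++;
    return n;
}

int main(void)
{
    printf("strcmp says equal:        %d\n",
           digest_equal_strcmp(TRUSTED_DIGEST, UNRELATED_DIGEST));
    printf("memcmp says equal:        %d\n",
           digest_equal_memcmp(TRUSTED_DIGEST, UNRELATED_DIGEST));
    printf("constant-time says equal: %d\n",
           digest_equal_ct(TRUSTED_DIGEST, UNRELATED_DIGEST));
    printf("bytes bound by strcmp:    %zu of %d\n",
           bytes_bound_by_strcmp(TRUSTED_DIGEST), DIGEST_LEN);
    return 0;
}
```

A code-review check that follows from this: any string function (strcmp, strncmp, strlen, strcpy) applied to a hash, MAC, key or signature buffer is a defect, because those buffers are binary and may contain 0x00 anywhere.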
Re: Re: Re: Re: Re:
923 bit is probably something other than RSA, but probably still public key.
[ link to this | view in thread ]
Title is trollish, they said the same thing.
[ link to this | view in thread ]
Re: Re: Crypto
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Nonetheless, it is still dangerous to think of any encryption scheme as uncrackable.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
Umm, then by definition it is no longer a one time pad. Therefore the security of a one-time pad is no longer applicable.
[ link to this | view in thread ]
Encryption is ineffective and so are passwords
[ link to this | view in thread ]
Re: Re: and you don't think they are working on it
[ link to this | view in thread ]