In order for the National Security Agency to collect the massive amounts of communication it has from email and Web traffic, it needs to elude, leapfrog or bash through the barrier that is SSL.
How it’s doing so is the real question, one that noted Johns Hopkins cryptographer Matthew Green wants answered.
“If you really want to collect that kind of information, that means email and web traffic,” Green said. “Those are the most vulnerable things on the Internet and those are secured with SSL.”
Green published a lengthy essay yesterday that proposed a number of practical and elaborate scenarios explaining how SSL could be subverted or suborned. He also suggests that there’s no time like the present to get away from RSA keys and consider alternatives such as perfect forward secrecy and even Elliptic Curve Cryptography.
Some large Internet companies reportedly targeted by the NSA have already taken steps to either encrypt traffic by default, strengthen the keys they use to secure communication, or move away entirely from broken or weakened algorithms. Google, for example, has recently announced it has completed, ahead of schedule, an upgrade of its SSL certificates to 2048-bit RSA and Microsoft announced that it was advising developers to deprecate the RC4 algorithm and stop using the SHA-1 hash algorithm.
The moves are encouraging, but they’re initial steps toward keeping the NSA’s surveillance efforts at bay and securing the privacy of consumers and enterprises alike. Green, for one, says Perfect Forward Secrecy should be considered a minimum standard going forward.
“The other thing that we need to do is start moving away from RSA altogether. Right now there are a few companies such as Google, Facebook and Twitter that have all adopted Perfect Forward Secrecy, but people still view that as a luxury,” Green said. “I think that’s the basic, minimum requirement right now.”
Perfect Forward Secrecy eliminates the single point of failure presented by SSL keys by generating a unique key for every connection and then deleting it after the connection is shut down. Cryptography experts believe, despite the resource overhead it presents, that Perfect Forward Secrecy is the best option rather than the single 128- or 256-bit RSA key generated with each TLS RSA handshake that encrypts every past and future connection made from the device.
“It’s this one piece of information that every single piece of data that’s come over the wire is vulnerable to if that gets compromised. You can go back five years and decrypt what people sent five years ago,” Green said. “If it works right, you have one key, use it and you erase it.”
Modern browsers such as Internet Explorer, Chrome and Firefox already support Perfect Forward Secrecy, but this doesn’t help those users still on older versions of IE for example, a browser that is also a favorite of hackers in targeted attacks, and is still being patched almost monthly by Microsoft.
“The problem is when people are using IE 6 and 7, [those browsers don't] support this. You still have to support RSA; it just ends up being a mess,” Green said. “The good news is it can support people using modern browsers, but we’re never going to be able to help you if you’re using older browsers.”
Green’s essay, meanwhile, postulates several ways the NSA may actually be getting through SSL encryption today. Some of the known attacks don’t involve hacking at all, but rather the theory that the NSA could just be taking SSL keys from organizations, either through court orders or even coercion. Malware exploits are also a possibility, he said.
“The beauty is that these attacks don’t even require remote code execution. Given the right vulnerability, it may simply require a handful of malformed SSL requests to map the full contents of the OpenSSL/SChannel heap,” Green wrote.
The NSA, Green wrote, could also manage to sidestep SSL by working out a backroom deal with hardware encryption chip makers. A September expose by the New York Times on the Bullrun program said the NSA and Britain’s GCHQ have been in cahoots with chip makers to enable decryption on several leading VPN encryption chips.
“The NSA documents aren’t clear on how this capability works, or if it even involves SSL. If it does, the obvious guess is that each chip encrypts and exflitrates bits of the session key via ‘random’ fields such as IVs and handshake nonces. Indeed, this is relatively easy to implement on an opaque hardware device,” Green wrote. “The interesting question is how one ensures these backdoors can only be exploited by NSA — and not by rival intelligence agencies.”
Side-channel attacks are another option, though as Green said, an attacker would need physical proximity to a TLS server in order to siphon off data that might leaking; though with cloud computing implementations, this option is more viable than in the past.
Random number generators are another likely NSA target; RNGs are considered fragile and any number of factors could weaken them, Green said in his essay. Or the NSA could insert itself into the development process for one of these RNGs as it allegedly did with NIST in the development of the Dual-EC DRBG generator that is default in the widely used RSA BSAFE libraries.
And what about actually cracking RSA keys? Green says that while it’s difficult and a constant rumor that the NSA has indeed made some sort of cryptographic breakthrough, it’s not entirely out of reach. A decade ago, the cost was estimated at $10 million for one machine to factor a 1024-bit RSA key per year; Green said that cost has dropped to less than $1 million given Moore’s Law. Not to mention that a botnet-style distributed network could also do the trick.
“In principle, a cluster about the size of the real-life Conficker botnet could do serious violence to 1024-bit keys,” Green said, referring to research already conducted on this possibility.
“We don’t know and can’t know the answer to these things, and honestly it’ll make you crazy if you start thinking about it,” Green wrote. “All we can really do is take NSA/GCHQ at their word when they tell us that these capabilities are ‘extremely fragile’. That should at least give us hope.”