NSA surprises, not?

SIGS Special Event 2015 @ Zurich


JP Aumasson

April 01, 2015


  2. NSA surprises, not ? Jean-Philippe Aumasson (@veorq), Kudelski Security

  3. This talk: Facts and assumptions. Not political, moral, or legal issues. Doesn’t cover everything.
  4. Part 1: Facts

  5. NSA massively intercepts internet traffic

  6. TEMPORA, XKeyScore, TURMOIL, etc. Data and metadata collected, searchable

  8. NSA can inject and modify traffic

  10. What if traffic is encrypted?

  11. NSA may or may not decrypt it (And metadata that is in clear still useful)
  14. Key theft: Passive and active collection (Exploit devices holding keys, etc.); Static secrets for VPNs (IPsec PSKs, SSH usernames/pwds, etc.); Private keys of CA certs (TLS interception); SIM cards’ subscriber keys
  17. Sabotage of commercial systems

  18. Exploitation, via “implants”

  19. Cryptography circumvented rather than “cracked”

  20. Some protocols less prone to compromise (No long-term secrets, forward secrecy end-to-end, etc.)
  21. Off-the-record (OTR) chat

  22. PGP email

  23. Proportionality The higher value the target, the more aggressive the

  24. What about cryptanalysis?

  25. “According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US.” (James Bamford, March 2012, http://www.wired.com/2012/03/ff_nsadatacenter/all/1)
  26. Part 2: Assumptions

  27. Educated guesses (Based on my and others’ knowledge and experience)

  28. AES

  29. Risk: Practical cryptanalytic attack

  31. Assumption: The AES algorithm is and will remain safe

  32. NIST elliptic curves

  33. Risk: Weak/backdoored curves

  34. http://safecurves.cr.yp.to/rigid.html

  35. Assumption: Fishy, but practical attack unlikely. Still, “rigid” curves better for confidence
  36. RC4

  37. Risk: Practical cryptanalytic attack

  39. Assumption: Insecure

  40. RSA

  41. Risk: Factoring breakthrough

  44. Assumption: No major algorithmic advance (In particular, no polytime algorithm). But 1024-bit factoring may be doable (For high-value targets, when other methods failed)
  45. Quantum computer

  46. Risk: Scalable system against factoring, discrete log, etc.

  49. Assumption: As far from a working system as public research

  50. Tor

  51. Risks: Deanonymization capabilities

  53. Assumption: No mass deanonymization, but progress since pre-2010 documents. And always, deanonymization from OPSEC failures
  54. Part 3: Conclusions

  55. NSA is to SIGINT what Mossad is to HUMINT (Aggressive, by-all-means-necessary approach)
  56. Interception, sabotage, exploitation: Surprising breadth and depth

  57. Cryptanalysis: No surprise, so far. Why attack the strongest link?

  58. Thank you. NSA documents archive: http://cryptome.org/2013/11/snowden-tally.htm | Title page visuals: https://citizenfourfilm.com/ | Contact: jeanphilippe.aumasson@gmail.com | http://aumasson.jp | @veorq