NSA surprises, not?

Transcript

1. None

2. NSA surprises, not ? Jean-Philippe Aumasson (@veorq), Kudelski Security

3. This talk Facts and assumptions Not political, moral, or legal

   issues Doesn’t cover everything

4. part 1 Facts

5. NSA massively intercepts internet traffic

6. TEMPORA, XKeyScore, TURMOIL, etc. Data and metadata collected, searchable

7. None

8. NSA can inject and modify traffic

9. None

10. What if traffic is encrypted?

11. NSA may or may not decrypt it (And metadata that

    is in clear still useful)
12. None
13. None

14. Key theft Passive and active collection (Exploit devices holding keys,

    etc.) Static secrets for VPNs (IPsec PSKs, SSH usernames/pwds, etc.) Private keys of CA certs (TLS interception) SIM cards’ subscriber keys
15. None
16. None

17. Sabotage of commercial systems

18. Exploitation, via “implants”

19. Cryptography circumvented rather than “cracked”

20. Some protocols less prone to compromise (No long-term secrets, forward

    secrecy end-to-end, etc.)

21. Off-the-record (OTR) chat

22. PGP email

23. Proportionality The higher value the target, the more aggressive the

    methods

24. What about cryptanalysis?

25. “According to another top official also involved with the program,

    the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US.” James Bamford, March 2012 http://www.wired.com/2012/03/ff_nsadatacenter/all/1

26. part 2 Assumptions

27. Educated guesses (Based on my and others’ knowledge and experience)

28. AES

29. Risk Practical cryptanalytic attack

30. None

31. Assumption The AES algorithm is and will remain safe

32. NIST elliptic curves

33. Risk Weak/backdoored curves

34. http://safecurves.cr.yp.to/rigid.html

35. Assumption Fishy, but practical attack unlikely Still, “rigid” curves better

    for confidence

36. RC4

37. Risk Practical cryptanalytic attack

38. None

39. Assumption Insecure

40. RSA

41. Risk Factoring breakthrough

42. None
43. None

44. Assumption No major algorithmic advance (In particular, no polytime algorithm)

    But 1024-bit factoring may be doable (For high-value targets, when other methods failed)

45. Quantum computer

46. Risk Scalable system against factoring, discrete log, etc.

47. None
48. None

49. Assumption As far from a working system as public research

50. Tor

51. Risks Deanonymization capabilities

52. None

53. Assumption No mass deanonymization, but progress since pre-2010 documents And

    always, deanonymization from OPSEC failures

54. part 3 Conclusions

55. NSA is to SIGINT what Mossad is to HUMINT (Aggressive,

    by-all-means-necessary approach)

56. Interception, sabotage, exploitation Surprising breadth and depth

57. Cryptanalysis No surprise, so far Why attacking the strongest link?

58. Thank you NSA documents archive: http://cryptome.org/2013/11/snowden-tally.htm Title page visuals: https://citizenfourfilm.com/

    Contact: [email protected] | http://aumasson.jp | @veorq