[Cryptography] CCC: Crypto Wars Part II: The Empire Strikes Back

Henry Baker hbaker1 at pipeline.com
Wed Dec 30 20:55:55 EST 2015

I couldn't find Opsahl's slides, so I made notes from the video:


32c3 talk #7386

Kurt Opsahl CCC slides

Crypto Wars Part II: The Empire Strikes Back

They're Back!
* Twenty years ago we fought back against attempts to limit, suppress and cripple encryption
 - EFF was on the front lines
 - After a long struggle, encryption prevailed.
* But now governments are at it again

The Background
* Not so long ago, in this very galaxy...
 - In Cold War, encryption often a military tech
 - 1975: DES for commercial encryption
 - 1977: RSA implements Diffie-Hellman
 - 1991: PGP distributed
 - 1995: Netscape's SSL

Two types of munitions

Netscape encryption & a military tank

Export Controls
* Netscape Navigator: By mid-90's industry standard was 128-bit SSL
* Export limited to 40-bit (broken in days)
* Legal challenges to export regulations

FREAK and Logjam
* Exploits published in 2015, can downgrade to old "export-grade" keys
 - Designed to allows NSA to break, but not others with less computing power
* Nowadays 1990s era export-grade public key pairs can be broken in hours with cheap cloud computing
* For more see J. Alex Halderman, Nadia Heninger, Logjam: Diffie-Hellman, discrete logs, the NSA, and you

Code is Speech
* Daniel Bernstein challenges export control of Snuffle crypto program, with EFF help
* Bernstein v. Department of Justice:
"The availability and use of secure encryption may...reclaim some portion of the privacy we have lost.  Gov't efforts to control encryption thus may well implicate not only the First Amendment rights ... but also the constitutional rights of each of us as potential recipients of encryption's bounty."

1990's: Clipper Chip
* Clipper chip was an NSA developed chipset
 - For voice comms
* Used Skipjack encryption algorithm
* Included back door with key escrow

Back doors can be dangerous
* Even a small flaw in a crypto system can lead to catastrophic results

Emily Litvack, Risk Analysis Gone Wrong, Univ. of Ariz. 

"Law Enforcement Access Field"
* 1994: Matt Blaze showed Clipper's 128-bit LEAF contained info needed to recover key.
* 1995: Yair Frankel and Moti Yung publish attack to bypass escrow
* Clipper widely condemned

1990's Policy Debate
* Eerily similar to today

1990's and Now
* FBI DDirector Freeh in 1997:
"[W]e're in favor of strong encryption, robust encryption.  The country needs it, industry needs it.  We just want to make sure we have a trap door and key under some judge's authority where we can get there if somebody is planning a crime."

1990's and Now
* FBI GC Valerie Caproni in 2010:
"They can promise strong encryption.  They just need to figure out how they can provide us plain text."

2010's: Encryption at Scale
* Mobile phones get default encryption for stored data
 -- Apple's iOS8, Google's Android
* More messaging services add default encryption
 -- iMessage, TextSecure, WhatsApp, and more

Data encryption to messages
* Conversation started with device encryption, but quickly moved to end-to-end encryption
* UK PM Cameron: "Are we going to allow a means of communications which it simply isn't possible to read?"
* Not if Cameron has his way

The Empire Strikes Back
* Public and private pressure on companies
* Demonize encryption
* Propose legislation
* Technical attacks

Gov't finds your lack of back doors disturbing
* FBI Director Comey: Why would companies "market something expressly to allow people to place themselves beyond the law?"
* UK PM Cameron: Companies "have a social responsibility to fight the battle against terrorism."
* Focus on companies, large user-bases.

Only a Business Model
* Government have been downplaying corporate support for encryption
 - Comey: "Encryption isn't just a technical feature; it's a marketing pitch"
 - Combined with backroom pressure

Secure Back Door Proposals
* Most common is key escrow
* E.g. Message sent with symmetric key
* Encrypt symmetric key twice
 - Recipient's public key and
 - Escrow agent's public key

For more see Keys Under Doormats
* Breaks if escrow agent's private key compromised
* Single escrow breaks forward secrecy
 - Split keys can mitigate, but add complexity

Can you trust the escrow agent?
* Who would be escrow?
 - Government?  Which one(s)?  Provider?  Third-party?
* Insider risk
* Law enforcement access points
 - Tempting target for criminals and state sponsored attackers
 - For example, Greece wiretapping, Google

What if we re-named back doors?
* Comey: "We aren't seeking a back-door approach.  We want to use the front door"
* Washington Post "a back door can and will be exploited by bad guys, too.  However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key"

The Rule of Cynicism
* Bob Litt, General Counsel of the ODNI:
Encryption debate "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement."

Ok, but what if crypto wasn't involved?
* "We don't know yet, but I think what we're going to learn is that [the attackers] used these encrypted apps, right?"
 - Former CIA deputy director Michael Morell

* Many suggest encryption was to blame
 - Paris attackers actually used plain text SMS
 - San Bernardino actually used direct messages

Fear leads to the dark side
* UK Home Secretary May: "essential to tackle child sexual exploitation, to dismantle serious crime cartels, take drugs and guns off our streets and prevent terrorist attacks."
* US Sen. Feinstein: "product that allows evil monsters to communicate in this way, to behead children, to strike innocents,"

* Many countries are considering legislation that would either
 - mandate backdoors,
 - mandate access to plaintext or
 - endanger encryption

UK Snooper's Charter
* Purport to regulate telecommunications operators all around the world
* Section 189(4)(c): Operators may be obligated to remove "electronic protection" if they provided
 - Could be interpreted to require weakening encryption, holding a key or banning end-to-end

UK Snooper's Charter
* Latest version resented to Parliament in November
 - Currently in committee, which is accepting evidence.
 - Industry and civil society submitted comments

Australia's Defence Trade Controls Act
* Prohibits the "intangible supply" of encryption technologies
* Many ordinary teaching and research activities could be subject to unclear export controls with severe penalties
* International Association for Cryptologic Research organized petition against, signed 100s of experts

India Considers An Encryption Policy
* In September, India released a draft National Encryption Policy
 - Everyone required to store plain text
 - Info kept for 90 days
 - Made available to law enforcement agencies as and when demanded
* Withdrawn after criticism

China's Anti-Terrorism Law
* Passed Sunday
* Draft version required tech companies to hand over encryption codes
* Final version: "shall provide technical interfaces, decryption and other technical support"

US: No Bill to Require Backdoors
* Yet.  Obama "will not --for now-- call for legislation requiring companies to decode messages for law enforcement."
 - SaveCrypto.org: >100k signatures urging Obama to support strong encryption
* Senate Intelligence Committee likely to introduce bill in the coming spring

Trans-Pacific Partnership
* Some report that TPP could contain good news on encryption?
 - Alas, no.
* Provider may not be compelled to give key
 - Only "as condition of sale"
* But provider must still give decrypted content
* TPP still has huge problems throughout

Technical Attacks
* Routing around encryption
* Breaking crypto
* Inserting vulns
* Malware on end point

Attacking Crypto
* BULLRUN: $250 million/year program
 - "Insert vulnerabilities"
 - "influence policies, standards and specifications for commercial public key technologies"
* 2004: NSA paid $10 million to RSA to make DUAL_EC_DRBG default
 - Has costant Q that can be used to backdoor RNG

The Curious Case of Juniper
* Juniper's ScreenOS used DUAL_EC_DRBG
 - But not NSA's default Q.  A new, alternative, Q.
 - Output passed through a second, strong, random number generator
 - But, snippet of code provided raw Dual EC output
  * Allowed attacker to passively break VPN
 - Also included hardcoded password in SSH and Telnet
 - Looks like someone pwned the NSA backdoor

For more see Matthew Green, On the Juniper backdoor.  2015/12/on-juniper-backdoor.html

* If you own the end point, end-to-end encryption does not matter.
* Favorite tool for targeted attacks

How to Fight Back
* Principle
* Public policy
* Pragmatism
* Promotion

* Access to strong encryption is required to effectuate human rights principles
 - Privacy
 - Free expression
* Helps build a brighter future

Universal Declaration of Human Rights
* Article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence...."

Universal Declaration of Human Rights
* Article 19: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

Protecting Human Rights Requires Encryption
* Right to "receive and impart information and ideas through any media," includes encryption
* Code is speech: Freedom of expression must allow for publication of end-to-end crypto systems
 - Especially open source projects
* Protecting against oppressive regimes is more important than maximizing spying

* Weak encryption mostly good for mass, untargeted spying
 - Mass spying less effective, more invasive
* Strong encryption can guarantee real privacy with math
* Strong encryption enables innovation
 - For example, ecommerce, bitcoin

Public Policy
* Forcing companies to compromise security will make everyone less safe
 - Encryption critical for security
* Other governments will make similar demands
* Already in a golden age of surveillance

* It won't work.
 - Open source, free software hard to stop
* Math: Not possible to make encryption simultaneously weak and strong
* Weakening encryption for law-abiding people won't stop terrorists from having strong encryption

* You can help by promoting, creating, improving and using encryption
* Show your friends how to use encryption
* Make censorship resistant crypto tools
 - Open source, wide distribution, reproducible builds

Let's Encrypt
* New certificate authority
* Getting a certificate is now easy and fun
* No more excuses for HTTP

Encrypt the Web
* Responses to the NSA's smiley face
 - Dropbox, Facebook, Google, Microsoft, Twitter, Yahoo and others massively increased encryption
 - Email encryption of billions of messages

Rating Messaging
* Secure Messaging Scorecard

More information about the cryptography mailing list