Securi-Tay IV - Comey Crypto (PDF)
TRANSCRIPT
Comey Crypto
Michael Jack
mikey$ whoami
• Michael Jack
• 2nd Year Ethical Hacking BSc @ Abertay
• Member Abertay Ethical Hacking Society
• I <3 Cryptography
• @MikeyJck
• mikeyjck.io
Few Things
• Not a Lawyer or Cryptographer
• ‘classified/ top secret’ leaked material warning
• Nothing new, all info is public domain
• Objective as possible
What’s all this then?
Correcting Misconceptions
“misconception that building a lawful intercept solution… requires a so-called “back door,” one that foreign adversaries and hackers may try to exploit. But that isn’t true. We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law.”
– James Comey, October 2014
“One is communications data, that is not the content of a phone call. It is just who made which call to which person and when… And what matters, in simple terms is that we can access this data [on all platforms]… I have a very simple principle to apply here… in our country do we want to allow a means of communication that in extremis we can’t read with a signed warrant…”
– David Cameron, January 2015
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
https://s3.amazonaws.com/s3.documentcloud.org/documents/1670893/where-are-these-keys.pdf
❤ Adam Boylan
https://firstlook.org/theintercept/document/2015/02/19/cne-access-core-mobile-networks-2/
• Never roll your own crypto!
• Crypto is a tool not a security silver bullet
• Security of crypto is not binary
Cryptography 101
Modern Cryptography
World War II Crypto
• Enigma (electromechanical)
• Broken by Marian Rejewski
• Continued decryption by Alan Turing et al @ Bletchley Park
Modern Cryptography
• post World War II
• more accurately, 1970s onwards
• NSA, GCHQ, IBM
Modern Crypto - Timeline
• 1971 - IBM Lucifer Block Cipher (Watson Lab)
• 1973 - NBS asks for Data Encryption Standard (DES) designs
• 1973-4 - IBM develop & submit DES candidate
• 1976 - Diffie & Hellman publish “New Directions in Cryptography”
• 1976 - After alterations by NSA, IBM's design chosen as DES
• 1977 - “Method for Obtaining Digital Signatures and Public-Key Cryptosystems” by Rivest, Shamir & Adleman (RSA) @ MIT
• 1984 - RC4 Stream Cipher RSA Labs (Rivest)
• 1991 - Pretty Good Privacy (PGP) Phil Zimmermann
• 1994 - Secure Sockets Layer (SSL) conceived @ Netscape
• 1999 - SSL Standardised by IETF becomes Transport Layer Security (TLS)
• 1999 - NIST wants a successor to DES, asks for public input for Advanced Encryption Standard (AES)
• 1999 - Wired Equivalent Privacy (WEP) uses RC4
• 2001 - NIST approves AES (Rijndael) for use as FIPS 197
• 2004 - Wi-fi Protected Access 2 (WPA2)
Modern Crypto - 2015
• Data at Rest = AES or PGP
• Data in Motion = TLS1.2 or IPSEC
• Data in air = WPA2 or SNOW 3G(?)
math
• factoring integers into primes (RSA)
• discrete log modulo prime (DSA)
• discrete log in elliptic curve groups (ECDH)
Crypto Wars
Export Controls
• 1970s - Crypto is added to US Munitions List (USML)
• USML part of International Traffic in Arms Regulations (ITAR)
• ITAR licensing requires case by case consideration for export of munitions on USML
• Justice Department told White House in 1978 that ITAR restriction on crypto is unconstitutional.
NSA Controls
• 1974 - IBM discover differential cryptanalysis; NSA ask them to keep it secret
• Limit on key size of exported crypto systems
• IBM Notes international version: 64-bit key, 24 bits known to NSA
Clipper Chip
• Announced 1993 by NSA
• Skipjack algorithm + DH for key distribution
• Built-in key escrow :(
• Matt Blaze et al
• US Govt offered export easing if you included key escrow
• Dead by 1996
Export Controls
• December 1996 - Bureau of Export Administration transfers jurisdiction over “commercial encryption products” to the Commerce Department
• Encryption products specifically designed or modified for military use remain subject to ITAR controls.
PRISM/ TEMPORA (3 slides)
https://s3.amazonaws.com/s3.documentcloud.org/documents/813847/prism.pdf
Bullrun & Edgehill
TOP SECRET/ STRAP1
nsa$ whoami
National Security Agency
• 2013 Budget: $10.8B
• $2.5B on data collection
• $1.6B on processing/ exploitation
• Upwards of 40k employees
• Created by Truman in secret 1952
• FISA/ National Security Letters/CALEA
gchq$ whoami
Government Communications HQ
• Originally founded 1919 as GC&CS
• Unique access to backbone infrastructure
• Upwards of 6k employees
• RIPA
Cryptanalysis is good
BULLRUN
• Ability to defeat encryption
• BULLRUN sources “extremely sensitive”
• TLS/ SSH/ OTR/ VPN/ VoIP/ etc
https://s3.amazonaws.com/s3.documentcloud.org/documents/784047/bullrun-guide-final.pdf
www.spiegel.de/media/media-35532.pdf
www.spiegel.de/media/media-35546.pdf
Circa September 2005
National Intelligence Budget 2013
DNI Statement
The Curious Case of the Dual_EC_DRBG
here be backdoors
• RSA accepted $10M from NSA to use Dual EC DRBG as default in BSAFE library (2004/5)
• RSA “relied on guidance from NIST”
• RSA claim they didn’t know it was weakened or contained a backdoor
• Dual_EC_DRBG withdrawn after NIST issues new guidelines, Sept 2013
math
• Constants that define the EC
• should be random
• NIST doesn't say how or where the constants come from
• If these constants were picked specially there is a ‘skeleton key’
• after recovery of 32 bytes of output an attacker can predict DRBG output
On the Practical Exploitability of Dual EC in TLS Implementations
Matt Green, DJB, Tanja Lange et al
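The ‘skeleton key’ the slide describes, as an added toy example that is not from the talk or the paper: a miniature Dual_EC_DRBG over a constructed 14-bit curve, where the party who chose the constants knows e with P = e·Q and can rebuild the next internal state from a single output block (the real generator runs on NIST P-256 and drops 16 bits per block rather than 2). Curve parameters, the secret e and the seed are all constructed for illustration.

```python
# Toy Dual_EC_DRBG over a constructed 14-bit curve: whoever knows e with P = e*Q
# recovers the internal state from one output block and predicts all later output.
P_MOD = 10007              # prime field; p % 4 == 3 makes sqrt a single pow()
A, B = 2, 3                # curve y^2 = x^3 + A*x + B (mod P_MOD), constructed
BITS, TRUNC = P_MOD.bit_length(), 2   # output drops TRUNC top bits (real Dual EC: 16)
MASK = (1 << (BITS - TRUNC)) - 1
def ec_add(p1, p2):        # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD
def ec_mul(k, pt):         # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def lift_x(x):             # a y with (x, y) on the curve, or None if there is none
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == rhs else None

Q = next((x, lift_x(x)) for x in range(1, P_MOD) if lift_x(x))
E_SECRET = 5003            # the skeleton key (constructed): P = E_SECRET * Q
P = ec_mul(E_SECRET, Q)
def dual_ec_step(state):   # one step: s = x(state*P); output = x(s*Q) truncated
    s = ec_mul(state, P)[0]
    return s, ec_mul(s, Q)[0] & MASK

def recover_state(out_i, out_next):
    """Key holder: from block i (block i+1 confirms the dropped-bit guess) get s_{i+1}."""
    for high in range(1 << TRUNC):                   # brute-force the dropped bits
        r = out_i | (high << (BITS - TRUNC))
        y = lift_x(r) if r < P_MOD else None
        if y is None: continue
        # R = s_i*Q, so E_SECRET*R = s_i*P and x(E_SECRET*R) is the next state s_{i+1}.
        # (r, y) and (r, -y) share that x, so the unknown sign of y never matters.
        nxt = ec_mul(E_SECRET, (r, y))
        if nxt and (ec_mul(nxt[0], Q)[0] & MASK) == out_next:
            return nxt[0]
    return None
```

Once `recover_state` returns, every later block is just `dual_ec_step` applied forward; without e the same task is the discrete log in the curve group.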
Sys Admins
• GCHQ/ CSEC venture to ‘automate’ NOC hunting
• identifying sys admins and NOCs
• compromise privileged users, fight smart right?
Countermeasures
• be pissed
• good encryption
• research
• Kerckhoffs 2nd principle
Salty
http://www.spiegel.de/media/media-35535.pdf
http://www.spiegel.de/media/media-35552.pdf
http://www.spiegel.de/media/media-35545.pdf
Conclusion
• Undermining encryption is a terrible plan
• Step the fuck away from our crypto
• Education & discussion
Thanks
Questions?
@MikeyJck
Regin Malware
• ‘nation state’
• US(NSA?) & GCHQ
• months/ years to develop
• designed to gather ‘intelligence’
• focus on remaining undetected
Regin Malware
• ‘nation state’
• NSA & GCHQ
• months/ years to develop
• designed to gather ‘intelligence’
• focus on remaining undetected
Why? UK uses CNE against close ally(s) within the EU
the fuck are Belgacom?
Belgacom - Timeline
• At some point before March 2011 GCHQ had compromised Belgacom with what would later be discovered as Regin
• the name appeared for the first time on the VirusTotal website on March 9th 2011
• Undetected in Belgacom's networks until symptoms in Summer 2012
• June 2013 - after an update, Exchange falls over; Belgacom contact M$, who had no clue?
• Belgacom sys admins suspect a virus, hire Fox-IT
• Belgacom informs authorities & Belgian MI get involved
GCHQ Belgacom Status Reports 😏
April - June 2011
July - Sept 2011
Jan - March 2012
Using Belgacom to ‘seed’
one more thing…
the damage?
• 120 ‘systems’, 70 personal computers
• Backbone cisco routers…
• belgacom got ownd
• Sept 16th PR: “At this stage there is no indication of any impact on the customers or their data,” it said. “At no point in time has the delivery of our telecommunication services been compromised.”