
  2. 14

    User diafygi from HN also provides these useful links:

    The full list of documents: http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html

    The CCC stream of the lecture by Poitras and Appelbaum: http://streaming.media.ccc.de/relive/6258/

    The actual lecture starts 15 minutes into the stream, and its introduction juxtaposes General Alexander’s 2012 DEFCON talk with what we know now. The intro alone is powerful and I’m currently watching through the rest of the lecture.


    Some notes from the lecture:

    • At 34:30 or so, Appelbaum states that in approximately three weeks additional stories will be released documenting specific forms of malware and how the information gathered with that malware is shared (presumably amongst Five Eyes).
    • At 40:00, Appelbaum begins discussing SSH and SSL/TLS. It is implied that SSH isn’t owned, but that the Five Eyes go to great lengths to attack the implementations and to store the ciphertext. They then either brute-force it or else attempt to obtain key material later.
    • At 46:00, Appelbaum reveals that they have released the first FISA intercepts that are utilized by other executive bodies via parallel reconstruction (this appears to be one such document, along with a comforting message: “No decrypt available for this PGP encrypted message.”).
    • At 49:00, Appelbaum shows one such FISA intercept, with the comforting message “No decrypt available for this OTR encrypted message” found in the chatlogs collected via PRISM.
    • At 49:40 or so, Appelbaum indicates that OTR works, and that the NSA et al. are unable to break the encryption itself.
    • At 51:25 or so, Appelbaum indicates the same thing with PGP.
    • At 54:00, Appelbaum starts detailing that the NSA et al. view the following as “catastrophic” to their mission:
      • Redphone and Signal
      • Tails and Tor
      • OTR
      • PGP
    • At 56:00, Appelbaum mentions a program called TUNDRA, which appears to have “a handful of cryptanalytic attacks on AES”. No further indication on what these are, save that they can’t straight-up break it. Presumably, some of the recent cache poisoning attacks might come to mind.
    • At 1:03:00, questions begin.
    • At 1:04:35, question from the internet: “What should we do about SSH?” Appelbaum essentially reiterates that he doesn’t have direct evidence of attacks on the protocol itself, but that there is evidence that the NSA claims it has several attacks on SSH (presumably, on implementations). Appelbaum mentions the NIST curves, and really anything coming from a governmental standards body. He states that the NSA regards their involvement in undermining these standards as “top secret”, implying that such undermining is likely a large part of their work in attacking SSH.
    • At 1:15:10, audience question: “Is there a minimum keylength that you [Appelbaum] would consider unsafe?” Appelbaum mentions the GCHQ’s supercomputing resources, and how they could handle 640-bit keys with ease in 2011-2012. Anything less than 1024-bit is definitely a problem, but Appelbaum also indicates that you are not just encrypting for “today” but also for “50 years from today.” Appelbaum uses 4096-bit RSA keys kept on a hardware token.
    • At 1:16:45, Appelbaum continues: “make it harder for them to target you for surveillance in the first place.” When you can:
      • Utilize Tor.
      • Utilize ephemeral keys whenever you can so they can’t steal the key material and decrypt later.
      • Take a look at elliptic curves.
      • Utilize only free-as-in-freedom software.
    • At 1:17:40, Appelbaum summarizes: “Free software with software implementations with large keys. When you can, protocols that allow for ephemeral keying and/or PFS. Things like Pond, OTR, Redphone, GPG is also powerful even with the caveat of not having ephemeral keying.”
    • At 1:19:00, the talk ends.
    1. 3

      The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH).

      This suggests that they are not able to decrypt all SSH connections. It would be great to know what SSH configurations/options are secure against the NSA.

      1. 3

        My snide reply would be “SSHv2.”

        But it’s possible it’s a subset of that.