How is the NSA breaking SSL?

If you’ve been following the news about government spying, you should know by now, thanks to information revealed by Edward Snowden, that the USA’s National Security Agency (NSA) and UK’s Government Communications Headquarters (GCHQ) have been going gangbusters on the infrastructure that underpins Internet security.

Through programs like Bullrun and Edgehill, both spy agencies have likely been breaking SSL at will for a long time. But how exactly are they doing it?

Unless somebody with direct knowledge of the programs is willing to talk, all we can do is speculate. Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, MD, USA, has done just that, discussing all the possible means that the spy agencies break SSL. Here’s what he wrote about one of those methods – weakening random number generators:

…The security of TLS depends fundamentally on the availability of unpredictable random numbers. Not coincidentally, tampering with random number generator standards appears to have been a particular focus of NSA’s efforts.

Random numbers are critical to a number of elements in TLS, but they’re particularly important in three places:

  1. On the client side, during the RSA handshake. The RNG is used to generate the RSA pre-master secret and encryption padding. If the attacker can predict the output of this generator, she can subsequently decrypt the entire session. Ironically, a failure of the server RNG is much less devastating to the RSA handshake.**
  2. On the client or server side, during the Diffie-Hellman handshake(s). Since Diffie-Hellman requires a contribution from each side of the connection, a predictable RNG on either side renders the session completely transparent.
  3. During long-term key generation, particularly of RSA keys. If this happens, you’re screwed.

And you just don’t need to be that sophisticated to weaken a random number generator. These generators are already surprisingly fragile, and it’s awfully difficult to detect when one is broken. Debian’s maintainers made this point beautifully back in 2008 when an errant code cleanup reduced the effective entropy of OpenSSL to just 16 bits. In fact, RNGs are so vulnerable that the challenge here is not weakening the RNG — any idiot with a keyboard can do that — it’s doing so without making the implementation trivially vulnerable to everyone else.

The good news is that it’s relatively easy to tamper with an SSL implementation to make it encrypt and exfiltrate the current RNG seed. This still requires someone to physically alter the library, or install a persistent exploit, but it can be done cleverly without even adding much new code to the existing OpenSSL code. (OpenSSL’s love of function pointers makes it particularly easy to tamper with this stuff.)

If tampering isn’t your style, why not put the backdoor in plain sight? That’s the approach NSA took with the Dual_EC RNG, standardized by NIST in Special Publication 800-90. There’s compelling evidence that NSA deliberately engineered this generator with a backdoor — one that allows them to break any TLS/SSL connection made using it. Since the generator is (was) the default in RSA’s BSAFE library, you should expect every TLS connection made using that software to be potentially compromised.

And I haven’t even mentioned Intel’s plans to replace the Linux kernel RNG with its own hardware RNG.

Interesting stuff. If this type of material tickles your fancy, read the complete article here.

Related Posts

How To Make Python Run As Fast As Julia Editor: Julia is a dynamic programming language for technical computing known for its speed and performance. It's like R, but less popular. Julia v...
Announcing Kunjika, a Free Software Stack Overflow clone Kunjika is a modern question and answer forum application that aims to give users the same features available on Stack Overflow. It is the brain-child...
Design a secure and usable communication tool, win a prize This article was originally written for and posted at EFF's website under the title Designing a Prize for Usable Cryptography. It's been reproduced he...
Privacy International announces the “Eyes Wide Open” project Eyes Wide Open is a new project from Privacy International, a UK Charity. The goals of the project are to: 1. Pry open the Five Eyes arrangement an...
Plasma Media Center 1.1 and digiKam 3.3 Plasma Media Center 1.1 was released today August 20, while digiKam 3.3 was released on August 6. Plasma Media Center is a promising media center appl...
SteamOS Beta 1.0 is released The first pre-stable edition of what will become SteamOS 1.0 has been released. That is SteamOS 1.0 Beta. But be warned, as this beta release is no...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*