PRISM && Excited Guardianista

[Peter Fairbrother]

On 12/06/13 11:17, James Firth wrote:
> Bending the discussion a bit to crypto, I've seen questions on my Twitter
> stream about Kasper's talk at OrgCon this weekend. Slides:
> http://www.openrightsgroup.org/assets/files/pdfs/presentations/How_to_wireta
> p_the_Cloud_without_anybody_noticing_ORGcon_8.6.2013.pdf
>
> Specifically on slide 16, NSA capability to collect all cross-border
> traffic.

I don't know for sure that GCHQ can do the same, but it would be lawful 
if a warrant to do it has been issued by the Foreign Secretary - and as 
historically, GCHQ are known to have tapped all telephone traffic 
entering of leaving the UK, so I imagine nowadays they actually do 
intercept almost all internet traffic entering or leaving the UK.

Quite how much of it they look at is another question, but I imagine 
they can look at anything they please.

There are a couple of hints about that in RIPA, especially section 16.

> And slide 17 "(FISA §1881a) reaches inside the SSL!"

I think Caspar is saying that US law can require IPSs, websites like 
Google, Facebook etc, the Banks, Cloud providers, and anyone else, to 
assist in decrypting SSL traffic. Which it can.

In other words, the websites, banks and clouds could be required to give 
out plaintext anyway, so the use of SSL wouldn't achieve much.

> I suspect Kasper may have been referring to PRISM collection *bypassing*
> SSL, however does anyone have a feeling on whether FISA could be used to
> compel a CSP to hand-over private SSL keys to be able to decrypt this
> cross-border traffic?

It could.

However the Websites, Banks and Clouds would raise a stink about giving 
up their master SSL certificate keys, as they are also used to identify 
the websites, banks and clouds to USPersons.

Instead they might prefer to give up SSL session keys, and/or forward 
secrecy data.

They might use a different certificate for nonUSPerson traffic, and give 
NSA that private key.

> Also I remember late in 2011 Google started using forward secrecy:
> http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-
> term-with.html
>
> FS would, in theory at least, make knowledge of the private key somewhat
> moot.
>
> Or would it?

It should to some extent, if Google create the FS secrets randomly, 
don't give them out, and destroy them as soon as they have been used.

However as an example, Google could/would in any case keep a note of the 
time and sender's IP and what they searched for anyway, plus which links 
were clicked, which data could be demanded - so in reality FS doesn't do 
all that much.

> Knowledge of the system architecture, being able to watch the secondary key
> exchange, and the possibility - likelihood - of the NSA having custom kit
> (D-wave quantum computer, anyone?) opens the possibility that sessions can
> be decoded with workable overhead.

I think it possible that NSA have the capability to break 1kbit RSA, if 
only at a rate of a few keys per week - but after a few weeks they would 
have keys to about 99% of the web's non-FS SSL traffic.


If they can do that then most likely they can also break FS 1kbit DH, 
again at a few primes per week, but as SSL only uses a few primes.


A D-Wave machine wouldn't help though, it's the wrong kind of Quantum 
Computer (if it is a QC - it seems to be, but I'm not entirely sure) and 
doesn't seem to give much if any speedup over classical computers anyway.


-- Peter Fairbrother