Editor’s Note: The founder of FreemansPerspective.com, Paul Rosenberg, has spent many years trying to protect Internet users from unjustified surveillance by groups like the NSA. He is part of the team at Cryptohippie, who offer something called a Virtual Private Network (VPN). It’s a service that helps its users avoid tracking by the snoops.
However, it’s just come to light that many such “protection” services have been compromised themselves. Lest people think Cryptohippie has suffered the same fate, he’s asked us to publish a clarification on just how Cryptohippie protects its users – and indeed, what you should look for before using such a service yourself.
– Thomas Anderson
On September 5th, 2013, Glenn Greenwald and others, writing in the Guardian, the New York Times and ProPublica, revealed that the NSA had circumvented or cracked much of the encryption used on the Internet. Cryptographer Bruce Schneier published his commentary on the same day.
Below, we explain why you need not worry about your Cryptohippie service, but first, here is a short list of what was reported:
- Some technology companies and Internet providers cooperate with the NSA to weaken encryption. The documents speak of inserting “secret vulnerabilities” and of “covertly influencing product designs.”
- GCHQ, the NSA’s British counterpart, had been developing ways into the encrypted traffic of Hotmail, Google, Yahoo and Facebook.
- Encrypted traffic is recorded and later decrypted wherever the agencies have obtained the keys, whether by cooperation, by hacking into the servers that hold them, or by cryptanalysis.
- Some of these attacks target key exchange (the step in which two parties agree on the key that encrypts a session) and the certificate authorities that vouch for keys, large public CAs such as Symantec, Comodo and GoDaddy.
- GCHQ’s decryption program set an initial target of 30 types of VPN (Virtual Private Network) and aims at 300 by 2015.
- The NSA has capabilities against HTTPS (used to protect online shopping and banking) and against voice-over-IP.
- Encryption is still effective, if used well. As Edward Snowden said, “Properly implemented strong crypto systems are one of the few things that you can rely on.”
It appears the NSA and GCHQ are specifically targeting “certificate authority” services. A certificate authority (CA) signs certificates that bind a public key to a name; every browser and VPN client that relies on the public PKI is configured to accept what these CAs sign.
In particular, it seems that the NSA is colluding with, intimidating or subverting these companies.
Why Cryptohippie Remains Safe
None of the leaks so far have changed anything in our threat assumptions. Almost all of this has been assumed among industry professionals, and we have done a few things from the beginning to keep such problems at bay. Specifically:
- We run our own certificate authority (CA). No public CA’s signature is ever accepted for our servers.
- We separate server keys from client keys: a client certificate is marked for client use only and can never pass as a server.
- We force clients to verify that the key they are talking to is a server key, and that it is signed by our CA and by no other CA.
- We do not allow users to generate their own keys; every key is generated and issued on our side.
- We generate all keys with a known-good generator.
- We rely on static asymmetric keys only for authentication, not for negotiating the session keys that encrypt content. For that we use Diffie-Hellman (DH) to generate fresh, ephemeral session keys for each connection, so a later compromise of a static key does not expose traffic that was recorded earlier.
- We use a good random source on the servers (a combination of hardware and software sources, checked with the FIPS statistical randomness tests).
- Because the server contributes its own good randomness to every DH exchange, no session key is ever repeated or predictable from the server side, even when the user’s computer cannot provide good quality randomness itself. One caveat a careful reader should keep in mind: if a client’s random source is so weak that an attacker can actually recover the client’s DH secret, that client’s sessions are exposed regardless of what the server does, so the client-side generator still matters.
In other words, our network remains highly secure.
Our public-facing website is less secure: there we have to use a certificate from a public CA, because visitors’ browsers trust nothing else. That matters very little, since no non-public data is attached to that site at all.
Our mail servers have the same certificate issue, but only on the public-facing side, not internally. This does not affect our security either: mail sent out of the Cryptohippie (CH) network has never been protected from the NSA; only mail that stays inside our network, to and from other Cryptohippie users, is.
The long-term implication for Cryptohippie is that we may face the day when they come knocking, or come hacking. So far, all goes well for us.
The bosses at the NSA apparently see this as absolutely necessary for the survival of the United States. (The fact that it survived for 200 years prior is ignored.) One of their documents, from 2007, says this:
In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs. It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.
In other words, they are obsessed with this, and see it in the starkest possible terms. We’re not sure whether this is just rah-rah talk for the techies who work for them, or whether they really believe it (which would border on mental illness), but it is very dangerous. There’s no worse tyrant than one who believes he’s righteous.
The implications for the Internet community in general are these:
- Do not use a VPN unless it runs its own private PKI, that is, its own CA, rather than relying on public certificate authorities.
- Do not trust public certificate authorities.
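The two rules above, and the first three points of the list under “Why Cryptohippie Remains Safe”, come down to checks a client can actually perform. The following is an added example written for this page with the openssl command-line tool, not Cryptohippie’s own tooling: it builds a private CA, issues a server certificate and a client certificate with different extendedKeyUsage values, and shows which certificates a client that verifies “chains to our CA” and “is a server certificate” accepts. The CA names, the host name vpn.example and the user name are placeholders.

```shell
#!/bin/sh
# Added illustration (not Cryptohippie's code): a private CA, server and client
# certificates with distinct roles, and the check a VPN client must make.
# "Example Private VPN CA", "Some Other CA", vpn.example and user-0001 are
# placeholders chosen for this example.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Explicit request config, so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' \
  > "$WORK/req.cnf"

# A self-signed root: the operator's own CA, never a public one.
make_ca() {  # make_ca <name> <CN>
  openssl req -x509 -batch -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# A leaf certificate whose extendedKeyUsage fixes what it may be used for.
issue() {  # issue <ca> <name> <CN> <serverAuth|clientAuth>
  openssl req -new -batch -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' \
    "$4" > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# The client-side check: the chain must end at OUR CA (-no-CApath keeps the
# system CA directory out of it) and the leaf must be marked for server use.
accept_as_server() {  # accept_as_server <cert.pem>  -> OK | REJECTED
  if openssl verify -purpose sslserver -no-CApath -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

# The weaker check that stops at "signed by our CA" and ignores the role.
accept_chain_only() {  # accept_chain_only <cert.pem>  -> OK | REJECTED
  if openssl verify -no-CApath -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

make_ca ca    "Example Private VPN CA"
make_ca other "Some Other CA"              # stands in for any CA that is not ours
issue ca    server vpn.example serverAuth
issue ca    client user-0001   clientAuth
issue other rogue  vpn.example serverAuth  # right name, wrong issuer

echo "our server cert, full check  : $(accept_as_server "$WORK/server.pem")"
echo "client cert posing as server : $(accept_as_server "$WORK/client.pem")"
echo "other CA's cert for our name : $(accept_as_server "$WORK/rogue.pem")"
echo "client cert, chain-only check: $(accept_chain_only "$WORK/client.pem")"
```

The fourth line of output is the reason for separating server keys from client keys: a client that stops at “signed by our CA” would accept any enrolled user’s certificate as the server, so one user could sit in the middle of another user’s connection. The purpose check closes that hole, and the third line shows that a certificate for the correct host name from any other CA, a public one included, is rejected outright. OpenVPN exposes the same purpose check as the remote-cert-tls server option; other clients have their own switch for it.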
This may be a little technical, but we want to be clear on so serious a matter. Here’s what we see at the moment:
- From the data we have, both from Snowden and from other sources, plus our own experience, the base algorithms are secure.
- The NSA is doing exactly what has been asserted among professionals for some time: subverting certain software, systems and providers, then promoting them as the ones to use.
- Several of the protocols in use, or at least certain of their implementations, are insecure, not just by accident but also by design.
- The global public key infrastructure is broken.
- Some key-generation implementations have been tweaked to produce keys that can be cracked more easily. That has happened by accident in the past (the 2008 Debian OpenSSL bug left only a few tens of thousands of possible keys), but the NSA seems to have done it on purpose, and there are good hints as to which implementations are subverted.
- The NSA’s plan, as we read it, is: give up on controlling cryptography itself (infeasible); do not rely on breaking the algorithms (too expensive, or impossible); subvert products and standards, then push the subverted ones; and kill off what is not subverted.
- The NSA has active capabilities to intercept and intrude into many connections. This requires a lot of equipment, which is already in place around the world.
- We can still protect communications within a closed group that runs its own keys and its own CA.
- Public communication over the clearnet without a secure key exchange is broken, likely beyond repair. It is almost impossible to roll out an alternative to X.509 on a global scale.
- This might lead to a push for a general overhaul of the Internet’s security infrastructure.
Here’s what key authentication means:
To connect the owner of a key to that key, most systems today use a trusted third party for verification. To trust the verifications of such a party, you must trust three particular things:
- That the trusted party is acting faithfully, is not deceiving you, and has not itself been deceived.
- That the signature system is unbroken; that is, both the signature algorithm and the hash function used in it are secure.
- That the signed key itself is secure: that the private key has not leaked, and that it cannot be derived from the public key that was signed.
That leads you to questions (and answers) like the following. We have omitted the complicated discussion of hashing.
- Is the trusted party trustworthy? (No. In our view, most public CAs cannot be trusted.)
- Is the trusted party competent? (Some are; others are not.)
- Is the signature algorithm secure? (Yes, the signature algorithms in common use are secure.)
- Can the private key be derived from the public key? (That depends on how the key was generated. With a weak random number source, keys can be factored or guessed, and we have seen many such attacks in the past few years.)
- Is the private key secret? (Clearly many private keys are being handed to the NSA, or stolen.)
An authenticated key exchange is only secure if you can answer “yes” to ALL of the above questions. Clearly, we can’t, in most cases today. The math is generally good, but the implementations and organizations are not.