Four days after the BULLRUN disclosure in the Guardian, the New York Times, and ProPublica, the practitioner community is, finally, having the conversation about commercial encryption that should have followed DigiNotar in 2011 but was instead deferred. The Snowden documents that Glenn Greenwald, Jeff Larson, and Nicole Perlroth published last Thursday describe two coordinated programmes — BULLRUN at the NSA, Edgehill at GCHQ — running at substantial scale ($250 million per year for BULLRUN, according to the documents) with the explicit purpose of defeating the commercial encryption used on the public internet. The methods listed in the documents are the ones the cryptographic-research community has been worrying about for years: working with vendors to insert backdoors, weakening cryptographic standards in the standards process, supercomputer cryptanalysis against specific algorithms, and exploiting implementation flaws in the encryption products in widest use. The combination is operationally substantial, and the implications for the privacy-and-encryption methodology I have been writing for the past year are direct.

The Dual_EC_DRBG confirmation is the part that has produced the loudest reaction in the cryptographic community. Niels Ferguson and Dan Shumow noted at the CRYPTO 2007 rump session that the elliptic-curve constants in the NIST SP 800-90A specification of Dual_EC_DRBG appeared to admit a backdoor — that whoever chose those constants could, given the right side-channel, recover the internal state of the random-number generator and thus predict its output. The observation was made publicly. NIST kept the algorithm in the standard. RSA Security used it as the default in their BSAFE library. The community discussed it as a theoretical concern that nobody could prove was an actual backdoor. The BULLRUN documents are now the proof, or at least proof of intent: the NSA worked with NIST to standardise a cryptographic primitive whose constants they had chosen and which they could break. NIST has, this week, reopened public review of Dual_EC_DRBG and the related standards. Whether they actually withdraw it remains to be seen. The damage to NIST's reputation as a neutral cryptographic-standards body is not recoverable in the short term.
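A toy-curve illustration of the Ferguson and Shumow observation, added here as an example and not code from the original post, from NIST, or from any BSAFE material. Everything in it is constructed for the demonstration: the prime, the curve, the base point Q, the seed, and the multiplier E_SECRET that turns Q into P. The generator emits the whole x-coordinate rather than the truncated value the real specification produces, and the curve is far too small for any real use. What it shows is what an unexplained constant buys the party who chose it: if P was derived from Q by a multiplier nobody published, a single output is enough to recover the next internal state, and the check a standards reviewer should have demanded is a public derivation of both points.

```python
# Toy Dual_EC-style generator on a constructed small curve, showing what the chooser of the
# constants P and Q can do when P = e*Q for a multiplier e they kept to themselves.
# Prime, curve, base point, seed and secret multiplier are all constructed for this example.

P_MOD = 2**31 - 1           # a prime with P_MOD % 4 == 3, so square roots are one exponentiation
A = 7
B = (5 * 5 - 3**3 - A * 3) % P_MOD   # chosen so that Q = (3, 5) lies on y^2 = x^3 + A*x + B
assert (4 * A**3 + 27 * B**2) % P_MOD != 0   # the constructed curve is non-singular
INF = None                  # the point at infinity


def ec_add(p1, p2):
    """Affine point addition over F_P_MOD (textbook formulas; this is a demonstration, not a library)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    if pt is INF:
        raise ValueError("toy generator hit the point at infinity")
    return pt[0]


def lift_x(x):
    """Return a curve point with the given x-coordinate (either sign of y), or None if there is none."""
    rhs = (x**3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == rhs else None


# Public constants of the toy generator.  Q is an ordinary base point; P was produced from Q
# with a multiplier E_SECRET that is *not* published.  That unpublished relation is the backdoor.
Q = (3, 5)
E_SECRET = 123456789          # constructed; known only to whoever chose the constants
P = ec_mul(E_SECRET, Q)


class ToyDualEC:
    """State update s <- x(s*P); output r = x(s*Q).  The real design truncates r; this toy does not."""

    def __init__(self, seed):
        self.s = seed

    def next_output(self):
        self.s = x_coord(ec_mul(self.s, P))
        return x_coord(ec_mul(self.s, Q))


def predict_next(e, observed_output):
    """What the holder of e learns from one output: the generator's next state and next output."""
    r_point = lift_x(observed_output)          # r_point = +/- (s*Q); the sign does not matter below
    next_state = x_coord(ec_mul(e, r_point))   # e*(s*Q) = s*(e*Q) = s*P, which is exactly the next state
    return next_state, x_coord(ec_mul(next_state, Q))


def demo(seed=0x1234567):
    gen = ToyDualEC(seed)
    r1 = gen.next_output()                     # the one output an observer sees
    predicted_state, predicted_r2 = predict_next(E_SECRET, r1)
    r2 = gen.next_output()                     # what the generator actually emits next
    return {"observed": r1, "actual_next": r2, "predicted_next": predicted_r2,
            "state_recovered": predicted_state == gen.s}


if __name__ == "__main__":
    print(demo())
```

The step that makes this work is the line `ec_mul(e, r_point)`: without e, turning an output back into the next state means computing a discrete logarithm on the curve, which is the problem the generator's security is supposed to rest on. Two points generated independently and verifiably at random carry no such shortcut; two points with no published derivation cannot be told apart from this case, which is why the constants' provenance, not the algebra, is the thing to audit.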

The wider implication is the one I keep coming back to. The defensive engineering case I have been making since Petraeus, and which sharpened through PRISM and Tempora and Lavabit over the summer, is that the trust chain that runs through commercial encryption is itself a target. BULLRUN is the documentary confirmation that this is not a theoretical concern. The list of techniques in the documents — working with vendors, weakening standards, exploiting implementations — is exactly the list the cryptographic community has been worrying about, and it is now confirmed as operational practice. Bruce Schneier worked with Greenwald on the document analysis and his commentary at Schneier on Security has been the most useful day-by-day analysis as the documents continue to land.

For the engagement work, the post-BULLRUN conversation has been about which cryptographic primitives and which implementations can be defended on the assumption that the standards process and the major vendors are inside the threat model. The honest answer in 2013 is shorter than I would like. AES is probably fine — it was a public competition, the design is open, the rationale for parameter choices is documented, the analysis is extensive. RSA with adequate key length is probably fine — the mathematics is in the public domain, the implementations have been scrutinised for two decades. ECC is mostly fine if the curves chosen are not the NIST curves with unexplained parameters; Bernstein and Lange's Curve25519 is the closest thing to a community-validated alternative. Hash functions: SHA-256 and SHA-512 are probably fine, SHA-1 is fading regardless. Pseudo-random number generators: not Dual_EC_DRBG, not anything else with parameter choices that are not publicly justified. The list of "not", as a result of the past week, is longer than the list of "yes".
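What "parameter choices that are publicly justified" means in practice, as an added example that is not code from the original post: SHA-256's initial hash values are specified as the first 32 bits of the fractional parts of the square roots of the first eight primes, and its round constants as the same for the cube roots of the first sixty-four primes. The block below re-derives both tables from that rule with nothing but integer arithmetic, builds SHA-256 from the derived tables, and checks the result against the platform's hashlib on a few messages; agreement means the constants in the shipped implementation are exactly the ones the published rule produces, which is the kind of check that cannot be run on Dual_EC_DRBG's P and Q because no rule for them was ever published. The primes, the derivation rule and the hash function are the standard ones; the sample messages are constructed.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF


def first_primes(n):
    """The first n primes by trial division (plenty for 64)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % q for q in primes if q * q <= c):
            primes.append(c)
        c += 1
    return primes


def icbrt(n):
    """Floor of the cube root of an integer n >= 1, by Newton's method from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def derive_constants():
    """SHA-256's published rule: H from square roots of the first 8 primes, K from cube roots of
    the first 64, each taken as the first 32 bits of the fractional part."""
    primes = first_primes(64)
    h_init = [math.isqrt(p << 64) & MASK for p in primes[:8]]   # floor(sqrt(p) * 2^32) mod 2^32
    k_round = [icbrt(p << 96) & MASK for p in primes]            # floor(cbrt(p) * 2^32) mod 2^32
    return h_init, k_round


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256_with(message, h_init, k_round):
    """FIPS 180-4 SHA-256, driven by whatever constant tables are supplied."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)
    h = list(h_init)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16L", padded[off:off + 64]))
        for i in range(16, 64):
            s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + k_round[i] + w[i]) & MASK
            t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(struct.pack(">L", x) for x in h)


SAMPLES = [b"", b"abc", b"x" * 200]   # constructed inputs; the 200-byte one forces several blocks


def constants_match_published_rule():
    """True iff the tables derived from the stated rule reproduce hashlib's SHA-256 on every sample."""
    h_init, k_round = derive_constants()
    return all(sha256_with(m, h_init, k_round) == hashlib.sha256(m).digest() for m in SAMPLES)


if __name__ == "__main__":
    print("SHA-256 constants reproduce from the published rule:", constants_match_published_rule())
```

The same shape of check applies to any primitive whose designers wrote down where their numbers came from: re-derive, re-run, compare. Where the derivation is absent, as it was for the Dual_EC_DRBG points, there is nothing to re-derive and the primitive has to be judged on trust in whoever picked the values.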

For the SOC build, the BULLRUN material is not directly actionable in the detection sense — we cannot detect at the SOC level whether NSA has subverted a vendor's product — but it is changing the engagement-team material on which products to recommend to clients. The recommendations are now more cautious, more grounded in cryptographic-community consensus rather than vendor marketing, and more explicit about what the trust chain actually rests on. This is a structural change in the kind of advice we give; the change has been a long time coming and BULLRUN is the moment that pushed it through the engagement-team review.

The wider piece I have been outlining for two months is, finally, about half-finished. I think it will land in October, after the engagement-team review has caught the obvious mistakes. The post-BULLRUN moment is, in some ways, the cleanest single illustration the piece needs. The argument I have been working on — that the commercial security infrastructure and the state-level surveillance infrastructure are in many places the same infrastructure — is now the argument that the primary documents make on my behalf.

The next post is probably the Adobe breach, which broke quietly in late August and which is now turning out to be much larger than the initial disclosure suggested — the customer-count was revised upward to thirty-eight million yesterday, and the source-code component is also being analysed publicly. Or whatever Snowden material lands next; the pace of disclosure has not slowed.
