The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.
However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.
The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.
There’s No Hard Evidence That Law Enforcement is Actually “Going Dark”
In both hearings the witnesses representing law enforcement trotted out scary hypothetical situations and terrifying anecdotes about how encryption could stifle investigations and let “bad guys” go free. But when asked by Senators if they had any actual numbers on how often strong encryption thwarted investigations, neither Director Comey nor DAG Yates had any idea.
Both tried to duck the question by claiming that it was like “proving a negative.” But counting each time a law enforcement officer can’t access data because of encryption (or even just thinks they won’t be able to access data, without actually trying) doesn’t seem that difficult.1
The only actual number mentioned was from Manhattan District Attorney Vance, who said that his office had encountered locked iPhones 74 times. A spokesperson for his office told Wired that this was over 9 months, and that the office handles approximately 100,000 cases in the course of a year. This means the office encountered encryption in less than 0.1% of cases. That doesn’t sound like “going dark” is really a particularly pressing problem—especially since DA Vance didn’t bother to explain how any of the 74 encrypted iPhones that his office encountered actually stood in the way of a successful prosecution.
It is now possible to send end-to-end encrypted group, text, picture, and video messages between Signal on iPhone and TextSecure on Android, all without SMS and MMS fees.
When crypto researchers set out to discover the best way to undermine encryption software, they did so believing it would help them eradicate backdoors in the future. Here’s what they found.
Alex Stamos (AS): “Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…
Mike Rogers (MR): That would be your characterization. [laughing]
AS: No, I think Bruce Schneier and Ed Felton and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.
MR: I’ve got a lot of world-class cryptographers at the National Security Agency.
AS: I’ve talked to some of those folks and some of them agree too, but…
MR: Oh, we agree that we don’t accept each other’s premise. [laughing]
kreuzaderny