Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Crypto, the NSA, and Broken Trust

Even as a child I was fascinated by cryptography – and often left the local librarians with puzzled looks thanks to the books I would check out. It’s so elegantly simple, and yet massively complex. There is one very unusual property of crypto though – it’s not about math or modes, it’s about trust.

Cryptography, especially as used today, has the most wonderful dichotomy of trust; on one hand crypto, by its very nature, is used in situations lacking trust. On the other hand, to use crypto – you have to trust it.

But what is it? #

This is where it gets interesting – let’s say you download GPGTools, what is the chain of trust?

Here are some of the assumptions you make:

  • The installer hasn’t been tampered with by your ISP, their upstream providers, GPGTools’ hosting company – all of this is before you even get to the people who publish the software! (And we know this is being done.)
  • The computer that built the binaries was free of malware, or other backdoors.
  • The source code hadn’t been modified, without the knowledge of the developers.
  • The developers haven’t modified the code to add backdoors or otherwise weaken it.
  • The compiler, and other libraries are free of backdoors or other modifications that would alter the resulting binaries.

I could keep going, there’s more – but this gives an idea of how many things you have to trust, not just for every application – but every update of every application.

You could compile everything yourself of course (if its open source that is) – but that only eliminates some of these issues. You still have to trust the code, you still have to trust the developers.

Well, you could audit the code. If you know what you’re doing – in a few weeks you might actually get to the point of installing it. Which of course there will be a new update by then.

Can’t we fix this? #

Some of it, yes – maybe. The Tor project is working on deterministic builds, which would allow others to verify that the released binary was built from a specific revision of the source code. This is really quite impressive, and something I truly applaud them for.

But, that doesn’t lessen the trust you place in the developers and the code – is it actually secure? Are the even competent to be doing this work? Are there bugs in the PRNG or key negotiation that could render the system pointless? There’s still a level of trust required.

What about the standards? #

We know that the government has sought to backdoor or weaken systems in the past – from things like the Clipper chip; enforcing illogical export restrictions, and trying to enact laws that mandate backdoors (CALEA II). Now, we know that after losing the Crypto Wars of the past, they have been clandestinely doing the same things.

The single biggest things that you have to trust are the protocols and algorithms – they are the most complicated, and only a very small number of people are qualified to audit them. If the protocol has deliberate flaws, or there is a backdoor in the algorithm – then your efforts to encrypt may be for nothing.

It’s all about trust #

I’m a big fan of taking the “trust no one” position (and myself least of all), but in the world of cryptography – it’s not that easy. Every step of the way you have to trust something.

Some say, “trust but verify” – and I agree, but full verification is a dream that will never come true. There aren’t enough qualified eyes, and there is far too much code involved.

With so many dependencies, so many places something malicious could be injected – it’s almost overwhelming to think about. In my eyes though, the first, and most important step, is helping people to understand the chain of trust. If you understand what you are trusting, you can ask better questions.

There is no real answer here – this is simply how it is. If you use cryptography (and you aren’t a true cryptographer), then you’re taking a leap of faith. If you didn’t compile all of the tools you use – it’s an even bigger leap.

[N.B. This article was planned before the Bullrun story broke; but in light of these recent events, I’ve updated and published this ahead of schedule.]

Adam Caudill


Related Posts

  • Worried about the NSA? Try AES-512!

    …or, The Cost of Wild Speculation. “We need to boost our security – I think the NSA has broken everything we use. AES-256 is too weak, I don’t trust it. Find a way to implement AES-512.” Double-AES-256! It’d be easy, and double encrypting has never bitten us before. So, let’s write some code! def encrypt(msg, iv, key) return e(e(msg, iv, key.slice(0..31)), iv, key.slice(32..63)) end def decrypt(cipher, iv, key) return d(d(cipher, iv, key.

  • OPSEC, The NSA, and You

    It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.

  • Crypto Front Door: Everyone Welcome!

    For decades, the US Government has fought — sometimes with itself — to prevent the use of secure cryptography. During the first crypto war, they allowed strong cryptography within the US, but other countries were limited to small keys — making brute force attacks practical. But what about those pesky US citizens? They didn’t really want them to have strong crypto either — enter key escrow. What is key escrow? According to Wikipedia:

  • The Evolution of Paranoia

    That researchers from Kaspersky Lab uncovered malware that uses hard-drive firmware has now been throughly discussed — perhaps too much for some people. It’s not exactly Earth-shattering news either, the idea has been discussed for years, and has been publicly demonstrated. Brandon Wilson and I were even working proof of concept for SSD controllers to demonstrate this based on our BadUSB work. This isn’t about that story, exactly. This is about paranoia, and how it has changed over the last few years — and even the last few months.

  • Making Android NSA-Proof

    As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite! Too extreme? Tools & Tips Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.