More like this

Security

Tor de farce: NSA fails to decrypt anonymised network

Turn that frown upside down and do the happy dance

A new round of NSA documents snatched by master blabbermouth Edward Snowden appeared online late on Sunday, revealing spooks' internet security pet hates.

The latest dump of PDFs published by Der Spiegel appeared to show what the Five Eyes surveillance buddies – the USA, the UK, Australia, Canada and New Zealand – see as obstacles posed by internet security protocols.

While it's clear that the docs may well be out of date given that they cover the 2010 to 2012 period, they offer some interesting nuggets about how spies have attempted to break strong encryption online.

An 18-page, redacted file (PDF) dated 13 June 2011, for example, goes into tantalising detail about "A potential technique to deanonymise users of the TOR network".

It reveals that spooks at Britain's eavesdropping nerve centre GCHQ believed that they could unmask Tor.

The document marked "UK TOP SECRET STRAP1 COMINT" reads:

We have shown a technique that can deanonymise TOR web-browsing given packet times between the client and guard node and packet times from the exit node filtered to a single circuit. The false positive rate looks low enough to suggest this technique should be carried forward.

The required data is not collected at present. For this technique to work the following additional data feeds will be required:

  • Second-accurate packet logging at TOR exit nodes we control with packets labelled by a unique circuit identifier.
  • Second-accurate packet logging of sessions between TOR clients and TOR guard nodes. This data could be obtained by SIGINT [signals intelligence] or by running guard nodes. The SIGINT solution would require an up-to-date feed of TOR "consensus" documents; TOR IP addresses could then be extracted from the "consensus" documents for filtering by the SIGINT system.

At the time of writing JTRIG [Joint Threat Research Intelligence Group] are investigating the collection of the exit node data and ICTR-FSP are trialling a feed of guard node data from research bearers.

The g-men concluded that "wider testing" was needed to get a better handle on the "false positive rate". It recommended that Brit spooks should try to deanonymise JTRIG TOR usage as a first step.

Another GCHQ slide summarised (PDF) why the anonymised network was such a nuisance to government snoopers.

"Very naughty people use Tor", it said, before adding "Hidden Services hide the fact web content even exists!", "Near impossible to figure out who is talking to who", and "It's complicated".

Elsewhere, the documents revealed plenty of fear and loathing about attempts to decrypt the likes of PGP (still secure), AES (under attack but no definitive proof that it was compromised by spooks) and OTR (secure, but the software implementing it was found to be buggy and exploitable).

Shared secret keys or passwords need to be obtained before the VPN and SSL protocols can be decrypted. For VPN this would involve, say, hacking into a victim's router or PC, or slapping a court order on a company's sysadmin.

For SSL, someone could, say, through various means obtain a trusted CA root's private key and use it to issue their own certificates for malicious servers masquerading as legit HTTPS websites. Pinned certs and signature-checking plugins can be used to detect the aforementioned man-in-the-middle attack.

An NSA slide suggested that SSH had also been successfully attacked by security agencies by revealing what appeared to be a database of obtained SSH keys/passwords.

It has long been known that Skype has been thoroughly owned by the NSA and it clearly should never be used by anyone with sensitive sources. Similarly, there were no surprises about the fact that PPTP is broken.

Mostly business as usual, then, with spooks either seizing upon known vulns or stolen keys. ®

Chris Williams contributed to this story.

Sponsored: Global DDoS threat landscape report