New NSA leaks: does crypto still work?

Matthew Green's got an excellent postmortem on the huge dump of NSA documents that Der Spiegel published last weekend.

Some of the new leaks imply that the NSA is able to compromise core cryptographic Internet protocols like TLS and IPsec. This is scary news indeed: if the underlying mathematics of crypto are compromised, then in some important sense, all bets are off. But as Green shows, the NSA does not appear to be attacking the math: instead, it has infiltrated and subverted big companies in order to steal their private keys (the certificates themselves are public; it is the private key that lets an eavesdropper unwrap the session keys). That means the companies can't be trusted, but the math can be (probably).

And, as Green points out, this militates in favor of free/open codebases, which are transparent in critical ways that commercial firms struggle with.

The new documents don't tell us much we didn't already know, but they do confirm the basic outlines of the attack. The first portion requires endpoints around the world that are capable of performing the raw decryption of SSL/TLS sessions provided they know the session keys. The second is a separate infrastructure located on US soil that can recover those session keys when needed.

All of the real magic happens within the key recovery infrastructure. These documents provide the first evidence that a major attack strategy for NSA/GCHQ involves key databases containing the private keys for major sites. For the RSA ciphersuites of TLS, a single private key is sufficient to recover vast amounts of session traffic — in real time or even after the fact.

The interesting question is how the NSA gets those private keys. The easiest answer may be the least technical. A different Snowden leak gives some reason to believe that the NSA may have relationships with employees at specific named U.S. entities, and may even operate personnel "under cover". This would certainly be one way to build a key database.

But even without the James Bond aspect of this, there's every reason to believe that NSA has other means to exfiltrate RSA keys from operators. During the period in question, we know of at least one vulnerability (Heartbleed) that could have been used to extract private keys from software TLS implementations. There are still other, unreported vulnerabilities that could be used today.

On the new Snowden documents [Matthew Green]
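Green's two-part picture (capture endpoints that only need session keys, plus a key-recovery side that holds a site's RSA private key) follows directly from how the RSA ciphersuites of TLS negotiate keys: the client picks the premaster secret and sends it to the server encrypted under the server's RSA public key, and everything else the key derivation mixes in travels in the clear. The block below is an added illustration, not code from Green's post, from Boing Boing, or from any leaked document. It assumes textbook RSA with no PKCS#1 padding, an HMAC stand-in for the TLS PRF, a SHA-256 keystream XOR in place of the record cipher, and a toy key built from two well-known Mersenne primes so it runs with the standard library alone; the names `tls_rsa_session` and `passive_recover` are mine.

```python
"""Toy model of why one stolen RSA private key unlocks TLS_RSA sessions.

Added illustration, not code from Green's post or from any NSA document.
Assumed simplifications: textbook RSA with no PKCS#1 padding, an HMAC
stand-in for the TLS PRF, and a SHA-256 counter-mode XOR in place of the
record-layer cipher.
"""
import hashlib
import hmac
import secrets

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes

# Toy server key built from two publicly known Mersenne primes so the block
# needs no key generation. Real keys must never be built this way.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the private exponent a key database would hold


def rsa_encrypt(m: bytes) -> bytes:
    """Textbook RSA: c = m^e mod N (real TLS adds PKCS#1 v1.5 padding first)."""
    c = pow(int.from_bytes(m, "big"), E, N)
    return c.to_bytes((N.bit_length() + 7) // 8, "big")


def rsa_decrypt(c: bytes, d: int) -> bytes:
    """Recover the 48-byte premaster secret; a wrong key yields a huge integer."""
    m = pow(int.from_bytes(c, "big"), d, N)
    if m.bit_length() > PREMASTER_LEN * 8:
        raise ValueError("decrypted value is not a premaster secret")
    return m.to_bytes(PREMASTER_LEN, "big")


def derive_session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: every input except the premaster is public."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy record cipher: XOR with a SHA-256(key || block counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def tls_rsa_session(plaintext: bytes) -> dict:
    """Run one TLS_RSA-style exchange and return exactly what a passive tap sees."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = b"\x03\x03" + secrets.token_bytes(46)
    client_key_exchange = rsa_encrypt(premaster)  # this is what goes on the wire
    key = derive_session_key(premaster, client_random, server_random)
    return {
        "client_random": client_random,
        "server_random": server_random,
        "client_key_exchange": client_key_exchange,
        "record": stream_xor(key, plaintext),
    }


def passive_recover(capture: dict, private_exponent: int):
    """The key-recovery side: no MITM, works on a capture in real time or years later."""
    try:
        premaster = rsa_decrypt(capture["client_key_exchange"], private_exponent)
    except ValueError:
        return None  # wrong key: nothing recoverable from the transcript
    key = derive_session_key(premaster, capture["client_random"], capture["server_random"])
    return stream_xor(key, capture["record"])


if __name__ == "__main__":
    tap = tls_rsa_session(b"GET /account HTTP/1.1\r\nCookie: session=secret\r\n")
    print(passive_recover(tap, D))
```

Nothing in `passive_recover` touches the live connection: the capture can sit on disk indefinitely and be opened the day the key arrives, which is the "after the fact" property Green describes. The contrast worth keeping in mind is an (EC)DHE ciphersuite, where the server's RSA key only signs its ephemeral share; the same stolen key would let an attacker impersonate the server in an active attack, but a stored transcript contains nothing it can decrypt.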