SecurityKISS targeted by the NSA
On December 28th 2014 Der Spiegel published the article disclosing new Snowden documents on the NSA attack capabilities against encrypted systems.
In particular the article exposed the mechanisms of the attacks against VPNs and showed that SecurityKISS was the target.
This is disturbing but not surprising.
Since June 2013 there was no doubt that the NSA and GCHQ harvested massive amounts of SSL/TLS and VPN traffic, even if they were not able to decrypt it at that time. The new documents from December 2014 revealed more details but also posed more questions.
SecurityKISS the target
We do not have access to the more detailed documents where SecurityKISS is actually mentioned and it is hard to make definitive statements. However we would like to clear up some confusion that may result from the reading Der Spiegel article that says among others:The NSA also targeted SecurityKISS, a VPN service in Ireland. The following fingerprint for XKEYSCORE, the agency's powerful spying tool, was reported to be tested and working against the service:
fingerprint('encryption/securitykiss/x509') = $pkcs and ( ($tcp and from_port(443)) or ($udp and (from_port(123) or from_por (5000) or from_port(5353)) ) ) and (not (ip_subnet('10.0.0.0/8' or '172.16.0.0/12' or '192.168.0.0/16' )) ) and 'RSA Generated Server Certificate'c and 'Dublin1'c and 'GL CA'c;
which may be interpreted in many ways.
First let's clarify what is XKEYSCORE
XKEYSCORE is a complicated multi component database and search engine and it is hard to determine its real scope. According to the previously disclosed NSA documents XKEYSCORE holds raw and unselected communications traffic for relatively short time (full-take content for 3-5 days, metadata for 30 days)
Next let's define what the fingerprint is. In this context fingerprint is a set of parameters that allow identify interesting traffic. Once identified it may be filtered out from the stream of data. The attached sample shows that SecurityKISS OpenVPN traffic was of high interest to the NSA. The fingerprint parameters match exactly the protocols and port numbers of SecurityKISS OpenVPN instances.
This only proves that the OpenVPN traffic coming to SecurityKISS servers is a high-value target worth storing. It does not prove or exclude the possibility that cryptoanalysis techniques were used against it later.
The wider context
The new documents show that various allegedly secure protocols are targeted including PPTP, IPsec, SSL/TLS and SSH.
It begs the question: "Is crypto completely broken? Does it make sense to use it anymore? Is there any hope?"
Before we try to find evidence in the released documents let's imagine that we are on the other side and consider possible methods of attack:
- Steal the key
- Sabotage and exploit implementation bugs
- Break fundamental mathematics
The NSA documents demonstrate that simplicity is the key both in cryptography and cryptanalysis.
It turns out that even such powerful and skilled adversary as the NSA uses the most naive and supposedly most efficient method: stealing keys. How do they do it?
The first answer is least technical. Previous Snowden documents give reason to believe that the NSA has relationships with employees at specific named U.S. entities, and even operate personnel "under cover". They help to build the keys database.
The second answer has the technical aspect. The NSA can actively attack routers involved in the communication process to get to the keys to unlock the encryption rather than trying to break it. There is a separate program for it called Tailored Access Operations. One of the documents says: "TAO got on the router through which banking traffic of interest flows". Many routers still run the proprietary firmware what makes it easier to hide the backdoors through which the router configuration with Pre-Shared Keys is leaking.
The second attack method "Sabotage and exploit implementation bugs" is widely used by the NSA and GCHQ. Examples can be found in the description of the BULLRUN program.
The leaked documents give no evidence of attacks on mathematics. AES, RSA, Diffie-Hellman, ECDH, ECDSA remain cryptographically strong primitives. The alarming titles suggesting that RSA or other cryptosystems were broken are in fact showing attacks on weak implementations and not on base algorithms.
As pointed out in the article some higher level applications like PGP, OTR, ZRTP also remain unscathed.
Most of the VPN related documents disclosed on December 28th elaborate on the capabilities of passive and active attacks on the IPSec protocol.
Why the NSA was so much focused on IPSec?
IPsec may owe this particular interest to its popularity especially in the corporate and government environment.
Another reason may be the ease with which they could steal the keys. It is mentioned many times in the documents that IPsec traffic collecting can be assisted by the offensive Tailored Access Operations (TAO) to retrieve keys from the router configurations.
Nothing suggests that IPsec itself was broken as a protocol. This is the key fragment from the document on TURMOIL APEX programs.
IPSec describes a suite of protocols for creation of VPN tunnels between devices. IKE is the protocol used to exchange cryptographic parameters and establish a secure tunnel. ESP is the protocol that performs the packet-by-packet encryption. A wide variety of algorithms of varying strengths may be used within IPSec. CES generally requires the packets from both sides of an IKE exchange and knowledge of the associated pre-shared key (PSK) in order to have a chance of recovering a key for the corresponding cipher (ESP). A major goal of APEX is to access two sides of key exchanges for traffic of interest.
This is probably the most scary fragment of the Der Spiegel article:
The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH)
It is hard to overstate the significance of SSH and its potential vulnerability. While SSL/TLS is the protocol used for secure web browsing, SSH is the protocol for server administration. While exploiting SSL/TLS means that we lose confidentiality of communication, the compromised SSH means that the attacker gains total control over the machine.
Fortunately the disclosed documents do not support that claim. There is only one slide devoted to SSH. It lacks details and it basically says about the potential of recovering user names and passwords if the NSA can find the keys.
We also need to remember that SSH is safe as long as the SSH fingerprints are manually verified. The question is how many server administrators actually check the SSH fingerprint when connecting to the machine for the first time?
Performing the man-in-the-middle attack when fingerprint verification is neglected does not require neither advanced cryptoanalysis nor special resources. It's a feature of the SSH protocol. The most obvious vulnerability comes not from the protocol fault but from its misuse.
We don't know if this is the attack vector used by the NSA against SSH. Hopefully the new documents that are supposed to be released the following weeks will shed some more light.
Is it safe to use SecurityKISS now?
OpenVPN traffic is collected by the NSA like everything else but there is no evidence that the OpenVPN tunnels were broken. That's why we recommend using OpenVPN.
Unlike other VPN providers we don't use user names and passwords for OpenVPN. Instead we use the individual private keys and certificates embedded in the program. It means that the basic NSA attack method, which is stealing secrets, cannot be used because the keys are not sent in the activation emails.
The above does not rule out the possibility of other attacks. We can never be certain about security especially when confronted with such powerful adversary like the NSA.
Also it is worth to remember about the fundamental limitation of the VPN: it creates the encrypted tunnel only between your device and the VPN server. Further the data must be forwarded decrypted. Otherwise destination services would not understand a byte.
If the critical confidentiality is required between two entities please use end-to-end encryption like PGP (but be aware that using PGP exposes tons of metadata).
The underlying crypto works. The math is adamant. It does not mean that we are secure unless we better guard the keys, use only open source implementations endorsed by high reputation people from the community and be more careful in the operational practices.--------------------------