Saturday, September 14, 2013
Snowden revelations throw authentication of messages into disarray
by Larry Geller
The NSA meddling with encryption algorithms means you can’t trust that a transaction from your bank is indeed from your bank anymore. This is seldom spoken of, but is clear fallout from the Edward Snowden revelations.
Authentication and encryption are two intertwined technologies that help to insure that your data remains secure. Authentication is the process of insuring that both ends of the connection are in fact who they say they are. This applies not only to the entity trying to access a service (such as an end user) but to the entity providing the service, as well (such as a file server or Web site). Encryption helps to insure that the information within a session is not compromised. This includes not only reading the information within a data stream, but altering it, as well.
[Microsoft TechNet, Authentication and Encryption]
Set aside for the moment that this explanation comes from Microsoft, which has been revealed to have installed “back doors” in Windows operating systems to defeat the security they talk about above (see: NSA Back Doors Get Microsoft Windows Excluded From Procurement in Germany, Techrights.org, 8/22/2013).
The sequential revelations dribbling out via the Guardian newspaper and several other European and American news outlets have demonstrated not only that the NSA is storing and sharing data and phone calls of ordinary Americans, but that it has worked with companies such as Microsoft to bypass the security of encryption.
So NSA supercomputers may be able to read anything, including supposedly secure bank transactions, private medical data, and proprietary corporate secrets. Some revelations point to the NSA engaging in industrial espionage. Add to that the vulnerability built into the Windows operating system you may be using to read this article (or to check your bank balance) and we have a breakdown in data security.
What has not been widely spoken of is the damage to authentication. Why is that important?
Let’s say President Obama receives a messenger from Al Qaida in the oval office. The messenger drops a CD on the president’s desk and then departs. On the CD is a message for Obama from Russian President Putin. Huh? Can this be real??
If the message can be shown to be authentic, it doesn’t matter how questionable the delivery method is, the contents can be trusted.
It could be a sailor dropping off a message from Fidel Castro, or the US ambassador to Iraq communicating via carrier pigeon to Secretary of State Kerry. It could be a message from Syria delivered by space aliens. My point is that powerful encryption means that a message can be authenticated no matter how it came.
Those are wild examples, but authentication is necessary for something as simple as allowing your bank to believe you are asking to withdraw funds and not someone else.
So now we know that the NSA has caused “back doors” to be installed, and that they have compromised encryption algorithms previously relied upon to be secure.
For sure, there are hackers all around the world inspecting their own Windows computers to try to discover how they, themselves, can take advantage of the security holes that Microsoft has gifted to them. Indeed, some of the details are already known:
Computer security specialists say the Windows software driver used for security and encryption functions contains unusual features the give NSA the backdoor access.
The security specialists have identified the driver as ADVAPI.DLL. It enables and controls a variety of security functions. The specialists say that in Windows, it is located at C:\\Windows\system.
Specialist Nicko van Someren says the driver contains two different keys. One was used by Microsoft to control cryptographic functions in Windows while another initially remained a mystery.
Then, two weeks ago, a U.S. security firm concluded that the second key belonged to NSA. Analysis of the driver revealed that one was labeled KEY while the other was labeled NSAKEY, according to sources. The NSA key apparently had been built into the software by Microsoft, which Microsoft sources don’t deny.
[WND, NSA has total access via Microsoft Windows, 06/23/2013]
While there are many who hold that NSA snooping won’t affect them because they have done nothing wrong, they don’t understand that insecure systems can be accessed by others who are now looking for the backdoors and flaws in the algorithms that the NSA has caused to be created.
Even our smartphones can be compromised and perhaps invaded by outsiders who are hard at work learning how to do that. Believe it—someone in a foreign country would love to take over your smartphone, and the loss of authentication may mean that your phone believes the intruder is legit.
Security programs log multiple intrusion attempts to your home desktop computer each day even if you are not aware of them. The Internet permits ranges of IP addresses to be “scanned” looking for open ports or other security loopholes. Don’t think that a hacker equipped with knowledge of these backdoors won’t find your computer or your phone—they will.
A Business Insider article suggests that:
[The Windows 8] operating system is outright dangerous for data security.
It allows Microsoft to control the computer remotely through a built-in backdoor. Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.
[Business Insider, LEAKED: German Government Warns Key Entities Not To Use Windows 8 Over Links To The NSA, 8/27/2013]
It’s not clear why they fingered the “Chinese.” It would seem that backdoors would be accessible to anyone, anywhere in the world.
Can you protect yourself? Maybe not, on a Windows 8 computer. The article describes the difficulty:
Windows governs TPM 2.0 [the Trusted Platform Module chip]. And what Microsoft does remotely is not visible to the user. In short, users of Windows 8 with TPM 2.0 surrender control over their machines the moment they turn it on for the first time.
The next person to withdraw money from your stock fund account could well be a 15 year-old kid in Kazakhstan.
Links to this post: