[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Feds put heat on Web firms for master encryption keys

this is fucking disgusting

(I am sorry, I had to say that)

why do the big US companies bother with encryption anymore...

On Thu, Jul 25, 2013 at 10:19 AM, Eugen Leitl <[email protected]> wrote:
> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
> http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
> Feds put heat on Web firms for master encryption keys
> Whether the FBI and NSA have the legal authority to obtain the master keys
> that companies use for Web encryption remains an open question, but it hasn't
> stopped the U.S. government from trying.
> Declan McCullagh by Declan McCullagh  July 24, 2013 4:00 AM PDT
> Large Internet companies have resisted the government's demands for
> encryption keys requests on the grounds that they go beyond what the law
> permits, according to one person who has dealt with these attempts.
> (Credit: Declan McCullagh)
> The U.S. government has attempted to obtain the master encryption keys that
> Internet companies use to shield millions of users' private Web
> communications from eavesdropping.
> These demands for master encryption keys, which have not been disclosed
> previously, represent a technological escalation in the clandestine methods
> that the FBI and the National Security Agency employ when conducting
> electronic surveillance against Internet users.
> If the government obtains a company's master encryption key, agents could
> decrypt the contents of communications intercepted through a wiretap or by
> invoking the potent surveillance authorities of the Foreign Intelligence
> Surveillance Act. Web encryption -- which often appears in a browser with a
> HTTPS lock icon when enabled -- uses a technique called SSL, or Secure
> Sockets Layer.
> "The government is definitely demanding SSL keys from providers," said one
> person who has responded to government attempts to obtain encryption keys.
> The source spoke with CNET on condition of anonymity.
> The person said that large Internet companies have resisted the requests on
> the grounds that they go beyond what the law permits, but voiced concern that
> smaller companies without well-staffed legal departments might be less
> willing to put up a fight. "I believe the government is beating up on the
> little guys," the person said. "The government's view is that anything we can
> think of, we can compel you to do."
> A Microsoft spokesperson would not say whether the company has received such
> requests from the government. But when asked whether Microsoft would turn
> over a master key used for Web encryption or server-to-server e-mail
> encryption, the spokesperson replied: "No, we don't, and we can't see a
> circumstance in which we would provide it."
> Google also declined to disclose whether it had received requests for
> encryption keys. But a spokesperson said the company has "never handed over
> keys" to the government, and that it carefully reviews each and every
> request. "We're sticklers for details -- frequently pushing back when the
> requests appear to be fishing expeditions or don't follow the correct
> process," the spokesperson said.
> Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not
> received requests for encryption keys from the U.S. government or other
> governments. In response to a question about divulging encryption keys,
> Feinberg said: "We have not, and we would fight aggressively against any
> request for such information."
> Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner
> Cable, and Comcast declined to respond to queries about whether they would
> divulge encryption keys to government agencies.
> Encryption used to armor Web communications was largely adopted not because
> of fears of NSA surveillance -- but because of the popularity of open,
> insecure Wi-Fi networks. The "Wall of Sheep," which highlights passwords
> transmitted over networks through unencrypted links, has become a fixture of
> computer security conventions, and Internet companies began adopting SSL in
> earnest about three years ago.
> "The requests are coming because the Internet is very rapidly changing to an
> encrypted model," a former Justice Department official said. "SSL has really
> impacted the capability of U.S. law enforcement. They're now going to the
> ultimate application layer provider."
> An FBI spokesman declined to comment, saying the bureau does not "discuss
> specific strategies, techniques and tools that we may use."
> NSA director Keith Alexander, shown here at a Washington, D.C. event this
> month, has said that encrypted data are "virtually unreadable."
> (Credit: Getty Images)
> Top secret NSA documents leaked by former government contractor Edward
> Snowden suggest an additional reason to ask for master encryption keys: they
> can aid bulk surveillance conducted through the spy agency's fiber taps.
> One of the leaked PRISM slides recommends that NSA analysts collect
> communications "upstream" of data centers operated by Apple, Microsoft,
> Google, Yahoo, and other Internet companies. That procedure relies on a FISA
> order requiring backbone providers to aid in "collection of communications on
> fiber cables and infrastructure as data flows past."
> Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in
> 2006 (PDF) that he met with NSA officials and witnessed domestic Internet
> traffic being "diverted" through a "splitter cabinet" to secure room 641A in
> one of the company's San Francisco facilities. Only NSA-cleared technicians
> were allowed to work on equipment in the SG3 secure room, Klein said, adding
> that he was told similar fiber taps existed in other major cities.
> But an increasing amount of Internet traffic flowing through those fiber
> cables is now armored against surveillance using SSL encryption. Google
> enabled HTTPS by default for Gmail in 2010, followed soon after by
> Microsoft's Hotmail. Facebook enabled encryption by default in 2012. Yahoo
> now offers it as an option.
> "Strongly encrypted data are virtually unreadable," NSA director Keith
> Alexander told (PDF) the Senate earlier this year.
> Unless, of course, the NSA can obtain an Internet company's private SSL key.
> With a copy of that key, a government agency that intercepts the contents of
> encrypted communications has the technical ability to decrypt and peruse
> everything it acquires in transit, although actual policies may be more
> restrictive.
> One exception to that rule relies on a clever bit of mathematics called
> perfect forward secrecy. PFS uses temporary individual keys, a different one
> for each encrypted Web session, instead of relying on a single master key.
> That means even a government agency with the master SSL key and the ability
> to passively eavesdrop on the network can't decode private communications.
> Google is the only major Internet company to offer PFS, though Facebook is
> preparing to enable it by default.
> Even PFS isn't complete proof against surveillance. It's possible to mount a
> more advanced attack, sometimes called a man-in-the-middle or active attack,
> and decode the contents of the communications.
> A Wired article in 2010 disclosed that a company called Packet Forensics was
> marketing to government agencies a box that would do precisely that. (There
> is no evidence that the NSA performs active attacks as part of routine
> surveillance, and even those could be detected in some circumstances.)
> The Packet Forensics brochure said that government agencies would "have the
> ability to import a copy of any legitimate key they obtain (potentially by
> court order)." It predicted that agents or analysts will collect their "best
> evidence while users are lulled into a false sense of security afforded by
> Web, e-mail or VOIP encryption."
> With a few exceptions, even if communications in transit are encrypted,
> Internet companies typically do not encrypt e-mail or files stored in their
> data centers. Those remain accessible to law enforcement or the NSA through
> legal processes.
> Leaked NSA surveillance procedures, authorized by Attorney General Eric
> Holder, suggest that intercepted domestic communications are typically
> destroyed -- unless they're encrypted. If that's the case, the procedures
> say, "retention of all communications that are enciphered" is permissible.
> Valerie Caproni, who was the FBI's general counsel at the time this file
> photo was taken, told Congress that the government needs "individualized
> solutions" when "individuals who put encryption on their traffic."
> (Credit: Getty Images)
> It's not entirely clear whether federal surveillance law gives the U.S.
> government the authority to demand master encryption keys from Internet
> companies.  "That's an unanswered question," said Jennifer Granick, director
> of civil liberties at Stanford University's Center for Internet and Society.
> "We don't know whether you can be compelled to do that or not."
> The government has attempted to use subpoenas to request copies of encryption
> keys in some cases, according to one person familiar with the requests.
> Justice Department guidelines say subpoenas may be used to obtain information
> "relevant" to an investigation, unless the request is "unreasonably
> burdensome."
> "I don't know anyone who would turn it over for a subpoena," said an attorney
> who represents Internet companies but has not fielded requests for encryption
> keys. Even a wiretap order in a criminal case would be insufficient, but a
> FISA order might be a different story, the attorney said. "I'm sure there's
> some logic in collecting the haystack."
> Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation,
> challenged the notion that current law hands the government the power to
> demand master encryption keys. Even with a FISA order for the private key,
> Opsahl said, the amount of technical assistance that a company must provide
> to the NSA or other federal agencies "has a limit."
> Federal and state law enforcement officials have previously said encrypted
> communications were beginning to pose an obstacle to lawful surveillance.
> Valerie Caproni, the FBI's general counsel at the time, told a congressional
> hearing in 2011, according to a transcript:
>  Encryption is a problem, and it is a problem that we see for certain
> providers... For individuals who put encryption on their traffic, we
> understand that there would need to be some individualized solutions if we
> get a wiretap order for such persons... We are suggesting that if the
> provider has the communications in the clear and we have a wiretap order,
> that the provider should give us those communications in the clear.
> "One of the biggest problems with compelling the [private key] is it gives
> you access to not just the target's communications, but all communications
> flowing through the system, which is exceedingly dangerous," said Stanford's
> Granick.
> Update, 11:40 a.m. PT: Adds additional comments from a Facebook
> representative saying the company has not received such requests.
> Disclosure: McCullagh is married to a Google employee not involved with this
> issue.