How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)


Regarding this diagram:

http://www.zerohedge.com/sites/default/files/images/user5/imageroot/2013/10/NSA%20google%201.jpg

which is described as follows:

===============
In an NSA presentation slide on “Google Cloud Exploitation,” a sketch
shows where the “Public Internet” meets the internal “Google Cloud”
where their data resides. In hand-printed letters, the drawing notes
that encryption is “added and removed here!” The artist adds a smiley
face, a cheeky celebration of victory over Google security.

Two engineers with close ties to Google exploded in profanity when they
saw the drawing. “I hope you publish this,” one of them said.  
===============

where the SSL encryption is said to be "added and removed" at a
strategic network location, my question is this:

Would the existence of a second key contained within ADVAPI32.DLL
(Windoze security and encryption driver) be instrumental for the NSA to
perform the data interception and decoding being depicted in that
diagram?

If I understand the situation correctly, the existence of a second key,
programmatically labelled as _NSAKEY, has been believed for years to be
embedded in the windows encryption driver for just this purpose.

You can read the full article about the NSA intercepting Google
data-center traffic here:

http://www.zerohedge.com/news/2013-10-30/how-nsa-spies-your-google-and-yahoo-accounts

Second question:  How would the NSA deal with OSX, Android or
Linux-based SSL traffic entering Google's cloud?

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

"Virus Guy" wrote:


Who gives a shit? Not me. If you want to avoid being spied on by
whatever agency then take the appropriate measures, e.g., don't use
free email or cloud providers who can do what they like with your
data. Better still, don't use the internet at all if you're engaged in
nefarious activities.



Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

Ant wrote:


What the hell is wrong with you Ant?

I certainly didn't expect such a juvenile outburst like that from you.

I put forward a cogent technical discussion and you respond like a child
with a tantrum.

This is usenet - where you don't have to respond to a post or a thread
if you don't want to.  You of all people should know that by now.

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

"Virus Guy" wrote:


Calm down. I'm not having a go at you.


Yeah, well I'm well past the mid-life crisis point and old enough to
be going through a second childhood!


But I do want to respond - just not in the way you'd like, perhaps.

My point was, if you got past my initial outburst, that people who use
facilities provided by the likes of google, farcebook, etc should not
expect privacy. After all, that's the real price of using their so-
called "free" services. You are the product being sold to advertisers.
Your privacy is not their concern even though they may appear outraged.

Moreover, anyone using the internet should expect to be spied on by
government spooks; that's what they do. Why is that surprising? In
other words: who cares (gives a shit) if the NSA is reading data feeds
in the intertubes? What do people think national security or spy
agencies do?

Sorry that doesn't address your technical point but it's my reaction
to all this fuss about spying.

As for an NSA backdoor in Windows, I don't buy it. If you can point to
a particular function or export in advapi or code in any other dll or
sys (driver) you think is suspicious I might have a look but I can
only go up to XP SP3. I'm sure others with more time, skill and
inclination have already done this anyway.



Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

On 10/31/2013 05:59 PM, Ant wrote:


Yeah, I don't get it either.  People put their stuff on "free" cloud  
servers and expect it to be secure?  They think that in this age of  
"Homeland Security" the spies have the first clue who the badguys are?  
They don't... they really can't; that they try to spy on everybody in  
hopes of figuring it out should be the obvious conclusion.

"Too Many Secrets" indeed.  I pity the spies who waste their time spying  
on me... death by boredom is just too harsh.

What I really don't get is the US budget, how much is spent on fear and  
how little is spent on having something to be afraid for... I suppose  
that words like "power" and "glory", not to mention "conquest" and  
"supremacy", haven't yet become obsolete within the human lexicon.

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

crankypuss wrote this copyrighted missive and expects royalties:


That may well be all it is at the moment.  But imagine that the locus of
interest starts going beyond looking into the planning of nefarious acts,
and into what your political feelings are.  Or who you're sleeping with.

--  
If *I* had a hammer, there'd be no more folk singers.

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

On Fri, 1 Nov 2013 06:40:09 -0400, Chris Ahlstrom


    It's 2013 and you are still in 2005. No big deal, happens to
me sometimes. Shrinks have a pet word for it, "abnegation".
    ;)
    []'s

--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

On 11/01/2013 04:40 AM, Chris Ahlstrom wrote:

I really don't expect royalties ya know, they're taxable and the US has  
too many military toys already for me to be interested in helping them  
buy more from the ironmongers who already have too much money.


So what?  The boogeyman can get you, so move past that fear.  We all  
face certain death at the end of the tunnel, and you want to spend your  
life squirming because you're scared of the boogeyman, then get to the  
end of the tunnel saying, "well, i should have"?  Young people think  
life will last forever and get involved in all this abstract crap, then  
get T-boned by a semi on their way to the liquor store, oops!  What's  
the boogeyman going to do, solve all my problems with one bullet?  
<snort>  Go ahead, make my day... no more bureaucratic crap dished out  
by goobermint employees, no more worries about anything at all, not even  
any more chances to screw up bigtime, that don't sound too bad all  
things considered.  There are more important things to do in life than  
be the boogeyman's toady.

The only reasons spies can get their greasy paws on encrypted data is  
that (a) people write crap software that lets them reach the files, and  
(b) people follow the rules set up by the spies to ensure that they can  
decrypt the data.  Believe whatever suits you.

I got code to write, so don't expect a whole bunch more responses from  
me on this boring topic.  You'll work it out, and I'll get to write my  
code, and everybody will be fine at the end of the day.  Happy happy happy.

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

FromTheRafters, while unnecessarily full-quoting, wrote:
  

Was that supposed to be an answer to the above question?
  

So you're saying that backdoors were built into the SSL encryption
mechanism of OSX, Android and Linux?

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

On Friday, November 1, 2013 11:09:20 PM UTC+8, Virus Guy wrote:  

Well Virus Guy, now you know how I feel when I posted nearly the same
question, about how HTTPS works, a few years ago.  Lots of belittling of
me, lots of thread hijacks, heat and little light.  Finally, after much
runaround, I got the following: using certificates for HTTPS only ensures
that the people between you and the server you are communicating with
cannot read your message (transport layer security).  But once at the
server, the employees of the server can decrypt your message into
plaintext.  Which is exactly what this NSA slide showed--and the fact that
the NSA had a backdoor into the destination server meant they too could
read in plaintext any HTTPS communications sent to Google.

RL

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

After serious thinking RayLopez99 wrote :

Yep, as I recall I had tried an analogy of two cans and a string. TLS  
is designed to thwart those who attempt to listen in on the string but  
does nothing about those listening in on the cans.



Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

FromTheRafters wrote:
  

And so I ask (you, and everyone else) again:

: Would the existence of a second key contained within ADVAPI32.DLL
: (Windoze security and encryption driver) be instrumental for the
: NSA to perform the data interception and decoding being depicted
: in that diagram?

In other words, for the NSA to insert themselves into the picture so
that they would be one of those "cans", would that require the existence
and use of the so-called second key contained within ADVAPI32.dll on
systems running Windoze?

Can you give a clear(*) answer to that question?

------------

(*) A clear answer includes "yes", "no", "I don't know" and "I'm not
sure".

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

Virus Guy wrote :

If they have access to the computer, they don't need to decrypt the  
session - they can have the plaintext as it is decrypted automatically  
when it leaves the transport layer.


No, but if they have the so-called NSA key they can get the session key  
during the exchange of secrets that comprise the pre-master secret. IOW  
if they have access to the public key cryptography 'private' key of the  
server they can listen to the 'string' because they have all of the  
information needed to build a session key. Why do that if they have  
access to the plaintext though?


I don't know. That would depend on how much understanding you already  
have. The session key is derived from shared secrets and PRNG - the  
secrets are shared covered by Public Key Cryptography. If I'm not  
mistaken, the so-called NSA key is sort of like a key escrow or  
recovery agent mechanism and gives lie to the idea that private keys  
are actually private. Having this key gives you the capability to  
monitor the secret sharing that builds the session key.

Have you got a good URL that explains exactly what the so-called NSA  
key is or does?
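The two points made above (FromTheRafters' cans-and-string analogy, and the explanation that whoever holds the server's private key can watch the exchange that builds the session key) can be shown concretely. The following is an added example, not code from anyone in this thread and not anything to do with what the ADVAPI32 key actually was: it models a TLS handshake with RSA key exchange, where a passive listener holding the server's long-term RSA private key recovers the pre-master secret and therefore the session key, and contrasts it with ephemeral Diffie-Hellman, where the same private key recovers nothing. Everything here is a simplification we chose for illustration: 512-bit toy RSA keys, a 127-bit toy DH group, HMAC-SHA256 standing in for the TLS PRF, no PKCS#1 padding, and function names of our own invention (tls_rsa_handshake, eavesdrop_rsa, eavesdrop_dhe, demo).

```python
"""Added example: passive TLS decryption with the server's RSA private key.
RSA key exchange: the private key decrypts the captured pre-master secret.
Ephemeral DH: the private key only signs parameters; nothing to decrypt.
Toy sizes and a toy key schedule; not real TLS and not code from the thread."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; enough for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)).  Toy size; real servers use 2048+ bits."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def derive_session_key(pre_master, client_random, server_random):
    """Stand-in for the TLS PRF: same three inputs on both sides."""
    return hmac.new(pre_master, client_random + server_random, hashlib.sha256).digest()


def tls_rsa_handshake(server_pub):
    """Client side of RSA key exchange: the client picks the pre-master secret
    and sends it encrypted under the server's long-term public key."""
    n, e = server_pub
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = secrets.token_bytes(48)
    enc_pms = pow(int.from_bytes(pre_master, "big"), e, n)  # toy: no PKCS#1 padding
    wire = {"client_random": client_random, "server_random": server_random,
            "encrypted_pre_master": enc_pms}
    return wire, derive_session_key(pre_master, client_random, server_random)


def server_rsa_key(wire, server_priv):
    """What the server does with the ClientKeyExchange it receives."""
    n, d = server_priv
    pre_master = pow(wire["encrypted_pre_master"], d, n).to_bytes(48, "big")
    return derive_session_key(pre_master, wire["client_random"], wire["server_random"])


# A passive listener with the server's private key does exactly what the
# server does: same captured bytes, same private key, same session key.
eavesdrop_rsa = server_rsa_key

DH_P, DH_G = 2 ** 127 - 1, 5  # toy group; TLS uses 2048-bit+ groups or EC curves


def tls_dhe_handshake():
    """Both sides of ephemeral DH.  The server's RSA key would only sign
    (p, g, g^a) here; it never encrypts the secret."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"client_random": client_random, "server_random": server_random,
            "server_dh_public": A, "client_dh_public": B}
    pms_server = pow(B, a, DH_P).to_bytes(16, "big")
    pms_client = pow(A, b, DH_P).to_bytes(16, "big")
    return (wire, derive_session_key(pms_client, client_random, server_random),
            derive_session_key(pms_server, client_random, server_random))


def eavesdrop_dhe(wire, server_priv):
    """The capture holds g^a and g^b but never a, b or g^ab, and there is no
    RSA-encrypted secret for the private key to open.  Returns None."""
    assert "encrypted_pre_master" not in wire
    return None


def demo():
    pub, priv = rsa_keygen()
    rsa_wire, client_key = tls_rsa_handshake(pub)
    dhe_wire, dhe_client_key, dhe_server_key = tls_dhe_handshake()
    return {"rsa_server_agrees": server_rsa_key(rsa_wire, priv) == client_key,
            "rsa_eavesdropper_gets_key": eavesdrop_rsa(rsa_wire, priv) == client_key,
            "dhe_sides_agree": dhe_client_key == dhe_server_key,
            "dhe_eavesdropper_gets_key": eavesdrop_dhe(dhe_wire, priv) is not None}
```

Calling demo() returns True for the first three entries and False for the last. The design point is the one behind forward-secret cipher suites: with ephemeral key exchange the long-term key only authenticates the handshake, so a recording of the wire plus a later copy of the private key (however it was obtained) is not enough to decrypt the session, whereas with RSA key exchange it is.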



Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

FromTheRafters wrote:
  

See here: http://endswithbeginnings.wordpress.com/tag/nsakey/
(largely reproduced below for your reading pleasure).

See also this:  http://cryptome.org/jya/msnsa-ke.htm

Which provides the complete CAPI key, as does this:

http://en.wikipedia.org/wiki/NSAKEY#Secondary_key_.28_NSAKEY_and_KEY2.29

Doing a web-search for some component of that key - for example, the
first line:

mQCPAzfTdH0AAAEEALqOFf7jzRYPtHz5PitNhCYVryPwZZJk2B7cNaJ9OqRQiQoi

gives many hits - not sure which of them (if any) are useful / relevant.

More technical stuff here:

http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx

And on a slight tangent:

http://bsd.slashdot.org/story/10/12/15/004235/fbi-alleged-to-have-backdoored-openbsds-ipsec-stack

    Aggrajag and Mortimer.CA, among others, wrote to inform us that
    Theo de Raadt has made public an email sent to him by Gregory
    Perry, who worked on the OpenBSD crypto framework a decade ago.
    
    The claim is that the FBI paid contractors to insert backdoors
    into OpenBSD's IPSEC stack. Mr. Perry is coming forward now that
    his NDA with the FBI has expired. The code was originally added
    ten years ago, and over that time has changed quite a bit, "so  
    it is unclear what the true impact of these allegations are" says
    Mr. de Raadt. He added: "Since we had the first IPSEC stack
    available for free, large parts of the code are now found in many
    other projects/products."

The FBI, as it turns out now, seem to be involved in many cases as aids
or agents in terms of getting stuff done for the NSA.

============

http://endswithbeginnings.wordpress.com/tag/nsakey/

Computer security specialists say that the Windows software driver used
for security and encryption functions contains unusual features which
give NSA that backdoor access.

These security specialists have identified the driver as ADVAPI.DLL. It
enables and controls a variety of security functions. These specialists
say that on Windows, it is located at C:\Windows\system directory of
anyone’s computer that uses Windows software.  Nicko van Someren says
the driver contains two different keys.  One was used by Microsoft to
control cryptographic functions in Windows while another initially
remained a mystery.

Then, two weeks ago (circa 1999?) a U.S. security firm concluded that
the second key belonged to NSA. Analysis of the driver revealed that one
was labeled KEY while the other was labeled NSAKEY, according to
sources. The NSA key apparently had been built into the software by
Microsoft, which Microsoft sources don’t deny.

This has allowed restricted access to Microsoft’s source code software
that allows for such programming.

Access to Windows source code is supposed to be highly
compartmentalized, actually making such actions easier because many of
the people working on the software wouldn’t see the access.

Such access to the encryption system of Windows can allow NSA to
compromise a person’s entire operating system. The NSA keys are said to
be contained inside all versions of Windows from Windows 95 OSR2
onwards.

Having such the secret key inside your Windows operating system makes it
“tremendously easier for the NSA to load unauthorized security services
on all copies of Microsoft Windows, and once these security services are
loaded, they can effectively compromise your entire operating system,”
according to Andrew Fernandez, chief scientist with Cryptonym
Corporation of North Carolina.

===============

Deeze posted the following to the forum:

From Heise.de
How NSA access was built into Windows

Duncan Campbell 04.09.1999

Careless mistake reveals subversion of Windows by NSA.

A CARELESS mistake by Microsoft programmers has revealed that special
access codes prepared by the US National Security Agency have been
secretly built into Windows.  The NSA access system is built into every
version of the Windows operating system now in use, except early
releases of Windows 95 (and its predecessors).  The discovery comes
close on the heels of the revelations earlier this year that another US
software giant, Lotus, had built an NSA “help information” trapdoor into
its Notes system, and that security functions on other software systems
had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago
by British researcher Dr Nicko van Someren.  But it was only a few weeks
ago when a second researcher rediscovered the access system.  With it,
he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual
features are contained inside a standard Windows software “driver” used
for security and encryption functions.  The driver, called ADVAPI.DLL,
enables and controls a range of security functions. If you use Windows,
you will find it in the C:\Windows\system directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only
run cryptographic functions that the US governments allows Microsoft to
export.  That information is bad enough news, from a European point of
view. Now, it turns out that ADVAPI will run special programmes inserted
and controlled by NSA.  As yet, no-one knows what these programmes are,
or what they do.

Dr Nicko van Someren reported at last year’s Crypto 98 conference that
he had disassembled the ADVAPI driver.  He found it contained two
different keys.  One was used by Microsoft to control the cryptographic
functions enabled in Windows, in compliance with US export regulations.
But the reason for building in a second key, or who owned it, remained a
mystery.

A second key

Two weeks ago, a US security company came up with conclusive evidence
that the second key belongs to NSA.  Like Dr van Someren, Andrew
Fernandez, chief scientist with Cryptonym of Morrisville, North
Carolina, had been probing the presence and significance of the two
keys.  Then he checked the latest Service Pack release for Windows NT4,
Service Pack 5. He found that Microsoft’s developers had failed to
remove or “strip” the debugging symbols used to test this software
before they released it. Inside the code were the labels for the two
keys.  One was called “KEY”. The other was called “NSAKEY”.

Fernandez reported his re-discovery of the two CAPI keys, and their
secret meaning, to the “Advances in Cryptology, Crypto’99” conference held
in Santa Barbara.  According to those present at the conference, Windows
developers attending the conference did not deny that the “NSA” key was
built into their software.  But they refused to talk about what the key
did, or why it had been put there without users’ knowledge.

A third key?!

But according to two witnesses attending the conference, even
Microsoft’s top crypto programmers were astonished to learn that the
version of ADVAPI.DLL shipping with Windows 2000 contains not two, but
three keys.  Brian LaMacchia, head of CAPI development at Microsoft was
“stunned” to learn of these discoveries, by outsiders.  The latest
discovery by Dr van Someren is based on advanced search methods which
test and report on the “entropy” of programming code.

Within the Microsoft organisation, access to Windows source code is said
to be highly compartmentalized, making it easy for modifications to be
inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to
let US government users of Windows run classified cryptosystems on their
machines or whether it is intended to open up anyone’s and everyone’s
Windows computer to intelligence gathering techniques deployed by NSA’s
burgeoning corps of “information warriors”.

According to Fernandez of Cryptonym, the result of having the secret key
inside your Windows operating system “is that it is tremendously easier
for the NSA to load unauthorized security services on all copies of
Microsoft Windows, and once these security services are loaded, they can
effectively compromise your entire operating system”.  The NSA key is
contained inside all versions of Windows from Windows 95 OSR2 onwards.

“For non-American IT managers relying on Windows NT to operate highly
secure data centres, this find is worrying”, he added. “The US
government is currently making it as difficult as possible for “strong”
crypto to be used outside of the US.  That they have also installed a
cryptographic back-door in the world’s most abundant operating system
should send a strong message to foreign IT managers”. “How is an IT
manager to feel when they learn that in every copy of Windows sold,
Microsoft has a ‘back door’ for NSA – making it orders of magnitude
easier for the US government to access your computer?” he asked.  Can
the loophole be turned round against the snoopers?
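The article quoted above says van Someren located the keys by "advanced search methods which test and report on the 'entropy' of programming code". The idea is simple to demonstrate: compiled code and text use a narrow, skewed byte distribution, while a raw RSA modulus or symmetric key looks uniformly random, so a sliding-window Shannon entropy scan flags the key's location. The code below is an added illustration, not van Someren's tool and not anything extracted from ADVAPI32.DLL: the "DLL image" is constructed from opcode-like filler with a randomly generated 256-byte key embedded at a known offset. It also shows the caveat a practitioner runs into: the same key stored base64-encoded (as in the PGP-style block quoted earlier in this thread) tops out at 6 bits per character and slips under a threshold tuned for raw keys, so the threshold has to be lowered to catch it. All names (find_high_entropy_regions, build_sample, demo) and all sample data are ours.

```python
"""Added example: sliding-window entropy scan for embedded keys in a binary.
The sample image is constructed here; it is not real Windows code."""
import base64
import math
import random


def shannon_entropy(chunk):
    """Bits per byte of the empirical byte distribution in chunk."""
    n = len(chunk)
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(data, window=256, step=32, threshold=6.5):
    """Slide a window over data and return merged [start, end) byte ranges
    whose entropy is at or above threshold.  Machine code and ASCII sit around
    3-6 bits/byte; a raw key or modulus approaches 8, so 6.5 separates them.
    Base64 text cannot exceed 6 bits/char and needs a lower threshold."""
    regions = []
    for off in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1] = (regions[-1][0], off + window)  # extend current run
            else:
                regions.append((off, off + window))
    return regions


def covers(regions, start, end):
    """True if some reported region fully contains [start, end)."""
    return any(s <= start and end <= e for s, e in regions)


def build_sample(key, key_offset=1024, size=4096, seed=1):
    """Constructed stand-in for a DLL: low-entropy opcode-like filler with
    key spliced in at key_offset.  Deterministic via seed."""
    rng = random.Random(seed)
    opcodes = [0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x5D, 0xC3, 0x00, 0x90, 0xE8, 0xFF, 0x48]
    filler = bytes(rng.choice(opcodes) for _ in range(size))
    return filler[:key_offset] + key + filler[key_offset + len(key):]


def demo():
    rng = random.Random(7)
    raw_key = bytes(rng.getrandbits(8) for _ in range(256))  # e.g. a 2048-bit modulus
    b64_key = base64.b64encode(raw_key)                      # same key, PEM/PGP style
    raw_image, b64_image = build_sample(raw_key), build_sample(b64_key)
    return {
        "raw_key_found": covers(find_high_entropy_regions(raw_image), 1024, 1024 + 256),
        "b64_key_missed_at_6.5": find_high_entropy_regions(b64_image) == [],
        "b64_key_found_at_5.5": covers(find_high_entropy_regions(b64_image, threshold=5.5),
                                       1024, 1024 + len(b64_key)),
        "clean_image_quiet": find_high_entropy_regions(build_sample(b"")) == [],
    }
```

On a real PE you would read the file bytes instead of build_sample() and then map any flagged offset back to its section to tell a key apart from compressed resources or packed code, which also score high; the entropy scan narrows the search, it does not identify what the bytes are.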

Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

Virus Guy expressed precisely :

Thanks for the URLs. Here's another.

http://www.cs.uml.edu/~pkrolak/lab18/ExampleMS&NSA/backdoor.asp



Re: How NSA intercepts encrypted Google data-center traffic (using _NSAKEY?)

"Virus Guy" wrote:


Nice speculation. Duncan Campbell is a journalist who loves a good
conspiracy theory.


I've now read this and the links from the wikipedia article and am
pleased to see that Bruce Schneier, a respected security expert, said
the same as I did earlier:

"I don't buy it".
http://www.schneier.com/crypto-gram-9909.html

"why in the world would anyone call a secret NSA key "NSAKEY"?"

Indeed.

MS have said that NSAKEY is a backup key. They also said this:

"Why is the backup key labeled "NSA key"?
 This is simply an unfortunate name. The NSA performs the technical
 review for all US cryptographic export requests. The keys in question
 are the ones that allow us to ensure compliance with the NSA's
 technical review. Therefore, they came to be known within Microsoft
 as "the NSA keys", and this was used as a variable name for one of
 the keys. However, Microsoft holds these keys and does not share them
 with anyone, including the NSA".
http://web.archive.org/web/20000520001558/http://www.microsoft.com/security/bulletins/backdoor.asp

This all happened years ago in 1999 and since then the US have relaxed
their strong-crypto export restrictions.


