Four Questions For: Jean-Philippe Aumasson

Long term, who wins: the cryptographers or the code breakers?
Nobody breaks codes anymore, strictly speaking. When you hear about broken crypto, it’s most of the time about bugs in the implementation or about the use of insecure algorithms. For example, the DROWN attack that just won the Pwnie Award for Best Cryptographic Attack at Black Hat USA exploits weaknesses in: 1) a protocol already known to be shaky, and 2) an algorithm already known to be insecure. So we’ve got unbreakable crypto, we just need to learn how to use it.
What innovations in cybersecurity should companies implement today?
The hot topic in my field is end-to-end encryption, or encryption all the way from the sender’s device to the recipient’s device. This is therefore the strongest form of encryption. WhatsApp and Facebook recently integrated end-to-end encryption in their messaging platforms for the benefit of their users’ privacy. Enterprise encryption software lags behind, however, with encryption solutions that often expose the unencrypted data to an intermediate server. That’s acceptable, for example, for compliance or controllability reasons, but otherwise you should make sure that you use end-to-end encryption to protect sensitive information, such as VoIP phone calls (telecommunication standards, including the latest LTE, are not end-to-end encrypted).
What are the implications of mobile technology and wearables in personal security?
Companies creating those products often neglect security and privacy concerns to save cost (or through ignorance) while security experts tend to exaggerate these concerns. We’ll have to find a middle ground between the needs and expectations of users and regulations. Meanwhile, the lack of security in IoT systems creates great opportunities for conference talks and marketing FUD.
In the Internet of things, is everything hackable, and if so, will someone hack all the pacemakers some day and turn them off?
The “everything is hackable” mantra is actually less scary than it sounds. Literally everything is hackable: from your refrigerator’s microcontroller to your mobile phone, as long as you put enough effort in it. One shouldn’t think in terms of mere possibility but instead in terms of risk and economic interests: if I spend X days and Y dollars to hack a pacemaker, will my profit be worth the X-day and $Y investment? A secure pacemaker is obviously better than an insecure one, but the scenario you describe is unlikely to happen; it would just make a great movie plot.
Jean Philippe Aumasson
Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, and holds a PhD in applied cryptography from EPFL in Switzerland. He has spoken at top-tier information security conferences such as Black Hat, DEFCON, and RSA about applications of cryptography and quantum technologies. He designed the popular cryptographic algorithms BLAKE2 and SipHash, and organized the Password Hashing Competition project. He wrote the 2015 book “The Hash Function BLAKE”, and is currently writing a book on modern cryptography for a general audience. JP tweets as @veorq.

Senate backs down on ‘Facebook Bureau of Investigations’ mandate

Facebook, Twitter, and other social networking companies no longer have to worry about a mandate that would have required them to share with the United States government information about users discussing terrorism-related topics.
Not only is this great news for young students wishing to share info on self-made clock projects, but also for a large portion of citizens that don’t want the feds sifting through private social data without a warrant.
In an effort to pass a funding bill for federal intelligence agencies, the Senate has recently abandoned a provision that would force social networks to share data on users believed to be involved with terrorism activities. The bill itself was initially blocked from reaching the Senate floor by Sen. Ron Wyden, who described the mandate as a “vague [and] dangerous provision.” Wyden said in a statement Monday that he plans to release his hold on the bill, thus allowing it to move forward.
“Going after terrorist recruitment and activity online is a serious mission that demands a serious response from our law enforcement and intelligence agencies,” Wyden said. “Social media companies aren’t qualified to judge which posts amount to ‘terrorist activity,’ and they shouldn’t be forced against their will to create a Facebook Bureau of Investigations to police their users’ speech.”
But the spirit of the provision is unlikely to be gone for long.
A spokesperson for Sen. Dianne Feinstein told The Hill that the senator “regrets having to remove the provision” and “believes it’s important to block terrorists’ use of social media to recruit and incite violence and will continue to work on achieving that goal.” It’ll be back.
This is merely the latest in a string of examples of the government pressuring tech companies to provide it with more information, or to help it take down content related to extremist organizations like the so-called Islamic State. Other efforts relate to encryption, censorship, and access to private communications.

Germany pushes for widespread end-to-end email encryption

The biggest webmail providers in Germany will soon encourage their customers to use full-blown end-to-end email encryption. The providers, including Deutsche Telekom and United Internet, will next month roll out a browser plugin that’s supposed to make traditionally laborious PGP technology easier to use – and in the process, they’re addressing a key concern about the existing “De-Mail” system.

The De-Mail initiative dates back to 2011, when the German government decided to push for trusted email both as an e-government tool and as a way to cut down on official and corporate paper mail. De-Mail addresses are provided by the likes of Deutsche Telekom and United Internet, and those signing up for them need to show a form of official identification to do so. Receiving emails on a De-Mail address is free but sending them costs money.

In 2013, shortly after Edward Snowden’s leaks started causing conniptions in Berlin, the providers announced that they would start encrypting emails traveling between their various servers – something they should really have been doing anyway. That only protects a message on the wire between providers, however; each provider still holds it in plaintext, and emails sent through the system are still scanned for viruses, using a system designed by the German Office for Information Security (BSI), before they are sent to the recipient.

The new end-to-end encryption system will be more secure than that, leaving anyone other than the sender and the recipient unable to inspect what is being sent (which also means the provider-side virus scanning described above cannot see inside such messages). From April, De-Mail users will be able to download a plugin for Chrome or Firefox that will supposedly make PGP easy to use, which is no mean feat. United Internet developed the plugin in conjunction with the open-source Mailvelope OpenPGP project and its code will be published, so suspicious developers and hackers will be able to check it for backdoors. The keys will be stored on the customer’s device.

If it all works as promised, this might prove a significant boost for the De-Mail initiative. A recent report showed lackluster take-up for De-Mail among citizens, largely because of the friction involved in registering an address. To that end, the providers also announced on Monday that they’re keen to use online bank accounts as a suitable form of identification – after all, you need ID to set one of those up in Germany, so the verification is already done there. According to a Deutsche Telekom spokesman, the BSI is currently reviewing this proposal.

The De-Mail PGP push appears to have the full support of the German government, providing a notable contrast with the stance of authorities in the U.S. and U.K., who oppose end-to-end encryption because they want their law enforcement and intelligence agencies to be able to more easily read people’s communications. In a statement, interior minister Thomas De Maizière said encryption was an important requirement for Germany’s desire to take the lead in the provision of digital services. He said the new plugins would provide “mass-market-suitable” end-to-end encryption for a variety of different use cases and security requirements.

Various government departments and local authorities are moving over to De-Mail – the Federal Employment Agency started using it for communicating with citizens last month, and the cities of Dresden and Cologne are doing the same. It’s not yet clear whether these authorities will use PGP for those emails, though a United Internet spokesman suggested to me that they will be encouraged to do so.

Email always leaks metadata: OpenPGP encrypts the message body but not the headers, so who wrote to whom, when, and usually the subject line stay visible to the providers, and we are of course talking about ID-verified email addresses that will be able to show with great certainty that X was talking to Y. However, if this scheme works out it will be a huge boost in getting ordinary people to use what is still very much a niche technology, and once they’re comfortable with it they may start using PGP with regular, possibly anonymous email addresses for added privacy.

Google is also working on an end-to-end encryption plugin for its Gmail service, but that effort is still in the alpha stage and probably some way off from being ready for the mass market.

This article was updated at 5.40am PT with a reference to the cost of using De-Mail.

Decade-old FREAK bug leaves Google and Apple device users vulnerable

A team of security researchers unearthed a decade-old vulnerability called the FREAK (Factoring attack on RSA-EXPORT Keys) attack, which impacts Google and Apple device users who may have visited affected websites, according to a Washington Post report. One of the researchers who spotted the vulnerability told the Post that “Of the 14 million Web sites worldwide that offer encryption, more than 5 million remained vulnerable as of Tuesday morning.”

According to Matthew Green, a cryptographer and research professor at Johns Hopkins University who has been looking into the flaw, the researchers found serious vulnerabilities in the TLS/SSL implementations used by the Safari browser and by the stock browser on Android devices. These are the protocols that encrypt data traveling over secure connections between websites and browsers.

Even though the Android browser in question uses the OpenSSL library and Safari uses Apple’s own TLS/SSL implementation, both are affected in the same way: an attacker sitting between browser and website can “downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA,” Green wrote. In practice the attacker rewrites the browser’s handshake so that the server answers with a weak 512-bit “export” RSA key, and the flawed browsers accept that key even though they never asked for it. A 512-bit RSA key is small enough to factor in hours with rented cloud computing, and once that is done the attacker can decrypt the data that was supposed to be secure.
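What a non-vulnerable client has to check when the ServerHello arrives, as an added example in Go that is not from the researchers, OpenSSL or Apple: it parses a TLS ClientHello and ServerHello, rejects any export-grade suite (identifiers taken from RFC 2246, appendix A.5), and, the check the vulnerable clients were missing, rejects a server choice that the client never offered. The handshake bytes are constructed here rather than captured, and the builder functions BuildClientHello and BuildServerHello and the helper names are this example’s own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Export-grade cipher suite identifiers (RFC 2246, appendix A.5). FREAK abuses
// these: the server answers with a 512-bit "export" RSA key the attacker can factor.
var exportSuites = map[uint16]string{
	0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
	0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
	0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
	0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
	0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

// helloFields skips the 5-byte record header, the 4-byte handshake header, then
// version(2) + random(32) + session_id<0..32>, and returns the handshake type
// together with the bytes that follow the session id.
func helloFields(record []byte) (byte, []byte, error) {
	if len(record) < 9 || record[0] != 0x16 {
		return 0, nil, errors.New("not a TLS handshake record")
	}
	hs := record[5:]
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if hsLen < 35 || len(hs) < 4+hsLen {
		return 0, nil, errors.New("truncated handshake message")
	}
	body := hs[4 : 4+hsLen]
	p := 35 + int(body[34]) // session_id length lives at offset 34
	if len(body) < p+2 {
		return 0, nil, errors.New("truncated hello")
	}
	return hs[0], body[p:], nil
}

// ClientHelloSuites returns the cipher suites the client offered (type 0x01).
func ClientHelloSuites(record []byte) ([]uint16, error) {
	typ, rest, err := helloFields(record)
	if err != nil {
		return nil, err
	}
	if typ != 0x01 {
		return nil, errors.New("not a ClientHello")
	}
	n := int(binary.BigEndian.Uint16(rest[:2]))
	if n%2 != 0 || len(rest) < 2+n {
		return nil, errors.New("bad cipher_suites length")
	}
	suites := make([]uint16, 0, n/2)
	for i := 2; i < 2+n; i += 2 {
		suites = append(suites, binary.BigEndian.Uint16(rest[i:i+2]))
	}
	return suites, nil
}

// ServerHelloSuite returns the single suite the server selected (type 0x02).
func ServerHelloSuite(record []byte) (uint16, error) {
	typ, rest, err := helloFields(record)
	if err != nil {
		return 0, err
	}
	if typ != 0x02 {
		return 0, errors.New("not a ServerHello")
	}
	return binary.BigEndian.Uint16(rest[:2]), nil
}

// CheckNegotiation is what a correct client does with the ServerHello: the
// server's choice must be a suite the client actually offered and must not be
// export-grade. FREAK-vulnerable clients skipped the first test, so a
// man-in-the-middle who rewrote the ClientHello to ask for RSA_EXPORT got the
// server's weak export key accepted by a client that never requested it.
func CheckNegotiation(clientHello, serverHello []byte) error {
	offered, err := ClientHelloSuites(clientHello)
	if err != nil {
		return err
	}
	chosen, err := ServerHelloSuite(serverHello)
	if err != nil {
		return err
	}
	if name, ok := exportSuites[chosen]; ok {
		return fmt.Errorf("server selected export-grade suite %s (0x%04x)", name, chosen)
	}
	for _, s := range offered {
		if s == chosen {
			return nil
		}
	}
	return fmt.Errorf("server selected suite 0x%04x, which the client never offered", chosen)
}

// Constructed messages for the demonstration (not captured traffic): minimal
// TLS 1.0 hellos with a zeroed random, an empty session id and no extensions.
func wrap(hsType byte, body []byte) []byte {
	hs := append([]byte{hsType, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func BuildClientHello(suites []uint16) []byte {
	body := append([]byte{0x03, 0x01}, make([]byte, 33)...) // version, random, empty session id
	n := len(suites) * 2
	body = append(body, byte(n>>8), byte(n))
	for _, s := range suites {
		body = append(body, byte(s>>8), byte(s))
	}
	return wrap(0x01, append(body, 0x01, 0x00)) // one compression method: null
}

func BuildServerHello(suite uint16) []byte {
	body := append([]byte{0x03, 0x01}, make([]byte, 33)...)
	return wrap(0x02, append(body, byte(suite>>8), byte(suite), 0x00))
}
```

With a client that offers only 0x002F and 0x0035 (AES-128-SHA and AES-256-SHA), a ServerHello choosing 0x002F passes, one choosing 0x0003 (TLS_RSA_EXPORT_WITH_RC4_40_MD5) is rejected as export-grade, and any suite outside the offered list is rejected as a downgrade. Real browsers see these messages through their TLS library rather than parsing records by hand; the point is the two checks, not the parser.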

While the bug clearly affects a lot of users, Forbes is reporting that actually pulling off the hack requires a lot of work, and it’s more likely that hackers would attempt another kind of attack.

From Forbes:
[blockquote person=”Forbes” attribution=”Forbes”]This all sounds scary, but in reality, there are easier attack methods for snoops or criminals to spy on your online lives. For starters, a FREAKy hacker will have to find a target using a vulnerable PC, phone or tablet, and hope they use the affected sites. They’ll also have to be on the same network, though the NSA, GCHQ and myriad other intelligence agencies have access to much of the world’s internet, so would easily be able to carry out such an attack, as long as the other criteria were met.[/blockquote]

What’s interesting is that the reason why there is weaker encryption in the first place has to do with U.S. government policy “that once forbid the export of strong encryption” and instead called for products shipped to other countries to come equipped with weak encryption, the Post reported. Although the policy is supposedly no longer in effect, the damage has been done and “weaker encryption got baked into widely used software that proliferated around the world and back into the United States.”

While Google’s Chrome browser is not affected by the vulnerability, the browser found in the majority of Android devices is, and an Apple spokeswoman told the Post that the company will be issuing a security patch that should fix both Apple computers and mobile devices.

Encryption has been a hot topic as of late as China just unveiled a new counterterrorism law that would require tech companies to hand over their encryption keys if the Chinese government calls for it. Both the U.S. and the U.K. have also let it be known that encryption hampers a government’s ability to perform investigations and if companies use the tech, they should be prepared to turn over the encryption keys.

Google backtracks on Android 5.0 default encryption

When the Nexus 6 handset arrived late last year, it came with full data encryption enabled out of the box. Google also initially pushed its hardware partners to do the same, but now appears to have quietly softened the requirement to a strong recommendation to enable encryption by default, reports ArsTechnica.

The same site noted performance issues with Google’s Nexus 6 in November, particularly with regards to read and write disk speeds, which it attributed to the encryption. How much of an impact did the tests show? In some cases, the new [company]Google[/company] Nexus 6 was slower than the Nexus 5 it was designed to replace, even though the handset had much improved internal components.


Google did say in September of 2014 that the then-called Android L software — later to become Android 5.0 Lollipop — would have encryption enabled by default out of the box. New devices with Android 5.0, however, don’t have the security feature enabled: the new $149 Moto E with LTE is a perfect example. So what’s changed?

According to Ars, what’s changed is Google’s Android Compatibility Definition document; specifically, the section on disk encryption, with Google putting emphasis on what it recommends:

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

Essentially, Google has gone back to having encryption as an option for new Android 5.0 devices, not a requirement: They must support it but it isn’t necessary to enable it by default. However, the last sentence in the guidelines indicates that hardware partners should be ready for this to change back in a future version of Android.

From a security standpoint, this is a bit of a disappointment. If encryption impacts performance this much on partner hardware, however, Google has little choice here.

The concern I have is that most mainstream Android users won’t know that they should enable encryption on their device, or simply won’t know how. (On a Lollipop device the option lives under Settings > Security, and for anyone with a debugging cable, `adb shell getprop ro.crypto.state` reports whether the data partition is encrypted.) My hope is that if Google reduced the requirements due to performance, it finds a way to address the root cause of the issue and then gets device encryption back as a default option.

Why 2015 is the year of encryption

During a visit to Silicon Valley earlier this month, President Obama described himself as “a strong believer in strong encryption.” Some have criticized the president for equivocating on the issue, but as “strong believers” ourselves, we’ll take him at his word. Obama isn’t alone; everyone is calling for encryption, from activists to engineers, and even government agencies tasked with cybersecurity.

In the past, using encryption to secure files and communication has typically only been possible for technically sophisticated users. It’s taken some time for the tech industry and the open source community to ramp up their efforts to meet the call for widespread, usable encryption, but the pieces are in place for 2015 to be a turning point.

Last fall, [company]Apple[/company] and [company]Google[/company] announced that the newest versions of iOS and Android would encrypt the local storage of mobile devices by default, and 2015 will be the year this change really starts to take hold. If your phone is running iOS 8 or Android Lollipop 5.0, photos, emails and all the other data stored on your device are automatically secure against rummaging by someone who happens to pick it up, provided you have set a lock-screen passcode, since the key that unlocks the storage is derived from it. More important, even the companies themselves can’t decrypt these devices, which is vital for protecting against hackers who might otherwise attempt to exploit a back door.

Of course the protection from these updated operating systems relies on user adoption, either by upgrading an old device or buying a new one with the new OS preinstalled. Gigaom readers might be on the leading edge, but not everyone rushes to upgrade. Based on past adoption trends, however, a majority of cell phone users will finally be running one of these two operating systems by the end of 2015. As the Supreme Court wrote last year, cell phones are a “pervasive and insistent part of modern life.” The world looks a whole lot different when most of those phones are encrypted by default.

There are two more developments involving encryption which might not make the front page this year, but they’re equally as important as the moves by Apple and Google, if not more so.

First, this month saw the finalization of the HTTP/2 protocol. HTTP/2 is designed to replace the aging Hypertext Transfer Protocol (HTTP), which for almost two decades has specified how web browsers and web servers communicate with one another. HTTP/2 brings many modern improvements to a protocol that was designed back when dial-up was king, including header compression, multiplexed data transfers, and the ability for servers to preemptively push content to browsers.

HTTP/2 was also originally designed to operate exclusively over encrypted connections, in the hope that this would lead to the encryption of the entire web. Unfortunately that requirement was watered down during the standards-making process, and encryption was deemed optional.

Despite this, Mozilla and Google have promised that their browsers will only support encrypted HTTP/2 connections—which means that if website operators want to take advantage of all the performance improvements HTTP/2 has to offer, they’ll have to use encryption to do so or else risk losing a very large portion of their audience. The net result will undoubtedly be vastly more web traffic being encrypted by default.

But as any sysadmin can tell you, setting up a website that supports encryption properly can be a huge hassle. That’s because in order to offer secure connections, websites must have correctly configured “certificates” signed by trusted third parties, or Certificate Authorities. Obtaining a certificate can be complicated and costly, and this is one of the biggest issues standing in the way of default use of HTTPS (and encrypted HTTP/2) by websites.

Fortunately, a new project launching this summer promises to radically lower this overhead. Let’s Encrypt will act as a free Certificate Authority, offering a dramatically sped-up certificate process and putting implementation of HTTPS within the reach of any website operator. (Disclosure: Our employer, the Electronic Frontier Foundation, is a founding partner in Let’s Encrypt.)

Of course there are sure to be other developments in this Year of Encryption. For example, both Google and Yahoo have tantalizingly committed to rolling out end-to-end encryption for their email services, which could be a huge step toward improving the famously terrible usability of email encryption.

Finally, we’d be accused of naiveté if we didn’t acknowledge that despite President Obama’s ostensible support, many high-level law enforcement and national security officials are still calling for a “debate” about the balance between encryption and lawful access. Even putting aside the cold, hard fact that there’s no such thing as a “golden key,” this debate played out in the nineties in favor of strong encryption. We’re confident that in light of the technical strides like the ones we’ve described, calls for backdoored crypto will come to seem increasingly quaint.

Andrew Crocker is an attorney and fellow at the Electronic Frontier Foundation. Follow him on Twitter @AGCrocker.

Jeremy Gillula is a staff technologist at the Electronic Frontier Foundation. Prior to EFF, Jeremy received his doctorate in computer science from Stanford, and a bachelor’s degree from Caltech.

Proposed Chinese security law could mean tough rules for tech companies

China apparently wants to one-up the U.S. and the U.K. when it comes to urging technology companies to install security backdoors and break their encrypted documents and user communications in the name of national security.

Reuters reported on Friday that a newly proposed Chinese counterterrorism law calls for technology companies to turn over encryption keys to the Chinese government, allow for ways to bypass security mechanisms in their products, require companies to store user data and maintain servers in China, and remove any content that the country deems supportive of terrorists.

China is expected to adopt the draft legislation in the “coming weeks or months,” according to the report. The proposed law follows a set of banking security rules that the Chinese government adopted in late 2014 that requires companies that sell both software and hardware to Chinese financial institutions to place security backdoors in their products, hand over source code and comply with audits.

The Reuters report cited several anonymous executives of U.S. technology companies who said they are more worried about this newly proposed law than the banking rules because of the connection to national security. Supposedly, the laws are worded in a way as to be open to interpretation, especially in regards to having to comply with Chinese law enforcement, which has some executives fearful of “steep penalties or jail time for non-compliance.”

The newly proposed law follows recent news that China has been peeved by U.S. intelligence-gathering operations revealed by the leaked Edward Snowden NSA documents and by allegations from the U.S. government that members of China’s People’s Liberation Army used cyber espionage tactics to steal business trade secrets. China apparently doesn’t take kindly to those allegations and instead claims that products sold in China by U.S. technology companies pose security concerns.

If there’s one thing China, the U.S. and the U.K. can all agree on, however, it’s that companies should not be using encryption to keep user communications out of government reach. If companies do use the technology, governments want them to hand over their encryption keys in case law enforcement or government investigations warrant it.

Attorney General Eric Holder and FBI Director James Comey have made public their displeasure with how encryption supposedly makes it easier to hide the activities of criminals. However, a recently leaked document from the Edward Snowden NSA data dump showed that some U.S. officials believe encryption is the “[b]est defense to protect data.”

Beyond Superfish: Turns out SSL-trashing spyware is widespread

Last week Lenovo found itself in deep trouble over the Superfish spyware that it installed on many recent consumer laptops. Designed to insert ads into customers’ browsing experiences, the software is built on very insecure foundations: it installs its own root certificate and private key so that it can read encrypted web sessions, and in doing so left users open to interception of any HTTPS site they visit.

Turns out it’s not just Lenovo customers who should be worried about their exposure — the insecurity of Superfish is largely due to its use of technology from an Israeli company called Komodia, and quite a few software packages in the areas of antivirus and parental protection also use Komodia’s engine. Examples highlighted by the U.S. Department of Homeland Security include products from parental control outfits Qustodio, Kurupira, Infoweise and Komodia’s own KeepMyFamilySecure, and security firms such as Lavasoft and Websecure.

Qustodio wrote in a Saturday blog post that it was working on a “fix in order to avoid potential phishing attacks from external malicious users.”

These various packages, including the Superfish software that Lenovo quietly installed on its consumer laptops late last year, used Komodia to put a fake root certificate authority (CA) on each user’s PC, together with a private key, in order to be able to intercept and analyze even encrypted “SSL” browsing sessions. However, this mechanism was really badly implemented.

As Facebook’s Matt Richard noted, the reuse of the same root CA across multiple machines (with the same “komodia” private key password) means bad actors could “potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”

Cloudflare researcher Filippo Valsorda wrote about the potential manipulation of Komodia’s mechanism even without the need for extracting the private key: “An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.”
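Why a shared interception root is so dangerous, and what a re-signing proxy has to do before it re-signs anything, as an added example in Go (not Komodia’s, Cloudflare’s or Mozilla’s code). It generates throwaway CAs with the standard library only: “Genuine Public CA (constructed)”, “Interception Root (constructed)” and the host name bank.example are made up for the demonstration, as are the function names NaiveResign, CheckedResign and BrowserAccepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // distinct serial number per generated certificate

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn. With parent == nil it is self-signed;
// otherwise it is signed by parentKey, the private key behind parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BrowserAccepts models the check behind the green lock: does a chain from
// cert to one of the roots in pool exist, valid for this host name?
func BrowserAccepts(cert *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// NaiveResign is the behaviour Valsorda described: whatever the upstream
// server presented, mint a fresh certificate for the same name under the
// interception root, without validating the upstream chain at all.
func NaiveResign(upstream, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := newCert(upstream.Subject.CommonName, false, root, rootKey)
	return cert
}

// CheckedResign is what an interception proxy must do instead: validate the
// upstream certificate against the real public roots first, and refuse to
// re-sign anything that would not have been trusted without the proxy.
func CheckedResign(upstream *x509.Certificate, realRoots *x509.CertPool, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	host := upstream.Subject.CommonName
	if !BrowserAccepts(upstream, realRoots, host) {
		return nil, errors.New("upstream certificate failed validation; refusing to re-sign")
	}
	cert, _ := newCert(host, false, root, rootKey)
	return cert, nil
}

func main() {
	// Constructed scenario: a genuine public CA, an attacker's self-signed
	// bank.example certificate, and an interception root in the victim's store.
	realRoot, _ := newCert("Genuine Public CA (constructed)", true, nil, nil)
	realRoots := x509.NewCertPool()
	realRoots.AddCert(realRoot)
	bogus, _ := newCert("bank.example", false, nil, nil)
	icRoot, icKey := newCert("Interception Root (constructed)", true, nil, nil)
	victimRoots := x509.NewCertPool()
	victimRoots.AddCert(realRoot)
	victimRoots.AddCert(icRoot)
	fmt.Println("bogus cert, no proxy:     ", BrowserAccepts(bogus, victimRoots, "bank.example"))
	fmt.Println("bogus cert, naive proxy:  ", BrowserAccepts(NaiveResign(bogus, icRoot, icKey), victimRoots, "bank.example"))
	_, err := CheckedResign(bogus, realRoots, icRoot, icKey)
	fmt.Println("bogus cert, checked proxy:", err)
}
```

The self-signed bank.example certificate is rejected on its own, is accepted once the naive proxy has re-issued it under the interception root (the green lock Valsorda describes), and is refused by the checked proxy. The same NaiveResign path is what an attacker who extracts the shared root key can run for any host name, on any machine that trusts that root.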

In short, this software greatly increases insecurity, which is why the DHS is urging people to uninstall all software that uses the Komodia Redirector and SSL Digestor libraries, and all associated root CA certificates, and why Mozilla is considering blacklisting those certificates in Firefox.

That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also accepts invalid certificates as valid when it shouldn’t.

CloudFlare’s Valsorda has come up with a tool called Badfish that was originally designed to detect infections by Superfish, but now also scans for those by other Komodia-using products and PrivDog as well. If you’re a Windows user and you’re using parental control software or certain antivirus products, it might be worth giving that page a visit to see if you need to be uninstalling anything.

Box’s new service lets users hold on to their own encryption keys

It’s only been a few weeks since Box went public, but the file-sync company with a work-collaboration bent is rolling out a new encryption-key feature to entice big-name companies like the General Electrics of the world who are hesitant to jump to the cloud for security reasons.

Called Box Enterprise Key Management (EKM), the new tool basically allows for users to have full control of their encryption keys while still being able to use the [company]Box[/company] platform. Box will be working with customers to install an encryption appliance from the company SafeNet called a hardware security module (HSM) in both their on-premise data centers as well as in Amazon Web Services, according to a Box blog post by CEO Aaron Levie.

Each file a customer uploads to Box gets a unique key “for each version of the file,” which Box then sends to the HSM; the appliance then encrypts it “with the customer’s own key,” Levie wrote. The result is an envelope scheme: the file contents are protected by the per-version key, and that key is in turn protected by a customer key that stays inside the HSM. From that point, Levie said, customers have full control of the encryption key, and Box can only access those files with customer approval.

What’s interesting is the role Amazon plays in this, which Levie doesn’t expand too much on in his post. According to a blog post by AWS chief evangelist Jeff Barr, the new feature “is powered by AWS CloudHSM,” which is the service that essentially links the HSM to a customer’s AWS cloud.

From the blog post detailing AWS CloudHSM:
[blockquote person=”” attribution=””]As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.[/blockquote]
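How an envelope scheme of this shape fits together, as an added example in Go that is neither Box’s nor AWS’s code: each file version is encrypted under its own fresh key, that key is wrapped by a master key that never leaves the (here simulated) HSM, and the provider’s read path fails as soon as the customer withdraws approval. The HSM type, its Allowed flag and its Audit log are stand-ins for the appliance and the customer’s policy, not the CloudHSM API, and binding the file id into each wrapped key as authenticated data is a design choice of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AES-256-GCM helpers; every key here is 32 bytes, so cipher setup cannot fail.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// gcmSeal returns nonce || ciphertext || tag, with aad authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := newGCM(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// HSM stands in for the customer-controlled appliance: the master key is
// unexported and never leaves the struct, the only operations are Wrap and
// Unwrap, and Unwrap is subject to the customer's policy and is logged.
type HSM struct {
	master  []byte
	Allowed bool     // customer approval for the provider to unwrap keys
	Audit   []string // every unwrap attempt: the customer's view of access
}

func NewHSM() *HSM { return &HSM{master: randBytes(32), Allowed: true} }

// Wrap encrypts a per-version data key under the master key; the file id is
// authenticated data, so a wrapped key cannot be replayed for another file.
func (h *HSM) Wrap(dataKey, fileID []byte) []byte { return gcmSeal(h.master, dataKey, fileID) }

func (h *HSM) Unwrap(wrapped, fileID []byte) ([]byte, error) {
	h.Audit = append(h.Audit, fmt.Sprintf("unwrap %q allowed=%v", fileID, h.Allowed))
	if !h.Allowed {
		return nil, errors.New("customer policy denies key release")
	}
	return gcmOpen(h.master, wrapped, fileID)
}

// StoredVersion is what the provider keeps: ciphertext plus the wrapped
// per-version key. Nothing here decrypts without the HSM's cooperation.
type StoredVersion struct {
	FileID     string
	Ciphertext []byte
	WrappedKey []byte
}

// Upload generates a fresh 256-bit key for this file version, encrypts the
// content with it, has the HSM wrap the key, and keeps only the wrapped form.
func Upload(h *HSM, fileID string, content []byte) *StoredVersion {
	dataKey := randBytes(32)
	return &StoredVersion{
		FileID:     fileID,
		Ciphertext: gcmSeal(dataKey, content, []byte(fileID)),
		WrappedKey: h.Wrap(dataKey, []byte(fileID)),
	}
}

// Download is the provider-side read path: it proceeds only if the HSM agrees
// to unwrap the per-version key for this file.
func Download(h *HSM, v *StoredVersion) ([]byte, error) {
	dataKey, err := h.Unwrap(v.WrappedKey, []byte(v.FileID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, v.Ciphertext, []byte(v.FileID))
}
```

Upload once and Download returns the content; set hsm.Allowed to false and the same Download returns an error while the ciphertext and wrapped key on the provider’s side are unchanged, which is the property the customer is buying. The Audit slice records every unwrap request, so the customer, not the provider, holds the record of who read what.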

I reached out to Box to elaborate a bit more on the role AWS’s technology plays in this new feature, as well as whether it works across other cloud providers like [company]Google[/company] and [company]Microsoft[/company], and I’ll update this post if I hear back.

The new security tool is now available in beta and should be ready for public consumption this coming spring.

Update – 2:32 PM PT. A Box spokesperson sent us some comments.

Regarding if we will see similar features rolled out for other cloud providers:

[blockquote person=”Box spokesperson” attribution=”Box spokesperson”]We expect that over time other public cloud providers will follow our lead and offer customers the ability to manage their encryption keys. This may require making similar investments to architect the public cloud service to work with a key managed by the customer. As more cloud providers move to support this model, customers will have an easier time centralizing control over key management across their cloud applications.[/blockquote]

Regarding how the new feature utilizes AWS:
[blockquote person=”Box spokesperson” attribution=”Box spokesperson”]AWS CloudHSM is the hosting partner for the HSMs that are part of the new Box EKM architecture. We are listening to our customers on their preferences for additional partners.[/blockquote]

Funds flow in for GnuPG author after article reveals his plight

On Thursday ProPublica published the frustrating tale of Werner Koch, the one guy – yes really – who’s maintaining the extremely widely-used GNU Privacy Guard (GnuPG or GPG) software that people use to encrypt their email messages and digitally authenticate downloadable programs such as the Tor Browser.

As the article revealed, Germany-based Koch was raising around $25,000 a year for his work, not enough for someone supporting a wife and kid. A crowdfunding campaign he began in December had only pulled in $43,000 – way less than he needed to employ a second full-time developer for the project. Well, the article worked.

At the time of writing on Friday, that campaign had pulled in over €160,000 ($183,000) from supporters. And that’s not all: Facebook and Stripe will each send $50,000 Koch’s way every year to sustain the project, and the Linux Foundation has also granted him $60,000 (a decision that actually preceded the ProPublica piece.)

Good work, everyone. Koch’s software is very important, and the fact he’s been maintaining it for so long, for so little reward, is an amazing achievement. Now, with a second developer, he can make it even better. Now let’s see the same support for more privacy-protecting tools: