Feds put heat on Web firms for master encryption keys

Eugen Leitl eugen@leitl.org
Thu Jul 25 02:19:22 PDT 2013


(See also https://en.wikipedia.org/wiki/Convergence_(SSL) )

http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/

Whether the FBI and NSA have the legal authority to obtain the master keys
that companies use for Web encryption remains an open question, but it hasn't
stopped the U.S. government from trying.

By Declan McCullagh, July 24, 2013 4:00 AM PDT

Large Internet companies have resisted the government's requests for
encryption keys on the grounds that they go beyond what the law permits,
according to one person who has dealt with these attempts.


The U.S. government has attempted to obtain the master encryption keys that
Internet companies use to shield millions of users' private Web
communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed
previously, represent a technological escalation in the clandestine methods
that the FBI and the National Security Agency employ when conducting
electronic surveillance against Internet users.

If the government obtains a company's master encryption key, agents could
decrypt the contents of communications intercepted through a wiretap or by
invoking the potent surveillance authorities of the Foreign Intelligence
Surveillance Act. Web encryption -- which often appears in a browser with an
HTTPS lock icon when enabled -- uses a technique called SSL, or Secure
Sockets Layer.

"The government is definitely demanding SSL keys from providers," said one
person who has responded to government attempts to obtain encryption keys.
The source spoke with CNET on condition of anonymity.

The person said that large Internet companies have resisted the requests on
the grounds that they go beyond what the law permits, but voiced concern that
smaller companies without well-staffed legal departments might be less
willing to put up a fight. "I believe the government is beating up on the
little guys," the person said. "The government's view is that anything we can
think of, we can compel you to do."

A Microsoft spokesperson would not say whether the company has received such
requests from the government. But when asked whether Microsoft would turn
over a master key used for Web encryption or server-to-server e-mail
encryption, the spokesperson replied: "No, we don't, and we can't see a
circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for
encryption keys. But a spokesperson said the company has "never handed over
keys" to the government, and that it carefully reviews each and every
request. "We're sticklers for details -- frequently pushing back when the
requests appear to be fishing expeditions or don't follow the correct
process," the spokesperson said.

Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not
received requests for encryption keys from the U.S. government or other
governments. In response to a question about divulging encryption keys,
Feinberg said: "We have not, and we would fight aggressively against any
request for such information."

Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner
Cable, and Comcast declined to respond to queries about whether they would
divulge encryption keys to government agencies.

Encryption used to armor Web communications was largely adopted not because
of fears of NSA surveillance -- but because of the popularity of open,
insecure Wi-Fi networks. The "Wall of Sheep," which highlights passwords
transmitted over networks through unencrypted links, has become a fixture of
computer security conventions, and Internet companies began adopting SSL in
earnest about three years ago.

"The requests are coming because the Internet is very rapidly changing to an
encrypted model," a former Justice Department official said. "SSL has really
impacted the capability of U.S. law enforcement. They're now going to the
ultimate application layer provider."

An FBI spokesman declined to comment, saying the bureau does not "discuss
specific strategies, techniques and tools that we may use."

NSA director Keith Alexander, shown here at a Washington, D.C. event this
month, has said that encrypted data are "virtually unreadable."


Top secret NSA documents leaked by former government contractor Edward
Snowden suggest an additional reason to ask for master encryption keys: they
can aid bulk surveillance conducted through the spy agency's fiber taps.

One of the leaked PRISM slides recommends that NSA analysts collect
communications "upstream" of data centers operated by Apple, Microsoft,
Google, Yahoo, and other Internet companies. That procedure relies on a FISA
order requiring backbone providers to aid in "collection of communications on
fiber cables and infrastructure as data flows past."

Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in
2006 (PDF) that he met with NSA officials and witnessed domestic Internet
traffic being "diverted" through a "splitter cabinet" to secure room 641A in
one of the company's San Francisco facilities. Only NSA-cleared technicians
were allowed to work on equipment in the SG3 secure room, Klein said, adding
that he was told similar fiber taps existed in other major cities.

But an increasing amount of Internet traffic flowing through those fiber
cables is now armored against surveillance using SSL encryption. Google
enabled HTTPS by default for Gmail in 2010, followed soon after by
Microsoft's Hotmail. Facebook enabled encryption by default in 2012. Yahoo
now offers it as an option.

"Strongly encrypted data are virtually unreadable," NSA director Keith
Alexander told (PDF) the Senate earlier this year.

Unless, of course, the NSA can obtain an Internet company's private SSL key.
With a copy of that key, a government agency that intercepts the contents of
encrypted communications has the technical ability to decrypt and peruse
everything it acquires in transit, although actual policies may be more
restrictive.

One exception to that rule relies on a clever bit of mathematics called
perfect forward secrecy. PFS uses temporary individual keys, a different one
for each encrypted Web session, instead of relying on a single master key.
That means even a government agency with the master SSL key and the ability
to passively eavesdrop on the network can't decode private communications.

Google is the only major Internet company to offer PFS, though Facebook is
preparing to enable it by default.

Even PFS isn't complete proof against surveillance. It's possible to mount a
more advanced attack, sometimes called a man-in-the-middle or active attack,
and decode the contents of the communications.
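The contrast the article draws between a single master key and per-session keys, shown as an added illustration that is not part of the article: with RSA key transport the captured handshake contains the premaster secret encrypted to the server's long-term key, so whoever holds that key can recover every session key from a passive tap; with ephemeral Diffie-Hellman the long-term key only signs the server's share, which is why a leaked key helps only the active man-in-the-middle case mentioned above. The RSA primes and the DH group are constructed, demo-sized parameters and are far too small for real use.

```python
import hashlib
import secrets

# Constructed demo parameters, far smaller than real TLS keys. The server's
# long-term RSA key plays the "master key" of the article: in RSA key transport
# it decrypts, under ephemeral Diffie-Hellman it only signs.
P_RSA, Q_RSA, E = 1000000007, 998244353, 65537      # two well-known primes
N = P_RSA * Q_RSA
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))           # private exponent
DH_P, DH_G = 2**127 - 1, 5                          # demo-sized DH group

def session_key(shared_secret: int) -> bytes:
    """Derive the symmetric session key from whatever secret the handshake agreed on."""
    return hashlib.sha256(str(shared_secret).encode()).digest()

def share_digest(share: int) -> int:
    """Hash the server's ephemeral share into the RSA message space for signing."""
    return int.from_bytes(hashlib.sha256(str(share).encode()).digest(), "big") % N

def rsa_key_transport() -> dict:
    """Non-PFS handshake: the client picks the premaster secret and sends it
    encrypted to the server's long-term public key. The ciphertext is on the wire."""
    premaster = secrets.randbelow(N)
    return {"mode": "RSA", "enc_premaster": pow(premaster, E, N),
            "key": session_key(premaster)}

def ephemeral_dh() -> dict:
    """PFS handshake: both sides pick fresh exponents; the long-term key only
    signs the server's share, so no encrypted secret appears in the transcript."""
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    return {"mode": "DHE", "client_share": ga, "server_share": gb,
            "sig": pow(share_digest(gb), D, N),
            "key_client": session_key(pow(gb, a, DH_P)),
            "key_server": session_key(pow(ga, b, DH_P))}

def verify_server_share(transcript: dict) -> bool:
    """Client-side check that the server's ephemeral share carries a valid signature."""
    return pow(transcript["sig"], E, N) == share_digest(transcript["server_share"])

def passive_attacker(transcript: dict, leaked_d: int):
    """Session key a passive eavesdropper can recover from the captured handshake
    once the server's private exponent has been handed over."""
    if transcript["mode"] == "RSA":
        return session_key(pow(transcript["enc_premaster"], leaked_d, N))
    # DHE: the leaked key would let the attacker verify or forge the signature,
    # which only matters for an active man-in-the-middle; the session key depends
    # on exponents a and b that never crossed the wire.
    return None
```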

A Wired article in 2010 disclosed that a company called Packet Forensics was
marketing to government agencies a box that would do precisely that. (There
is no evidence that the NSA performs active attacks as part of routine
surveillance, and even those could be detected in some circumstances.)

The Packet Forensics brochure said that government agencies would "have the
ability to import a copy of any legitimate key they obtain (potentially by
court order)." It predicted that agents or analysts will collect their "best
evidence while users are lulled into a false sense of security afforded by
Web, e-mail or VOIP encryption."

With a few exceptions, even if communications in transit are encrypted,
Internet companies typically do not encrypt e-mail or files stored in their
data centers. Those remain accessible to law enforcement or the NSA through
legal processes.

Leaked NSA surveillance procedures, authorized by Attorney General Eric
Holder, suggest that intercepted domestic communications are typically
destroyed -- unless they're encrypted. If that's the case, the procedures
say, "retention of all communications that are enciphered" is permissible.

Valerie Caproni, who was the FBI's general counsel at the time this file
photo was taken, told Congress that the government needs "individualized
solutions" for "individuals who put encryption on their traffic."


It's not entirely clear whether federal surveillance law gives the U.S.
government the authority to demand master encryption keys from Internet
companies. "That's an unanswered question," said Jennifer Granick, director
of civil liberties at Stanford University's Center for Internet and Society.
"We don't know whether you can be compelled to do that or not."

The government has attempted to use subpoenas to request copies of encryption
keys in some cases, according to one person familiar with the requests.
Justice Department guidelines say subpoenas may be used to obtain information
"relevant" to an investigation, unless the request is "unreasonably
burdensome."

"I don't know anyone who would turn it over for a subpoena," said an attorney
who represents Internet companies but has not fielded requests for encryption
keys. Even a wiretap order in a criminal case would be insufficient, but a
FISA order might be a different story, the attorney said. "I'm sure there's
some logic in collecting the haystack."

Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation,
challenged the notion that current law hands the government the power to
demand master encryption keys. Even with a FISA order for the private key,
Opsahl said, the amount of technical assistance that a company must provide
to the NSA or other federal agencies "has a limit."

Federal and state law enforcement officials have previously said encrypted
communications were beginning to pose an obstacle to lawful surveillance.
Valerie Caproni, the FBI's general counsel at the time, told a congressional
hearing in 2011, according to a transcript:

Encryption is a problem, and it is a problem that we see for certain
providers... For individuals who put encryption on their traffic, we
understand that there would need to be some individualized solutions if we
get a wiretap order for such persons... We are suggesting that if the
provider has the communications in the clear and we have a wiretap order,
that the provider should give us those communications in the clear.

"One of the biggest problems with compelling the [private key] is it gives
you access to not just the target's communications, but all communications
flowing through the system, which is exceedingly dangerous," said Stanford's
Granick.

Update, 11:40 a.m. PT: Adds additional comments from a Facebook
representative saying the company has not received such requests.

Disclosure: McCullagh is married to a Google employee not involved with this
issue.
