TLS – Passive tap with server key

In the wake of Snowden leaks, warrant canaries are becoming popular. This means it’s likely that the server-side IM logs will be obtained with malware, rather than NSLs. Such illegally obtained conversations are example of parallel construction, which is not part of rechtstaat (the doctrine lacks English translation), a prerequisite of liberal democracy.

Some privacy-conscious services do not actively store logs about users on their servers. Installing peristent malware that stores and exfiltrates data periodically is risky for HSA.  Instead, malware might go after the private key of server. This process is very likely to be extremely covert, and apart from rare cases such as recent report on cryptome, very little is known about it.

In the case of Lavabit, the HSA used legal means to obtain the RSA decryption key.
Lavabit key order

Source (page 36)

It’s impossible to say whether the NSL was just to make data, already decrypted with stolen key, legal evidence. Once the HSA was in possession of Lavabit’s private key, it could decrypt all past and future messages between users and server: this requires only the encrypted data and the handshake (client random, server random, and PMS). The PMS is always encrypted using the same RSA public key. Losing control  of the private key ruined the security of Lavabit, so they did the right thing and closed their service.

5 - TLS RSA Passive tap with server keyHow effective is this attack? According to GCHQ, at least as late as 2012, 90% of servers used RSA key exchange. This makes NSA’s UPSTREAM and GCHQ’s TEMPORA very efficient against naive (=RSA based) TLS.

FlyingPig

Slide leaked by whistleblower Edward Snowden

The solution to make passive decryption impossible is to switch the key exchange protocol from RSA to DHE.

6 - TLS DHE Passive tap with server keyIn DHE, the server does not have a long term RSA decryption key, that can retrospectively decrypt encrypted PMSs. In fact, the PMS is never transmitted over the wire. It is instead derived by combining the other party’s DH public value with personal DH private value.

The private values stay on their own devices until the end of session, after which all DH values along with the PMS are destroyed by both the client and the server. Destruction of this data prevents retrospective decryption of ciphertexts. This is called forward secrecy. The only long term keys server stores are used for signing: during DHE they authenticate that the ephemeral PMS is derived with the server, instead of man-in-the-middle. The main problem, namely the fact that the server has access to decrypted message at one point, remains.

Advertisements

One thought on “TLS – Passive tap with server key

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s