For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.
The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.
But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.
The article is behind a paywall, sadly, but I figured it’s important enough to link to.
I think that story has been around for a while, I read it on a security industry website a week or two back while browsing for data about the recent German election controversy.
Try here, https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report
Thanks for posting an alternative source, it’s not exactly the same article, but same topic.
This CIA operation was going on until 2018. It really makes you wonder how many more fake security companies exist to grab the very data they’re being paid to protect. Insourcing security may be expensive, but outsourcing security is damned risky, especially for nation states! Even if there is no suspicion of CIA involvement, why would they even think to contract out to a foreign company? I guess this is just how things must go when there’s a shortage of domestic tech workers.
Apparently most employees didn’t even know they were working for the CIA…
When it comes to government snooping, I think we have to assume the worst and that they won’t stop at anything to get what they want. If the crypto blocks them, they’ll plant undercover agents inside big tech companies including amazon, apple, facebook, google, microsoft, etc to undermine security measures.
Two paychecks must be nice, I wonder if any of them have ever been caught.
The story has been around longer than that. It was first revealed in the late 90s, which is when Germany left the project. This most recent story is based on getting all the details from the US side, so we know more about how exactly they did it, and not just that they did it.
Still confused about the DES S-box changes that the NSA required IBM to make in the 70s.
https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's_involvement_in_the_design
They already had Crypto AG. Why did they make their own lives harder by making DES stronger?
Bill Shooter of Bul,
The S-box changes, although controversial, were supposed to improve the statistical distribution of bits; however, this did not increase the brute force characteristics. Actually, the other change requested by the NSA was to make the brute forcing weaker:
Taken together, these facts lead to the conclusion that the NSA’s goal was to guarantee a minimum amount of energy required to break the cipher, but also to guarantee that it could be broken. This level of raw brute force complexity is actually somewhat low for an agency like the NSA. Brute forcing would be expensive, but not infeasible! The cipher was broken publicly in the mid-90s for a $10k prize.
https://en.wikipedia.org/wiki/DESCHALL_Project
And after breaks were discovered in the algorithm, it quickly became apparent that DES ciphers were breakable in a day with modest resources. Another thing to consider is that when it comes to brute forcing crypto, general purpose PCs are not particularly efficient and not even close to demonstrating what is physically possible. It’s exactly like using CPUs to mine bitcoins: the software technically works, but all of the cryptomining today is done using special purpose ASICs rather than general purpose CPUs. Even highly accelerated GPUs are too slow. So it makes me wonder if the NSA uses ASICs for cracking cryptographic algorithms. This would imply that they either contract out the fabrication of ASICs in secret, or they do it in-house.
I’m not an expert on this, but I attended a talk once discussing encryption in relation to crypto-currency versus cash money (smart currency) and the near / far future. I understood the concept without taking in the details.
When discussing embedded security in currency, smart bank notes with built in encryption devices, they used examples from the past some of which would be similar vintage systems to those discussed above. In retrospect the back-doors were nothing more than an algorithm/design weakness causing a recurring set of patterns, patterns that when present would uniquely expose the encryption algorithm. It didn’t matter how clever or long the key, as long as the message was long enough the algorithm would be exposed and from a message segment you could get a key. The point being the restricted set of patterns that had to be searched greatly reduced the breaking time by creating a subset of all possibilities. Apparently nearly every algorithm suffers this problem because they are not truly random.
To me this seems to be a paradox for security, because in the modern paradigm the algorithm itself is generally published to be fully open and transparent in a trust based system, yet publishing the algorithm potentially lets the bad people in.
To this end, one of the intents for currency producers is to secure both the keys and the algorithm in the smart notes, but that creates a verification problem for counterfeit detection, it becomes centralized and trust is diminished.
cpcf,
I’m not really sure what you are referring to, but it sounds like you are referring to the lack of entropy in a cryptographic random number generator. But when it comes to cryptography for currency applications, why wouldn’t you just use a real RNG? These can be as simple as using a wall of lava lamps for entropy:
https://www.youtube.com/watch?v=1cUUfMeOijg
Generally I would expect a currency issuer to employ standard PKI to sign every single note (currency/denomination/serial number/date and place of manufacture/etc). This way the information doesn’t need to be hidden and the signature can be verified with the public key. These would be safe from people fabricating new notes; a major flaw is that existing notes could be duplicated (signature and all). Also, PKI requires someone to have the secret key to issue new documents.
Bitcoin is really very different than this though. There are no fixed units of currency signed by a central authority. Instead the value of every wallet is traced back to transactions on the distributed (although quite centralized in practice) ledger, and the ledger is protected by “proof of work”. With sufficient computing power for hashing, someone can add entries to the ledger while creating new bitcoins out of nothing for themselves. The miner is free to include whichever transactions suit their fancy; however, in order to provide an incentive to process 3rd party transactions, bitcoin allows for transaction fees.
It’s not without problems. Having a centralized public ledger doesn’t allow for private transactions. The processing time is never going to be as fast as a traditional credit card network. The amount of electricity used to sustain the bitcoin network is very high and ecologically harmful. Although the incentive is to include transactions with the highest fees, bitcoin miners get to pick which transactions get processed, making bitcoin vulnerable to discrimination. Also there are some bottlenecks in the bitcoin algorithm that have led to transactions getting delayed for days and insanely high “fees”. These weaknesses have led to people using bitcoins for much larger transactions. A lot of the local bitcoin boutiques are going back to cash & credit cards.
Looking at the future, the problem for bitcoin is the compromise between scalability and security.
1) A centralized ledger just doesn’t scale well
2) Divide and conquer will clearly fix the scalability issue, for example by breaking up the network into hundreds of independent ledgers, each independently handling the same volume as bitcoin’s single ledger today. However, this breaks bitcoin’s security model. The ledger is controlled by anyone having a majority of the hashing power (i.e. the so-called 51% attack). Say a facility has 10% of the world’s hashing power today; if we were to break up bitcoin into 100 smaller ledgers, that divides the hashing power between 100 ledgers, or 1% as difficult. So suddenly this facility with the same 10% of the world’s hashing power has enough hashing power to overpower several of the smaller ledgers.
So for this reason, I don’t think we’ll ever see something like bitcoin replacing credit cards for fast transactions. Perhaps it will remain useful for larger institutional transfers, but this likely isn’t what most people imagined bitcoin would become.
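The signed-note scheme described in the comment above (sign currency, denomination, serial, date and place with the issuer's key; verify with the public key; accept that a byte-for-byte copy of a genuine note also verifies), as an added example written for this thread rather than code from any commenter or from a real currency issuer. It uses Ed25519 from Go's standard library; the note fields, the key pair and the "registry" of redeemed serial numbers are all constructed here for illustration, and the registry is one assumed mitigation for the duplication flaw, not something the comment proposes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Note holds the plaintext fields an issuer signs. Nothing here is secret:
// anyone holding the issuer's public key can check the signature.
type Note struct {
	Currency     string
	Denomination uint32
	Serial       uint64
	Issued       string // date of manufacture, e.g. "2020-02-11"
	Mint         string // place of manufacture
}

// canonical returns a length-prefixed, fixed-order encoding of the fields so
// that two different notes can never serialise to the same bytes.
func (n Note) canonical() []byte {
	var buf bytes.Buffer
	writeStr := func(s string) {
		binary.Write(&buf, binary.BigEndian, uint32(len(s)))
		buf.WriteString(s)
	}
	writeStr(n.Currency)
	binary.Write(&buf, binary.BigEndian, n.Denomination)
	binary.Write(&buf, binary.BigEndian, n.Serial)
	writeStr(n.Issued)
	writeStr(n.Mint)
	return buf.Bytes()
}

// Issuer is the central authority: only the holder of the private key can mint.
type Issuer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewIssuer generates a fresh Ed25519 key pair (constructed for this example).
func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Public: pub, private: priv}, nil
}

// Sign produces the signature that would be embedded in the note.
func (i *Issuer) Sign(n Note) []byte {
	return ed25519.Sign(i.private, n.canonical())
}

// VerifyNote needs only the public key; changing any field invalidates the note.
func VerifyNote(pub ed25519.PublicKey, n Note, sig []byte) bool {
	return ed25519.Verify(pub, n.canonical(), sig)
}

// Registry is an assumed mitigation for the duplication flaw: a copy of a
// genuine note carries a genuine signature, so the only way to catch it is to
// refuse the same serial number twice. That makes redemption centralised.
type Registry struct {
	pub  ed25519.PublicKey
	seen map[uint64]bool
}

func NewRegistry(pub ed25519.PublicKey) *Registry {
	return &Registry{pub: pub, seen: make(map[uint64]bool)}
}

// Redeem returns true only the first time a genuine serial is presented.
func (r *Registry) Redeem(n Note, sig []byte) bool {
	if !VerifyNote(r.pub, n, sig) {
		return false // forged or altered
	}
	if r.seen[n.Serial] {
		return false // duplicate of an already-redeemed note
	}
	r.seen[n.Serial] = true
	return true
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample note; the values are illustrative only.
	note := Note{Currency: "XYZ", Denomination: 100, Serial: 42, Issued: "2020-02-11", Mint: "Mint A"}
	sig := issuer.Sign(note)

	fmt.Println("genuine verifies:", VerifyNote(issuer.Public, note, sig))
	altered := note
	altered.Denomination = 1000
	fmt.Println("altered verifies:", VerifyNote(issuer.Public, altered, sig))

	reg := NewRegistry(issuer.Public)
	fmt.Println("first redemption:", reg.Redeem(note, sig))
	fmt.Println("cloned note redeemed:", reg.Redeem(note, sig))
}
```

The length-prefixed encoding matters: signing a plain concatenation of the fields would let two different (currency, denomination) pairs produce the same signed bytes. The registry catches a clone only when the second copy is presented, which is exactly the verification-centralisation trade-off the earlier comment points at.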
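The 10%-facility arithmetic in point 2) above, carried through as an added example (not a commenter's calculation) so the trade-off can be checked for any attacker share and shard count. It assumes, as the comment does, that honest hashing power is spread evenly over the shards, and additionally that the attacker may redistribute its own power across as many shards as it likes; a shard counts as lost once the attacker's share in it exceeds the honest share, which is the 51% condition a/(a+h) > 1/2.

```go
package main

import "fmt"

// honestPerShard is the hashing power honest miners contribute to each of n
// equal shards when the attacker controls the fraction `attacker` of the total.
func honestPerShard(attacker float64, n int) float64 {
	return (1 - attacker) / float64(n)
}

// ShardsOverpowered returns how many shards the attacker can control at the
// same time by spreading its power evenly over k of them. It needs a/k > h in
// each chosen shard, which is a/(a+h) > 1/2 rearranged.
func ShardsOverpowered(attacker float64, n int) int {
	h := honestPerShard(attacker, n)
	k := 0
	for attacker/float64(k+1) > h {
		k++
	}
	return k
}

// MaxSafeShards is the largest number of shards the network can be split into
// before this attacker can seize even one of them. Returns -1 if the attacker
// share is outside (0, 1), where the question has no finite answer.
func MaxSafeShards(attacker float64) int {
	if attacker <= 0 || attacker >= 1 {
		return -1
	}
	for n := 1; ; n++ {
		if ShardsOverpowered(attacker, n) > 0 {
			return n - 1
		}
	}
}

func main() {
	const facility = 0.10 // the comment's 10% facility (constructed figure)
	for _, n := range []int{1, 10, 100} {
		fmt.Printf("%3d shard(s): facility can overpower %d\n", n, ShardsOverpowered(facility, n))
	}
	fmt.Println("largest split this facility cannot break:", MaxSafeShards(facility))
}
```

With 100 shards the 10% facility does not merely threaten "several" shards one at a time; spread thinly it outweighs the honest 0.9% in eleven shards simultaneously, and the network can be split into at most nine shards before it can take any shard at all. The function is deliberately independent of absolute hash rate, since only the ratio of attacker to honest power decides the outcome.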
Because people are optimists?
It could also be that the window where the data is vulnerable is only a few minutes or hours, and the time to decrypt the data is a day or days for normal people, even with the wonky RNG. The key being normal people.
Also, I don’t remember hardware RNGs being something aside from very specialized equipment until recently, like crypto accelerators. There are cheap open hardware RNGs now, but those are recent.