Monday, September 30, 2013

Al Qaeda Promotes Own Comsec!

30 September 2013

Qaeda Plot Leak Has Undermined U.S. Intelligence
Published: September 29, 2013
WASHINGTON — As the nation’s spy agencies assess the fallout from disclosures about their surveillance programs, some government analysts and senior officials have made a startling finding: the impact of a leaked terrorist plot by Al Qaeda in August has caused more immediate damage to American counterterrorism efforts than the thousands of classified documents disclosed by Edward Snowden, the former National Security Agency contractor.
Since news reports in early August revealed that the United States intercepted messages between Ayman al-Zawahri, who succeeded Osama bin Laden as the head of Al Qaeda, and Nasser al-Wuhayshi, the head of the Yemen-based Al Qaeda in the Arabian Peninsula, discussing an imminent terrorist attack, analysts have detected a sharp drop in the terrorists’ use of a major communications channel that the authorities were monitoring. Since August, senior American officials have been scrambling to find new ways to surveil the electronic messages and conversations of Al Qaeda’s leaders and operatives.
“The switches weren’t turned off, but there has been a real decrease in quality” of communications, said one United States official, who like others quoted spoke on the condition of anonymity to discuss intelligence programs.
The drop in message traffic after the communication intercepts contrasts with what analysts describe as a far more muted impact on counterterrorism efforts from the disclosures by Mr. Snowden of the broad capabilities of N.S.A. surveillance programs. Instead of terrorists moving away from electronic communications after those disclosures, analysts have detected terrorists mainly talking about the information that Mr. Snowden has disclosed.
Senior American officials say that Mr. Snowden’s disclosures have had a broader impact on national security in general, including counterterrorism efforts. This includes fears that Russia and China now have more technical details about the N.S.A. surveillance programs. Diplomatic ties have also been damaged, and among the results was the decision by Brazil’s president, Dilma Rousseff, to postpone a state visit to the United States in protest over revelations that the agency spied on her, her top aides and Brazil’s largest company, the oil giant Petrobras.
The communication intercepts between Mr. Zawahri and Mr. Wuhayshi revealed what American intelligence officials and lawmakers have described as one of the most serious plots against American and other Western interests since the attacks on Sept. 11, 2001. It prompted the closing of 19 United States Embassies and consulates for a week, when the authorities ultimately concluded that the plot focused on the embassy in Yemen.
McClatchy Newspapers first reported on the conversations between Mr. Zawahri and Mr. Wuhayshi on Aug. 4. Two days before that, The New York Times agreed to withhold the identities of the Qaeda leaders after senior American intelligence officials said the information could jeopardize their operations. After the government became aware of the McClatchy article, it dropped its objections to The Times’s publishing the same information, and the newspaper did so on Aug. 5.
In recent months, senior administration officials — including the director of national intelligence, James Clapper Jr. — have drawn attention to the damage that Mr. Snowden’s revelations have done, though most have been addressing the impact on national security more broadly, not just the effect on counterterrorism.
“We have seen, in response to the Snowden leaks, Al Qaeda and affiliated groups seeking to change their tactics, looking to see what they can learn from what is in the press and seek to change how they communicate to avoid detection,” Matthew Olsen, the director of the National Counterterrorism Center, told a security conference in Aspen, Colo., in July.
American counterterrorism officials say they believe the disclosure about the Qaeda plot has had a significant impact because it was a specific event that signaled to terrorists that a main communication network that the group’s leaders were using was being monitored. The sharpest decline in messaging has been among the Qaeda operatives in Yemen, officials said. The disclosures from Mr. Snowden have not had such specificity about terrorist communications networks that the government is monitoring, they said.
“It was something that was immediate, direct and involved specific people on specific communications about specific events,” one senior American official said of the exchange between the Qaeda leaders. “The Snowden stuff is layered and layered, and it will take a lot of time to understand it. There wasn’t a sudden drop-off from it. A lot of these guys think that they are not impacted by it, and it is difficult stuff for them to understand.”
Other senior intelligence and counterterrorism officials offer a dissenting view, saying that it is difficult, if not impossible, to separate the impact of the messages between the Qaeda leaders from Mr. Snowden’s overall disclosures, and that the decline is more likely a combination of the two.
“The bad guys are just not going to talk operational planning electronically,” said one senior counterterrorism official. Moreover, that official and others say, it could take months or years to fully assess the impact of Mr. Snowden’s disclosures on counterterrorism efforts.
Over the past decade, the N.S.A. has invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, according to documents provided by Mr. Snowden.
The government’s greatest fear concerning its counterterrorism operations is that over the next several months, the level of intercepted communications will continue to fall as terrorists most likely find new ways to communicate with one another, one senior American official said. It will likely take the government some time to break into that method and monitor communications.
One way the terrorists may try to communicate, the official said, is strictly through couriers, who would carry paper notes or computer flash drives. If that happens, the official said, terrorists will find it very difficult to communicate as couriers take significant time to move messages.
“The problem for Al Qaeda is they cannot function without cellphones,” said one former senior administration official. “They know we listen to them, but they use them anyhow. You can’t run a sophisticated organization without communications in this world. They know all this, but to operate they have to go on.”
A senior intelligence official put it this way: “They are agile, we are agile. When we see a change in behavior, our guys are changing right along with it, or we’re already seeing it and adapting to it. Our capabilities are changing in hours and days, versus weeks and months like we used to.”
To be sure, Qaeda leaders and their top lieutenants use other secure electronic communications as well as old-fashioned means — like couriers, as Bin Laden did — that pose major challenges to American intelligence services.
In the past few months, the Global Islamic Media Front, the propaganda arm of Al Qaeda and other Islamic terrorist groups, has released new software that allows users to encrypt communications for instant-messaging and cellphones. Officials say these new programs may pose fresh challenges for N.S.A. code breakers.
Jihadists have been working on camouflaging their communications through encryption software for years.
Al Qaeda’s use of advanced encryption technology dates to 2007, when the Global Islamic Media Front released the Asrar al-Mujahedeen, or so-called “Mujahedeen Secrets,” software. An updated version, Mujahedeen Secrets 2, was released in January 2008, and has been revised at least twice, most recently in May 2012, analysts said.
The program was popularized in the first issue of Inspire, Al Qaeda in the Arabian Peninsula’s quarterly online magazine, in a July 2010 post entitled “How to Use Asrar al-Mujahedeen: Sending and Receiving Encrypted Messages.”
Since then, each issue of Inspire has offered a how-to section on encrypting communications, recommending MS2 as the main encryption tool.
Shortly after Mr. Snowden leaked documents about the secret N.S.A. surveillance programs, chat rooms and Web sites used by jihadis and prospective recruits advised users how to avoid N.S.A. detection, from telling them to avoid using Skype to recommending specific online software programs like MS2 to keep spies from tracking their computers’ physical locations.
A few months ago, the Global Islamic Media Front issued new software that relies on the MS2’s “Asrar al-Dardashah,” or “Secrets of Chatting,” which allows users to encrypt conversations over instant-messaging software like Paltalk, Google Chat, Yahoo and MSN, according to Laith Alkhouri, a senior analyst at Flashpoint Global Partners, a New York security consulting firm that tracks militant Web sites.
In early September, the Global Islamic Media Front said it had released an encryption program for messages and files on mobile phones running the Android and Symbian operating systems.
According to the group, the software can encrypt text messages and files and send them by e-mail or between cellphones with different operating systems. The software also lets users securely check e-mail and prevents users from receiving nonencrypted messages, the group claimed.

Sunday, September 29, 2013

NSA PGP Public Keys


29 September 2013
Downloaded 29 September 2013. NCSC is the NSA's National Computer Security Center. A number of the items are spoofs.




29 September 2013
Related report:
Scanned from New York Times hardcopy, 29 September 2013

NSA IDA Cryptologic Research Centers


28 September 2013
Center for Communications and Computing
For nearly 50 years IDA has played a key role in the research endeavors of the National Security Agency, providing cutting-edge research in those areas of mathematics and computer science that are fundamental to the NSA missions of protecting our national security information systems against exploitation, and providing the United States with effective foreign signals intelligence. The program has two intertwined research areas: communications research, and computing research.
Communications Research
The IDA Center for Communications Research (CCR) in Princeton, New Jersey, and La Jolla, California, performs mathematical research that supports the NSA’s two missions: protecting the information and communications of the U.S. government, and deriving foreign signals intelligence.
Computing Research
While high-end computing is an important part of the research program at the Center for Computing Sciences (CCS), its mission has broadened over the years to reflect global political and technological changes to include not only high-performance computing for cryptography, but also cryptography itself, network security, signal processing, and computational/mathematical techniques for mining and “understanding” very large data sets.
Princeton, NJ:
Center for Communications Research - Princeton
805 Bunn Drive
Princeton, New Jersey 08540
Our Mission
The Center for Communications Research in Princeton performs applied mathematical and computational research in cryptology and related disciplines.
CCR-P conducts mathematical research supporting the twin tasks facing cryptologists: cryptography and cryptanalysis. Mathematics remains the fundamental science used to create and analyze the complex algorithms used to encipher vulnerable communications. Virtually every branch of pure and applied mathematics has proved to be useful in these efforts. For example, techniques from the geometry of algebraic curves provide better methods for detecting and correcting errors in data transmission. Even where no explicit mathematics is involved, the mathematical mode of thinking seems to be ideally suited to cryptologic problems.
It is critical that we recruit the very best new mathematical talent. This requires that we foster and maintain close ties with the academic mathematical world. On occasion graduate students and renowned professors are brought in to work closely with regular CCR-P staff and other mathematicians on difficult and important problems.
Speech and Signals
As the modes and means of modern communications become more complex, we have expanded our research into other areas including speech, the processing of signals to remove noise and distortion, and network security.
La Jolla, CA:
Center for Communications Research
4320 Westerra Court
San Diego, California 92121-1969
Telephone: (858) 622-8600
FAX: (858) 622-8601

NSA IDA Cryptologic Research Centers

Center for Communications Research - Princeton
805 Bunn Drive
Princeton, New Jersey 08540 [Image]

Center for Communications Research
4320 Westerra Court
San Diego, California 92121-1969 [Image]

Institute for Defense Analyses
4850 Mark Center Drive
Alexandria, Virginia 22311-1882
703.845.2000 [Image]

Friday, September 13, 2013

NSA Brazil Spy Slides Decensored

Date: Thu, 12 Sep 2013 15:56:22 -0700 (PDT)
From: paulmd[at]
To: ronxyzzzzz
Subject: The rest of the Geopolitical trends: censored slide
I am not bothering to encrypt this, for several reasons. 1) it was on Brazilian TV already. 2) I already posted this on Wikipedia. 3) I want to yank the NSA's chain, just a bit. 4) There's little here that will surprise anyone who reads the news, with the possible exception of what actually got published on O Globo's website.
The Fantastico broadcast itself actually reveals most of this slide. (In fact, you already have posted some of the source images.) There is an image of it shown on Greenwald's laptop. And there were closeups of certain areas. Using a combination of tools (video capture software, an image compositor to stitch the closeup pans, and a photo editor), and a talent for reading blurry text, I am able to reconstruct with full confidence all but 2 of the blacked items.
I have about 50% certainty of one of the remaining (the second) "Non State Organizations and Turkey on the World Stage", I think so partly because 1) the letters fit, and 2) the next slide. Which again Fantastico revealed a larger portion of in the original broadcast.
Feel free to post, if you like.
And yes, I'm the guy who wrote the new articles on OAKSTAR and STORMBREW on Wikipedia, which you should check out. There is information that is actually new. The slides were shown on Fantastico, but the tables and some analyses are mine.

Slide as published by Fantastico: [Image]
Screen shot of slide by Fantastico:

Slide as published by Fantastico: [Image]


Thursday, September 12, 2013


11 September 2013
FBI Joint Terrorism Task Force and New York Police Department Spy Division
The location of these facilities is described in the recently published "Enemies Within: Inside the NYPD's Secret Spying Unit," by Associated Press reporters Matt Apuzzo and Adam Goldman

FBI Joint Terrorism Task Force and
New York Police Department Spying Unit

West entrance to FBI Joint Terrorism Task Force (NBC are initials of the National Biscuit Company) [Image]
Bridge Links FBI JTTF, at upper left, to NYPD Spying Unit across 10th Avenue [Image]
Bridge Links FBI JTTF, at front, to NYPD Spying Unit across 10th Avenue [Image]
Bridge Links FBI JTTF, at rear, to NYPD Spying Unit across 10th Avenue [Image]
Bridge Links FBI JTTF, at rear, to NYPD Spying Unit across 10th Avenue [Image]
NYPD Spying Unit at left, FBI JTTF at right [Image]
East facade FBI JTTF [Image]
North facade of FBI JTTF [Image]
West facade of NYPD Spying Unit [Image]
North facade of NYPD Spying Unit [Image]
South facade of FBI JTTF [Image]
East facade of FBI JTTF [Image]
Southwest facades of NYPD Spying Unit [Image]
South facade of NYPD Spying Unit [Image]
South facade of NYPD Spying Unit [Image]
Possible South facade of NYPD Spying Unit [Image]
NYPD Spying Unit vehicle [Image]
NYPD Spying Unit vehicle [Image]
NYPD Spying Unit vehicle [Image]

PRISM-Proof Security Considerations!!!!

Date: Wed, 11 Sep 2013 16:30:50 -0400
From: Phillip Hallam-Baker <hallam[at]>
To: "cryptography[at]" <cryptography[at]>
Subject: [Cryptography] Summary of the discussion so far
I have attempted to produce a summary of the discussion so far for use as a requirements document for the PRISM-PROOF email scheme. This is now available as an Internet draft.
I have left out acknowledgements and references at the moment. That is likely to take a whole day going back through the list and I wanted to get this out.
If anyone wants to claim responsibility for any part of the doc then drop me a line and I will have the black helicopter sent round.
The cryptography mailing list

Internet Engineering Task Force (IETF)              Phillip Hallam-Baker
Internet-Draft                                         Comodo Group Inc.
Intended Status: Standards Track                      September 11, 2013
Expires: March 15, 2014

                  PRISM-Proof Security Considerations 


   PRISM is reputed to be a classified US government program that 
   involves covert interception of a substantial proportion of global 
   Internet traffic. This document describes the security concerns such
   a program raises for Internet users and security controls that may
   be employed to mitigate the risk of pervasive intercept capabilities
   regardless of source.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF).  Note that other groups may also distribute 
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any 
   time.  It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress."

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the 
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   ( in effect on the date of 
   publication of this document. Please review these documents 
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must 
   include Simplified BSD License text as described in Section 4.e of 
   the Trust Legal Provisions and are provided without warranty as 
   described in the Simplified BSD License.

Hallam-Baker                 March 15, 2014                     [Page 1]

 Internet-Draft          Writing I-Ds using HTML           September 2013

Table of Contents

   1.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Attack Degree  . . . . . . . . . . . . . . . . . . . . . . . .  3
      2.1.  Content Disclosure  . . . . . . . . . . . . . . . . . . .  3
      2.2.  Meta Data Analysis  . . . . . . . . . . . . . . . . . . .  4
      2.3.  Traffic Analysis  . . . . . . . . . . . . . . . . . . . .  4
      2.4.  Denial of Service . . . . . . . . . . . . . . . . . . . .  4
      2.5.  Protocol Exploit  . . . . . . . . . . . . . . . . . . . .  5
   3.  Attacker Capabilities  . . . . . . . . . . . . . . . . . . . .  5
      3.1.  Passive Observation . . . . . . . . . . . . . . . . . . .  5
      3.2.  Active Modification . . . . . . . . . . . . . . . . . . .  5
      3.3.  Cryptanalysis . . . . . . . . . . . . . . . . . . . . . .  6
      3.4.  Kleptography  . . . . . . . . . . . . . . . . . . . . . .  6
         3.4.1.  Covert Channels in RSA . . . . . . . . . . . . . . .  6
         3.4.2.  Covert Channels in TLS, S/MIME, IPSEC  . . . . . . .  6
         3.4.3.  Covert Channels in Symmetric Ciphers . . . . . . . .  7
         3.4.4.  Covert Channels in ECC Curves  . . . . . . . . . . .  7
         3.4.5.  Unusable Cryptography  . . . . . . . . . . . . . . .  7
      3.5.  Lawful Intercept  . . . . . . . . . . . . . . . . . . . .  7
      3.6.  Subversion or Coercion of Intermediaries  . . . . . . . .  7
         3.6.1.  Physical Plant . . . . . . . . . . . . . . . . . . .  8
         3.6.2.  Internet Service Providers . . . . . . . . . . . . .  8
         3.6.3.  Router . . . . . . . . . . . . . . . . . . . . . . .  8
         3.6.4.  End Point  . . . . . . . . . . . . . . . . . . . . .  8
         3.6.5.  Cryptographic Hardware Providers . . . . . . . . . .  8
         3.6.6.  Certificate Authorities  . . . . . . . . . . . . . .  8
         3.6.7.  Standards Organizations  . . . . . . . . . . . . . .  9
   4.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
      4.1.  Confidentiality . . . . . . . . . . . . . . . . . . . . .  9
         4.1.1.  Perfect Forward Secrecy  . . . . . . . . . . . . . . 10
      4.2.  Policy, Audit and Transparency  . . . . . . . . . . . . . 10
         4.2.1.  Policy   . . . . . . . . . . . . . . . . . . . . . . 10
         4.2.2.  Audit  . . . . . . . . . . . . . . . . . . . . . . . 10
         4.2.3.  Transparency . . . . . . . . . . . . . . . . . . . . 10
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11

1. Requirements

   PRISM is reputed to be a classified US government program that 
   involves covert interception of a substantial proportion of global 
   Internet traffic. While the precise capabilities of PRISM are unknown
   the program is believed to involve traffic and meta-data analysis and
   that the intercepts are obtained with the assistance of 
   intermediaries trusted by Internet end users. Such intermediaries may
   or may not include ISPs, backbone providers, hosted email providers 
   or Certificate Authorities.

   Government intercept capabilities pose a security risk to Internet 
   users even when performed by a friendly government. While use of the 
   intercept capability may be intended to be restricted to counter-
   terrorism and protecting national security, there is a long and 
   abundant history of such capabilities being abused. Furthermore an 
   agency that has been penetrated by an Internet privacy activist 
   seeking to expose the existence of such programs may be fairly 
   considered likely to be penetrated by hostile governments.

   The term 'PRISM-Proof' is used in this series of documents to 
   describe a communications architecture that is designed to resist or 
   prevent all forms of covert intercept capability. The concerns to be 
   addressed are not restricted to the specific capabilities known or 
   suspected of being supported by PRISM or the NSA or even the US 
   government and its allies. 

2. Attack Degree

   Some forms of attack are much harder to protect against than others 
   and providing protection against some forms of attack may make 
   another form of attack easier.

   The degrees of attack that are of concern depend on the security 
   concerns of the parties communicating. 

2.1. Content Disclosure

   Content disclosure is disclosure of the message content. In the case 
   of an email message disclosure of the subject line or any part of the
   message body.

   The IETF has a long history of working on technologies to protect 
   email message content from disclosure beginning with PEM and MOSS. At
   present the IETF has two email security standards that address 
   confidentiality with incompatible message formats and different key 
   management and distribution approaches.

   S/MIME and PGP may both be considered broken in that they reveal the 
   message subject line and content Meta-data such as the time. This 
   problem is easily addressed but at the cost of sacrificing backwards 

2.2. Meta Data Analysis

   Meta Data is information that is included in a communication protocol
   in addition to the content exchanged. This includes the sender and 
   receiver of a message, the time, date and headers describing the path
   the message has taken in the Internet mail service. Meta-data 
   analysis permits an attacker to uncover the social network of parties
   that are in frequent communication with each other.

   Preventing disclosure of meta-data is possible through techniques 
   such as dead drops and onion routing but such approaches impose a 
   heavy efficiency penalty and it is generally considered preferable to
   limit the parties capable of performing meta-data analysis instead.

   The IETF STARTTLS extension to email permits the use of TLS to 
   encrypt SMTP traffic including meta-data. However use of STARTTLS has
   two major limitations. First SMTP is a store and forward protocol and
   STARTTLS only protects the messages hop-by-hop. Second there is 
   currently no infrastructure for determining that an SMTP service 
   offers STARTTLS support or to validate the credentials presented by 
   the remote server. The DANE Working Group is currently working on a 
   proposal to address the second limitation.

2.3. Traffic Analysis

   Analysis of communication patterns may also leak information about 
   which parties are communicating, especially in the case of 
   synchronous protocols such as chat, voice and video.

   Traffic analysis of store and forward protocols such as SMTP is more 
   challenging, particularly when billions of messages an hour may pass 
   between the major Webmail providers. But clues such as message length
   may permit attackers more leverage than is generally expected.

2.4. Denial of Service

   Providing protection against denial of service is frequently at odds 
   with other security objectives. In most situations it is preferable 
   for a mail client to not send a message in circumstances where there 
   is a risk of interception. Thus an attacker may be able to perform a 
   Denial of Service attack by creating the appearance of an intercept 

   Whether the potential compromise of confidentiality or service is 
   preferable depends on the circumstances. If critical infrastructure 
   such as electricity or water supply or the operation of a port 
   depends on messages getting through, it may be preferable to accept a
   confidentiality compromise over a service compromise even though 
   confidentiality is also a significant concern.

2.5. Protocol Exploit

   Many protocols are vulnerable to attack at the application layer. For
   example the use of JavaScript injection in HTML and SQL injection 

   A recent trend in Internet chat services is to permit the 
   participants in a group chat to share links to images and other 
   content on other sites. Introducing a link into the chat session 
   causes every connected client to retrieve the linked resource, thus 
   allowing an attacker with access to the chat room to discover the IP 
   address of all the connected parties.

3. Attacker Capabilities

   Some forms of attack are available to any actor while others are 
   restricted to actors with access to particular resources. Any party 
   with access to the Internet can perform a Denial of Service attack 
   while the ability to perform traffic analysis is limited to parties 
   with a certain level of network access.

   A major constraint on most interception efforts is the need to 
   perform the attack covertly so as to not alert the parties to the 
   fact their communications are not secure and discourage them from 
   exchange of confidential information. Even governments that 
   intentionally disclose the ability to perform intercepts for purposes
   of intimidation do not typically reveal intercept methods or the full
   extent of their capabilities.

3.1. Passive Observation

   Many parties have the ability to perform passive observation of parts
   of the network. Only governments and large ISPs can feasibly observe 
   a large fraction of the network but every network provider can 
   monitor data and traffic on their own network and third parties can 
   frequently obtain data from wireless networks, exploiting 
   misconfiguration of firewalls, routers, etc.

   A purely passive attack has the advantage to the attacker of being 
   difficult to detect and impossible to eliminate the possibility that 
   an intercept has taken place. Passive attacks are however limited in 
   the information they can reveal and easily defeated with relatively 
   simple cryptographic techniques. 

3.2. Active Modification

   Active attacks are more powerful but are more easily detected. Use of
   TLS without verification of the end-entity credentials presented by 
   each side is sufficient to defeat a passive attack but is defeated by
   a man-in-the-middle attack substituting false credentials.

   Active attacks may be used to defeat use of secure after first 
   contact approaches but at the cost of requiring interception of every
   subsequent communication. 

   While many attackers have the ability to perform ad-hoc active attack
   only a few parties have the ability to perform active attack 
   repeatedly and none can expect to do so with absolute reliability.

   A major limitation on active attack is that an attacker can only 
   perform an active attack if the target is known in advance or the 
   target presents an opportunity that would compromise previous stored 

3.3. Cryptanalysis

   Many parties have the ability to perform cryptanalysis but government
   cryptanalytic capabilities may be substantially greater.

3.4. Kleptography

   Kleptography is persuading the party to be intercepted to use a form 
   of cryptography that the attacker knows they can break. Real life 
   examples of kleptography include the British government encouraging 
   the continued use of Enigma type cryptography machines by British 
   colonies after World War II and the requirement that early export 
   versions of Netscape Navigator and Internet Explorer use 40 bit 
   symmetric keys.

3.4.1. Covert Channels in RSA

   One form of kleptography that is known to be feasible and is relevant
   to IETF protocols is employing a RSA modulus to provide a covert 
   channel. In the normal RSA scheme we choose primes p and q and use 
   them to calculate n = pq. But the scheme works just as well if we 
   choose n' and p and look for a prime q in the vicinity of n'/p then 
   use p and q to calculate the final value of n. Since q ~= n'/p it 
   follows that n' ~= n. For a 2048 bit modulus, approximately 1000 bits
   are available for use as a covert channel.

   Such a covert channel may be used to leak some or all of the private 
   key or the seed used to generate it. The data may be encrypted to 
   avoid detection.

3.4.2. Covert Channels in TLS, S/MIME, IPSEC

   Similar approaches may be used in any application software that has 
   knowledge of the actual private key. For example a TLS implementation
   might use packet framing to leak the key. 

3.4.3. Covert Channels in Symmetric Ciphers

   A hypothetical but unproven possibility is the construction of a 
   symmetric cipher with a backdoor. Such an attack is far beyond the 
   capabilities of the open field. A symmetric cipher with a perfect 
   backdoor would constitute a new form of public key cryptography more 
   powerful than any known to date. For purposes of kleptography however
   it would be sufficient for a backdoor to limit the key space that an 
   attacker needed to search through brute force or have some other 
   limitation that is considered essential for public key cryptography.

3.4.4. Covert Channels in ECC Curves

   Another hypothetical but unproven possibility is the construction of 
   a weak ECC Curve or a curve that incorporates a backdoor function. As
   with symmetric ciphers, this would require a substantial advance on 
   the public state of the mathematical art. 

3.4.5. Unusable Cryptography

   A highly effective form of kleptography would be to make the 
   cryptographic system so difficult to use that nobody would bother to 
   do so.

3.5. Lawful Intercept

   Lawful intercept is a form of coercion that is unique to government 
   actors by definition. Defeating court ordered intercept by a domestic
   government is outside the scope of this document though defeating 
   foreign lawful intercept requests may be.

   While the US government is known to practice Lawful Intercept under 
   court order and issue of National Security Letters of questionable 
   constitutional validity, the scope of such programs as revealed in 
   public documents and leaks from affected parties is considerably more
   restricted than that of the purported PRISM program. 

   While a Lawful Intercept demand may in theory be directed against any
   of the intermediaries listed in the following section on subversion 
   or coercion, the requirement to obtain court sanction constrains the 
   number and type of targets against which Lawful Intercept may be 
   sought and the means by which it is implemented. A court is unlikely 
   to sanction Lawful Intercept of opposition politicians for the 
   political benefit of current office holders.

3.6. Subversion or Coercion of Intermediaries

   Subversion or coercion of intermediaries is a capability that is 
   almost entirely limited to state actors. A criminal organization may 
   coerce an intermediary in the short term but has little prospect of 
   succeeding in the long term. 

3.6.1. Physical Plant

   The Internet is at base a collection of data moving over wires, 
   optical cables and radio links. Every form of interconnect that is a 
   practical means of high bandwidth communication is vulnerable to 
   interception at the physical layer. Attacks on physical interconnect 
   require only a knowledge of where the signal cables are routed and a 
   back hoe.

   Even quantum techniques do not necessarily provide a guarantee of 
   security. While such techniques may be theoretically unbreakable, the
   physical realization of such systems tends to fall short. As with the
   'unbreakable' One Time Pad, the theoretical security tends to be 
   exceptionally fragile.

   Attacks on the physical plant may enable high bandwidth passive 
   intercept capabilities and possibly even active capabilities.

3.6.2. Internet Service Providers

   Internet Service Providers have access to the physical and network 
   layer data and are capable of passive or active attacks. ISPs have 
   established channels for handling Lawful Intercept requests and thus 
   any employee involved in an intercept request that was outside the 
   scope of those programs would be on notice that their activities are 

3.6.3. Router

   Compromise of a router is an active attack that provides both passive
   and active intercept capabilities. Such compromise may be performed 
   by compromise of the device firmware or of the routing information.

3.6.4. End Point 

   Compromise of Internet endpoints may be achieved through insertion of
   malware or coercion/suborning the platform provider.

3.6.5. Cryptographic Hardware Providers

   Deployment of the 'kleptography' techniques described earlier 
   requires that the attacker be capable of controlling the 
   cryptographic equipment and software available to the end user. 
   Compromise of the cryptographic hardware provided is one means by 
   which this might be achieved.

3.6.6. Certificate Authorities

   Certificate Authorities provide public key credentials to validated 
   key holders. While compromise of a Certificate Authority is certainly
   possible, this is an active attack and the credentials created leave 
   permanent evidence of the attack.

3.6.7. Standards Organizations

   Another route for deployment of cryptography would be to influence 
   the standards for use of cryptography although this would only permit
   the use of kleptographic techniques that are not publicly known.

   Another area of concern is that efforts to make strong cryptography 
   usable through deployment of key discovery infrastructure or security
   policy infrastructure may have been intentionally delayed or 
   discouraged. The chief security failure of the Internet today is that
   insecurity is the default and many attacks are able to circumvent 
   strong cryptography through a downgrade attack. 

4. Controls

   Traditionally a cryptographic protocol is designed to resist direct 
   attack with the assumption that protocols that provide protection 
   against targeted intercept will also provide protection against 
   pervasive intercept. Consideration of the specific constraints of 
   pervasive covert intercept demonstrates that a protocol need not 
   guarantee perfect protection against a targeted intercept to render 
   pervasive intercept infeasible.

   One of the more worrying aspects of the attempt to defend the 
   legality of the PRISM program is the assertion that passive intercept
   does not constitute a search requiring court oversight. This suggests
   that the NSA is passively monitoring all Internet traffic and that 
   any statement that a citizen might make in 2013 could potentially be 
   used in a criminal investigation that began in 2023. 

   At present Internet communications are typically sent in the clear 
   unless there is a particular confidentiality concern in which case 
   techniques that resist active attack are employed. A better approach 
   would be to always use encryption that resists passive attack, 
   recognizing that some applications also require resistance to active 

4.1. Confidentiality

   Encryption provides a confidentiality control when the symmetric 
   encryption key is not known to or discoverable by the attacker. Use 
   of strong public cryptography provides a control against passive 
   attacks but not an active attack unless the communicating parties 
   have a means of verifying the credentials purporting to identify the 

4.1.1. Perfect Forward Secrecy

   One of the main limitations of simple public key exchange schemes is 
   that compromise of an end entity decryption key results in compromise
   of all the messages encrypted using that key. Perfect Forward Secrecy
   is a misnomer for a technique that forces an attacker to compromise a
   separate private key for every key exchange. This is usually achieved
   by performing two layers of public key exchange using the credentials
   of the parties to negotiate a temporary key which is in turn used to 
   derive the symmetric session key used for communications.

   Perfect Forward Secrecy is a misnomer as the secrecy is not 
   'perfect', should the public key system used to identify the 
   principals be broken, it is likely that the temporary public key will
   be vulnerable to cryptanalysis as well. The value of PFS is not that 
   it is 'perfect' but that it dramatically increases the cost of an 
   attack to an attacker.

4.2. Policy, Audit and Transparency 

   The most underdeveloped area of internet security to date is the lack
   of a security policy infrastructure and the audit and transparency 
   capabilities to support it.

4.2.1. Policy 

   A security policy describes the security controls that a party 
   performs or offers to perform. One of the main failings in the 
   Internet architecture is that the parties have no infrastructure to 
   inform them of the security policy of the party they are attempting 
   to communicate with except for the case of Certificate Policy and 
   Certificate Practices Statements which are not machine readable 

   A machine readable policy stating that a party always offers a 
   minimum level of security provides protection against downgrade 

4.2.2. Audit

   Audit is verifying that a party is in compliance with its published 
   security policy. Some security policies are self-auditing (e.g. 
   advertising support for specific cryptographic protocols) others may 
   be audited by automatic means and some may require human 
   interpretation and evaluation.

4.2.3. Transparency

   A security policy is transparent if it may be audited using only 
   publicly available information.

   An important application of transparency is by trusted intermediaries
   to deter attempted coercion or to demonstrate that a coercion attempt
   would be impractical.

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.
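
Sections 2.2, 2.4 and 4.2.1 of the draft above describe STARTTLS being silently unavailable and the machine readable policy that would let a sender notice. The Python sketch below is an added example, not part of the draft or of the mailing-list message; the policy format, host names, EHLO replies and decision labels are all constructed for illustration.

```python
import json

# Constructed policy store (hypothetical format, not defined by the draft).
# "fallback" encodes the section 2.4 trade-off: refuse to send, or accept a
# confidentiality compromise because delivery matters more.
POLICY_JSON = """
{
  "mail.example.net":  {"min_security": "starttls", "fallback": "refuse"},
  "scada.example.org": {"min_security": "starttls", "fallback": "cleartext"}
}
"""
POLICIES = json.loads(POLICY_JSON)

# Constructed EHLO replies. The second is what a sender sees when the
# STARTTLS keyword is absent, whether by server configuration or because
# an active party on the path removed it.
EHLO_FULL = (
    "250-mail.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response):
    """Return the set of extension keywords in a multi-line 250 reply."""
    caps = set()
    for index, line in enumerate(response.strip().splitlines()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("not a successful EHLO reply: %r" % line)
        if index == 0:
            continue  # first line carries the server name, not a keyword
        if rest.strip():
            caps.add(rest.split()[0].upper())
    return caps


def decide(host, ehlo_response, policies):
    """Choose what the sending client does for this hop.

    Without a published policy the sender cannot tell "server has no TLS"
    from "TLS offer was removed", which is the gap section 2.2 describes.
    """
    offered = "STARTTLS" in parse_ehlo(ehlo_response)
    if offered:
        # Still hop-by-hop only, and the server credentials must be
        # validated separately (not modelled here).
        return "send-tls"
    policy = policies.get(host)
    if policy is None or policy.get("min_security") != "starttls":
        return "send-cleartext"
    if policy.get("fallback") == "cleartext":
        return "send-cleartext-and-alert"
    return "refuse-and-alert"


if __name__ == "__main__":
    for host, reply in [
        ("mail.example.net", EHLO_FULL),
        ("mail.example.net", EHLO_STRIPPED),
        ("scada.example.org", EHLO_STRIPPED),
        ("unknown.example.com", EHLO_STRIPPED),
    ]:
        print(host, "->", decide(host, reply, POLICIES))
```

The "alert" outcomes are the point of the policy: a missing STARTTLS offer from a host that promised one becomes a visible event instead of a silent fallback.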
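
Section 4.1.1 of the draft above contrasts simple public key exchange with Perfect Forward Secrecy. The following added example (not from the draft) models both with Diffie-Hellman and counts how many recorded sessions are readable once the long-term private keys leak. Assumptions: the toy group, the function names, and mixing a static DH secret into the key in place of signed ephemeral keys.

```python
import hashlib
import secrets

# Toy group (assumption for illustration): 2**255 - 19 is a well-known
# prime that is easy to write down. It is far too small for real
# finite-field Diffie-Hellman; deployments use standardized groups.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def kdf(*elements):
    """Derive a 32-byte symmetric key from group elements."""
    h = hashlib.sha256()
    for e in elements:
        h.update(e.to_bytes(32, "big"))
    return h.digest()


def simple_exchange(recipient_pub):
    """No forward secrecy: the key depends on the recipient's long-term
    key and on a value that travels in the clear. Returns (wire, key)."""
    r, wire = keypair()
    return wire, kdf(pow(recipient_pub, r, P))


def simple_recover(wire, recipient_priv):
    """What the recipient computes, and equally anyone who later obtains
    the recipient's long-term private key and has the recorded wire."""
    return kdf(pow(wire, recipient_priv, P))


def pfs_session(a_priv, a_pub, b_priv, b_pub):
    """Two layers: long-term keys authenticate, per-session ephemeral
    keys supply the secrecy. Returns (wire, key)."""
    x, X = keypair()  # Alice's ephemeral pair, discarded after the session
    y, Y = keypair()  # Bob's ephemeral pair, discarded after the session
    k_alice = kdf(pow(b_pub, a_priv, P), pow(Y, x, P))
    k_bob = kdf(pow(a_pub, b_priv, P), pow(X, y, P))
    if k_alice != k_bob:
        raise RuntimeError("key agreement failed")
    return (X, Y), k_alice


def attacker_candidates(wire, a_priv, b_priv):
    """Keys derivable from recorded traffic plus BOTH long-term private
    keys, without solving a discrete logarithm for x or y."""
    X, Y = wire
    static = pow(pow(G, a_priv, P), b_priv, P)  # this layer is recovered
    mixes = [pow(X, a_priv, P), pow(X, b_priv, P),
             pow(Y, a_priv, P), pow(Y, b_priv, P), (X * Y) % P]
    return {kdf(static, m) for m in mixes}


def demo(sessions=3):
    """Record traffic, then leak the long-term keys.
    Returns (simple sessions recovered, PFS sessions recovered)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    simple = [simple_exchange(b_pub) for _ in range(sessions)]
    pfs = [pfs_session(a_priv, a_pub, b_priv, b_pub)
           for _ in range(sessions)]
    simple_broken = sum(simple_recover(w, b_priv) == k for w, k in simple)
    pfs_broken = sum(k in attacker_candidates(w, a_priv, b_priv)
                     for w, k in pfs)
    return simple_broken, pfs_broken


if __name__ == "__main__":
    print(demo())
```

As the draft notes, this is a cost argument rather than a guarantee: the PFS sessions stay closed only as long as the discrete logarithm of each ephemeral value stays hard, and each one has to be attacked separately.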