The Feds Want Everything

The federal government sure is a grabby little bastard. First it taps all of our phones and Internet connections and now it’s demanding passwords and Secure Sockets Layer (SSL) certificates. Let’s start with their demands that online service providers hand over their customers’ passwords:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.'”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

The difficulty of handing over user passwords is that any system administrator worth his salt (pun intended, deal with it) only stores a hash of the password. For those of you who don’t know, a hash is the result of a one-way algorithm. You put some text in and the hashing algorithm gives you some output. Ideally, the input cannot be recovered from the output and the algorithm gives a different output for each unique input. Salts are often added to the hashing algorithm to trip up word list attacks, as the added information to the input creates a different output than sending the clear text password alone.

Assuming the system administrator or software developer properly implemented this system (which is difficult to do), receiving the password hashes would do the federal government very little good. They may be able to reverse individual passwords given enough time and computing power but it’s almost certainly outside their capabilities to revere every user’s password. I would be less concerned about the federal government receiving and reversing my password than I would be of it performing rubber-hose cryptanalysis on it.

The other thing the federal government has apparently been demanding from only service providers are their SSL private keys:

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

Having a service provider’s SSL private keys would allow a malicious individual to intercept and decrypt any SSL secured traffic going to or coming from a service provider’s network. This concern can be put to rest if service providers began implementing forward secrecy (which I enabled on this site beginning last month). Forward secrecy negotiates temporary session keys for SSL connections. The temporary keys are used to encrypt and decrypt data going between a service provider and a customer. After the session concludes the keys, at least ideally, are to be disposed of. Implementing forward secrecy means that an attacker is unable to decrypt SSL secured traffic even if they are in possession of the correct private key. Unfortunately, as a recent study by Netcraft noted, very few service providers currently implement forward security (leading one to wonder why a guy operating a free blog is able to implement security technologies before multi-billion dollar corporations). It would be wise, especially in light of recent developments, to put pressure on service providers to implement forward secrecy.

While it’s annoying that the federal government has become a surveillance state, there are technologies that allow us to mitigate many of their demands. We live in a world where the spying powers of the state are incredible but the power to avoid surveillance is also very powerful. The state is a collection of a handful of individuals fighting the rest of the world. With such high odds against it, the state will be unable to win in the long run.