New top secret documents leaked by Snowden (link below) reveal that GCHQ, Britain’s spy agency, has a team that reverse engineers popular encryption software and that it routinely collaborates with British police when they come across encrypted data during the course of an investigation. Since there is no need to explain in court how law enforcement managed to access the encrypted data, a vulnerability that GCHQ finds in a specific program can remain secret.
In one particular case, GCHQ assisted the National Technical Assistance Centre, a domestic law enforcement agency, in decrypting child pornography stored inside a virtual encrypted container created with CrypticDisk, and in another case GCHQ cracked Acer eDataSecurity Personal Secure Disk for an undetermined “high profile police case”.
Acer eDataSecurity is a free file encryption utility that comes with Acer laptops. I was not able to find out what algorithm Acer is using for encryption, but I learned from reading the laptop manual that the user can choose a bit strength between 128-bit and 256-bit. The manual says verbatim: “If you lose your password, there will be no way to decrypt your encrypted file!” It has not been designed with a backdoor, from which I deduce that GCHQ cracked it on its own without assistance from Acer.
The other cracked software, CrypticDisk, from Canadian company Exlade, has thousands of companies and government agencies as customers. CrypticDisk can create a virtual encrypted disk or encrypt an external device, like a USB memory stick, where you can store data or programs. Once the container has been closed, it is meant to be inaccessible. It works like TrueCrypt, and the company page mentions that CrypticDisk encryption keys can be up to 2944 bits in strength, with built-in support for opening TrueCrypt containers.
CrypticDisk containers can use multiple encryption algorithms in cascade, chosen from AES, Twofish, Serpent, Blowfish and CAST6. The encryption wizard advises that the more algorithms you choose in cascade, the higher the cryptographic strength.
There isn’t any clue in the leaked papers about how GCHQ cracked this software. I will make a guess of a bad implementation, because the encryption algorithms are all open and AES has been widely reviewed by expert cryptographers. I am discounting the possibility of a user mistake in choosing a weak password, because British police are known to have a computer cluster where they can try thousands of dictionary words per minute; theoretically, there should be no need for the UK secret services to help law enforcement brute-force a passphrase.
The same secret documents reveal that GCHQ has obtained a warrant from the Foreign Secretary so that it cannot be prosecuted for breaching the copyright of proprietary software companies. The agency is also targeting antivirus companies to be able to send trojan horses to targets without being detected. Kaspersky, a Russian antivirus company, is named in the documents as being a challenge to them.
Snowden documents: https://firstlook.org/theintercept/2015/06/22/gchq-reverse-engineering-warrants/
Joe
I am not an expert in cryptography at all, but I have a mild interest in it. (I remember playing with Scramdisk and E4M many years ago, but I am basically at “consumer level”.)
Nevertheless I feel that what I read recently was *very* important, so I’d like to share a couple of hyperlinks with your readers.
The first link is entitled “Software developers are failing to implement crypto correctly, data reveals”
Subtitle is: “Lack of specialized training for developers and crypto libraries that are too complex lead to widespread encryption failures”
and here is the link for further reading, giving the reasons why:
http://www.infoworld.com/article/2940551/encryption/software-developers-are-failing-to-implement-crypto-correctly-data-reveals.html
A brief quote from the above article is: “Many developers believe they know how to implement crypto, but they haven’t had any specific training in cryptography and have a false sense of security, he said. Therefore, even though they end up with applications where encryption is present, so they can tick that checkbox, attackers are still able to get at sensitive data.”
The second link is older, from 2013, and it concerns very powerful Government agencies much more than the previous link.
Title is: “Spooks break most Internet crypto, but how?”
Subtitle is: “In a post-Snowden era, it’s getting hard to tell prudence from paranoia.”
A brief quote from the article: “As stated recently by Edward Snowden, the former National Security Agency (NSA) contractor who leaked highly classified documents leading to the reports, “Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on.” How is it, then, that agents from the NSA and its British counterpart, known as the Government Communications Headquarters (GCHQ), are reportedly able to bypass the crypto protections provided by Internet companies including Google, Facebook, Microsoft, and Yahoo?”
Hyperlink is here, and it is recommended reading:
http://arstechnica.com/security/2013/09/spooks-break-most-internet-crypto-but-how/
Thanks for the blog, Hacker10.
Zoltán Jókay
Hello, this way because I haven’t found your mail address.
I am looking for a way to communicate by encrypted mail with people who don’t bother at all about encryption. I am trying Lavaboom, Tutanota, ProtonMail. I couldn’t even convince an IT person; he said these services are not worth the hassle, because of the browser-side encryption. All of my acquaintances don’t want to change their ways, even if it’s hardly a hassle…
I found now this service: https://mynigma.org/en/
It would be nice if you could look at it.
Hacker10
Hello Zoltan,
My contact email address is listed in the About page (http://www.hacker10.com/about/), but thanks to your comment I can see now that, due to a design flaw, pages are hidden from the blog. I will fix it when I can.
I have a long list of things to do, and this blog is not a full-time job, so I can’t guarantee any kind of review or post, but I might just do it as the service looks good. I also have a Lavaboom account and I should review them first. Thanks for the tip.
hacker10