Military Applications - Applications - Modern Cryptography: Applied Mathematics for Encryption and Informanion Security (2016)

Modern Cryptography: Applied Mathematics for Encryption and Informanion Security (2016)

PART IV. Applications

Chapter 15. Military Applications

In this chapter we will cover the following:

image NSA and cryptography

image U.S. cryptography laws

image How do other nations use cryptography

image Cryptography and malware

image The Onion Router

It may seem a bit odd to some readers to include a separate chapter specifically for military applications of cryptography. After all, isn’t the military the primary user of cryptography? Prior to the Internet and the advent of e-commerce, that was undoubtedly true. However, for the past several decades, banks, e-commerce web sites, and individuals sending e-mail or securing their hard drives all use cryptography. In fact, the civilian applications for cryptography are quite numerous. Most of the cryptography I have discussed thus far in this book is used for civilian purposes, although some of it (such as AES and GOST) is also used for military purposes.

In this chapter, we will specifically examine applications of cryptography that are exclusively (or nearly so) the domain of militaries, governments, and intelligence agencies. Although civilian organizations certainly have a need for secure communications, the need is more pressing in military and intelligence applications for two reasons. First, the stakes are much higher. Rather than money being lost or embarrassing data being leaked, lives might be lost. In the event of armed conflict, a breach of security could provide the opponent with a tactical or even strategic advantage. Second, the nature of the persons attempting to breach government security is far more serious. Militaries are not worried about solo hackers or similar threats so much as concerted efforts by trained intelligence personnel to breach their communication systems.

Note

The line between military and law enforcement can sometimes become blurred, especially in regard to dealing with terrorist organizations. Their activities are pursued by law enforcement agencies but also by military and intelligence agencies. International criminal organizations are also the domain of intelligence agencies and law enforcement. In the latter part of this chapter, I will discuss some items that fit in both criminal and terrorist categories.

NSA and Cryptography

It would be impossible to discuss the military applications of cryptography without discussing the U.S. National Security Agency (NSA). In Chapter 2 you read a brief history of the NSA up through the Cold War. In this section I will first discuss the modern cryptographic role of the NSA.

Security Classifications

Throughout this chapter, you will see items designated as “secret” or “top secret.” It is important that you understand the meaning of these terms. Each nation has its own security classification system, and even some agencies within the United States have their own systems. In this chapter, the terms used are in reference to U.S. Department of Defense classifications.

The terms “secret” and “top secret” have specific meanings according to a specific hierarchy of classification in the United States. The lowest classification is confidential. This is information that might damage national security if disclosed. Secret information is data that might cause serious damage to national security if disclosed. Top secret information is data that could be expected to cause exceptionally grave damage to national security if disclosed. And there is one more designation: Top Secret SCI, or Sensitive Compartmented Information. Each of these clearances requires a different level of investigation.

For a secret clearance, an applicant undergoes a complete background check, including criminal, work, and credit history, and a check with various national agencies (Department of Homeland Security, Immigration, State Department, and so on) is required. This is referred to as a National Agency Check with Law and Credit (NACLC). The check for employment will cover the last seven years of the person’s life and may or may not include a polygraph.

The top secret clearance is more rigorous, as you may imagine. Those seeking a top secret clearance require a Single Scope Background Investigation (SSBI)—a complete NACL for the applicant and his or her spouse that goes back at least ten years. It will also involve a subject interview conducted by a trained investigator. Direct verification of employment, education, birth, and citizenship are also required, along with at least four references—at least two of which will be interviewed by investigators. A polygraph is also required. The SSBI is repeated every five years.

SCI clearance is assigned only after a complete SSBI has been completed. An SCI may have its own process for evaluating access; therefore, a standard description of what is involved is not available.

In any clearance investigation, should any issues arise, the scope will be expanded to resolve those issues. For example, if a specific issue arises in regard to the applicant’s education, but that education occurred 20 years ago, the investigation would be expanded to address that issue.

NSA Cryptographic Standards

Since the early days of the NSA, the agency has been responsible for U.S. government cryptography. The NSA defines cryptographic algorithms in two ways: via four encryption product types, numbered 1 through 4, and two algorithm suites named Suite A and Suite B.1

Note

In this chapter we will be discussing classified equipment and algorithms. However, we will be discussing only those aspects that are accessible in the public domain. So you may find some algorithm descriptions much more vague than the algorithms you have explored earlier in this book. For what should be obvious reasons, it is not possible to provide complete descriptions of classified algorithms in a published book.

Type 1 Products

Type 1 products are endorsed by the NSA for classified purposes in the United States. This often includes equipment and algorithms that are classified, though in some cases classified equipment might use an unclassified algorithm.

HAIPE A HAIPE (High Assurance Internet Protocol Encryption) device can use both Suite A and Suite B algorithms. A HAIPE device is often used as a secure gateway to connect two sites. HAIPE is essentially a government-enhanced version of IPSec.

HAIPE is based on IPSec with some additional enhancements. One such enhancement is the ability to encrypt multicast data by having all the HAIPE devices that wish to participate in the multicast session share a key in advance. Whereas IPSec uses security associations (SAs) to establish secure tunnels, HAIPE uses an internal Security Policy Database.

HAVE QUICK HAVE QUICK is a frequency-hopping algorithm originally developed for ultra high frequency (UHF) radios used between ground and air. Military radio traffic hops through a range of frequencies, which makes it very difficult to jam signals. For signals to employ HAVE QUICK, both ends must be initialized with an accurate time of day (often called TOD). They often also use a Word of the Day (WOD) that serves a key for encrypting transmissions. Finally, both ends also use a NET number to select a specific network. HAVE QUICK is not itself an encryption system, but many systems combine HAVE QUICK with encryption to provide confidentiality and prevent jamming.

SINCGARS The Single Channel Ground and Airborne Radio System is a VHF FM band radio using frequencies from 30 to 87.975 MHz. It is currently used by the U.S. military as well as several other countries. It can provide both single frequency and frequency hopping modes. Early SINCGARS units did not have built-in cryptography and required external cryptographic units. Later versions included built-in cryptographic units.

There have been many models, starting with the RT-1439 produced in 1988. More recent developments include the RT-1523G, RT-1730C and E (for Naval applications), and RT-1702G, made to be carried by an individual solider. One example of these systems is shown in Figure 15-1.

Images

FIGURE 15-1 SINCGARS system

Type 2 Products

Type 2 products are endorsed by the NSA for sensitive but unclassified purposes. The Key Exchange Algorithm (KEA) asymmetrical logarithm and the Skipjack block cipher are examples of Type 2 algorithms, and Type 2 equipment examples include Fortezza, CYPRIS, and others.

Fortezza Plus The Fortezza Plus card, also known as the KOV-14 card, is a PC card that provides cryptographic functions and keys for secure terminal equipment. The original Fortezza Crypto Card contained a security token. Each user was issued a Fortezza card that included, among other things, private keys used to access sensitive data. The original Fortezza card was developed to use the Skipjack algorithm.

Fortezza Plus is an improvement that uses a classified algorithm. It is used with secure terminal equipment for voice and data encryption. An even more modern improvement on Fortezza Plus is called the KSV-21, which is backward-compatible with the Fortezza Plus card. A Fortezza Crypto Card is shown in Figure 15-2.

Images

FIGURE 15-2 Fortezza Crypto Card

Type 3 and 4 Products

Type 3 products are unclassified. Many of the algorithms we have examined in this book so far are in this category, including Data Encryption Standard (DES), Advanced Encryption Standard (AES), and SHA.

Type 4 products are not endorsed by the NSA for any government use. They are usually products with such weak encryption that they have no practical value.

Suite A

Suite A algorithms are unpublished, classified algorithms used for highly sensitive systems. Suite A algorithms include MEDLEY, SAVILLE, BATON, WALBURN, JOSEKI, and SHILLELAGH.

SAVILLE The SAVILLE algorithm is often used in voice encryption. Although its details are classified, some indications suggest it may have a 128-bit key.

BATON The BATON algorithm is classified. However, the publically available standard PKCS#11 has some general information about BATON. Public-Key Cryptography Standard (PKCS) 11 defines an API for cryptographic tokens such as those used in smart cards. BATON is a block cipher that uses a 128-block with a 320-bit key. It can also be used in electronic codebook (ECB) mode with a 96-bit block.

Note

Although this was mentioned earlier in this book, it is worth mentioning again that the NSA using classified documents is not in conflict with Kerckhoffs’s principle. To begin with, the NSA is the largest employer of mathematicians and cryptographers in the world. They can subject an algorithm to internal peer review that is quite exhaustive. Furthermore, Kerckhoffs teaches us that the security of a cryptographic mechanism should depend on only the secrecy of the key, not the secrecy of the algorithm. The key word being depend. The Suite A algorithms do not depend on the secrecy of the algorithm for security, but they do add a bit of additional security.

Suite B

Suite B algorithms are published, and AES is a perfect example of a Suite B.2 Suite B includes many algorithms you have already studied in previous chapters, which are all publically available:

image Advanced Encryption Standard If using a 128-bit key, AES is considered secure enough for secret information. If using a 256-bit key, AES is considered secure enough for top-secret information.

image Elliptic Curve Digital Signature Algorithm (ECDSA)

image Elliptic Curve Diffie-Hellman (ECDH)

image Secure Hash Algorithm 2 (SHA-2, 256, 384, and 512)

image Elliptic curve cryptography With a 384-bit key, ECC is considered secure enough for top-secret information.

The Modern Role of the NSA

The NSA has been involved in encrypted communications for military purposes since its inception. This involves developing and approving cryptography for U.S. government use, but also attempting to compromise the cryptographic communications of other countries.

In the past several years, NSA involvement in cyber-espionage has increased. The Office of Tailored Access Operations (TAO) is a cyber-warfare and intelligence gathering unit within the NSA. One of its goals is to infiltrate foreign systems. Edward Snowden revealed that the TAO has a suite of software tools used specifically for breaking into these systems.

Despite the NSA expanding into areas of cyber-espionage and cyber-warfare, its primary role is still to provide secure communications. The NSA leads the U.S. government in creating and approving cryptography. For example, for the past few years, the NSA has been recommending moving from RSA to ECC. And many U.S. government agencies are now using a variation of ECC, including ECDSA and ECDH. Data mining and similar roles involve heavy use of both mathematics and computer science, so it is only natural that the NSA be involved in those activities.

U.S. Cryptography Laws and Regulations

Export laws regarding cryptography were quite strict until the turn of the 21st century. In fact, U.S. cryptography export laws have undergone gradual changes since the 1990s.

One of the first changes came in 1992, when 40-bit RC2 and RC4 became available to export and was no longer governed by the State Department, but was instead managed by the Commerce Department. When Netscape developed Secure Sockets Layer (SSL), this required a reexamination of cryptographic export laws. The U.S. version of SSL used RSA with key sizes of 1024 bits and larger, along with Triple DES (3DES) or 128-bit RC3. The international version used 40-bit RC4.

There were various legal challenges to cryptography export rules throughout the early 1990s. The expansion of e-commerce and online banking also required some rethinking of these export laws. Prior to 1996, the U.S. government regulated most cryptography exports under the auspices of the Arms Export Control Act and the International Traffic in Arms Regulations. Cryptography was treated much like weapons and ammunition. In 1996, President Bill Clinton signed an executive order that moved commercial cryptography off of the munitions list, and since then it has been treated as standard commerce. In 1999, regulations were again relaxed to allow export of 56-bit symmetric keys (DES) and 1024-bit RSA.

Currently, the following technologies are exempt from any export controls:3

image Software or hardware specifically designed for medical use

image Cryptography specifically used for copyright or intellectual property protections

As of this writing, exporting cryptographic products from the United States to other nations requires a license from the U.S. Department of Commerce. For the most part, prior restrictions have been relaxed—for example, McAfee Data Protection Suite, which includes encryption, has been granted an ENC/Unrestricted license exception by the Department of Commerce.

When exporting any software that includes cryptographic functions, one must check with the appropriate government entity within one’s country. In the United States, if you export such software without obtaining proper licensure, you can be fined. For example, in 2014, Wind River Systems (a subsidiary of Intel) was fined $750,000 for exporting encryption to several countries, including China, Russia, and Israel.4

In the United States, cryptography (as well as many other items) for use in government systems is regulated by the Federal Information Processing Standard. Civilian use of cryptography is not regulated (except for the export of cryptography).

Cryptography in Other Nations

Although the NSA is an obvious starting point for examining government-sponsored cryptography, it is not the only place to look. Clearly, other nations develop their own cryptographic systems and standards. In some cases the cryptography developed is applied to military and/or classified purposes. In this section we will take a brief look at how other nations deal with cryptography.

This information is very important for a few reasons. First, you may not reside within the United States. Or you may travel abroad and be subject to the cryptography laws of the nations you visit. And should you be involved in the creation, design, or sale of cryptographic products, a knowledge of international laws is important.

International Regulations and Agreements

Governments have an interest in regulating the import and export of cryptographic equipment and software. The export issue may be more obvious, so let’s begin with that. If a nation has cryptographic software or hardware that is highly secure, that government may want to limit its export to other countries. It is not in any government’s interest to hand other nations its means to secure communications. Import restrictions may not be so obvious, however. One major reason for such restrictions is the fear of cryptographic backdoors (see Chapter 18). Essentially there is a concern that if products are imported from foreign nations, those products could contain backdoors that subvert security.

COCOM and the Wassenaar Arrangement

There have been attempts to regulate and standardize the export of various products considered to be of strategic military value, including both munitions and cryptographic products. One early attempt was the Coordinating Committee for Multilateral Export Controls (COCOM), which consisted of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Luxemburg, The Netherlands, Norway, Portugal, Spain, Turkey, United Kingdom, and the United States. Other nations did not join the committee but cooperated with the standards it set: Austria, Finland, Hungary, Ireland, New Zealand, Poland, Singapore, Slovakia, South Korea, Sweden, Switzerland, and Taiwan.

In 1991, COCOM decided to allow the export of mass-market software that implemented cryptography. In 1995, the successor to COCOM, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (often simply called the Wassenaar Arrangement), was created.5

Note

The name comes from the town where the original agreement was reached in 1995. The town of Wassenaar is a suburb of The Hague in the Netherlands. As of this writing, 41 countries have signed the Wassenaar Arrangement.

The Wassenaar Arrangement followed most of the COCOM recommendations but provided a specific exception for the use of mass-market and public domain cryptographic software. It also included a personal use exception that allowed the export of products that were for the user’s personal use (such as encrypting their laptop hard drive).

In 1998, the Wassenaar Arrangement was revised to allow the following:

image Export for all symmetric cryptography products using keys up to 56 bits

image Export for all asymmetric cryptography products using keys up to 512 bits

image Export for elliptic curve–based asymmetric products using keys up to 112 bits

image Export of mass-market products (software and hardware) using keys up to 64 bits

Note

In 2000, the Wassenaar Arrangement lifted the 64-bit limit for mass-market cryptographic products.

Specific Government Regulations

The European Union (EU) regulates cryptography exports under the “Council Regulation (EC) No 1334/2000 setting up a Community regime for the control of exports of dual-use items and technology.” The EU essentially follows the Wassenaar Arrangement with a few exceptions:

image Export from one EU member nation to another is relaxed, with the notable exception of cryptanalysis products.

image Exceptions can be applied to exporting to certain nations including Canada, Australia, Japan, and the United States.

Australia regulates the export of cryptographic products via the Defense and Strategic Goods List. This regulation is notable in that it includes a specific exemption for public-domain software. In 2001, Australia passed the Cybercrime Act of 2001, which included a clause requiring the release of encryption keys or decrypting the data if a court order was issued. Australia passed its Defense Trade Control Act of 2012, which describes “dual use goods” (products with both military and civilian use) and includes segments on electronics and telecommunication. However, its requirements on encryption are not very clear, and some are concerned that it could lead to criminalizing the teaching of cryptography.6

China first implemented the Commercial Use Password Management Regulations in 1999, which requires a license from the government before cryptographic functions can be imported or exported. In 2000, the Chinese government clarified this order, indicating that the order refers to products that have cryptography as a core function. Products such as mobile phones and web browsers, for which cryptographic functions are ancillary, are exempted.

Several nations require a license to use encrypted communications. In Iran, a license is required to use cryptography for any communications. Israel requires a license from the government to export or import cryptographic products. Pakistan requires government approval for the sale or use of cryptography products.

India, under the Information Technology Act 2000, does not require a license, but any organization or individual must cooperate with any agency of the government to assist in decrypting data if requested.

Although Russia has signed the Wassenaar Arrangement, its laws go a bit further. A license is required to import cryptography products manufactured outside of Russia. Exporting cryptography requires government approval.

Belarus has strict regulations regarding the import and export of cryptography. A license is required for the design, production, sale, repair, and operation of cryptography. Along with other countries, Belarus may not recognize a personal use exception.

Tip

Many of us use encrypted hard drives on our personal computers. If you plan to travel internationally, be sure to check the laws of the countries you will be traveling through before you go to determine if you must comply with particular laws or regulations. It may be necessary for you to take a separate laptop that does not include encryption.

Belgium passed the Law on Information-Science Crime in 2000, in which Article 9 allows a court to issue an order to a person who is suspected of having “special knowledge” of encryption services to provide information to law enforcement on how to decrypt data. This means that if a suspect has encrypted data, the court can order the vendor of the cryptography product to provide assistance in decrypting the data. Failure to comply can result in 6 to 12 months of incarceration.

Note

There has been a great deal of debate regarding how to handle evidence that has been encrypted by parties suspected of criminal activity. Currently, the United States has no laws compelling anyone to reveal encrypted data or to assist in decrypting the data, although there has been discussion of creating such laws, which now exist in several other countries.

Cryptography and Malware

Malware, even cryptographic malware, may seem to be an unrelated topic for this chapter. How does malware relate to military applications of cryptography? As cyber-warfare becomes increasingly real, malware that uses cryptography in one form or another has become a common weapon used by governments and other entities.

The term “cryptovirology” is sometimes applied to the study of how cryptography is combined with malware. One application of cryptography with malware is the use of encryption to protect a virus from detection; this is an example of an “armored virus.”7 One of the first armored viruses was the Cascade virus, which was discovered in the late 1980s. This clearly demonstrates that using encryption to bolster viruses is not a new technique.

Malware encryption is done not only to prevent detection, but also to make it difficult to analyze the malware. To use encryption the malware needs at least three components:

image The actual malware code (which is encrypted)

image A module to perform encryption/decryption

image A key

Cryptoviral extortion, or ransomware, is another application of cryptovirology. Ransomware is malware that, once it has infected the target machine, encrypts sensitive files on that machine. The machine user is then sent a ransom message, demanding money for the attacker to decrypt the files. The One_Half virus, first reported in 2007, would encrypt certain files but did not demand ransom.8 The PGPCoder, or GPCode (Virus.Win32.Gpcode.ag), used a 660-bit version of RSA to encrypt certain files. It then asked for a ransom. If the ransom was paid, the victim was sent a key to decrypt the files.

The infamous CryptoLocker is one of the most widely known examples of a cryptovirus that was first discovered in 2013. CryptoLocker used asymmetric encryption to lock the user’s files. Several varieties of the virus have been detected, including CryptoWall, which was first found in August 2014.9 It looked and behaved much like CryptoLocker, but in addition to encrypting sensitive files, it would communicate with a command and control server, and even take a screenshot of the infected machine. In March 2015, a variation of CryptoWall was discovered, which is bundled with the spyware TSPY_FAREIT.YOI and actually steals credentials from the infected system in addition to holding files for ransom.10

Note

The viruses mentioned here are just a sample of viruses that use encryption. The purpose of this chapter is not to educate you on viruses, but the line between viruses and cryptography is becoming blurred. As you have seen, cryptography can be used with malware to create both new forms of malware (ransomware) and enhanced viruses (armored viruses).

Weaponized Malware

Moving forward, we should expect to see more examples of malware-based attacks and state-sponsored malware espionage, as indicated in the “Worldwide Threat Assessment of the US Intelligence Community” report.11 Several nations have either already been discovered to have been engaged in such activities or are strongly suspected of being engaged in such activities. Most analysts believe that the Stuxnet and Flame viruses were designed for the express purpose of cyber-espionage and/or sabotage of the Iranian government.12

Stuxnet Virus

As the first example of cyber-warfare via malware infections, consider the Stuxnet virus. Stuxnet first spread via infected thumb drives; however, after it infected a machine, it would spread over the entire network and even over the Internet. The Stuxnet virus then searched for a connection to a specific type of programmable logic controller (PLC), specifically the Siemens STEP 7 software. Once Stuxnet discovered that PLC, the virus would load its own copy of a specific dynamic link library (DLL) to monitor the PLC and then alter the PLC’s functionality. It was meant to target only centrifuge controllers involved in Iran’s uranium enrichment program.13 Clearly this was meant to be a targeted attack, but it spread beyond the intended targets. Although many reported no significant damage from Stuxnet, outside the Iranian reactors, it was detected on numerous machines. Although the Stuxnet targeting was clearly inadequate, its design was classic virus design. Stuxnet has three modules: a worm that executes routines related to the attack, a link file that executes the propagated copies of the worm, and a rootkit responsible for hiding files and processes, with the goal of making it more difficult to detect the presence of Stuxnet.

Note

It is not the purpose of this chapter to explore the intricacies of Stuxnet. Rather Stuxnet is introduced as both an example of state-sponsored malware attacks and at least an attempt to target such attacks.

Flame Virus

The Flame virus was first discovered in May 2012 in Iran.14 It was spyware that recorded keyboard activity and network traffic; it took screenshots and was even reported to record Skype conversations. It would also turn the infected computer into a Bluetooth beacon that attempted to download information from nearby Bluetooth-enabled devices.

Kaspersky Labs reported that the Flame file contained an MD5 hash that appeared only on machines in the Middle East. This indicated the possibility that the virus authors intended to target the malware attack to a specific geographical region. The Flame virus also appears to have had a kill function that would allow someone controlling it to send a signal directing it to delete all traces of itself. These two items indicate an attempt to target the malware, though like Stuxnet, the outcome of that targeting was less than optimal.

Cyber-Warfare

Cyber-warfare may seem like a topic far removed from cryptography. Although a complete discussion of cyber-warfare is beyond the scope of this text, it is appropriate to introduce the topic briefly. As you have already seen, weaponized malware is an element of cyber-warfare, and cryptovirology certainly has a role to play.

Let’s begin by defining cyber-warfare. According to the Rand Corporation, “Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks.”15 Cyber-warfare is not just a topic for science fiction. Here are a few real-world incidents:

image In 2008, Central Command (CENTCOM) was infected with spyware. CENTCOM is the U.S. Army entity that is responsible for command and control throughout the Middle East and Central Asia. This means that during the conflicts in Iraq and Afghanistan, spyware was infecting a critical military system for at least a certain period of time.

image In 2009, drone video feed was compromised. In Afghanistan, an unknown attacker was able to tap into the video feed of a U.S. drone and watch the video feed.

image On December 4, 2010, a group calling itself the Pakistan Cyber Army hacked the web site of India’s top investigating agency, the Central Bureau of Investigation (CBI).

image In December 2009, hackers broke into computer systems and stole secret defense plans of the United States and South Korea. Authorities speculated that North Korea was responsible. The information stolen included a summary of plans for military operations by South Korean and U.S. troops in case of war with North Korea, though the attacks were traced back to a Chinese IP address.

image The security firm Mandiant tracked several advanced persistent threats (APTs) over a period of seven years, all originating in China, specifically Shanghai and the Pudong region. These APTs were named APT1, APT2, and so on. The attacks were linked to the UNIT 61398 of the Chinese military. The Chinese government regards this unit’s activities as classified, but it appears that offensive cyber-warfare is one of its tasks. Just one of the APTs from this group compromised 141 companies in 20 different industries. APT1 was able to maintain access to victim networks for an average of 365 days, and in one case for 1764 days. APT1 is responsible for stealing 6.5 terabytes of information from a single organization over a 10-month timeframe.

Each of these incidents reveals that cyber-warfare and cyber-espionage are indeed realities. However, they further demonstrate the role cryptography plays in at least some cyber-warfare; for example, in the drone incident of 2008, it is likely that the encrypted communications with the drone were compromised in some fashion. At a minimum, each of these incidents reveals the need for robust, secure communications.

TOR

TOR, or The Onion Router, may not seem like a military application of cryptography, but it is appropriate to cover this topic in this chapter for two reasons:

image The TOR project is based on an earlier Onion Routing protocol developed by the U.S. Navy specifically for military applications. So TOR is an example of military technology being adapted to civilian purposes.

image TOR is used by privacy advocates every day, but it is also used by terrorist groups and organized crime.

TOR consists of thousands of volunteer relays spread around the world. Each relay uses encryption to conceal its origin and the final destination of the traffic passing through it. Each relay is able to decrypt only one layer of the encryption, revealing the next stop in the path. Only the final relay is aware of the destination, and only the first relay is aware of the origin. This makes tracing network traffic practically impossible.

The basic concepts for Onion Routing were developed at the U.S. Naval Research Laboratory in the mid-1990s and later refined by the Defense Advanced Research Projects Agency (DARPA). The goal was to provide secure intelligence communication online.

Onion routers communicated using Transport Layer Security (TLS, see Chapter 13) and ephemeral keys. Ephemeral keys are created for one specific use and then destroyed immediately afterward. In TOR, 128-bit AES is often used as the symmetric key.16

Although the TOR network is a very effective tool for maintaining privacy, it has also become a way to hide criminal activity. Some markets on the TOR network are used expressly to sell and distribute illegal products and services, and stolen credit card numbers and other financial data are a common product on TOR markets. A screenshot of one of these markets is shown in Figure 15-3.

Images

FIGURE 15-3 Stolen financial data market on TOR

Even more serious criminal activity can be found on TOR, including child pornography, weapons, and other distributors like the Hitman Network that even purport to perform murder for hire. More closely related to military and intelligence operations, various terrorists groups are reported to have used TOR for communication and recruitment. TOR’s anonymity makes it a perfect venue for terrorist communications. The criminal activity on TOR also provides a means for fundraising for terrorist organizations.

Note

In 2015, Ross Ulbricht, the founder of Silk Road—the most well-known of the TOR markets—was sentenced to life in prison. Many people on various news outlets claim that this sentence is draconian. And one can certainly argue the merits of any sentence. But allow me to offer some food for thought. Silk Road was not simply a venue for privacy, or even for marijuana exchanges. It became a hub for massive drug dealing, including heroin, cocaine, meth, and other serious drugs. It was also used to traffic arms, stolen credit cards, child pornography, and even murder for hire. The venue Ulbricht created was a hub for literally thousands of very serious felonies.

Conclusions

In this chapter we examined various military and government applications of cryptography. We looked at the NSA classifications of cryptography as well as specific military applications. We also examined various laws regarding cryptography for the United States and other countries.

The examination of cryptography and malware covered cryptovirology and weaponized malware. As cyber-warfare becomes more prevalent, it is likely that cryptovirology will play a more important part as one of the weapons of choice in cyber-war.

Test Your Knowledge

1. What suite of algorithms does the NSA designate as classified?

2. Which NSA products are used for classified purposes only?

3. Which NSA products are used for sensitive but unclassified purposes?

4. What key length of ECC is considered adequate for top secret information?

5. What key length of AES is considered adequate for top secret information?

6. What government agency currently regulates the export of cryptography from the United States?

7. What was the successor to COCOM?

8. ___________ is the study of how cryptography is combined with malware.

9. Software that encrypts data and provides only the decryption key once a fee has been paid is called ___________.

10. What symmetric algorithm does TOR use?

Answers

1. Suite A

2. Type 1

3. Type 2

4. 384 bits

5. 256 bits

6. Department of Commerce

7. The Wassenaar Arrangement

8. Cryptovirology

9. ransomware

10. AES

Endnotes

1. Cryptology Museum, “NSA Encryption Products,” www.cryptomuseum.com/crypto/usa/nsa.htm.

2. National Security Agency, “Suite B Cryptography,” www.nsa.gov/ia/programs/suiteb_cryptography/.

3. Bureau of Industry and Security, U.S. Department of Commerce, “Identifying Encryption Items,” www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#One.

4. John Leyden, “US government fines Intel’s Wind River over crypto exports,” The Register, www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/.

5. The Wassenaar Arrangement, www.wassenaar.org.

6. Daniel Mathews, “Paranoid defence controls could criminalise teaching encryption,” http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238.

7. PC Encyclopedia, “Definition of: armored virus,” www.pcmag.com/encyclopedia/term/63208/armored-virus.

8. Symantec, “One_Half,” www.symantec.com/security_response/writeup.jsp?docid=2000-121513-2517-99.

9. Dell SecureWorks, “CryptoWall Ransomware,” www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/.

10. Antony Joe Melgarejo, “CryptoWall Ransomware Partners with FAREIT Spyware,” http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/.

11. James R. Clapper, February 26, 2015, “Worldwide Threat Assessment of the US Intelligence Community,” www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf.

12. R. Langner, “Stuxnet: Dissecting a Cyberwarfare Weapon,” IEEE Security & Privacy, vol. 9, no. 3 (2011).

13. David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, June 1, 2012, www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

14. Ellen Nakashima, Greg Miller, and Julie Tate, “U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say,” Washington Post, June 19, 2012, www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html.

15. Rand Corporation, “Cyber Warfare,” www.rand.org/topics/cyber-warfare.html.

16. R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” www.onion-router.net/Publications/tor-design.pdf.