Bullrun (decryption program)

According to the NSA's Bullrun Classification Guide, Bullrun is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Furthermore, any details about specific cryptographic successes were recommended to be additionally restricted (besides being marked Top Secret//SI) with Exceptionally Controlled Information labels; a non-exclusive list of possible Bullrun ECI labels was given as: APERIODIC, AMBULANT, AUNTIE, PAINTEDEAGLE, PAWLEYS, PITCHFORD, PENDLETON, PICARESQUE, and PIEDMONT without any details as to what these labels mean.

Access to the program is limited to a group of top personnel at the Five Eyes (FVEY), the NSA and the signals intelligence agencies of the United Kingdom (GCHQ), Canada (CSE), Australia (ASD), and New Zealand (GCSB). Signals that cannot be decrypted with current technology may be retained indefinitely while the agencies continue to attempt to decrypt them.

File:NSA-diagram-001.jpg

Through the NSA-designed Clipper chip, which used the Skipjack cipher with an intentional backdoor, and using various specifically designed laws such as CALEA, CESA and restrictions on export of encryption software as evidenced by Bernstein v. United States, the U.S. government had publicly attempted in the 1990s to ensure its access to communications and ability to decrypt.{{cite web | url=http://reason.com/archives/2000/05/01/rendering-unto-cesa | title=Rendering Unto CESA: Clinton's contradictory encryption policy. | publisher=Reason | date=May 2000 | access-date=2013-09-09 | author=Mike Godwin|quote=[...] there was an effort to regulate the use and sale of encryption tools, domestically and abroad. [...] By 1996, the administration had abandoned the Clipper Chip as such, but it continued to lobby both at home and abroad for software-based "key escrow" encryption standards.}}{{cite web | url=http://epic.org/crypto/key_escrow/wh_cke_796.html | quote=Although we do not control the use of encryption within the US, we do, with some exceptions, limit the export of non-escrowed mass market encryption to products using a key length of 40 bits.|title=Administration Statement on Commercial Encryption Policy | date=July 12, 1996 | access-date=2013-09-09}} In particular, technical measures such as key escrow, a euphemism for a backdoor, have met with criticism and little success.

The NSA encourages the manufacturers of security technology to disclose backdoors to their products or encryption keys so that they may access the encrypted data.("NSA is Changing User's Internet Experience.") Info Security Institute However, fearing widespread adoption of encryption, the NSA set out to stealthily influence and weaken encryption standards and obtain master keys—either by agreement, by force of law, or by computer network exploitation (hacking).

According to a Bullrun briefing document, the agency had successfully infiltrated both the Secure Sockets Layer as well as some virtual private networks (VPNs). The New York Times reported that: "But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government's nuclear department and another's Internet service by cracking the virtual private networks that protected them. By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300."

As part of Bullrun, NSA has also been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets".{{cite news|url=https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html|newspaper=New York Times|title=Secret Documents Reveal N.S.A. Campaign Against Encryption}} The New York Times has reported that the random number generator Dual_EC_DRBG contains a back door, which would allow the NSA to break encryption keys generated by the random number generator.{{cite web|url=https://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/|title=New York Times provides new details about NSA backdoor in crypto spec|website=Ars Technica|year=2013}} Even though this random number generator was known to be insecure and slow soon after the standard was published, and a potential NSA kleptographic backdoor was found in 2007 while alternative random number generators without these flaws were certified and widely available, RSA Security continued using Dual_EC_DRBG in the company's BSAFE toolkit and Data Protection Manager until September 2013. While RSA Security has denied knowingly inserting a backdoor into BSAFE, it has not yet given an explanation for the continued usage of Dual_EC_DRBG after its flaws became apparent in 2006 and 2007.{{cite web|url=http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html|title=RSA warns developers not to use RSA products|author=Matthew Green|date=2013-09-20}} It was reported on December 20, 2013, that RSA had accepted a payment of $10 million from the NSA to set the random number generator as the default.{{cite news | url=https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220 | title=Exclusive: Secret contract tied NSA and security industry pioneer | date=December 20, 2013 | work=Reuters | access-date=December 20, 2013 | author=Menn, Joseph | location=San Francisco | archive-date=September 24, 2015 | archive-url=https://web.archive.org/web/20150924191918/http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 | url-status=live }}{{cite news|author=Reuters in San Francisco |url=https://www.theguardian.com/world/2013/dec/20/nsa-internet-security-rsa-secret-10m-encryption |title=$10m NSA contract with security firm RSA led to encryption 'back door' | World news |work=theguardian.com |date=2013-12-20 |access-date=2014-01-23}} Leaked NSA documents state that their effort was “a challenge in finesse” and that “Eventually, N.S.A. became the sole editor” of the standard.

By 2010, the leaked documents state that the NSA had developed "groundbreaking capabilities" against encrypted Internet traffic. A GCHQ document warned however "These capabilities are among the SIGINT community's most fragile, and the inadvertent disclosure of the simple 'fact of' could alert the adversary and result in immediate loss of the capability." The document later states that "there will be NO 'need to know.'" Several experts, including Bruce Schneier and Christopher Soghoian, had speculated that a successful attack against RC4, an encryption algorithm used in at least 50 percent of all SSL/TLS traffic at the time, was a plausible avenue, given several publicly known weaknesses of RC4.{{cite web|title=That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?|url=https://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/|access-date=16 April 2015 |date=2013-09-06 |work=The Register}} Others have speculated that NSA has gained ability to crack 1024-bit RSA/DH keys.{{cite web|title=Google strengthens its SSL configuration against possible attacks|url=http://www.pcworld.com/article/2064960/google-strengthens-its-ssl-configuration-against-possible-attacks.html|access-date=16 April 2015|date=2013-11-19}} RC4 has since been prohibited for all versions of TLS by RFC 7465 in 2015, due to the RC4 attacks weakening or breaking RC4 used in SSL/TLS.

In the wake of Bullrun revelations, some open source projects, including FreeBSD and OpenSSL, have seen an increase in their reluctance to (fully) trust hardware-based cryptographic primitives.{{cite web|last=Goodin |first=Dan |url=https://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/ |title="We cannot trust" Intel and Via's chip-based crypto, FreeBSD developers say |website=Ars Technica |date=2013-12-10 |access-date=2014-01-23}}{{cite web|title=Torvalds shoots down call to yank 'backdoored' Intel RdRand in Linux crypto|date=2013-09-10|website=The Register|url=https://www.theregister.co.uk/2013/09/10/torvalds_on_rrrand_nsa_gchq/|author=Security News}}

Many other software projects, companies and organizations responded with an increase in the evaluation of their security and encryption processes. For example, Google doubled the size of their TLS certificates from 1024 bits to 2048 bits.{{cite web|title=Google certificates upgrade in progress|website=Google Developer Blog|date=July 2013|author=Tim Bray, Google Identity Team|url=http://googledevelopers.blogspot.com/2013/07/google-certificates-upgrade-in-progress.html}}

Revelations of the NSA backdoors and purposeful complication of standards has led to a backlash in their participation in standards bodies.{{cite news|last1=Schneier|first1=Bruce|title=The US government has betrayed the internet. We need to take it back|url=https://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying|newspaper=The Guardian|access-date=9 January 2017|date=5 September 2013}} Prior to the revelations the NSA's presence on these committees was seen as a benefit given their expertise with encryption.{{cite web|title=Opening Discussion: Speculation on 'BULLRUN'|url=http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html|quote=the big companies involved ... are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones|website=The Mail Archive|publisher=The Cryptography Mailing List|date=6 Sep 2013|author=John Gilmore}}

There has been speculation that the NSA was aware of the Heartbleed bug, which caused major websites to be vulnerable to password theft, but did not reveal this information in order to exploit it themselves.{{cite news|title=NSA Said to Have Used Heartbleed Bug, Exposing Consumers|url=https://www.bloomberg.com/news/articles/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers|author=Michael Riley|newspaper=Bloomberg.com|date=2014-04-11|publisher=Bloomberg}}

The name "Bullrun" was taken from the First Battle of Bull Run, the first major battle of the American Civil War. Its predecessor "Manassas", is both an alternate name for the battle and where the battle took place. "EDGEHILL" is from the Battle of Edgehill, the first battle of the English Civil War.{{cite news |last=Ward |first=Mark |title=Snowden leaks: US and UK 'crack online encryption' |url=https://www.bbc.co.uk/news/world-us-canada-23981291 |access-date=6 September 2013 |date=6 September 2013 |work=BBC News}}

{{Portal|United States|Politics}}

• HTTPS
• IPsec
• Mass surveillance
• Mass surveillance in the United Kingdom
• Mass surveillance in the United States
• MUSCULAR
• PRISM
• Tailored Access Operations
• Transport Layer Security
• Voice over IP

{{reflist|30em}}

• [https://www.eff.org/deeplinks/2013/09/crucial-unanswered-questions-about-nsa-bullrun-program Crucial Unanswered Questions about the NSA's BULLRUN Program]
• [https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0 Documents Reveal N.S.A. Campaign Against Encryption]
• [https://www.schneier.com/blog/archives/2013/10/defending_again_1.html Defending Against Crypto Backdoors - Schneier on Security]
• [http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html Cryptography Opening Discussion: Speculation on "BULLRUN"] John Gilmore
• https://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_wont_help.pdf

Category:American secret government programs

Category:Mass surveillance

Category:National Security Agency operations

Category:GCHQ operations

Category:Intelligence agency programmes revealed by Edward Snowden

Category:Encryption debate