24 November 1999
Date: 24 Nov 1999 13:00:08 -0000
From: RProcess <firstname.lastname@example.org>
To: email@example.com, firstname.lastname@example.org
Subject: Traffic Analysis Capabilities
The following document is an analysis of what capabilities may exist to read and trace remailer messages, and who has which capabilities. Although "the NSA is reading my mail" is a favorite comment, I've seen little public analysis which presents remailer users with information on what algorithms may be better than others, and what techniques may be more effective than others in reducing such traffic analysis and snooping.
The cryptographic community scoffs at this kind of document, and with good reason. It is akin to saying "there's a backdoor in PGP" and providing no proof. The cryptographic community uses facts. But in assessing an unknown security threat people whose lives or fortunes depend on cryptography piece together what clues they have and develop tentative working assumptions. For obvious reasons these tend to be conservative.
Please understand that very few hard facts are available. The best code-breaking agency in the world, the US National Security Agency (NSA), is very good at containing leaks. My information is pieced together from various comments made over the years by people in cryptographic and signal intelligence circles, and is also based on observations I have made of irregularities in remailer mail, leading me to believe that a system is in place to analyze and interrupt anonymous email.
It is not the goal of this document to prove or even hypothesize anything to the reader, or to present facts or justifications. This is simply a transcript of common assumptions various individuals and organizations use when they want their mail to be genuinely anonymous and secure from all parties. It is a recipe of sorts. Salt to taste.
1kbit RSACompletely vulnerable if the public key is available with minor expense. Messages without the public key can be cracked with some greater expense depending on symmetric algorithm.
2kbit RSA / 1-2kbit DHSome keys are weaker than others, a random aspect of creation. Only the NSA can tell which keys are weak or strong to them. (When the military needs a key, the NSA may provide one which has tested to be strong.) Messages without public key available may or may not be secure.
3kbit+ RSA / DHGenerally secure. Some weak keys may exist. For maximum security do not distribute the public key.
IDEAGenerally weak but somewhat expensive (time-consuming) to crack on a widespread basis.
3DESPresumed unbreakable or very difficult to crack. Probably the NSA's worst symmetric enemy.
ConnectivityThe NSA logs all data through major internet hubs and other assorted points for analysis.
Echelon links: http://www.echelon.wiretapped.net/
NotesShares some intelligence data with UK GCHQ, Australian DSD, etc. Performs some services for Naval Intelligence, CIA, FBI, other.
US Military Intelligence
Largely depends on the NSA for codebreaking and provision of crypto services. Naval Intelligence is known to have some independent codebreaking abilities of unknown extent.
CIA / Other US and Foreign Intelligence
US, European, and Australian intelligence largely depends on the NSA for codebreaking. Focuses on passphrase theft, insider access, backdoors, coercion. Extensive surveillance capabilities on focused targets. Capabilities of Russian, Chinese, other SIGINT are generally far less than the NSA, due to hardware and other constraints. 2kbit RSA probably secure. 1kbit questionable. 128bit symmetric cyphers secure.
FBI / IRS / Federal Level Law Enforcement / Drug Enforcement
Depends on the NSA for codebreaking in special circumstances. In general the FBI cannot crack strong crypto and relies on passphrase theft, surveillance, and coercion. Very limited abilities against most anonymous remailer messages except where they receive tip-offs from the NSA, which appears to be rare.
State and Local Law Enforcement
No codebreaking abilities. In special circumstances may use extended surveillance. Occasional tip-offs from intelligence.
Corporate and Military-Industrial Corporations
Limited codebreaking abilities. 2kbit RSA is secure. 1kbit RSA is questionable. IDEA/3DES secure.
Civilian Organizations and Individuals / Press
Very limited codebreaking abilities. 512kbit questionable. 1kbit and higher secure. IDEA/3DES/128bit symmetric cyphers secure.
Mixmaster messages are completely transparent to the NSA, generally opaque to others. (3DES is secure, but 1kbit RSA keys used by Mixmaster are routinely broken by the NSA.)
At the same time, Mixmaster presents a greater obstacle to other organizations which rely on traffic analysis, due to the use of fixed-size packets.
Mixmaster messages are generally 'left alone' (not interrupted or deleted).
Cypherpunk messages are generally opaque to everyone except the NSA. 1kbit keys are routinely broken by the NSA. Some 2kbit keys are broken. Larger keys are generally secure.
Cypherpunk messages are somewhat easily traced by the NSA, due to key availability combined with variations in message size, PGP versions, and other statistical patterns. Cypherpunk messages which cannot be traced or cracked, and random messages may be deleted en route by likely automated systems.
Other non-NSA intelligence organizations may have limited success in tracing basic and larger Cypherpunk messages with aren't remixed, the greatest hindrance being access to data worldwide.
Law enforcement is not known to trace chained Cypherpunk messages.
Reply-blocks are routinely traced by the NSA. A given encrypted reply-block does not vary with each message. Remixing has no effect because of the transparency of Mixmaster messages. Using Encrypt-Key at each remailer makes the task more difficult, but message size gives clues, and IDEA is somewhat transparent, though perhaps costly. Encrypt-3DES is more opaque.
The NSA will often delete new untraced reply-blocks until the owner is established.
Other than the NSA, most remixed reply-blocks are secure. Non-remixed reply-blocks which use ek/ekx at remailers may be traced given access to the data.http://www.skuz.net/potatoware/PSKB-003.html
Reply-blocks which do not use remix or ek/ekx are easily traced given access to the data.http://www.skuz.net/potatoware/PSKB-001.html
Non-NSA intelligence and federal law enforcement may have some access to the data en route, but may not have software to perform analysis. State and local law enforcement generally have access to data at the ISP only.
The NSA is presumed to have the key to nym.alias.net and the remailers at LCS. Thus all messages there are transparent. (Beware of PGP timestamps in config requests. Use Alter-PGP Timestamp in JBN or the NSA can immediately trace you by the time on your signature.)
Avoid Mixmaster and use inflated, delayed, and well-encrypted Cypherpunk messages to avoid the NSA, but be prepared for high message loss. Other than the NSA, use of remixed reply-blocks and Mixmaster chains is generally more secure and reliable.
In general it is currently unlikely that a usable reply-block can be constructed which cannot be traced by the NSA. Any successes are deleted outright by a likely automated tracing system, or large numbers of messages on which the trace is lost are deleted.
Encrypt-3DES combined with Cypherpunk remailers with large (3kbit+) keys present the greatest difficulty to the NSA, but will also incur the greatest losses. Use new remailers and remailers which change their keys regularly.
Use 2kbit keys at the nym-server. Distribute 4kbit+ keys for message correspondence. When feasible, do not upload your public keys to key-servers or make them generally available.
What does it matter that the NSA reads your mail or traces your identity? Maybe not much. You can imagine the sorts of things they come across snooping data worldwide. They presumably focus on things which threaten 'national security', their snooping abilities, or other less legal interests. They provide tip-offs to other intelligence agencies and law enforcement when it suits their purposes, but don't confuse them with a police force. Intelligence communities are themselves highly involved in drug trafficking, etc. There's plenty of dirt. Unless you're doing something highly provocative you probably won't gain much attention from them.
Beyond the NSA and those they inform or perform services for, it appears that careful use of remailers and strong crypto is highly secure, the greatest threat being passphrase and data theft and coercion.
Crypto users should make themselves aware of general methods of passphrase and key theft.
Trojans - software which runs surreptitiously on your computer and monitors your keystrokes and other data, transmitting it to other locations. This software is also increasingly being used by corporations to monitor the activities of employees. Do some research and install a firewall to help avoid this.http://www.skuz.net/potatoware/atguard.html
Passphrase Guessing - Use good or random passphrases. The NSA and others can apply billions of word combinations in guessing passphrases. Passphrase FAQ:http://www.stack.nl/~galactus/remailers/passphrase-faq.html
Van Eck Phreaking - All electrical devices emit radiation. Guns aimed at your computer from hundreds of meters away (through walls) can read what's displayed on your monitor, what keystrokes you're typing, and other signals. Thus the NSA, CIA, etc. can drive up to your house and steal your passphrases and possibly your keys without entry.
This technology isn't limited to the NSA and CIA anymore. It is becoming increasingly available to the FBI and others. In fact it is estimated that within five years PC cards will be available to let you spy on your neighbors.http://www.newscientist.com/ns/19991106/newsstory6.html
The technology to shield computers against Van Ecking is called TEMPEST. The NSA recently declassified documents on TEMPEST, overtly in response to a FOIA request, but probably to encourage businesses to sharpen their defenses.
A ton of information on TEMPEST is available athttp://www.eskimo.com/~joelm/tempest.html
(Joel McNamara is the original author of Private Idaho)
You can see pics of and buy TEMPEST shielded machines here:http://www.meco.org/