Nation-State Attackers and their Effects on Computer Security by Andrew Springall A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in the University of Michigan 2018 Doctoral Committee: Professor J. Alex Halderman, Chair Research Professor Peter Honeyman Professor Atul Prakash Assistant Professor Florian Schaub Andrew Springall [email protected] ORCID: 0000-0001-5999-9881 ©Andrew Springall 2018 Acknowledgments This dissertation, the research inside and outside of it, and so many more things would not be possible without the support of an innumerable number of people. I first want to thank my advisor, J. Alex Halderman for everything. The guidance, encouragement, advice, and freedom he’s given me over the last five years is nothing short of miraculous. I also want to thank Peter Honeyman for his steadfast view- points and willingness to openly challenge my perspective over the years. I’d also like to thank my labmates Zakir Durumeric, Eric Wustrow, James Kasten, David Adrian, Ariana Mirian, Benjamin VanderSloot, Matthew Bernhard, Allison Mc- Donald, and Chris Dzombak for their help, willingness to put up with me, and the wonderful discussions. To Mom, the prayers and pleadings to finish high school, and later college, have gotten me here and although I dismissed them at the time, they were undoubtedly needed and welcome. To Dad. you know. To the Marines, Sol- diers, Sailors, and Airmen from Parris Island, California, Maryland, Iraq, and Afghanistan, I can credit you for the mindset and insanity needed to get me this far. To Goose, Katherine, Ariana, and Cecylia, you’ve helped me keep what little of my sanity I have left throughout all this. Throughout the good and the bad, you’ve all been willing to help, mentor, counsel, and inspire me to do things I hon- estly never even imagined were possible. So to everyone listed above and everyone else, whether they know it or not: Thank You for everything you’ve done for me. i TABLE OF CONTENTS Acknowledgments ................................... i List of Figures ..................................... v List of Tables ...................................... viii Abstract ......................................... x Chapter 1 Introduction ..................................... 1 1.1 Computer Security and Nation-State Attackers...............2 1.2 Overview..................................4 2 Nation-State Attacker Model ............................ 6 2.1 Lexicon...................................7 2.1.1 Actors................................8 2.1.2 Actions...............................9 2.1.3 Descriptive............................. 10 2.1.4 Usage................................ 11 2.2 Characteristics of a Nation State Attacker................. 13 2.2.1 Sovereignty............................. 13 2.2.2 Access............................... 14 2.2.3 Money............................... 15 2.3 Advantages of a Nation State Attacker................... 17 2.3.1 Near Superset Attacker....................... 17 2.3.2 Specialization............................ 19 2.3.3 Non-Symmetric Defeats...................... 21 2.3.4 Distant Return Horizons...................... 24 2.4 Constraints of a Nation State Attacker................... 25 2.4.1 Scale................................ 25 2.4.2 Human Capital........................... 28 2.4.3 Oversight.............................. 31 2.4.4 Required Hard Victims....................... 33 2.5 Differences between Nation State Attackers................ 35 2.5.1 Treatment of Domestic Victims.................. 35 2.5.2 Acceptability of Public Attribution................ 36 2.5.3 Delegating Operations....................... 37 ii 2.6 Accounting for NS-Attackers........................ 39 2.6.1 Individual Perspective....................... 40 2.6.2 Organizational Perspective..................... 42 2.6.3 Researcher Perspective....................... 44 3 Impact on Computer Security ........................... 47 3.1 Background................................. 49 3.1.1 National ID Cards......................... 49 3.1.2 I-Voting Server Infrastructure................... 51 3.1.3 Voting Processes.......................... 53 3.2 Observations................................ 55 3.2.1 Inadequate Procedural Controls.................. 55 3.2.2 Lax Operational Security...................... 56 3.2.3 Insufficient Transparency...................... 57 3.2.4 Vulnerabilities in Published Code................. 60 3.3 Experimental Methodology......................... 60 3.3.1 Mock Election Setup........................ 61 3.3.2 Threat Model............................ 61 3.4 Attacks................................... 62 3.4.1 Client-side Attacks......................... 63 3.4.2 Server-side Attacks......................... 66 3.4.3 Attacking Ballot Secrecy...................... 68 3.5 Discussion.................................. 69 3.6 Conclusions................................. 70 4 Explaining and Evaluating Operations ...................... 73 4.1 Diffie-Hellman Cryptanalysis........................ 75 4.2 Attacking TLS................................ 78 4.2.1 TLS and Diffie-Hellman...................... 79 4.2.2 Active Downgrade to Export-Grade DHE............. 80 4.2.3 512-bit Discrete Log Computations................ 82 4.2.4 Active Attack Implementation................... 84 4.2.5 Other Weak and Misconfigured Groups.............. 85 4.3 State-Level Threats to DH......................... 87 4.3.1 Scaling NFS to 768- and 1024-bit DH............... 88 4.3.2 Is NSA Breaking 1024-bit DH?.................. 92 4.3.3 Effects of a 1024-bit Break..................... 95 4.4 Recommendations.............................. 97 4.5 Disclosure and Response.......................... 99 4.6 Conclusion................................. 99 5 Identifying and Analyzing Vulnerabilities ..................... 102 5.1 Background................................. 103 5.1.1 Forward Secrecy in TLS...................... 104 5.1.2 Session Resumption........................ 104 iii 5.1.3 Reusing Ephemeral Values..................... 106 5.1.4 Changes in TLS 1.3........................ 106 5.2 Data Collection............................... 107 5.3 TLS Secret State Longevity......................... 108 5.3.1 Session ID Lifetime........................ 109 5.3.2 Session Ticket Lifetime...................... 110 5.3.3 STEK Lifetime........................... 110 5.3.4 EC(DHE) Value Lifetime..................... 112 5.4 TLS Secret State Sharing.......................... 114 5.4.1 Shared Session ID Caches..................... 115 5.4.2 Shared STEKs........................... 116 5.4.3 Shared (EC)DHE Values...................... 116 5.5 Crypto Shortcut Dangers.......................... 118 5.5.1 Exposure from Session Tickets................... 118 5.5.2 Exposure from Session Caches................... 119 5.5.3 Exposure from Diffie-Hellman Reuse............... 120 5.5.4 Combined Exposure........................ 121 5.6 Nation-state Perspective........................... 121 5.6.1 The STEK as an Enabling Vector................. 122 5.6.2 Target Analysis: Google...................... 123 5.7 Discussion.................................. 125 5.7.1 Security Community Lessons................... 125 5.7.2 Server Operators Recommendations................ 126 5.8 Conclusion................................. 127 6 Future Work and Conclusion ............................ 129 6.1 Going Forward............................... 129 6.2 Conclusion................................. 131 Bibliography ...................................... 133 iv LIST OF FIGURES 1.1 NSA’s Scale of Attackers—Stratification of attackers according to an internal NSA presentation [74]. The classes are reasonably believed to be grandmother, 13 year old in the US, script kiddie, 16 year old in Romania, has some talent, has talent, and nation-state [380, 397].......................3 2.1 Definition of “person”—Privacy and Civil Liberties Oversight Board’s defi- nition of “persons” in relation to Section 702 [234]................7 2.2 Area Specialization—NSA’s collaborative effort for exploiting VPN traffic for intelligence [309]................................ 20 2.3 Single-Target Pseudocode ............................ 22 2.4 Multi-Target Pseudocode ............................ 22 2.5 Tiered Data Types—The tiers of network traffic and the NSA systems which store and handle that traffic [425]......................... 26 2.6 NSA’s Technology Risk Matrix—NSA’s risk analysis matrix used to priori- tize technologies for resource expenditure [288]................. 30 2.7 Tactical Choke Point—An example of a tactical choke point with one force stationed north of the river, and its opposition located across the river to the south [62]..................................... 42 2.8 Network Choke Point—An example of network structure with an underlying choke point [57].................................. 42 2.9 Vuvuzela System Architecture—The design of the Vuvuzela private messag- ing system [411].................................. 44 2.10 Hornet System Architecture—The design of the HORNET onion routing system [55]..................................... 44 3.1 I-voting client—Estonians use special client software and national ID smart- cards to cast votes online............................. 50 3.2 Verification app—A smartphone app allows voters to confirm that their votes were correctly recorded. We present two strategies an attacker can use to by- pass it......................................