‘We cannot trust them anymore’: Engineers abandon encryption chips after Snowden leaks
Journalist Richard Chirgwin of the UK IT website The Register reported on Monday this week that the developers of FreeBSD, the free, Unix-like OS, have abandoned faith in two random number generators — Intel’s “RDRAND” and Taiwanese company Via Technology’s “Padlock” — after leaked NSA documents attributed to Mr. Snowden suggested that the United States government and its allies at foreign intelligence agencies have compromised the security of major cryptographic tools.
Chirgwin was the first reporter to catch wind of the news that FreeBSD decided during a developer summit in Malta this past September to relinquish trust in those companies’ random number generators, or RNGs, and meeting minutes obtained by Dan Goodin of the website Ars Technica confirm that programmers became suspicious after leaked documents within the trove pilfered by Snowden accused the NSA of breaking widely-used encryption protocols.
FreeBSD has until now relied on a “random generator framework” within the OS, according to the notes spotted by Chirgwin, containing three RNGs: RDRAND, Padlock and another named Yarrow, designed in 1999 by security wiz Bruce Schneier, among others. Individually and in tandem, these generators rely on digital entropy to randomize a computer’s output, thus masking operations through multiple layers of encryption that were once thought largely impossible to crack. Recently leaked NSA documents, however, have suggested otherwise.
The project is on the verge of releasing its latest version, FreeBSD 10, but users who upgrade to that edition won’t be able to rely solely on Intel or Via’s RNGs anymore.
“For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead,” reads an excerpt from FreeBSD’s summit “special status report.”
The developers go on to acknowledge that it will still be possible for end users of FreeBSD to access hardware RNGs — namely RDRAND and Padlock — but the programmers behind the OS say, “we cannot trust them anymore.”
In the Developer Summit minutes discovered by Goodin, FreeBSD offers some insight into why exactly they’ve decided to abandon two highly-used encryption chips. They reference Snowden by name and admit that his leaks suggest there’s a “v[ery] high probability of backdoors” in some hardware RNGs, and that those generators simply can no longer be trusted to provide “good entropy directly.”
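As an added illustration (not FreeBSD’s code and not part of the original article), the Python sketch below models the difference between taking key material straight from a hardware RNG and feeding that RNG into a pool alongside other sources. The backdoor model, the class and function names and the SHA-256 pool are assumptions made for the example; the pool is a simplified stand-in, not Yarrow.

```python
import hashlib
import os

class BackdooredHWRNG:
    """Constructed stand-in for a hardware RNG whose stream is reproducible
    by anyone who knows secret_seed (hypothetical backdoor model)."""
    def __init__(self, secret_seed: bytes):
        self._state = secret_seed

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._state = hashlib.sha256(self._state).digest()
            out += self._state
        return out[:n]

class HashPool:
    """Simplified hash-based entropy pool (an illustration, not Yarrow)."""
    def __init__(self):
        self._pool = hashlib.sha256()
        self._counter = 0

    def feed(self, source_id: int, data: bytes) -> None:
        # Tag and length-prefix each input so sources cannot alias each other.
        self._pool.update(bytes([source_id]) + len(data).to_bytes(4, "big") + data)

    def read(self, n: int) -> bytes:
        key = self._pool.copy().digest()
        out = b""
        while len(out) < n:
            out += hashlib.sha256(key + self._counter.to_bytes(8, "big")).digest()
            self._counter += 1
        return out[:n]

def direct_key(seed: bytes) -> bytes:
    """Key taken straight from the hardware RNG."""
    return BackdooredHWRNG(seed).read(32)

def pooled_key(seed: bytes, other_entropy: bytes) -> bytes:
    """Key from a pool fed by the hardware RNG plus any other source."""
    pool = HashPool()
    pool.feed(0, BackdooredHWRNG(seed).read(32))
    if other_entropy:
        pool.feed(1, other_entropy)
    return pool.read(32)

SEED = b"constructed-backdoor-seed"  # known to the observer in this model
independent = os.urandom(32)         # stand-in for e.g. interrupt timings

if __name__ == "__main__":
    print("direct key reproducible:", direct_key(SEED) == direct_key(SEED))
    print("pooled key reproducible:", pooled_key(SEED, independent) == pooled_key(SEED, b""))
    print("pool fed only by HW RNG:", pooled_key(SEED, b"") == pooled_key(SEED, b""))
```

The third line of output is the caveat: a pool fed only by the suspect generator is as predictable as the generator itself, so the design helps only when at least one other source contributes entropy.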
This year’s FreeBSD Developer Summit was an invite-only event in late September that was hosted roughly three weeks after reporters with The New York Times, ProPublica and The Guardian simultaneously released a report detailing the NSA’s attack on encryption methods that drew from never-before-published top-secret documents leaked by Snowden.
The NSA, the outlets reported on Sept. 5, “is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age.”
Elsewhere in the report, the journalists said the NSA has spent billions of dollars during the last several years to break complex encryption algorithms — and in other instances where supercomputers weren’t successful, they compelled the makers of those tools to install government-friendly backdoors.
“Cryptanalytic capabilities are now coming online,” reads a 2010 memo supplied to the reporters by Snowden. “Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
Schneier, the crypto-expert partially responsible for the Yarrow RNG, worked with The Guardian on disseminating those Snowden documents ahead of publication and described the revelations contained therein as “explosive” when they were finally printed.
“Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on,” he wrote in an early Sept. essay for the Guardian. “If the back door is discovered, it's explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.”
The NSA documents failed to name any specific manufacturers that have aided the intelligence community’s operations, but security experts were quick to voice suspicion, and RSA, the makers of one of the world’s most widely-used RNGs, told customers they should discontinue using some of their products after the early-Sept. Snowden leak.
That same week, MIT-educated cryptographer and Linux developer Theodore Ts’o stated publicly that he was happy with his decision to resist earlier pleas from Intel engineers to have that operating system commit entirely to RDRAND for encryption.
“Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea,” Ts’o said. Now, just three months later, FreeBSD is rescinding their reliance on Intel and Via’s RNGs.
When a petition began circulating in mid-Sept. imploring Linux to stop relying on RDRAND, one of the OS’s leading developers, Linus Torvalds, called those who made those pleas “Ignorant.”