UK, US able to crack most encryption used online

UK, US able to crack most encryption used online

Summary: By weakening encryption standards, inserting vulnerabilities into vendors' technology, and using supercomputer-backed password crackers, the US and the UK are able to break encryption used to back technologies like SSH, HTTPS, and VPNs.


Spy agencies in the UK and the US are reportedly able to crack the same encryption used online to routinely secure information.

The reveal is the latest part of the cache of documents leaked by former US Defence contractor Edward Snowden. According to The Guardian and The New York Times, the US National Security Agency and the UK counterpart, the Government Communications Headquarters (GCHQ), have been working to ensure that encryption has been undermined in three broad ways. The methods used by the spy agencies are controlling international encryption standards; working with technology companies and online service providers to insert weaknesses in technology and software; and the use of supercomputer brute force encryption keys.

The US program around vulnerability insertion targets "commercial encryption systems, IT systems, networks, and endpoint communications devices". It has been called the SIGINT (Signals Intelligence) Enabling Project, and is reported to be a US$250 million a year initiative.

The US documents also outline where the NSA expects its capabilities to be for the 2013 financial year. These include achieving full SIGINT access to an unnamed, but "major communications provider", as well as a "major peer-to-peer voice and text communications system".

The UK documents around its "BULLRUN" system are more general, and note that its US ally has been leading the charge against "defeating network security and privacy". Its decryption efforts appear to focus mostly around network communications, and the program is run from its Penetration Target Defences (PTD) division.

"The various types of security covered by BULLRUN include, but are not limited to, TLS/SSL, https (eg, webmail), SSH, encrypted chat, VPNs, and encrypted VoIP."

Analysts using the BULLRUN system are required by GCHQ to be kept in the dark, noting that they should not necessarily be told how the data they are working on was acquired.

"Access to BULLRUN does not imply any 'need-to-know' the details of sources and methods used to achieve exploitation, and, in general, there will be no 'need-to-know'," the UK document says.

Ironically, the UK document emphasises that the existence of BULLRUN must never be known.

"Any admission of 'fact of' a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN [community of intelligence] and restricted to those specifically indoctrinated for BULLRUN."

France, Australia, and New Zealand appear to be lagging behind the UK's efforts, as the UK document indicates that they are only expected to introduce BULLRUN at a later date.

Topics: Security, Government, Government AU, Government US, Government UK

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I should note . . .

    I should note that these are broad categories - underneath things like TLS/SSL and HTTPS are various ciphers, versions of the ciphers, and key lengths. It is not necessarily the case that they have broken the strongest of encryption, but perhaps the most popular of encryption.

    That will change in the future, as stronger encryption is used by more places.
    • And as better decryption algorithms and more

      shear compute power becomes available. File this under lions and tigers and bears oh my.
      Johnny Vegas
  • Please tell something we have not already known

    Common sense tells us that with a supercomputer or two, pretty much anything is possible.
    John Zern
    • It's not just me then!

      With the resources and recruiting options for the intelligence services, this story really doesn't surprise me. Totally plausible.

      Then again, I'm surprised at other people's surprise about the snowden revelations.
      Little Old Man
    • Re: pretty much anything is possible.

      Including solving the halting problem?
      • Could be why he said

        "pretty much"?
        William Farrel
        • Re: Could be why he said "pretty much"?

          So, pretty much wrong, then.
  • Skeptical

    We should probably be a bit skeptical abut claims that signals intelligence agencies have (a) arranged for back doors to be built into encryption algorithms, and (b) had the cooperation of vendors to incorporate weaknesses into encryption software.
    All commercial algorithms are published and peer reviewed; contemporary cryptanalysis for decades now has relied on extensive independent assessment and testing of DES, DES-3, RSA, AES, DSA, SHA-X etc etc. Unless the NSA's cryptographers are vastly better than all the world's cryptographers combined, we would have seen the back doors by now.
    As for conspiring with vendors, if this was happening it would be harder to keep secret in the commercial sector than in government circles. News of this kind of conspiracy would have been leaked long before Snowden came along.
    • There is just one place for cracking for such a money= fascistic USA

      There is just one place for cracking for such a money= fascistic USA, so they are the best in cracking logically
    • GovComm 35t

      You are a good American Steve....
      By the way, you should remove the photos of the girl in your photo library on drive D:
      She is under-aged.

      We are the Government, we are here to help.
    • RSA took $10 Million from NSA

      This didn't come out before Snowden, because it was buried too deep along with the fact that there is lot's of money involved. $10 million may sound small, but it's 1/3 of RSA's income. Here's the article:

      So...who else took money? DES, DES-3, AES, DSA, SHA-X? Microsoft, Google, Yahoo!, Apple? Face it, the NSA has co-opted many of the Security & Tech Companies.

      ~ M
  • I Don't Think There Are Backdoors In Openly-Designed Protocols

    AES, SSL/TLS etc were designed in very public processes; any attempted intervention by spooks would have set off alarm bells all over the place.

    But remember: any security system is only as strong as its weakest link. Look at the pattern of actual security breaches over the last few years: subversion of Certificate Authorities, weakness in random-number generators, traffic analysis, side-channel attacks ... those are where the weaknesses lie.
    • Gov Reply

      Who are you calling "spooks"?
    • Backdoors Openly-Designed Protocols

      Why couldn't there be Backdoors in Openly-Designed Protocols? Unless you know 100% who is working on the project or where all of the code is coming from, then there is always the chance that backdoors will be there. Besides, many programmers put backdoors in their software -- even the "Good Guys." So, don't kid yourself...there are backdoors.

      ~ N
  • Any new encryption method must be reviewed

    For many years it has been required that ANY encryption formula be FIRST submitted to federal government intelligence agencies for review.
    • GovReply1a

      As well it should be.
  • I thought Eliptic Curves would be the answer...

    ...but because the NSA recomends their use, maybe they (eliptic curve cryptography) cannot be trusted.
  • Bullrun

    Isn't Bullrun an NSA project? My understanding was that the GCHQ equivalent is called Edgehill.
    Caro B