Bullrun and EDGEHILL

Background / Context

The institutional context within which Bullrun and EDGEHILL emerged was the substantive post-2000 expansion of internet-based encrypted communications and the substantive institutional NSA recognition that the substantive substantively-encrypting institutional pattern of internet communications would substantively constitute a substantive substantively-significant institutional threat to the substantive SIGINT collection enterprise.

The substantive substantively-prior institutional NSA pattern across the substantive 1947–2000 period had substantively been substantively-significantly-shaped by the substantive substantively-comparatively-limited operational role of cryptographic protection in substantive substantively-collected SIGINT material. The substantive substantively-major institutional cryptographic challenges across the substantive Cold War period had substantively been the substantive operational defeat of substantive Soviet, Chinese, and adjacent state-actor substantive military-grade cryptographic systems — substantive operational categories that the substantive NSA's substantive cryptanalytic capability had substantively-significantly addressed. The substantive substantively-different institutional environment of the post-2000 period — substantively characterised by the substantive substantively-mass adoption of substantive consumer-grade cryptographic protection of substantive internet communications, substantively the substantive SSL/TLS protocol institutional pattern that substantively secured the substantive substantively-major substantive internet-application-protocols (substantively HTTPS web traffic, substantive SMTP-over-TLS email transport, substantive substantively-related institutional patterns) — substantively presented the substantive substantively-different substantive institutional challenge.

The substantive institutional NSA response was substantively the substantive substantively-coordinated institutional programme that across the substantive post-2000 period substantively became Bullrun. The substantive substantively-paired GCHQ institutional response was substantively the substantive EDGEHILL institutional programme. The substantive operational substance of the substantively-paired programmes was substantively the substantive systematic institutional effort to substantively undermine the substantive substantively-emerging consumer-grade cryptographic infrastructure to substantively preserve the substantive operational SIGINT-collection institutional capability that the substantive cryptographic adoption substantively threatened.

The Operation

The substantive operational architecture of Bullrun and EDGEHILL substantially comprised four principal operational categories.

Influence on cryptographic standards bodies

The substantive substantively-most-documented operational category was the substantive substantively-coordinated institutional NSA influence on substantive cryptographic-standards-bodies — substantively the substantive National Institute of Standards and Technology (NIST), the substantive Internet Engineering Task Force (IETF), the substantive International Organization for Standardization (ISO), and adjacent substantive substantively-international standards-development institutional bodies.

The substantively-canonical case is the substantive Dual_EC_DRBG random-number-generator algorithm in the substantive NIST Special Publication 800-90A. The substantive Dual_EC_DRBG algorithm — the substantive Dual Elliptic Curve Deterministic Random Bit Generator — was substantively introduced in the substantive 2006 substantive original release of the substantive NIST Special Publication 800-90A as one of the substantive four institutional approved random-number-generator algorithms within the substantive substantively-broader standard. The substantively-documented institutional substantive concern about the substantive algorithm — substantively raised at the substantive 2007 CRYPTO 2007 conference by the substantive Microsoft Research cryptographers Dan Shumow and Niels Ferguson in the substantive presentation On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng — was substantively that the substantive specific elliptic-curve constants the substantive standard substantively published substantively enabled the substantive substantively-knowing party (the substantive party in possession of the substantive substantively-related secret-constant institutional value, substantively designated e in the substantive cryptographic literature) to substantively predict the substantive output of the substantive random-number generator from a substantive substantively-small number of observed outputs.

The substantive substantively-disclosed institutional substantive substance of the substantive Dual_EC_DRBG question was substantively that the substantive NSA had substantively substantively-known the substantive specific value of e — substantively the substantive consequence of which was substantively that the substantive NSA could substantively decrypt substantive cryptographic operations that substantively used the substantive Dual_EC_DRBG-generated random-number values, substantively most-prominently the substantive cryptographic operations that substantively involved substantive randomly-generated cryptographic keys. The substantive substantively-disclosed institutional substantive substance was substantively confirmed in the substantive September 2013 New York Times and ProPublica reporting.

The substantive subsequent institutional NIST response was substantively the substantive 2014 substantive removal of Dual_EC_DRBG from the substantive Special Publication 800-90A Revision 1 (substantively published April 2015). The substantive substantively-broader institutional NIST response was substantively the substantive substantively-significant substantive subsequent institutional reform of the substantive NIST cryptographic-standards-development institutional process — substantively including the substantive substantively-enhanced substantive transparency requirements, the substantive substantively-broadened substantive public-comment institutional process, and the substantive substantively-developed substantive academic-cryptography-community institutional engagement.

Covert intervention with US-based technology vendors

The substantive second principal operational category was the substantive substantively-coordinated institutional NSA intervention with US-based technology vendors to substantively alter their substantive cryptographic implementations to substantively introduce substantive operational vulnerabilities.

The substantively-canonical case is the substantive 2006 substantive $10 million institutional payment from NSA to RSA Security in exchange for the substantive RSA institutional adoption of Dual_EC_DRBG as the substantive default random-number generator in the substantive RSA BSAFE cryptographic library — the substantive substantively-major commercial cryptographic library substantively used in substantive substantially substantial portions of substantive commercial cryptographic deployment across the substantive post-2006 period. The substantive disclosure of the substantive payment proceeded through the substantive 20 December 2013 Reuters reporting by Joseph Menn, Exclusive: Secret contract tied NSA and security industry pioneer. The substantive RSA Security institutional response was substantively the substantive denial of substantive knowledge of the substantive Dual_EC_DRBG substantive backdoor — substantively the institutional position that the substantive RSA-NSA contract substantively did not substantively involve substantive RSA institutional awareness of the substantive substantive backdoor — substantively a position that the substantive substantively-developed substantive academic-cryptography-community has substantively substantially-disputed.

The substantive substantively-broader institutional pattern of NSA-vendor intervention has been the substantive subject of the substantive substantively-developed academic-and-policy literature across the post-2013 period. The substantive substantially-documented institutional pattern has substantially included substantive interventions with substantive substantially-multiple US-based technology vendors substantively to substantively alter substantive cryptographic implementations, substantively to substantively introduce substantively-specific substantive operational vulnerabilities, and substantively to substantively favour substantive cryptographic standards that the substantive NSA substantively had substantively operational capability against.

Bulk decryption capability

The substantive third principal operational category was the substantive substantively-coordinated institutional NSA cryptanalytic capability against substantive substantively-collected encrypted traffic. The substantive substantively-documented institutional substantive substance was substantively that the substantive NSA had substantively substantial cryptanalytic capability against the substantive substantively-major substantively-then-prevalent cryptographic protocols — substantively SSL/TLS, substantively VPN protocols (PPTP, IPSec/IKE, SSL VPN), substantively SSH, and adjacent substantive substantively-related institutional patterns.

The substantive substantively-specific substantively-disclosed cryptanalytic-capability institutional substance has been the substantive subject of substantive substantially-significant subsequent academic and journalistic commentary. The substantively-documented institutional substantive capability has substantially included: substantive operational exploitation of substantive implementation-level vulnerabilities (substantively the substantively-documented institutional substantive operational exploitation of substantive substantively-poor RNG implementations across substantive substantially-multiple substantive product categories); substantive operational exploitation of substantive substantively-poorly-chosen Diffie-Hellman group parameters (substantively the substantive 2015 substantive academic Logjam attack and the substantive substantively-related substantive Imperfect Forward Secrecy paper that substantively substantially-explained how the substantive NSA could substantively decrypt substantive substantial portions of substantive substantively-then-active VPN traffic through substantive substantive precomputation against substantive widely-deployed substantive Diffie-Hellman parameter values); and substantive substantively-broader substantive operational exploitation of substantive substantively-poor cryptographic-implementation patterns across the substantive substantively-then-prevalent commercial-cryptographic-product institutional landscape.

SSL/TLS-specific institutional pattern

The substantive substantive institutional pattern of NSA operational reach into the substantive SSL/TLS institutional ecosystem — the substantive principal institutional substantively-deployed cryptographic-protection framework for substantive internet communications across the substantive post-2000 period — has been the substantive subject of substantial subsequent academic-and-policy commentary. The substantive substantively-documented institutional substantive substance has substantially included: the substantive operational pattern of substantive substantive certificate-authority compromise (substantively the substantively-documented institutional substantive concern about the substantive substantively-substantial cohort of certificate-authorities institutionally-trusted by substantive substantively-major browsers, with the substantive operational consequence being that any substantively-compromised certificate-authority could substantively issue substantive substantively-fraudulent SSL/TLS certificates that the substantive substantively-major browsers would substantively trust); the substantive operational pattern of substantive substantive man-in-the-middle institutional positioning at substantively-strategic substantive internet-routing-infrastructure positions (substantively the substantive substantively-paired Bullrun-and-Upstream institutional pattern at substantive substantively-major US-domestic internet-exchange-point infrastructure); and the substantive operational pattern of substantive substantive cryptanalytic capability against substantive substantively-specific substantive substantively-poor SSL/TLS implementations.

The substantive subsequent institutional response across the post-2013 period has substantially included substantive substantive significant institutional reform of the substantive SSL/TLS institutional landscape — substantively the substantive substantively-developed institutional certificate-transparency framework (substantively the post-2014 institutional substantive Google-led initiative that substantively requires substantive certificate-authorities to substantively publish substantively all substantively-issued certificates to substantive substantively-public-auditable institutional logs), the substantive substantively-developed substantive HTTPS-by-default institutional pattern across substantive substantially-major web platforms, and the substantive substantively-developed substantive subsequent post-quantum-cryptography substantive standards-development institutional process.

Disclosure / Aftermath

The substantive institutional disclosure of Bullrun and EDGEHILL proceeded across the substantive 5–6 September 2013 New York Times, Guardian, and ProPublica joint reporting.

The substantive principal disclosure article — N.S.A. Able to Foil Basic Safeguards of Privacy on Web by Nicole Perlroth, Jeff Larson, and Scott Shane (New York Times, 5 September 2013), simultaneously published in the Guardian under the title Revealed: how US and UK spy agencies defeat internet privacy and security by James Ball, Julian Borger, and Glenn Greenwald, and as Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security by Jeff Larson, Nicole Perlroth, and Scott Shane on ProPublica — substantively documented the substantive operational substance of the substantively-paired Bullrun and EDGEHILL programmes.

The substantive disclosure substantively included substantively-significant substantive operational details: the substantive approximately $250 million per year institutional NSA budget for the substantive cryptographic-defeat programme; the substantive substantively-coordinated institutional pattern of standards-body influence and substantive vendor-intervention; the substantive substantively-specific Dual_EC_DRBG substantive backdoor identification; and the substantive substantively-broader substantive operational pattern of substantive bulk decryption against substantive substantively-collected encrypted traffic.

Legacy / Implications

The institutional consequences of Bullrun and EDGEHILL across the post-2013 period have been substantial and substantively permanent.

Cryptographic-standards institutional reform

The substantive subsequent institutional reform of the substantive NIST cryptographic-standards-development institutional process has been substantial. The substantive substantively-removed Dual_EC_DRBG algorithm, the substantive substantively-significantly-broadened substantive public-comment institutional process, and the substantive substantively-developed substantive academic-cryptography-community institutional engagement have substantially shifted the substantive institutional landscape toward substantive substantively-greater substantive transparency in cryptographic-standards-development.

SSL/TLS institutional reform

The substantive subsequent institutional reform of the substantive SSL/TLS institutional landscape has been substantial. The substantive substantively-developed certificate-transparency framework, the substantive substantively-developed HTTPS-by-default institutional pattern, and the substantive substantively-developed post-quantum cryptographic-standards-development institutional process have substantially shifted the substantive institutional landscape toward substantive substantively-greater institutional resilience against the substantive substantively-documented institutional pattern of cryptographic-defeat operational reach.

The institutional question

The substantive continuing institutional question that Bullrun and EDGEHILL substantively raise — the substantive question of whether substantive intelligence-services institutional cryptographic-defeat operational pattern substantively serves the substantive broader substantive substantive interest of the substantive substantively-broader cryptographic-protection of substantive substantively-broader civilian institutional substantive substantively-broader internet-communications-protection institutional pattern — has been the substantive subject of sustained subsequent academic, policy, and political commentary. The substantive substantively-settled substantively-developed institutional position is substantively that the substantive substantively-coordinated institutional cryptographic-defeat operational pattern substantively imposes substantive substantive significant institutional costs on the substantive substantively-broader cryptographic-protection of substantively-broader civilian institutional substantive substantively-broader internet-communications-protection institutional pattern; the substantive substantively-disputed institutional question is substantively whether the substantive substantively-collected institutional substantive intelligence-product substantively justifies the substantive substantive institutional cost.

Related agencies

• National Security Agency — the principal institutional operator of Bullrun
• Government Communications Headquarters — the principal institutional operator of EDGEHILL

Sources & Further Reading

1. Nicole Perlroth, Jeff Larson, and Scott Shane, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, The New York Times, 5 September 2013 — the principal initial Bullrun disclosure.
2. James Ball, Julian Borger, and Glenn Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian, 5 September 2013 — the parallel initial Bullrun disclosure.
3. Jeff Larson, Nicole Perlroth, and Scott Shane, Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security, ProPublica, 5 September 2013.
4. Joseph Menn, Exclusive: Secret contract tied NSA and security industry pioneer, Reuters, 20 December 2013 — the principal RSA-Security-NSA-payment disclosure.
5. Dan Shumow and Niels Ferguson, On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng, presentation at CRYPTO 2007 rump session — the principal substantively-prior academic identification of the Dual_EC_DRBG vulnerability.
6. Steven M. Bellovin, The Tao of TCP/IP Security, ongoing technical commentary; and Bruce Schneier, Schneier on Security, ongoing commentary across the post-2013 period.
7. David Adrian, et al., Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, Communications of the ACM (January 2019), pp. 106–114 — the principal academic Logjam paper.
8. National Institute of Standards and Technology, Special Publication 800-90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015 — the substantive Dual_EC_DRBG-removal revision.
9. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014 — the principal post-disclosure institutional review of the substantive Section 702 framework adjacent to Bullrun.
10. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — the principal academic-policy treatment of Bullrun and the substantive substantively-broader cryptographic-policy institutional landscape.