Bullrun and EDGEHILL

2000-01

The NSA's Bullrun and GCHQ's parallel EDGEHILL programmes — the institutional cryptographic-defeat effort operating from approximately 2000 onward to undermine the encryption protecting internet communications, through influence on standards bodies, covert intervention with US technology vendors (most prominently the Dual_EC_DRBG backdoor in NIST SP 800-90A), and cryptanalytic exploitation of widely deployed protocols. Disclosed in joint *New York Times*, *Guardian*, and ProPublica reporting on 5–6 September 2013.

Background and context

The institutional context within which Bullrun and EDGEHILL emerged was the post-2000 expansion of internet-based encrypted communications and the recognition within NSA that the broad consumer adoption of cryptographic protection on the internet would constitute a significant threat to the SIGINT collection enterprise.

Across the half-century before 2000, the principal NSA cryptanalytic challenges had been the military-grade systems of Soviet, Chinese, and adjacent state adversaries, categories against which the agency's cryptanalytic capability had been developed over decades. The post-2000 environment was different in kind. Mass adoption of consumer-grade cryptography, most prominently SSL/TLS underlying HTTPS web traffic, SMTP over TLS for email transport, and the broader application-layer ecosystem, placed encryption between the agency and a substantial proportion of internet traffic that, before these protocols were generally deployed, had been collected in plaintext.

The institutional NSA response was the coordinated programme that became Bullrun. The paired GCHQ response was EDGEHILL. The operational substance of both was the systematic effort to undermine the consumer-grade cryptographic infrastructure to preserve the SIGINT-collection capability that broad cryptographic adoption threatened.1

Influence on cryptographic-standards bodies

The most documented operational category was the coordinated NSA influence on cryptographic-standards bodies — the National Institute of Standards and Technology (NIST), the Internet Engineering Task Force (IETF), the International Organization for Standardization (ISO), and adjacent international standards-development bodies.

The canonical case is the Dual_EC_DRBG random-number generator in NIST Special Publication 800-90. The Dual Elliptic Curve Deterministic Random Bit Generator appeared in the 2006 release of SP 800-90 (later renumbered SP 800-90A) as one of four approved deterministic random bit generators, alongside Hash_DRBG, HMAC_DRBG, and CTR_DRBG. The generator publishes two points, P and Q, on one of the NIST curves P-256, P-384 or P-521 and uses them in turn: each step multiplies the current state by P and takes the x-coordinate as the new state, then multiplies that new state by Q and emits its x-coordinate with a few leading bits dropped (16 for P-256). The standard gave no account of how Q had been chosen. Concern was raised at the CRYPTO 2007 rump session by Microsoft cryptographers Dan Shumow and Niels Ferguson in the presentation On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng. They showed that anyone holding the scalar d with P = d·Q can take roughly 32 bytes of output, lift it back to a curve point, multiply by d, and obtain the generator's next internal state, after which every subsequent output is predictable.2

The substance of the Dual_EC_DRBG question was whether NSA, which had contributed the algorithm to the standard, possessed d. A party holding d can recover the internal state of any Dual_EC_DRBG instance from a short run of its output and so predict every key, nonce, and other secret that instance later produces; the random values sent in the clear during a TLS handshake expose enough generator output to make this practical. The September 2013 New York Times and ProPublica reporting, citing the Snowden documents, reported that the agency had written the standard and engineered the weakness.
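The following is an added example, not code from the original page, from NIST SP 800-90A, or from the Shumow and Ferguson talk. It rebuilds the Dual_EC_DRBG structure over a constructed 31-bit toy curve (the prime, curve coefficients, seed, secret scalar, and 8-bit truncation are all assumptions standing in for P-256 and its 16 dropped bits) and runs the trap door end to end: the designer publishes P and Q with P = d·Q, the victim generator emits truncated outputs, and a party holding d brute-forces the dropped bits, lifts one output back to a curve point, multiplies by d to obtain the next state, confirms it against the following outputs, and then predicts everything after.

```python
"""Toy Dual_EC_DRBG with its trap door: whoever holds d (P = d*Q) recovers the state.

Added illustration, not code from SP 800-90A or the Shumow-Ferguson slides. The field
prime, curve coefficients, seed, secret d and 8-bit truncation are constructed toy values
standing in for P-256 and the 16 leading bits the real generator drops per output.
"""

P_MOD = 2**31 - 1    # toy field prime, 3 mod 4 so square roots take one exponentiation
A, B = 3, 7          # toy curve y^2 = x^3 + A*x + B (constructed, non-singular mod P_MOD)
TRUNC_BITS = 8       # toy stand-in for the 16 bits Dual_EC_DRBG discards
OUT_BITS = 31 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1
INF = None           # point at infinity

def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                    # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    if pt is INF:                                     # ~2^-31 per step on this toy curve
        raise ValueError("state hit the point at infinity; reseed")
    return pt[0]

def lift_x(x):
    """A point with x-coordinate x (either sign of y), or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def make_backdoored_points(d, start_x=1000):
    """Designer's step: pick any Q, publish Q and P = d*Q, keep d secret.
    (The standard writes Q = e*P; d is e's inverse mod the group order. Choosing d
    directly avoids needing that order for the toy curve.)"""
    x, Q = start_x, lift_x(start_x)
    while Q is None:
        x += 1
        Q = lift_x(x)
    P = ec_mul(d, Q)
    if P is INF:
        raise ValueError("d is a multiple of Q's order; pick another d")
    return P, Q

def output_from_state(s, Q):
    """Dual_EC output step: x-coordinate of s*Q with the top TRUNC_BITS dropped."""
    return x_of(ec_mul(s, Q)) & OUT_MASK

class ToyDualEC:
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_output(self):
        self.s = x_of(ec_mul(self.s, self.P))         # state update uses P
        return output_from_state(self.s, self.Q)      # output uses Q

def recover_state(observed, d, P, Q):
    """Attacker holding d: observed[0] seeds candidates, observed[1:] confirm one.
    Only the dropped bits need guessing (2**TRUNC_BITS candidates; 2**16 for P-256).
    The sign of y is irrelevant since d*(-R) = -(d*R) has the same x-coordinate."""
    for hi in range(1 << TRUNC_BITS):
        x = (hi << OUT_BITS) | observed[0]
        if x >= P_MOD:
            continue
        R = lift_x(x)                                 # candidate for s_i*Q
        if R is None:
            continue
        S = ec_mul(d, R)                              # d*(s_i*Q) = s_i*P, x is s_{i+1}
        if S is INF:
            continue
        probe = ToyDualEC(S[0], P, Q)
        try:
            ok = output_from_state(probe.s, Q) == observed[1]
            for r in observed[2:]:
                ok = ok and probe.next_output() == r
        except ValueError:
            continue
        if ok:
            return S[0]
    return None

SECRET_D = 0x1B7A5C3   # toy trap-door scalar (constructed)
SEED = 0x2D0F1A9       # toy initial state (constructed)

def demo(n_observed=3, n_predict=4):
    """Victim emits n_observed + n_predict outputs; the attacker sees only the first."""
    P, Q = make_backdoored_points(SECRET_D)
    victim = ToyDualEC(SEED, P, Q)
    outputs = [victim.next_output() for _ in range(n_observed + n_predict)]
    state = recover_state(outputs[:n_observed], SECRET_D, P, Q)
    if state is None:
        return None
    clone = ToyDualEC(state, P, Q)
    for _ in range(n_observed - 2):                   # re-derive outputs already seen
        clone.next_output()
    return {"future": outputs[n_observed:],
            "predicted": [clone.next_output() for _ in range(n_predict)]}
```

Running `demo()` returns the victim's four unseen outputs beside the attacker's predictions, which match. The real generator differs only in scale: a 256-bit field, 2^16 candidates per output instead of 2^8, and the fact that a TLS server random already hands an observer enough output to run this recovery.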

NIST's response came in stages: a September 2013 bulletin recommending against further use of Dual_EC_DRBG and reopening the standard for public comment, an April 2014 announcement that the algorithm would be removed, and SP 800-90A Revision 1 (June 2015), which dropped it. The episode also drove broader reform of the standards-development process: enhanced transparency requirements, broadened public-comment processes, and sustained engagement with the academic cryptography community.3

Covert intervention with US technology vendors

The second operational category was the coordinated NSA intervention with US-based technology vendors to alter their cryptographic implementations.

The canonical case is the approximately $10 million payment from NSA to RSA Security, reported to date from around 2004, in exchange for RSA making Dual_EC_DRBG the default random-number generator in its BSAFE cryptographic library, a toolkit embedded in a wide range of commercial products. BSAFE adopted the generator two years before NIST finalised the standard in 2006. The payment was disclosed by Joseph Menn in Reuters on 20 December 2013, in Exclusive: Secret contract tied NSA and security industry pioneer. RSA Security denied having entered any contract to incorporate a known-flawed algorithm and said it had chosen Dual_EC_DRBG in 2004 as part of an industry standards effort; academic cryptographers have treated that account with considerable scepticism, not least because the output-prediction weakness had been public since 2007 and BSAFE kept the default until RSA advised customers to change it in September 2013.4

The broader pattern of NSA-vendor intervention has been the subject of academic and policy literature across the post-2013 period. The documented pattern has included interventions with multiple US-based technology vendors to alter cryptographic implementations, insert exploitable weaknesses, and favour cryptographic standards against which the agency had cryptanalytic capability; the budget document quoted by the Times states the aim of inserting vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.

Bulk decryption capability

The third operational category was cryptanalytic capability against the encrypted traffic NSA was already collecting through other access programmes. The documented capability covered the major protocols of the period: SSL/TLS, the principal VPN protocols (PPTP, IPsec/IKE, SSL VPN), SSH, and adjacent application-layer cryptographic systems.

The specific capability disclosures have been the subject of subsequent academic and journalistic commentary, and three categories are documented. First, exploitation of implementation-level weaknesses, most prominently poor random-number generation across multiple product categories; a generator whose output can be predicted gives up the session key however strong the cipher. Second, exploitation of poorly chosen Diffie-Hellman group parameters. The 2015 Logjam work, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (Adrian and colleagues, ACM CCS 2015; Communications of the ACM, January 2019, 106–114), showed that most of the cost of computing discrete logarithms modulo a 1024-bit prime with the number field sieve depends only on the prime, not on the individual connection. Because a handful of primes were hard-coded into most VPN, SSH, and web servers, a one-time precomputation against a single prime would let a passive eavesdropper decrypt connections to roughly two thirds of IKE VPN servers and a quarter of SSH servers, a pattern the authors argued matched the decryption capability the Snowden documents describe. Third, broader exploitation of weak implementation patterns across the commercial cryptographic-product landscape.5
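Added example, not the Logjam paper's code and not a number field sieve. It shows the precomputation shape described above with a baby-step giant-step table over a constructed toy prime (1000003 with generator 2 is an assumption; real groups are 1024 bits or more and this table would not scale to them): the table depends only on the group (p, g), is built once, and is then reused to recover the shared secret of every Diffie-Hellman session that happens to use that group.

```python
"""Toy analogue of the Logjam precomputation argument.

Added illustration, not code from the Logjam paper. The expensive stage here, a
baby-step giant-step table, depends only on the group (p, g), the same property the
real attack exploits with the number field sieve: pay once per shared prime, then each
session using that prime costs only a cheap lookup phase. TOY_P and TOY_G are
constructed; real groups are 1024+ bits and out of reach for this method.
"""
import math
import secrets

TOY_P = 1000003   # constructed toy prime; in 2015 most servers shared a few 1024-bit primes
TOY_G = 2         # constructed toy generator

def is_prime(n):
    return n > 1 and all(n % f for f in range(2, math.isqrt(n) + 1))

class GroupPrecomputation:
    """Per-group work: paid once, reused against every session that uses (p, g)."""
    def __init__(self, p, g):
        if not is_prime(p):
            raise ValueError("toy modulus must be prime")
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1            # m*m > p-1, so every exponent is covered
        self.table = {}                           # baby steps: g^j -> smallest such j
        acc = 1
        for j in range(self.m):
            self.table.setdefault(acc, j)
            acc = acc * g % p
        self.giant = pow(g, -self.m, p)           # g^(-m), the fixed giant-step multiplier

    def dlog(self, y):
        """Per-session work: an exponent a with g^a == y (mod p), in at most m steps."""
        gamma = y
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant % self.p
        raise ValueError("y is not a power of g")

def dh_session(p, g):
    """Honest exchange: returns what a passive eavesdropper sees and the real shared key."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return (A, B), pow(B, a, p)

def passive_break(pre, A, B):
    """Eavesdropper: recover a from A with the shared-group table, then derive the key."""
    return pow(B, pre.dlog(A), pre.p)

def demo(sessions=5):
    """Build the table once, then break every session that reused the same group."""
    pre = GroupPrecomputation(TOY_P, TOY_G)       # the one-time, per-group cost
    broken = []
    for _ in range(sessions):
        (A, B), shared = dh_session(TOY_P, TOY_G)
        broken.append(passive_break(pre, A, B) == shared)
    return pre.m, broken
```

The point is in `demo()`: `GroupPrecomputation` is built once and `dlog` is called per session. Giving each server its own prime forces the attacker to rebuild the table for each target, which is the mitigation the Logjam authors recommended alongside moving to 2048-bit groups or elliptic-curve Diffie-Hellman.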

SSL/TLS-specific operational reach

The institutional pattern of NSA reach into the SSL/TLS ecosystem — the principal cryptographic-protection framework for internet communications across the post-2000 period — has been documented in three principal forms.

The first is certificate-authority compromise. Major browsers trust a large cohort of certificate authorities, any one of which can issue a certificate for any domain; a compromised or coerced CA can therefore issue a fraudulent but browser-trusted certificate for a target site. The operational consequence is the capability to mount man-in-the-middle interception against TLS sessions whose users see a valid certificate and have no indication that it was issued without the domain owner's involvement.

The second is man-in-the-middle interception at strategically located routing infrastructure. The paired Bullrun-and-Upstream pattern combined the agency's backbone-level collection access with the capability to degrade or break TLS against specific implementations.

The third is cryptanalytic capability against specific weak SSL/TLS implementations — the same pattern as the bulk-decryption category, scoped to TLS specifically.

The institutional response across the post-2013 period has included substantial reform of the SSL/TLS landscape. Certificate Transparency, the Google-initiated framework specified in RFC 6962 (June 2013) under which every issued certificate is recorded in publicly auditable append-only logs, directly addresses the CA-compromise pattern: a mis-issued certificate can no longer be used quietly, because the domain owner can find it in the logs, and Chrome has refused certificates lacking a transparency proof since 2018. The HTTPS-by-default shift across major web platforms expanded the encrypted surface well beyond the post-2000 deployment level. The NIST post-quantum standardisation process, begun in 2016 and run as an open competition, carries the transparency norms adopted after Bullrun into the next generation of standards.6

Disclosure and aftermath

The institutional disclosure of Bullrun and EDGEHILL proceeded across the joint 5–6 September 2013 New York Times, Guardian, and ProPublica reporting drawn from the Snowden archive.

The principal articles were N.S.A. Able to Foil Basic Safeguards of Privacy on Web by Nicole Perlroth, Jeff Larson, and Scott Shane (The New York Times, 5 September 2013); Revealed: how US and UK spy agencies defeat internet privacy and security by James Ball, Julian Borger, and Glenn Greenwald (The Guardian, 5 September 2013); and Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security by Jeff Larson, Nicole Perlroth, and Scott Shane (ProPublica, 5 September 2013).7

The disclosure documented operational details that included the approximately $250 million per year NSA budget for the cryptographic-defeat programme; the coordinated pattern of standards-body influence and vendor intervention; the specific Dual_EC_DRBG identification; and the broader operational pattern of bulk decryption against collected encrypted traffic. The RSA-Security payment disclosure followed in the December 2013 Reuters reporting; the Logjam and Imperfect Forward Secrecy technical work followed in 2015.

Legacy and implications

The institutional consequences of Bullrun and EDGEHILL across the post-2013 period have been substantial.

The reform of the NIST cryptographic-standards-development process has produced lasting institutional change: the 2015 removal of Dual_EC_DRBG, the broadened public-comment process, the formalised academic-community engagement, and the post-2016 transparency standards for the development of the post-quantum cryptographic algorithms have shifted the institutional landscape toward greater transparency in cryptographic-standards work.

The reform of the SSL/TLS landscape has been similarly substantial. The certificate-transparency framework, the HTTPS-by-default shift across major web platforms, and the post-quantum cryptographic standards-development process have shifted the institutional landscape toward greater resilience against the cryptographic-defeat operational pattern Bullrun documented.

The continuing institutional question Bullrun and EDGEHILL raise, whether the intelligence-services pattern of cryptographic defeat serves the broader public interest in cryptographic protection of civilian internet communications, has been the subject of sustained academic, policy, and political commentary. The broad academic consensus is that coordinated cryptographic-defeat operations impose significant costs on the cryptographic-protection landscape as a whole; the disputed question is whether the resulting intelligence product justifies the cost.

Sources and further reading

  1. Nicole Perlroth, Jeff Larson, and Scott Shane, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, The New York Times, 5 September 2013 — the principal initial Bullrun disclosure.
  2. Dan Shumow and Niels Ferguson, On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng, presentation at the CRYPTO 2007 rump session — the principal prior academic identification of the Dual_EC_DRBG vulnerability.
  3. National Institute of Standards and Technology, Special Publication 800-90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015 — the Dual_EC_DRBG-removal revision.
  4. Joseph Menn, Exclusive: Secret contract tied NSA and security industry pioneer, Reuters, 20 December 2013 — the principal RSA-Security-NSA-payment disclosure.
  5. David Adrian, et al., Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, ACM CCS 2015; Communications of the ACM, January 2019, 106–114 — the principal academic Logjam paper.
  6. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014 — the principal post-disclosure institutional review of the Section 702 framework adjacent to Bullrun.
  7. James Ball, Julian Borger, and Glenn Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian, 5 September 2013; Jeff Larson, Nicole Perlroth, and Scott Shane, Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security, ProPublica, 5 September 2013.
  8. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — the principal academic-policy treatment of Bullrun and the broader cryptographic-policy landscape.