Bullrun (stylized BULLRUN) is a clandestine, highly classified program to crack encryption of online communications and data, which is run by the United States

National Security Agency The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...

(NSA). The British

Government Communications Headquarters Government Communications Headquarters, commonly known as GCHQ, is an intelligence and security organisation responsible for providing signals intelligence (SIGINT) and information assurance (IA) to the government and armed forces of the Uni ...

(GCHQ) has a similar program codenamed Edgehill. According to the Bullrun classification guide published by ''

The Guardian ''The Guardian'' is a British daily newspaper. It was founded in 1821 as ''The Manchester Guardian'', and changed its name in 1959. Along with its sister papers '' The Observer'' and '' The Guardian Weekly'', ''The Guardian'' is part of the ...

'', the program uses multiple methods including computer network exploitation, interdiction, industry relationships, collaboration with other intelligence community entities, and advanced mathematical techniques. Information about the program's existence was leaked in 2013 by

Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...

. Although Snowden's documents do not contain technical information on exact cryptanalytic capabilities because Snowden did not have clearance access to such information, they do contain a 2010

GCHQ Government Communications Headquarters, commonly known as GCHQ, is an intelligence and security organisation responsible for providing signals intelligence (SIGINT) and information assurance (IA) to the government and armed forces of the Uni ...

presentation which claims that "vast amounts of encrypted Internet data which have up till now been discarded are now exploitable". A number of technical details regarding the program found in Snowden's documents were additionally censored by the press at the behest of US intelligence officials. Out of all the programs that have been leaked by Snowden, the Bullrun Decryption Program is by far the most expensive. Snowden claims that since 2011, expenses devoted to Bullrun amount to $800 million. The leaked documents reveal that Bullrun seeks to "defeat the encryption used in specific network communication technologies".

Naming and access

According to the NSA's Bullrun Classification Guide, Bullrun is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Furthermore, any details about specific cryptographic successes were recommend to be additionally restricted (besides being marked

Top Secret Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to kn ...

// SI) with Exceptionally Controlled Information labels; a non-exclusive list of possible Bullrun ECI labels was given as: APERIODIC, AMBULANT, AUNTIE, PAINTEDEAGLE, PAWLEYS, PITCHFORD, PENDLETON, PICARESQUE, and PIEDMONT without any details as to what these labels mean. Access to the program is limited to a group of top personnel at the

Five Eyes The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in sig ...

(FVEY), the NSA and the

signals intelligence Signals intelligence (SIGINT) is intelligence-gathering by interception of '' signals'', whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication ...

agencies of the United Kingdom (

), Canada (

CSE CSE may refer to: Education Examinations * Certificate of Secondary Education, a secondary school qualification in the United Kingdom, replaced by the GCSE * Civil Services Examination, an examination to qualify for government service in India Fi ...

), Australia ( ASD), and New Zealand ( GCSB). Signals that cannot be decrypted with current technology may be retained indefinitely while the agencies continue to attempt to decrypt them.

Methods

Through the NSA-designed

Clipper chip The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured "voice and data messages" with a built-in backdoor that was intended to "allow Federal, State, ...

, which used the Skipjack cipher with an intentional backdoor, and using various specifically designed laws such as CALEA,

CESA Cesa is a '' comune'' (municipality) in the Province of Caserta in the Italian region Campania, located about north of Naples and about southwest of Caserta. Cesa borders the following municipalities: Aversa, Gricignano di Aversa, Sant'Antimo, ...

and restrictions on export of encryption software as evidenced by ''

Bernstein v. United States ''Bernstein v. United States'' is a set of court cases brought by Daniel J. Bernstein challenging restrictions on the export of cryptography from the United States. History The case was first brought in 1995, when Bernstein was a student at U ...

'', the U.S. government had publicly attempted in the 1990s to ensure its access to communications and ability to decrypt. In particular, technical measures such as

key escrow Key escrow (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third pa ...

, a euphemism for a backdoor, have met with criticism and little success. The NSA encourages the manufacturers of security technology to disclose backdoors to their products or encryption keys so that they may access the encrypted data. However, fearing widespread adoption of encryption, the NSA set out to stealthily influence and weaken encryption standards and obtain master keys—either by agreement, by force of law, or by computer network exploitation ( hacking). According to a Bullrun briefing document, the agency had successfully infiltrated both the

Secure Sockets Layer Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...

as well as some virtual private networks (VPNs). The ''New York Times'' reported that: "But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government's nuclear department and another's Internet service by cracking the virtual private networks that protected them. By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300." As part of Bullrun, NSA has also been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets". ''The New York Times'' has reported that the random number generator

Dual_EC_DRBG Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is an algorithm that was presented as a cryptographically secure pseudorandom number generator (CSPRNG) using methods in elliptic curve cryptography. Despite wide public crit ...

contains a back door, which would allow the NSA to break encryption keys generated by the random number generator. Even though this random number generator was known to be insecure and slow soon after the standard was published, and a potential NSA

kleptographic Kleptography is the study of stealing information securely and subliminally. The term was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology—Crypto '96.A. Young, M. Yung, "The Dark Side of Black-Box Cryptography ...

backdoor was found in 2007 while alternative random number generators without these flaws were certified and widely available,

RSA Security RSA Security LLC, formerly RSA Security, Inc. and doing business as RSA, is an American computer and network security company with a focus on encryption and encryption standards. RSA was named after the initials of its co-founders, Ron Rive ...

continued using Dual_EC_DRBG in the company's

BSAFE toolkit Dell BSAFE, formerly known as RSA BSAFE, is a FIPS 140-2 validated cryptography library, available in both C and Java. BSAFE was initially created by RSA Security, which was purchased by EMC and then, in turn, by Dell. When Dell sold the RSA ...

an
Data Protection Manager
until September 2013. While RSA Security has denied knowingly inserting a backdoor into BSAFE, it has not yet given an explanation for the continued usage of Dual_EC_DRBG after its flaws became apparent in 2006 and 2007. It was reported on December 20, 2013 that RSA had accepted a payment of $10 million from the NSA to set the random number generator as the default. Leaked NSA documents state that their effort was “a challenge in finesse” and that “Eventually, N.S.A. became the sole editor” of the standard. By 2010, the leaked documents state that the NSA had developed "groundbreaking capabilities" against encrypted Internet traffic. A GCHQ document warned however "These capabilities are among the

SIGINT Signals intelligence (SIGINT) is intelligence-gathering by interception of '' signals'', whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication ...

community's most fragile, and the inadvertent disclosure of the simple 'fact of' could alert the adversary and result in immediate loss of the capability." Another internal document stated that "there will be NO '

need to know The term "need to know", when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if ...

.'" Several experts, including

Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Cente ...

and

Christopher Soghoian Christopher Soghoian (born 1981) is a privacy researcher and activist. He is currently working for Senator Ron Wyden as the senator’s Senior Advisor for Privacy & Cybersecurity. From 2012 to 2016, he was the principal technologist at the Amer ...

, had speculated that a successful attack against

RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...

, an encryption algorithm used in at least 50 percent of all SSL/TLS traffic at the time, was a plausible avenue, given several publicly known weaknesses of RC4. Others have speculated that NSA has gained ability to crack 1024-bit RSA/ DH keys. RC4 has since been prohibited for all versions of TLS by RFC 7465 in 2015, due to the RC4 attacks weakening or breaking RC4 used in SSL/TLS.

Fallout

In the wake of Bullrun revelations, some open source projects, including

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

and

OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HT ...

, have seen an increase in their reluctance to (fully) trust hardware-based

cryptographic primitive Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and ...

s. Many other software projects, companies and organizations responded with an increase in the evaluation of their security and encryption processes. For example, Google doubled the size of their TLS certificates from 1024 bits to 2048 bits. Revelations of the NSA backdoors and purposeful complication of standards has led to a backlash in their participation in standards bodies. Prior to the revelations the NSA's presence on these committees was seen as a benefit given their expertise with encryption. There has been speculation that the NSA was aware of the Heartbleed bug, which caused major websites to be vulnerable to password theft, but did not reveal this information in order to exploit it themselves.

Etymology

The name "Bullrun" was taken from the

First Battle of Bull Run The First Battle of Bull Run (the name used by Union forces), also known as the Battle of First Manassas

, the first major battle of the

American Civil War The American Civil War (April 12, 1861 – May 26, 1865; also known by Names of the American Civil War, other names) was a civil war in the United States. It was fought between the Union (American Civil War), Union ("the North") and t ...

. Its predecessor "Manassas", is both an alternate name for the battle and where the battle took place. "EDGEHILL" is from the

Battle of Edgehill The Battle of Edgehill (or Edge Hill) was a pitched battle of the First English Civil War. It was fought near Edge Hill and Kineton in southern Warwickshire on Sunday, 23 October 1642. All attempts at constitutional compromise between ...

, the first battle of the

English Civil War The English Civil War (1642–1651) was a series of civil wars and political machinations between Parliamentarians (" Roundheads") and Royalists led by Charles I (" Cavaliers"), mainly over the manner of England's governance and issues of r ...

References

{{reflist, 30em

External links

* https://www.eff.org/deeplinks/2013/09/crucial-unanswered-questions-about-nsa-bullrun-program * https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0 * https://www.schneier.com/blog/archives/2013/10/defending_again_1.html
Cryptography Opening Discussion: Speculation on "BULLRUN"

John Gilmore John Gilmore may refer to: * John Gilmore (activist) (born 1955), co-founder of the Electronic Frontier Foundation and Cygnus Solutions * John Gilmore (musician) (1931–1995), American jazz saxophonist * John Gilmore (representative) (1780–1845) ...