A Puzzling Encryption Story

Paul Rosenzweig
Wednesday, August 19, 2015, 3:16 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

This one has been puzzling me for several days. Since I have not yet been able to figure it out, I thought I would "bleg" for assistance from our encryption-savvy readership. According to the Sun Sentinel, a South Florida man was recently convicted of stealing military secrets. I am less concerned with what he stole or why than with what the story says about how the evidence against him was identified and used. Here is the relevant part of the story:

Glenn read up on the art of espionage and used an elaborate encryption system, TrueCrypt, with a decoy computer drive to distract investigators from another hidden drive that he protected with a complex 30-character password, army counterintelligence expert Gerald Parsons testified.

Though prosecutors said Glenn emailed a friend a link to an article headlined "FBI hackers fail to crack TrueCrypt" in October 2011, he wasn't as lucky in his efforts.

The FBI's counterintelligence squad in South Florida was able to crack Glenn's code, Parsons said.

Parsons said he didn't know how the FBI agents did it but he estimated it would have taken "billions" of years to crack the code using traditional methods.

I have always been of the same understanding as Glenn -- that TrueCrypt was, essentially, uncrackable if properly implemented. I've always also understood that the encryption was, of course, subject to an endpoint attack of some sort. A key-logger, for example, could read the 30-character password when it was typed in and convey it to the police. But that isn't how the story reads. Assuming its accuracy, the story suggests that the FBI was able to decrypt the TrueCrypt encrypted volume using some decryption method. And if that's the case, that would be the first time I've ever seen a public report to that effect.

So, my bleg: Any crypto folks out there have an idea of how this might be achieved? Or do you think this is a case of misreporting?

And, finally, on a short policy note: If the FBI can, in fact, decrypt very strong encryption like TrueCrypt, maybe this whole "Going Dark" debate we are having is moot?


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
