Extra Unofficial XKEYSCORE Guide:
Jihobbiests, Mojahaden Secrets, and PGP

Nicholas Weaver
Jul 5, 2015


There is now a large amount of documentation about the NSA’s vast Internet spying system, XKEYSCORE. But what can really be done with it? A lot. This will be the first in a series of unofficial guides for interesting analyses possible using XKeyscore and the other tools available to the typical NSA analyst.

This should serve two purposes: a guide to the rest of the world on just how powerful the NSA’s systems really are, and a set of interesting routines for NSA analysts. If they’ve thought of these techniques already, cool. If they haven’t, listen up: the NSA has committed itself to spying on everyone, they should at least do the best job possible. Anyone in the NSA should feel free to spread this around, put it on internal wikis, email it to friends, whatever.

To begin with, XKEYSCORE is not about “finding needles in haystacks” but “pulling threads”: starting with some known piece of information and using that as a guide to explore a vast world of Internet communications. So let’s pull some threads.

Now all the NSA analysts out there are undoubtedly familiar with Mojahaden Secrets 2 (MS2), the (formerly) favorite crypto program for jihobbiests around the world. MS2 is a wonderful program, whose very use broadcasts to anyone listening “hey, I’m a wannabe jihadi, drone me now”. It’s so easy to recognize that the NSA uses it as an XKEYSCORE 101 example: a single query, “Show me all MS2 encrypted communication sent as vBulletin private messages”, used to pick up pretty much every jihobbiest on the planet.

There are some reports that even the jihobbiests finally figured out that MS2 is bad, after all, if “use dumb crypto == get a Hellfire”, pretty soon Darwin ensures that they learn (since they obviously haven’t gone extinct). So they started stripping out the headers, but no matter, MS2 payloads are still trivially detected. After the recent Intercept document dump, nobody should ever use it again.

There is no need for NSA analysts to despair. The most likely scenario is that the jihobbiests move on to some other jihadi encryption, which will certainly have the same sort of weaknesses under different branding. But what if they instead turn to the gold standard of message encryption, PGP? What now?

Well, XKEYSCORE almost certainly understands PGP just as well as it does MS2 and whatever off-brand crypto the Jihobbiests decide to play with. Fortunately for the NSA, PGP is remarkably chatty: in order to encrypt a message, it creates a series of blocks, one for the sender and one for each recipient, encrypting the message key with the recipient’s public key. It is easy to see the makeup with pgpdump.

One of the first things anyone should notice is that the session key blocks include the PGP KeyID of the public key: an 8 byte sequence that (mostly) uniquely identifies the key. This is PGP’s internal KeyID, not the 4 byte KeyID often displayed in PGP related tools. Now there is a hidden option that suppresses this ID, forcing the recipient to simply try every key, but no PGP system defaults to this and almost nobody (except @thegrugq) knows about this option.
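To make the KeyID leak concrete, here is an added example (not code from the original post): a small Python parser that walks the packets of a binary OpenPGP message the way pgpdump does, pulls the 8-byte KeyID out of each Public-Key Encrypted Session Key packet, and reports whether any recipient used the hidden option (in GnuPG, `--throw-keyids` or `--hidden-recipient`), which RFC 4880 §5.1 specifies as an all-zero “wildcard” KeyID. The sample message is constructed inline with dummy session-key material; the KeyID 0x6D81D70F920E2FEE is the one the post itself quotes.

```python
"""Check which recipient KeyIDs an OpenPGP message exposes in cleartext.

Added example; packet layouts follow RFC 4880 (sections 4.2, 5.1, 5.13).
The sample message below is constructed, not a real capture.
"""
import struct

PKESK_TAG = 1    # Public-Key Encrypted Session Key packet (RFC 4880 5.1)
SEIPD_TAG = 18   # Symmetrically Encrypted Integrity Protected Data (5.13)


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers.
    Partial body lengths are not needed for whole messages here and are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:                      # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header: tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                           # indeterminate length: runs to end
                length = len(data) - pos
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def recipient_key_ids(data: bytes):
    """Return the KeyID of every PKESK packet as upper-case hex, or None when
    the sender used the all-zero wildcard KeyID (the hidden-recipient option)."""
    ids = []
    for tag, body in parse_packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError(f"unsupported PKESK version {body[0]}")
        key_id = body[1:9]                  # 8-byte long KeyID, in the clear
        ids.append(None if key_id == bytes(8) else key_id.hex().upper())
    return ids


def report(data: bytes) -> dict:
    """Summarise what a passive observer learns about the recipients."""
    ids = recipient_key_ids(data)
    return {"visible": [k for k in ids if k is not None], "hidden": ids.count(None)}


# --- constructed sample message -------------------------------------------

def build_pkesk(key_id: bytes, algorithm: int = 1, esk: bytes = b"\x00\x10\x12\x34") -> bytes:
    """Old-format tag-1 packet: version 3, KeyID, pubkey algorithm (1 = RSA), dummy MPI."""
    body = b"\x03" + key_id + bytes([algorithm]) + esk
    return bytes([0x84, len(body)]) + body  # 0x84 = old format, tag 1, 1-byte length


def build_seipd(ciphertext: bytes) -> bytes:
    """New-format tag-18 packet holding (dummy) encrypted message data."""
    body = b"\x01" + ciphertext
    return bytes([0xC0 | SEIPD_TAG, len(body)]) + body


# One visible recipient, one hidden recipient, then the encrypted payload.
SAMPLE_MESSAGE = (
    build_pkesk(bytes.fromhex("6D81D70F920E2FEE"))
    + build_pkesk(bytes(8))
    + build_seipd(b"\xde\xad\xbe\xef" * 4)
)

if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE))
```

Run against a real message (`gpg --output msg.gpg --encrypt ...`, then `open("msg.gpg", "rb").read()`), the `visible` list is exactly what an interceptor with nothing but the ciphertext can read; only hidden recipients force the interceptor, like the legitimate recipient, to guess.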

And, of course, the PGP microplugin in XKEYSCORE almost certainly extracts these KeyIDs. This provides the perfect tool for mapping out a PGP-based communication network.

Let’s say the starting thread is “Nicholas Weaver”. Well, a little bit of searching finds my PGP key, with KeyID 0x6D81D70F920E2FEE. Now a simple query of “All PGP encrypted messages which include KeyID 0x6D81D70F920E2FEE” will pick up every encrypted message that I wrote or which was sent to me, and also give the content of the message if it hasn’t aged off.

Then query for all of those keys, and this gets my two-hop communication network, starting with just my key. Map the communication network, and you map the social relationships, patterns and timing of communication, key targets, and weak points, and pretty much have the perfect starting point to continue onward. Even if one never sees the contents of a single email, as the saying goes, “the Metadata is the Message”.

But wait, there is still more that can be done. The crypto wizards, hiding behind their BULLRUN compartment, undoubtedly have a repository of every PGP private key ever captured. For example, it’s almost certain that XKEYSCORE forwards every PGP private key it discovers on to the crypto division. So when an analyst gets a PGP encrypted message, they are supposed to forward it to the crypto wizards. But if the crypto wizards don’t have the key, the analyst will get back “No decrypt available for this PGP message”.

Now the crypto wizards tell the NSA analysts “Don’t speculate on how we work”. But really, acknowledging the wizards’ mastery of applied kleptography (that is, simply stealing keys) means the analyst can get a lot farther. With a target’s whole communication network, expanding out two hops, odds are now better that at least one node in that network is already compromised with its key sitting in that secret stash.

So an analyst shouldn’t just hand a single intercept to the crypto wizards, but he should instead select enough intercepts so that every key in the target’s network features in at least one intercept. Once the crypto wizards get a hit, the analyst can go back and request decryption of all intercepts with those keys, obtaining a view into the actual communication with its place in the larger behavioral graph.

Yet even if the crypto wizards fail, all is not lost. The analyst can look at the communication network and find a couple of supernodes, individuals with a high degree of connectivity. These are the folks whose keys are the most valuable, able to provide a substantial window into the target’s communication network. PGP doesn’t have “forward secrecy”: if you steal a key, you can read all the old messages encrypted with that key.

The analyst now finds the supernode’s identity by looking for activity involving their PGP key (again, XKEYSCORE FTW: “all messages signed with target KeyID” is a good place to start, and then start searching by email address) and, once identified, gets the TAO (“Tailored Access Operations”, aka the NSA hackers) folks to use QUANTUM to shoot an exploit at the targets.

After their computer is pwned, the analyst can simply steal their private keys, ship them off to the crypto wizards, and ask them to decrypt all those messages they couldn’t decrypt before. That is, if the basic implant doesn’t already steal all PGP private keys during its standard system validation process.

The ugly reality is PGP is not proof against targeting by the NSA.

An analyst does have to work for it, and the NSA’s systems are unable to do bulk keyword scanning or similar mass attacks on PGP-protected communication. But if a target’s communication network uses PGP, the odds are pretty good that the NSA can defeat it: use PGP’s lack of metadata protection to map the graph, and then target the weak spots.

So why be afraid of Jihobbiests upgrading to PGP?

Disclaimer and legal: The author has never held a security clearance, and has no access to unpublished documents. This is released under Creative Commons Attribution/No Derivatives license, but for US government distribution, it is also acceptable to redact any sections needed to obtain a particular level of clearance.


Nicholas Weaver

Researcher: International Computer Science Institute & Lecturer @ UC Berkeley