Using 'Terrorist Encryption' Is a Good Way to Get Noticed by the NSA

Terrorist using homegrown crypto are easy targets for NSA's XKEYSCORE.

Jul 2 2015, 6:10pm

Image: Carsten Reisinger/Shutterstock

If you're a terrorist, perhaps you shouldn't use terrorist-made encryption software—unless you want to paint a giant digital target on your back.

In the wake of the Edward Snowden revelations, which have laid bare a long list of NSA's spying activities and techniques, many have feared that extremist groups such as Al Qaeda or ISIS would change their communication habits to avoid being spied on. In fact, several groups supporting Al Qaeda have gone so far as to develop three different versions of encryption software to scramble communications, according to a recent report.

But homegrown terrorist crypto might actually be good news for the NSA. According to new Snowden documents published on Wednesday by The Intercept, NSA analysts can easily identify messages sent using terrorist groups' homegrown encryption tools.

Homegrown terrorist crypto might actually be good news for the NSA.

The documents provide more detail on a previously disclosed NSA system called XKEYSCORE, the agency's all-powerful Google-like search tool. XKEYSCORE is graphical interface designed so that NSA analysts can easily search and sift through data captured by the spy agency's myriad wiretaps on global internet fiber optic cables.

Analysts can use pre-determined, or customized, filters and keywords to look for, say, "individuals in Pakistan visiting certain German message boards," all emails mentioning a certain word or phrase—or for anyone using the infamous terrorist crypto software known as Mojahedeen Secrets or Asrar al-Mujahideen.

Screen Shot 2015-07-01 at 7.27.18 PM.png

As the NSA slide above clearly shows, Mojahdeen Secrets includes a unique string ("Begin ASRAR El Mohjadeen v2.0 Encrypted Message") at the beginning of every message encrypted with the program.

What this means is that searching that string through XKEYSCORE, the NSA can easily identify every instance in which the program was used. In fact, that's exactly one of the examples of what an analyst can do using XKEYSCORE.

"I'm an analyst in CT [counterterrorism] - I want to find anytime Mojoahdeen Secrets is seen in DNI traffic," one of the slides lists as a potential use for XKEYSCORE.

Analysts can use fingerprints, which are "keyword or regular expression based signatures," to flag certain types of data within XKEYSCORE. An analyst can "easily" create his or her own fingerprint, an NSA slide says, but as chance would have it, XKEYSCORE already, and conveniently, contains a fingerprint to identify the use of Mojahdeen Secrets.


Thanks to this fingerprint, even if the spy agency isn't able to crack the encryption to figure out what the message says, the NSA knows who's likely a terrorist, and who he or she is communicating with.

"It goes without saying that using an encryption program that identifies itself is going to make your use of that program known to government agencies," Matthew Green, a cryptography expert at Johns Hopkins University, told Motherboard in an email. "Using encryption at all on a Jihadi forum or mail server is probably enough of a red flag that the NSA will be able to catch it no matter what you do."

"If you use a 'terrorist encryption program,' you are an idiot."

And there's a good chance that the NSA might not just know what you're using, but also crack the encryption and read the messages. That's because custom encryption programs are more likely to have bugs or flaws that can allow an agency that employs skilled mathematicians such as the NSA to break it.

"In encryption, it is very easy to write implementations that are easy to attack. You need a good grounding in the subject to avoid inadvertently leaving your implementation vulnerable," Alan Woodward, a cryptography expert from the computing department at the University of Surrey, told Motherboard in an email. "It is surprising that in this day and age anyone would try to build their own encryption unless they were really expert in the field."

In other words, as Christopher Soghoian, a technologist at the American Civil Liberties Union, put it in a tweet, "if you use a 'terrorist encryption program,' you are an idiot."