How can a small country exploit breaking HTTPS to destory a larger country while growing its own strength?

Inspired by my answer to this question: How to take down the internet?.

Lets say that a small ideological country has recently broken one of the most common HTTPS encryption schemes for public-private key style encryption (I don't care which specifically). They can easily decrypt any message encrypted with this scheme so long as they have the public key used for the encryption. No one is aware that the scheme has been broken at this time.

The country wants to do two things.

Improve its standing in the larger community, gaining both more wealth and more political power without angering anyone enough to trigger an invasion, sanctions, or any other political suicide.
Terrorize, damage the economy of, or destroy one other technically capable country that it passionately hates for ideological reasons. Assume the country it hates is first world economically. The hated country is larger then the country that broke the encryption, but still small compared to say the USA. However, the hated countries military is still a significant threat and thus our small country does not want to risk triggering an overt war.

I know those two goals may seem counter to each other, and rationally they may well be. However, rationality is not always humanities strong suit. Thus assume that their hatred for the other country is significant enough for them to act against them, even if not acting would be smarter; and they are not willing to wait 20-30 years of planning before trying to destroy the economy of the other nation. However, they need to be careful not to do anything that will trigger a direct invasion, by the country they hate or by any larger nations. In addition, if people realize that the encryption algorithm is broken they can switch to an alternate algorithm in the future, negating the countries advantage.

Generally I'm more interested in the terrorism and other evil that the nation can do by breaking HTTPS then I am in how they would build their own nation, but the two issues seem closely enough related that I wanted to mention both goals and stress that terrorism goal need not result in foolish actions or prevent them from attempting to profit as well.

As a small nation they have little infrastructure in place for supporting their exploitation of the encryption algorithm. For instance they don't already have dozens of computers in place for man-in-the-middle attacks just waiting to be tapped. They are not above growing this capability, just don't assume it already exists. However, if necessary to make them able to do anything interesting, you may assume that the nation is physically located between two large first world nations or the hated nation and the rest of the world; thus making it possible that data will often be routed through them.

What strategies do they have available to exploit their ability to see through HTTPS in order to better themselves and destroy their hated country?

ps. I really should name these countries to make it clear the distinction, but the only names I can come up with are Foo and Bar. Any naming suggestions?

dsollen

Posted 2015-12-18T16:41:37.203

Reputation: 28 319

1Better get your technical details right. Public keys aren't used to encrypt messages, they're used to encrypt symmetric keys that are used to encrypt messages. And AES isn't a public key encryption protocol, it's a symmetric protocol. – Mike Scott – 2015-12-18T17:07:41.030

you are correct about AES, my fault, I wasn't thinking. However, I think that my phrasing is accurate for public key encryption. Yes usually public keys encrypt symemetric keys, but it doesn't have to be that way. Someone could send a short message using only public key encryption in theory, or just refuse to every switch to symmetric. The idea is that the public-private key encryption is broken only, which likely breaks the symmetric indirectly since you can read symmetric keys sent this way. – dsollen – 2015-12-18T18:11:03.193

I haven't read the question in detail, but to provide a bit of context: "breaking" HTTPS means breaking TLS, in a context where strict certificate checking is commonplace and certificate pinning is far from unheard of. If you are able to do that, you can pretty much break TLS for everyone. And TLS is used for tons more than just web browsing. Smaller countries also are often (far from always) less reliant on technological infrastructure than larger countries, giving the smaller country the upper hand in another way as well. – a CVn – 2015-12-18T18:11:56.517

@MichaelKjörling I agree with everything you said about HTTPS, but I'm not certain I understand what sort of change you are recommending to the question itself. I thought the specifics were clear enough, is there something you felt was to ambiguous? I don't require limiting to HTTPS of course. Perhaps your suggesting I simply update the question to better match the question description? I choose to simply say HTTPS to allow a short question, if you can suggest a better question to express the idea of the detail better I'm happy to update the question :) – dsollen – 2015-12-18T18:19:11.737

It's not really as much about how to change the question, as it is about the implications of a country being able to do what you ask about. – a CVn – 2015-12-18T18:30:54.253

@MichaelKjörling sorry, I must just be slow today (and you know, the other 364 days of the year), but I'm not sure I follow you still. Your first comment seemed to be implying, if anything, that the country would be more able to cause harm then I may believe due to their breaking more then web browsing (though I wasn't meaning to limit myself to just web browsing), your second comment seems to be implying they would be less able to? I'm not sure all TLS is broken anyways, since they only actually broke one encryption method. – dsollen – 2015-12-18T18:38:32.127

Is this an online break, like a Man in the Middle, where you can only intercept the communication while it is occurring, or is it an offline break that permits you to read any recorded HTTPS session? – Cort Ammon – 2015-12-18T18:47:33.480

@CortAmmon It is a break that allows decoding an encrypted string using only it's public key. If you can get hold of encrypted string and public key it's broken. Obviously that's most easily done with Man in the Middle style attacks, but if you get hold of the recorded message and public key in some other manner you could still break it. – dsollen – 2015-12-18T18:54:27.480

Answers

As Michael Kjörling pointed out in the comments, to break HTTPS, you really break TLS, which is a very standard way of ensuring secure point-to-point communication ranging from HTTPS to VPNs.

Accordingly, the question dsollen asks comes with a secondary question which may be even more important than the technical details: how do you take advantage of a secret without letting anyone else in on the fact that you know the secret?

This is a fundamental problem in spy vs. spy style conflict, which has not been solved in thousands of years, and may not even be provably solvable. Consider the Enigma from WWII. We broke it! Yay! Now what? If we act too suspiciously, they'll realize we broke it, and change it.

The solution is actually all over this forum, in the form of the wonderful Rynn questions. You need to ensure your opponent cannot distinguish what you are doing from sheer luck by enough of a degree to get curious. The Allies did just that. We never sent a destroyer directly to the location of a UBoat. We always had a scout plane serendipitous over the UBoat to spot them first. The likelyhood of a scout plane seeing a UBoat while doing its job was much higher than the likelyhood of a destroyer happening to lumber over it. This made it harder to distinguish their behavior from just getting lucky (or perhaps they were just flying more often... the Germans didn't have perfect information about our flight patterns).

So, with the TLS break, you have access to quite a lot of information. Consider FireSheep, which was used to intercept non-encrypted sessions at places like coffee shops. When this occurred, the security community laughed at the victims and said, "we told you it was unsecured, use HTTPS dummy!" This time, we're using a break that nobody believes possible, so nobody is even looking for a solution.

Consider what sorts of information your spies could glean for you. Send them to an uptown coffee shop in New York and just start slurping up TLS traffic. You don't have to have the secret there (which might have been inspected and seized when you crossed the border). You just collect and relay that information back to your home. This information could be literally worth a goldmine in the stockmarket. This will be the source of wealth, if you keep your noise level down to Rynn's level.

As for attacking the other country, Rynn would never develop a sure-fire way to attack any country. She'd always observe the other country for weaknesses first. Perhaps that country trusts TLS. Many of the major world powers prefer to do their key exchange the old fashioned way, with physical devices, but maybe this country wants a leg up, and is willing to manage their keys in a more risky fashion. If so, you have access to military secrets joy! Perhaps they don't trust TLS. In this case, they may need to be encouraged to share with you. Permit them to overextend just a bit. If you're observing them close enough, you'll see where to go. In the words of Frank Herbert's Tleilaxu in his universe of Dune:

Here lies a toppled god.
His fall was not a small one.
We did but build his pedestal,
A narrow and a tall one.

Play to their ego. You have more information than anyone else in the world about virtually every country and every company in the world. If you can't use this to encourage your great enemy to overextend, you should really think your violent schemes.

Cort Ammon

Posted 2015-12-18T16:41:37.203

Reputation: 121 365

@JDługosz Typo. Should have been "use HTTPS, dummy!" I've fixed it. When FireSheep came out, many sites, including Facebook, did not default to using HTTPS – Cort Ammon – 2015-12-19T02:55:45.683

Use your control over https to encourage/manipulate the country you hate to take negative policies.

If they're far enough away, that might mean trying to make them go to war. If they're close, that might be too risky. But you could still use a variety of other tactics:

Create "authentic" terror threats. Grid shutdowns, a super hacker. Use this to damage them economically.
Infiltrate large companies based in the country, and leak their private/customer data. This will hurt them economically.
Manipulate their social networks to encourage public opinion in ways that will hurt the country.
Manipulate voting results to get incompetent/reactionary politicians into office.
If you feel it's "safe", aggravate the country so that it becomes an aggressor against another, stronger country, possibly going so far as war. Like maybe the super hacker above is from another, third enemy country.

Simultaneously, use your knowledge of the events that are about to happen to improve your own country's economics. Just before a big leak is going to happen in a telecommunications company, short some of the stock. Or buy stock in a competitor. Build infrastructure and companies ahead of time in areas that you're going to hurt them with. Cultivate relationships with the third enemy creature and provide them with weapon contracts.

Dan Smolinske

Posted 2015-12-18T16:41:37.203

Reputation: 33 066

IF you break TLS, you break the whole Internet and you can, by these means, even attack USA, Russia, and China, causing proportional damages to each country.

Just to clarify: Breaking the RSA (the most commonly used algorithm) will involve breaking 2048 bit-length keys with brute force, or have a Shor-resolver quantum machine (which was not yet invented; at least not publicly-known). For the former case, perhaps you're Franklin Richards, you create a pocket universe, spend the whole energy on it to power a super-duper computer which will somehow resolve the problem.

But I assume somehow you break it. How do you seize your new power?

For this to work, you must perform a Man-in-the-Middle attack, which involves somehow:

Knowing which IP addresses you want to target.
Knowing where do they connect (what IP addresses they connect to).
Knowing the routes (usually you use tracert command in Windows, but now it is up to the attackers once invaded a target machine to do that) you can invade, if you cannot access their machines.

For this, I will assume no social engineering would work (otherwise, a sniffer virus could serve the purpose).

The first attack point, and the most important and subtle, is in the economy. Powerful -and hateable- countries are self-claimed liberal countries, so attacking their economies would not mean, by default, a direct terrorist attack. However beware! Most of their circuits (e.g. stock markets) are closed lines and I'm not quite sure you can attack them just by knowing their keys, but you need to somehow know how to physically infiltrating the physical cables to the physical network, physically. If you can, however, get a friend over several ISPs who let you connect and sniff the data to known online banking tools. However, you will mostly attack civilians in this way, and perhaps reach the media with low impact - i.e. just a regular hacker/thief.
Energy is the second point regarding costs, but the main point regarding impact. You could connect to their systems, as long as they remain in normal internet lines.
Healthcare records!! You can attack those systems (which most of the times, if not all of them, are being connected via regular internet connections and not closed circuits).
Government offices. You can spy, collaborate with Wikileaks, understand their plans and operatives, know passwords, any kind of sensitive data is actually harmful:
- Passwords for online banking accounts of specific government accounts.
- Details about infrastructure regarding how to reach other systems (e.g. where do I connect to if I want secret military research blueprints; or even actual blueprints if copied).
- Dirty details regarding espionage to supposedly allies, and you screw diplomatic relationships.

Yes. You can do a lot of harm if you reach into sensitive data. But beware!!:

You still need to know where do you need to put the eye. You cannot mess -unless it is an indirect way- into cc-connected systems.
You still need to wait to know appropriate authentication credentials (via sniffing). If the needed person does not connect to the system, or you cannot identify them when they connect, you will never know they login credentials, no matter how much do you sniff.
You need a lot of friends to make they connect you to ISPs so you can sniff, since you cannot sniff if you are in unrelated network segments.
Every movement is tracked and, finally, you cannot force a server to act as you want, beyond the commands it accepts from you. If somehow the server performs a backup and enters maintenance mode, you are out of luck.
Make sure you use Tor to perform the 2nd phase (the actual attack), or they will catch you.
You are out of luck with MFA logins, since perhaps other factors involve hacking the cellphone and most of the times it is no up to you to know that.

So, summary: There's more than just hacking the SSL system you need to know before planning any kind of attack. Security is much more than just SSL/TLS.

Luis Masuelli

Posted 2015-12-18T16:41:37.203

Reputation: 581