Bullrun (decryption program)

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Bullrun classification guide published by theguardian.com

Bullrun (stylized BULLRUN) is a clandestine, highly classified decryption program run by the United States National Security Agency (NSA).[1][2] The British signals intelligence agency Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill.

Information about the program's existence was leaked in 2013 by Edward Snowden. Although Snowden's documents do not contain technical information on exact cryptanalytic capabilities because Snowden did not have clearance access to such information,[3] they do contain a 2010 GCHQ presentation which claims that "vast amounts of encrypted Internet data which have up till now been discarded are now exploitable".[1] A number of technical details regarding the program found in Snowden's documents were additionally censored by the press at the behest of US intelligence officials.[4]

Naming and access[edit]

According to the NSA's BULLRUN Classification Guide, which was published by The Guardian, BULLRUN is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Furthermore, any details about specific cryptographic successes were recommend to be additionally restricted (besides being marked Top Secret//SI) with Exceptionally Controlled Information labels; a non-exclusive list of possible BULLRUN ECI labels was given as: APERIODIC, AMBULANT, AUNTIE, PAINTEDEAGLE, PAWLEYS, PITCHFORD, PENDLETON, PICARESQUE, and PIEDMONT without any details as to what these labels mean.[1][2]

Access to the program is limited to a group of top personnel at the Five Eyes (FVEY), the NSA and the signals intelligence agencies of the United Kingdom (GCHQ), Canada (CSE), Australia (ASD), and New Zealand (GCSB). Signals that cannot be decrypted with current technology may be retained indefinitely while the agencies continue to attempt to decrypt them.[2]


Slide published by the Guardian diagramming the high-level architecture of NSA's "Exploitation [Cracking] of Common Internet Encryption Technologies"

Through the NSA-designed Clipper chip and the Skipjack algorithm it implemented, CALEA, the Cyberspace Electronic Security Act and restrictions on the export of encryption software, the U.S. government had publicly attempted in the 1990s to ensure its access to communications and ability to decrypt.[5][6] The government's promotion of key escrow, a euphemism for a backdoor, had met with criticism and little success.

Fearing widespread adoption of encryption, the NSA set out to stealthily influence and weaken encryption standards and obtain master keys—either by agreement, by force of law, or by computer network exploitation (hacking).[7]

According to the New York Times: "But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them. By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300."[8]

As part of Bullrun, NSA has also been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets".[9] The New York Times has reported that the random number generator Dual_EC_DRBG contains a back door from the NSA, which would allow the NSA to break encryption keys generated by the random number generator.[10] Even though Dual_EC_DRBG was known to be an insecure and slow random number generator soon after the standard was published, and the potential NSA backdoor was found in 2007, and alternative random number generators without these flaws were certified and widely available, RSA Security continued using Dual_EC_DRBG in the company's BSAFE toolkit and Data Protection Manager until September 2013. While RSA Security has denied knowingly inserting a backdoor into BSAFE, it has not yet given an explanation for the continued usage of Dual_EC_DRBG after its flaws became apparent in 2006 and 2007.[11] It was reported on December 20, 2013 that RSA had accepted a payment of $10 million from the NSA to set the random number generator as the default.[12][13] Leaked NSA documents state that their effort was “a challenge in finesse” and that “Eventually, N.S.A. became the sole editor” of the standard.[7]

By 2010, the NSA had developed “groundbreaking capabilities” against encrypted Internet traffic. A GCHQ document warned however “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability.”[8] Another internal document stated that “there will be NO ‘need to know.’”[4] Several experts, including Bruce Schneier and Christopher Soghoian, have speculated that a successful attack against RC4, a 1987 encryption algorithm still used in at least 50 per cent of all SSL/TLS traffic, is a plausible avenue, given several publicly known weaknesses of RC4.[14] Others have speculated that NSA has gained ability to crack 1024-bit RSA and Diffie Hellman public keys.[15]


In the wake of BULLRUN revelations, some open source projects, including FreeBSD and OpenSSL, have seen an increase in their reluctance to (fully) trust hardware-based cryptographic primitives.[16][17]

Many other software projects, companies and organizations responded with an increase in the evaluation of their security and encryption processes. For example, Google doubled the size of their SSL encryption keys from 1,024 bits to 2,048 bits.[18]

Revelations of the NSA backdoors and purposeful complication of standards has led to a backlash in their participation in standards bodies.[19] Prior to the revelations the NSA's presence on these committees was seen as a benefit given their expertise with encryption.[20]

There has been speculation that the NSA was aware of the Heartbleed bug, which caused major websites to be vulnerable to password theft, but did not reveal this information in order to exploit it themselves.[21]


The name "BULLRUN" was taken from the First Battle of Bull Run, the first major battle of the American Civil War.[1] Its predecessor "Manassas",[2] is both an alternate name for the battle and where the battle took place. "EDGEHILL" is from the Battle of Edgehill, the first battle of the English Civil War.[22]

See also[edit]


  1. ^ a b c d Ball, James, Borger, Julian, and Greenwald, Glenn (September 5, 2013). "US and UK spy agencies defeat privacy and security on the internet". The Guardian. 
  2. ^ a b c d Perlroth, Nicole, Larson, Jeff, and Shane, Scott (September 5, 2013). "The NSA’s Secret Campaign to Crack, Undermine Internet Security". ProPublica. "This story has been reported in partnership between The New York Times, the Guardian and ProPublica based on documents obtained by The Guardian. For the Guardian: James Ball, Julian Borger, Glenn Greenwald; For the New York Times: Nicole Perlroth, Scott Shane; For ProPublica: Jeff Larson" 
  3. ^ Sean Michael Kerner (2013-09-09). "NSA Bullrun, 9/11 and Why Enterprises Should Walk Before They Run". Eweek.com. Retrieved 2014-01-23. 
  4. ^ a b http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=2&_r=0
  5. ^ Mike Godwin (May 2000). "Rendering Unto CESA: Clinton's contradictory encryption policy.". Reason. Retrieved 2013-09-09. "[...] there was an effort to regulate the use and sale of encryption tools, domestically and abroad. [...] By 1996, the administration had abandoned the Clipper Chip as such, but it continued to lobby both at home and abroad for software-based "key escrow" encryption standards." 
  6. ^ "Administration Statement on Commercial Encryption Policy". July 12, 1996. Retrieved 2013-09-09. "Although we do not control the use of encryption within the US, we do, with some exceptions, limit the export of non-escrowed mass market encryption to products using a key length of 40 bits." 
  7. ^ a b http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=3&_r=0
  8. ^ a b http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=4&_r=0
  9. ^ "Secret Documents Reveal N.S.A. Campaign Against Encryption". New York Times. 
  10. ^ "New York Times provides new details about NSA backdoor in crypto spec". Ars Technica. 
  11. ^ Matthew Green. "RSA warns developers not to use RSA products". 
  12. ^ Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". San Francisco: Reuters. Retrieved December 20, 2013. 
  13. ^ Reuters in San Francisco (2013-12-20). "$10m NSA contract with security firm RSA led to encryption 'back door' | World news". theguardian.com. Retrieved 2014-01-23. 
  14. ^ http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/
  15. ^ http://www.pcworld.com/article/2064960/google-strengthens-its-ssl-configuration-against-possible-attacks.html
  16. ^ Goodin, Dan (2013-12-10). "“We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say". Ars Technica. Retrieved 2014-01-23. 
  17. ^ http://www.theregister.co.uk/2013/09/10/torvalds_on_rrrand_nsa_gchq/
  18. ^ http://googledevelopers.blogspot.com/2013/07/google-certificates-upgrade-in-progress.html
  19. ^ http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
  20. ^ http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html
  21. ^ http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
  22. ^ Ward, Mark (6 September 2013). "Snowden leaks: US and UK 'crack online encryption'". BBC News. Retrieved 6 September 2013. 

External links[edit]