Slashdot Mirror


NSA Still Ahead In Crypto, But Not By Much

Hugh Pickens writes "Network World summarizes an RSA Conference panel discussion in which former NSA technical director Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years, but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt. 'I do believe NSA is still ahead, but not by much — a handful of years,' says Snow. 'I think we've got the edge still.' Snow added that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. 'Now we are very close together and moving very slowly forward in a mature field.' The NSA has one key advantage (besides their deep staff of Ph.D. mathematicians and other cryptographic experts who work on securing traffic and breaking codes): 'We cheat. We get to read what [academics] publish. We do not publish what we research,' he said. Snow's claim of NSA superiority seemed to rankle some members on the panel. Adi Shamir, the "S" in the RSA encryption algorithm, said that when the titles of papers in NSA technical journals were declassified up to 1983, none of them included public key encryption; 'That demonstrates that NSA was behind,' said Shamir. Snow replied that when technologies are developed separately in parallel, the developers don't necessarily use the same terms for them."

208 comments

  2. they aren't very well going to admit defeat. by timmarhy · · Score: 3, Interesting

    what else would you expect from a public servant. he won't admit the private sector has them beat because it'd be the end of his job.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:they aren't very well going to admit defeat. by ipquickly · · Score: 2, Insightful

      > We do not publish what we research

      And they also do not publish what they don't research.
      Or if and when they suffer or do not suffer defeat.

    2. Re:they aren't very well going to admit defeat. by introspekt.i · · Score: 2, Informative

      I believe the article said he was a Former NSA technical director.

    3. Re:they aren't very well going to admit defeat. by zappepcs · · Score: 4, Insightful

      It occurs to me to think that real encryption is not beatable, but workable encryption is. The problem is not who has the best or admits to not having it, it's who has best real encryption that is workable between arbitrary peers. I can easily encrypt a drive that you will NEVER decrypt, but then neither will I be able to. It's the secrecy of the key that is the quest, not the encryption particularly. Hiding the key when it is shared publicly is a problem, will always be a problem, and the race is not necessarily one brain trust against another for the best hiding technique, but rather a race to figure out the best way to hide it for a reasonable amount of time from the most people. The fastest car on the planet is not declared the Indy500 winner, only the car that conforms to the rules of the race is. This race is not winnable in the long term, and only valid as a race in the very short term. Don't count on your encrypted hard drive to protect your data from everyone, for all time. That's simply not going to happen.

    4. Re:they aren't very well going to admit defeat. by MoeDumb · · Score: 0

      "I can easily encrypt a drive that you will NEVER decrypt, but then neither will I be able to. It's the secrecy of the key that is the quest..."

      Why wouldn't you be able to decrypt it? Memorize a long, unguessable password you keep in your head that's never written down or shared. I won't be able to decrypt the drive but you will.

      --
      Mod Me Up. You'll make a grown man cry.
    5. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 1, Funny

      You sound like an English major who was forced to write a technical essay.

    6. Re:they aren't very well going to admit defeat. by sopssa · · Score: 1

      I don't think hiding the key has been a problem. Public-key cryptography already enables the other key to be publicly known and it doesn't reveal the private key required to encrypt in that. Also if you're using password based key, then obviously you cannot make it public. In the end all of the cryptos are breakable by brute-forcing, it's just about making that part harder. Currently "breaking" the encryption techniques have been mostly about trying to lower the amount of brute-forcing you need to do. The race is mostly about developing stronger cryptos which also wouldn't have those weaknesses.

      But for that matter, even the publicly used cryptos nowadays aren't really breakable. Unless, of course, if NSA at some point designed a backdoor in the algorithms. But if so, that won't be used just randomly as it would leak really fast.

    7. Re:they aren't very well going to admit defeat. by bytesex · · Score: 1

      Do you know where your private key is now? And it's protected by what?

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    8. Re:they aren't very well going to admit defeat. by bytesex · · Score: 2, Interesting

      If you're never going to be able to decrypt the data, then you might as well cat /dev/random > /dev/sda. Because it's indistinguishable from random chaos.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    9. Re:they aren't very well going to admit defeat. by aussie_a · · Score: 1

      You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zappepcs' post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

    10. Re:they aren't very well going to admit defeat. by siloko · · Score: 1

      Belly Laugh - I'd mod you up but I want to comment . . .

    11. Re:they aren't very well going to admit defeat. by siloko · · Score: 1

      Let's be honest if a key resides on my head then the kind of 'brute force' method of recovery is likely to hit against my singular lack of resolve - being a geek and not a spy I don't tend to fare well under torture!

    12. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 5, Informative

      Yes, really and truly, never in all time.

      A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.

      So never is more than fair. You would literally have to generate universes to generate universes to decrypt via brute force. By our current understanding of reality, impossible is correct, and anything shy of that is literally science fiction.

    13. Re:they aren't very well going to admit defeat. by Holmwood · · Score: 5, Informative

      Except he's (more or less) right. James Ellis, at GCHQ (roughly the UK equivalent of NSA) had developed the basics of public key cryptography by the end of 1969. This was about 6 years ahead of Diffie Hellman and Merkle. In 1973, a GCHQ cryptographer, Clifford Cocks, realized that one-way functions would be an elegant way of achieving Ellis' insight. See http://cryptome.org/ukpk-alt.htm for example. This was some years ahead of RSA.

      GCHQ and the NSA definitely would have exchanged this information. It's also quite possible that the US made some of these breakthroughs even earlier than the British; I've not paid much attention to anything NSA-related that has declassified in the last 5+ years.

    14. Re:they aren't very well going to admit defeat. by timmarhy · · Score: 1

      it's protected by a strong passphrase you'd need about 10000000 years to brute force. good enough for you?

      --
      If you mod me down, I will become more powerful than you can imagine....
    15. Re:they aren't very well going to admit defeat. by JasterBobaMereel · · Score: 4, Informative

      Public key encryption, that would be the crypto system invented at GCHQ in the UK by public servants .... but not published and then re-invented (independently) by RSA 6-7 years later ...

      --
      Puteulanus fenestra mortis
    16. Re:they aren't very well going to admit defeat. by JackieBrown · · Score: 1

      > being a geek and not a spy I don't tend to fare well under torture!

      You'll never know until you try :)

    17. Re:they aren't very well going to admit defeat. by aussie_a · · Score: 1

      Wait, I'm assuming we're talking a 256 character long password. Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

    18. Re:they aren't very well going to admit defeat. by Chatterton · · Score: 1

      Some love to memorise thousands of digits of PI. Why could it not be conceivable to memorise only 256 bits or 64 Hex digits or 50 [A-Z0-9] chars or 43 [A-Za-z0-9] chars... I know I could not memorise something like that, but some people can.

    19. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      A (completely random) 256 character password would actually have 2048 bits of entropy (i.e. much more than needed). Theoretically, a 32 character password should be enough, as long as it is chosen at random from all possible 256-bit strings (not very likely, given that people tend to use 7-bit ASCII characters for passwords).

      Aaaaanyway... realistically, you don't even need to memorize such a hard password: it suffices to memorize a phrase (which _should_ be easier to memorize than a random 256-bit string) and use salt+password strengthening (i.e. iterate your password+salt through SHA1 10000 times; whatever comes out is your "working password"). This way, it becomes much "easier" for crackers to just attempt to crack directly the whole 256-bit space (which, as someone showed above, is quite hard) than to try to crack it via dictionary (having to do 10000 SHA1 calculations per key attempt isn't nice). It's important to notice that the password strengthening phase (iterating SHA1 a bunch of times) costs basically nothing if you're doing it only once (i.e. you know the passphrase and you want to decrypt your data), but ends up being very costly for someone attempting to crack your encryption using dictionary attacks.

    20. Re:they aren't very well going to admit defeat. by muckracer · · Score: 2, Informative

      > I'm assuming we're talking a 256 character long password.
      > Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

      1 Character != 1 Bit of entropy.

      But anyway...with a diceware-like approach (http://www.diceware.com) you'll get approximately 12.92 bits of entropy per randomly chosen word. So you'd need only 20 words from the diceware list for your passphrase to actually match and surpass the 256-bit security of the underlying crypto algorithm. 20 words are not that hard to remember. Hell, in literature we had to memorize and recite "The sorcerer's apprentice", which is *pages* long!

    21. Re:they aren't very well going to admit defeat. by alanw · · Score: 1

      > Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

      You don't memorise ones and zeros, you pack them into characters.

      The life that I have is all that I have
      And the life that I have is yours
      The love that I have of the life that I have
      Is yours and yours and yours.
      A sleep I shall have, a rest I shall have
      Yet death will be but a pause
      For the peace of my years in the long green grass
      Will be yours and yours and yours.

      306 characters: far far more than is needed.

      The author of the poem was a truly remarkable man who led an amazing life.

    22. Re:they aren't very well going to admit defeat. by Threni · · Score: 1

      Also, if your public key is published then you can keep encrypting random/all possible plaintexts using it, and when one of your encrypts matches the encrypted data you want to decrypt then you have a match.

    23. Re:they aren't very well going to admit defeat. by muckracer · · Score: 1

      > > being a geek and not a spy I don't tend to fare well under torture!

      > You'll never know until you try :)

      Just imagine the geeky & fun role-playing games you can have with your SO.

      She (in german Nazi-Uniform):
      "You WILL give me ze passphrase jetzt!!"

      You (unfortunate prisoner):
      "No! Never!!"

      She (in german Nazi-Uniform):
      "Zen I will have to beat zis information out of you!"

      You (unfortunate prisoner):
      "Oh no's! Not the whip again!! Well...do what you must..." ^__^

      Of course, make sure you have a safe word when playing so you can stop. Low entropy is a feature in this case, whereas 512-bit hashes are, well, not that ideal ;-)

    24. Re:they aren't very well going to admit defeat. by hughperkins · · Score: 2, Funny

      Probably time for you to change your password now ;-)

    25. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Exactly. Using keyphrases (especially with salted hashing) it's easy to obtain a password with more than 256 bits of entropy. Hell, even this has more than 256 bits of entropy: We're no strangers to love. You know the rules and so do I. A full commitment's what I'm thinking of. You wouldn't get this from any other guy.

    26. Re:they aren't very well going to admit defeat. by Kjella · · Score: 2, Insightful

      > You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zappepcs' post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

      No, and there's good physical arguments to "NEVER IN ALL TIME!!!" despite your attempts at hyperbole. Currently the best theories we got suggests there's a lower entropy limit of kT*ln 2 (the Von Neumann-Landauer limit) per operation, which is on the order of 10^-23 joule. The energy of the sun via E=mc^2 is on the order of 10^47 joule. So at most you can do is 10^70 operations but 2^256 = ~10^77. In other words you can't get through the keyspace before you run out of energy, even taking ideal assumptions.

      Granted, this doesn't account for all the matter in the universe. If you include that, you probably have to move to a 384 bit key but it's still quite finite as opposed to burning through every star in every galaxy in the observable universe. Of course, this is only if you have a 256-bit cipher with no cryptological attacks. AES256 is already shown to be flawed with a strength of only 119 bits, though that too is considered practically impossible but not nearly as physically impossible. But I'm sure we will find such a cipher, it's just that we'll never know when we're there.

      --
      Live today, because you never know what tomorrow brings
    27. Re:they aren't very well going to admit defeat. by smallfries · · Score: 2, Insightful

      While it is true that it would not be in his interest to admit if they are beat that does not imply that they are beat. And you would have to be an idiot to believe that they are. To pick up on three points from the video:

      • They employ several hundred PhDs and have a budget that would make any company or university in the sector weep.
      • They can read the literature and take ideas but don't have to reciprocate by publishing their work.
      • They are not handicapped by inconveniences like the law when it comes to experiments on traffic analysis.
      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    28. Re:they aren't very well going to admit defeat. by TheLink · · Score: 1

      > Of course, make sure you have a safe word when playing so you can stop.

      Sounds simple to me:

      red = stop right now
      yellow = not feeling comfy with things
      green = go!

      But I'm one of those Slashdot virgins with no SO, so what would I know :p.

      p.s. this might actually be a steganographic message, or maybe just a noise message to foil traffic analysis. ;)

    29. Re:they aren't very well going to admit defeat. by muckracer · · Score: 1

      > > Of course, make sure you have a safe word when playing so you can stop.

      red = stop right now
      yellow = not feeling comfy with things
      AHHH....OUUUUUCHH!!! = go!

      There...fixed it for 'ya. ;-)

    30. Re:they aren't very well going to admit defeat. by Ed+Avis · · Score: 3, Insightful

      > You would literally have to generate universes

      Isn't that what quantum computing does?

      --
      -- Ed Avis ed@membled.com
    31. Re:they aren't very well going to admit defeat. by xtracto · · Score: 2, Interesting

      You are assuming that whoever wants to break the encryption is doing a brute force attack.

      The classical encryption breaking methods are mainly based on frequency and statistics. I am sure nowadays the NSA and other entities in charge of breaking encrypted content have more sophisticated methods.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    32. Re:they aren't very well going to admit defeat. by divisionbyzero · · Score: 1

      > Yes, really and truly, never in all time.
      >
      > A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.
      >
      > So never is more than fair. You would literally have to generate universes to generate universes to decrypt via brute force. By our current understanding of reality, impossible is correct, and anything shy of that is literally science fiction.

      Uh, no. You are assuming that things will always work the way that they do. By that I mean, presumably, you think 10 million keys is a lot of keys, but what if we could test 2^256 keys per second? Then it's easily decrypted. Obviously given the way we currently do things that's not possible but we may be able to do it with quantum computing (or maybe not). Finally, if you are so keen on constraining things according to the real world, then it's unlikely we'd need to resort to brute-force. All encryption relies on algorithms and algorithms must be implemented. Any given implementation is susceptible to compromise even quantum encryption. So, I'd say it's a safer bet that any encryption can be broken rather than vice versa.

    33. Re:they aren't very well going to admit defeat. by MoeDumb · · Score: 0

      "Memorize a long, unguessable password you keep in your head that's never written down or shared. I won't be able to decrypt the drive but you will." (quoting myself somewhere above). Here's an illustration: Memorize that poem. Take the first letter of each word. Capitalize every fifth letter. Precede and end the result with five predetermined numbers. Now you have your *unbreakable* password.

      --
      Mod Me Up. You'll make a grown man cry.
    34. Re:they aren't very well going to admit defeat. by vlm · · Score: 1

      > Wait, I'm assuming we're talking a 256 character long password. Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

      Three hours later and no one noticed his post was 155 characters long (at least wc -l claims that). You can look at that as about 8 bits per byte of raw very non random data, giving 1240 bits of nonrandom data and he only needs 256 bits. Pessimistically you might pull 2 bits of randomness out per byte, yielding a whopping 310 bits of randomness. Anyway, that's more than enough to feed a hash function to get a nice even 256 bits. I pushed his post thru sha256sum and got the following 256 bit hash:

      d254ed3793668c774d24c55b8553036becb1a9bf1b11401cde27b4bf7bc02f89

      Can the OP memorize that hash? Probably not. Can he memorize his post, including his misspelled "memorize" word? Most likely. Everyone works with some clown who memorized every star trek and star wars script, so memorizing one slashdot post is not exactly a heroic achievement.

      Even if you only pull one bit of stinky randomness out per byte, his post would still be 155 bits strong, frankly not bad. Add a couple bits of salt (not too many) and it'll do, it'll do.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    35. Re:they aren't very well going to admit defeat. by CODiNE · · Score: 5, Interesting

      > That's 1.15x10^77 possibilities.

      Are you aware that randomly generating a specific protein is much more difficult than that? I've heard a number around 1 in 10^113. That would be just ONE of the proteins we need for life.

      So. Either it needs to be rethought what is actually numerically possible, or that the genetic make-up of life was guided by chance.

      --
      Cwm, fjord-bank glyphs vext quiz
    36. Re:they aren't very well going to admit defeat. by vlm · · Score: 3, Interesting

      > Currently the best theories we got suggests there's a lower entropy limit of kT*ln 2 (the Von Neumann-Landauer limit) per operation, which is on the order of 10^-23 joule. The energy of the sun via E=mc^2 is on the order of 10^47 joule. So at most you can do is 10^70 operations but 2^256 = ~10^77. In other words you can't get through the keyspace before you run out of energy, even taking ideal assumptions.

      Well, if your strategy is guess and check, sure, OK. Wouldn't this plan be a hell of a lot cheaper:

      Estimate the total number of operations a genius level human brain can accomplish per second. I will be wildly optimistic and give it 10^3. Let's assume all thought is directed toward crypto and no daydreaming about the young lady working in accounting, or arguing about which was better, Kirk or Picard.

      Estimate the age of the NSA. Wikipedia claims formed in 1952 but there's plenty of cloak and dagger stuff going on before, so we'll round it to 10^3 years

      Estimate the total number of geniuses the NSA has hired over the years. The holy font of all wisdom, wikipedia, claims the number of employees is classified. However, they claim there's 18000 parking spaces at HQ. What the hell they do with 18K people is a mystery to me. My guess is there's 17990 supervisors, managers, directors, HR personnel, diversity directors, marketing personnel, and other executives and about 10 guys with pocket protectors doing all the work, in between their slashdot breaks. But let's say on a very long term average they have 10^5 geniuses working at any given instant.

      Let's further assume they never eat, sleep, have sex (duh, they're math majors). That gives us 31 million seconds per year. Well, we'll round that down for time to watch star trek reruns, eat pizza rolls, and read slashdot, so call it 10^7 seconds per year.

      So, you need to do about 10^3 * 10^3 * 10^5 * 10^7 = about 10^18 crypto related thought operations over the total lifetime of the NSA.

      In conclusion, you need to run WELL under 10^18 thought operations to figure out the back door they put into your encryption algorithm and/or reverse engineer their top secret decryption technology. A wee bit less than your 10^70 operations required to brute force one message. Plus, when you crack the entire algorithm, you've cracked all messages ever sent with it, not just one message.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    37. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 1, Funny

      That's orders of magnitude more difficult than calculating the private key from the public one, genius.

    38. Re:they aren't very well going to admit defeat. by sheehaje · · Score: 2, Funny

      Why would I memorize it when I can put it on one big sticky note?

    39. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      *If* you *had* broken RSA and were reading everyone's stuff, would you tell anyone about it? No.

      They're not exactly going to say "Oh hey, FYI, we broke all your codes."

    40. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      But you forgot Moore's law. In 3 years there is 4 times the compute capacity available. Every 40 years there should be 67M times as much compute capacity as today. Assuming 1B keys/sec to start (gpgpu), in 200 years, a 256-bit cipher will be brute forced by a home PC in a year (67^32 times as fast). Still pretty good, but nowhere near 3.67*10^59 years.

    41. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Unfortunately though, Clifford Cocks' name was misspelled on various internal memos, which resulted in non-classified members of GCHQ inventing the Funniest Joke Ever II.

    42. Re:they aren't very well going to admit defeat. by ciggieposeur · · Score: 1

      > Are you aware that randomly generating a specific protein is much more difficult than that?

      I've highlighted the key word: randomly. Specific proteins were not actually generated randomly, but were directed to viable structures via selection.

      If there was a way to direct the key search to one of the potential keys that could decrypt the ciphertext into some meaningful plaintext, i.e. selection, then one could break the encryption in a more feasible time frame.

    43. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Depends on your interpretation. Many-worlds: perhaps, Copenhagen: not so much. Not that it helps you, because the observation collapses the output. If it didn't, BQP would contain NP and we wouldn't need programmers at all.

    44. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Just because the maximum possible amount of time to find an exact value is a given amount does not necessarily mean it will take that maximum amount of time to generate what you're looking for. If you start at 000...0 and end at ZZZ...Z for just brute forcing, you're a lot more likely to hit the correct combination long before the maximum possible amount of time passes. If you've got certain things converging then just because there are that many possible combinations doesn't mean you need to try them all when you can see certain parts are working, like a key in a lock; you keep the parts that work and continue working on the rest.

      While cryptography does not work that way, life does. THEREFORE BE LOGIC: your premise is flawed.

    45. Re:they aren't very well going to admit defeat. by rrossman2 · · Score: 1

      if it resides ON your head, they'll just pick the key up and use it.

      Now, if it resides *IN* your head, then they'll just crack your head open, pick up the key and use it.

    46. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      > it's protected by a strong passphrase you'd need about 10000000 years to brute force. good enough for you?

      And there is no one you love enough that you'd be willing to give up that pass phrase to save their life? There's nothing on my hard drive that's worth my wife's life and well being or mine or my parents, my in-laws or, to be honest, my friends or most of my co-workers.

    47. Re:they aren't very well going to admit defeat. by ChaosCon · · Score: 2, Insightful

      You fallaciously assume decryption will *always* require trying *every* possible key -- you could get lucky and get the correct key on the first attempt. You don't "only" need 1.15E70 seconds, you need "at most" 1.15E70 seconds.

    48. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      i love that story.

      iirc the guy who did it took 30 mins one evening to think of it. it wasn't even his project, someone just asked his opinion as to a mathematical padlock.

    49. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      > Every 40 years there should be 67M times as much compute capacity as today.

      So in 40 years, we will finally have computers that will run Vista normally?

    50. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Your understanding of "entropy" is incorrect.

      "We're no strangers to love. You know the rules and so do I. A full commitment's what I'm thinking of. You wouldn't get this from any other guy." does not contain anywhere near 256 bits of entropy.

      An attacker could assemble a list of common poetry, songs, books, etc (especially in topics you have an interest in). All they have to do is for each poem or song; split out some phrases, try a few character substitution tricks (example: every X'th character is uppercase) and hope that it's easier to guess your clever key generation technique than it would be to brute force crack the key itself.

      2^256 is a massive number to comprehend.

      If you're using the Diceware symbol set (N=7776 words in the set) and want an effective bit strength of H=256bits, you'll need L=(H*log(2))/log(N)=20 randomly selected words in your passphrase.

      However if you're applying your own clever key generation technique based on poetry, songs, books or other sources of text, the level of entropy is most certainly not counted by the number of words or characters in the resulting pass phrase. Attackers aren't going to brute force a key when they know or assume information about how the key was generated.

      See http://en.wikipedia.org/wiki/Password_strength for more details.
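
The arithmetic behind the key-stretching comment (19) and the Diceware comments (20 and 50), worked through as an added example that is not part of any poster's comment. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the raw iterated SHA1 described in comment 19; the function names and the candidate counts passed to `structured_guess_bits` are constructed for illustration.

```python
"""Passphrase strength arithmetic: Diceware word counts and key stretching."""
import hashlib
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries, one per outcome of five six-sided dice


def entropy_per_word(list_size=DICEWARE_LIST_SIZE):
    """Bits contributed by one word chosen uniformly at random from the list."""
    return math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """L = ceil(H * log 2 / log N): words required to reach target_bits."""
    return math.ceil(target_bits / entropy_per_word(list_size))


def roll_dice_keys(count):
    """Return `count` five-digit dice keys (digits 1-6) from a CSPRNG.

    Each key is the lookup index of one word in a Diceware-style list.
    The per-word entropy figure only holds because the choice is uniform
    and random; a phrase picked by a human does not qualify.
    """
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(count)]


def stretch(passphrase, salt, iterations=10_000, length=32):
    """Derive a fixed-length key from passphrase + salt.

    PBKDF2-HMAC-SHA256 is an assumption of this example, standing in for
    the hand-rolled 'iterate SHA1 10000 times' loop from the thread.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=length)


def effective_bits(passphrase_bits, iterations, key_bits=256):
    """Work factor of a guessing attack against a stretched passphrase.

    Every guess costs `iterations` hash calls, which adds log2(iterations)
    bits of work. The result is capped at key_bits, because past that
    point searching the derived key space directly is the cheaper attack.
    """
    return min(passphrase_bits + math.log2(iterations), key_bits)


def structured_guess_bits(candidate_texts, transforms_per_text):
    """Upper bound on the entropy of a passphrase built from a known text.

    If the phrase is one of `candidate_texts` quotable lines, altered by
    one of `transforms_per_text` rules, the search space is their product
    no matter how many characters the phrase contains.
    """
    return math.log2(candidate_texts * transforms_per_text)


if __name__ == "__main__":
    n = words_needed(256)
    keys = roll_dice_keys(n)
    salt = secrets.token_bytes(16)           # stored next to the ciphertext
    key = stretch(" ".join(keys), salt)
    print(f"{entropy_per_word():.2f} bits/word, {n} words for 256 bits")
    print("dice keys to look up:", " ".join(keys))
    print("derived key:", key.hex())
    # Five random words plus 10000 iterations of stretching:
    print(f"5 words stretched: {effective_bits(5 * entropy_per_word(), 10_000):.1f} bits")
    # Constructed figures: a million well-known lines, a thousand tweaks each.
    print(f"lyric with tweaks: {structured_guess_bits(10**6, 1000):.1f} bits")
```

Stretching with 10000 iterations adds about 13 bits of work, so it helps a random passphrase that is slightly short but does not rescue one drawn from a guessable source.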

    51. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      > it's protected by a strong passphrase you'd need about 10000000 years to brute force. good enough for you?

      > And there is no one you love enough that you'd be willing to give up that pass phrase to save their life? There's nothing on my hard drive that's worth my wife's life and well being or mine or my parents, my in-laws or, to be honest, my friends or most of my co-workers.

      However you forget this is Slashdot! Most of the posters here are arrogant, asocial (if not anti-social) pricks and so their list of vectors for this attack is much shorter, usually only themselves and maybe their parents and/or siblings. :p

    52. Re:they aren't very well going to admit defeat. by DudeTheMath · · Score: 1

      Agreed! PK crypto, block ciphers, etc., was in my Elementary Number Theory textbook (1984, Kenneth Rosen). No freakin' way NSA didn't know how to do that before 1983--as he said, if it's not in a title, then they called it something else.

      --
      You save only 59 seconds over 8 miles by going 75 instead of 65. Do you really have to pass that guy? Do the Math!
    53. Re:they aren't very well going to admit defeat. by MikeBabcock · · Score: 1

      Those 256 bit keys are 256/8 bytes just FYI. Also, in typical usage they're randomly generated keys which are themselves encrypted by public key encryption.

      --
      - Michael T. Babcock (Yes, I blog)
    54. Re:they aren't very well going to admit defeat. by AVee · · Score: 1

      There is no such thing as Former NSA. There is only 'in line' and 'dead before dawn'.

    55. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      I am sure nowadays the NSA and other entities in charge of breaking encrypted content have more sophisticated methods.

      Of course they do.

      However, any modern cryptographic algorithm worth the name has no feasible known attacks with (meaningfully) better efficiency than a brute-force search of the entire key-space. In fact, achieving that specific property is the fundamental goal for the design of any modern cryptographic algorithm. Everything else is lower priority.

    56. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Those are not mutually exclusive. I would say that we _both_ need to rethink what is actually numerically possible _and_ the genetic make-up of life _was_ driven "by chance".

      The difference between generating a specific protein [in a universe] and cracking a specific ciphertext [in a computer] is that the universe is _quite a bit_ more parallel and complex than a (classical, dumb, serial) silicon computer: it's not like the universe is sequentially trying all possible combinations of amino acids until a working protein automagically appears.

      Also, if you have a better theory on how the genetic make-up of life came to be other than "by chance", I would like to hear it (oh, and please refrain from posting theories which require the existence of even-more-complex-things-than-life-as-we-know-it as a way to explain the observed complexity of life).

    57. Re:they aren't very well going to admit defeat. by steelfood · · Score: 1

      There's probably natural selection at play here too. The useful proteins continue to replicate, while the useless or harmful ones die out.

      Or perhaps one can say, all proteins are useful until they become unuseful.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    58. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      You are assuming that things will always work the way that they do. By that I mean, presumably, you think 10 million keys is a lot of keys, but what if we could test 2^256 keys per second? Then it's easily decrypted.

      Forgive me if I come off as being rude here, but it appears to me that you might have tried to divide by zero a few times too many, and you might want to cut down on that particular activity for a while.

      You might also want to contemplate the relative size of 2^256 as compared to the number of elementary particles in the known universe as well as the number of Planck times that have passed since the universe came into being based on current estimates.

      In short: I think you are a loony.

    59. Re:they aren't very well going to admit defeat. by es330td · · Score: 1

      I don't think "never" should be used in this case. My understanding of the subject is lacking, but I believe that some of the appeal of quantum computing is that a qubit computer can represent all states at once. While I don't know how the q-computer can be used to test against the encrypted drive, if the alternate timeframe is 10^59th years my guess is they will figure out how to use the q-computer for this before then. While it is not a traditional "test, increment, test again" brute force methodology, a device that can test everything at once has as much chance of failure as the person who buys all the possible lottery picks.

    60. Re:they aren't very well going to admit defeat. by steelfood · · Score: 1

      Just pick an easy-to-remember line from a book you like. Add extra punctuation and mix up the characters a bit to make things interesting.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    61. Re:they aren't very well going to admit defeat. by Panaflex · · Score: 2, Funny

      Can he memorize his post, including his misspelled "memorize" word?

      You insensitive clod, he's BRITISH! He can't help it... not even their teachers know how to spell. The most a very bright and motivated student can hope for is ox training classes in Cambridge. Just leave him alone!

      --
      I said no... but I missed and it came out yes.
    62. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Bullcrap. Using Shannon's definition of entropy, the entropy of the phrase I typed is the smallest possible representation (i.e. best possible lossless compression) of said phrase. Unless you can express that phrase (in a way that a computer can output it) in less than 32 octets, you have yet to prove that it contains less than 256 bits of entropy. Since, on average, English words contain about 1 to 1.5 bits of entropy, I would say that said phrase _probably_ has 256 bits or something close to it and you have yet to prove me wrong.

      Even if an attacker assembles a dictionary with _all known literature to man_, it still has to try _each one of those possibilities_. If you actually use some form of decent password strengthening, the attacker might as well attack the whole 256 bit keyspace directly. So, even _if_ said phrase doesn't contain 256 bits of entropy, after key strengthening it should.

      See http://en.wikipedia.org/wiki/Key_strengthening for more details (especially that part that says that if the key strengthening phase requires 2^n operations, the resulting key will have an additional n bits of entropy).

      Regardless, my point stands: everyone's brain is full of cultural information (music, poems, literature) which can be easily used to generate secure 256 bit entropy passwords, as long as key strengthening and salting is used.

      "Attackers aren't going to brute force a key when they know or assume information about how the key was generated." Ok. Assume I use SHA1 to generate the key: that is not very helpful for an attacker. Assume I use a poem or a music to generate the key: that is _still_ not very helpful for an attacker. Given that there are SHITLOADS words out there, there are SHITLOADS^SHITLOADS possible (portions of) phrases, poems, lyrics that can be used: he still has to guess punctuation, letter case and random added stuff _for each possible phrase_ (assuming people don't prepend/append a few seemingly random words/digits at the end of the keyphrase).

    63. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      What about having 10 million planets work on it?

      If computational speed increases, the amount of time required will decrease. Of course, there is a limit, and it still works out to "completely infeasible", but probably less than 10^59 years.

    64. Re:they aren't very well going to admit defeat. by kgo · · Score: 1
      --
      Can you construct some sort of rudimentary lathe?
    65. Re:they aren't very well going to admit defeat. by kgo · · Score: 1

      The way the math works out, the average time to crack a key will be half the total time, assuming a reasonably random key. Awaiting lame Spaceballs jokes.

      --
      Can you construct some sort of rudimentary lathe?
    66. Re:they aren't very well going to admit defeat. by divisionbyzero · · Score: 1

      So, what's your point exactly?

    67. Re:they aren't very well going to admit defeat. by AdamTrace · · Score: 1

      Ha! Can you imagine!

      "Boss, we decrypted the message! The key was 0x0000...01!"

    68. Re:they aren't very well going to admit defeat. by gknoy · · Score: 1

      A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.

      Wrong. You only are likely to need that time. A random key in that keyspace, however, might be the fifth one you try, or the five millionth one, or might be the very last one you try. You won't know until you try them, but once you find a key that works, you don't need to test any further. That could occur in the first minute, the first month, the first year, or the first century of trying keys.

      You're right, though, that the odds of the key being in the first-tried slice of the keyspace are slim, and the odds of them being in the first $TIME of key-testing decrease as your keyspace increases.

    69. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      It's a while since I read this wonderful book that covers this bit of history:
      http://www.amazon.com/Code-Book-Science-Secrecy-Cryptography/dp/0385495323/ref=sr_1_1?ie=UTF8&qid=1268154140&sr=8-1-spell
      ...but if I remember right, the GCHQ didn't really appreciate the significance of what Ellis and Cocks had discovered and didn't do a whole lot with it. (Insert rant about government efficiency here). I wouldn't be surprised if they didn't pass it on to the NSA simply because nobody cared very much. The state of the art one-time pads are (and remain) totally unbreakable, and they were satisfied enough with these. It was a fun math project that people were pretty much doing in their spare time.

      Correct me if I'm remembering wrong...

    70. Re:they aren't very well going to admit defeat. by multi+io · · Score: 1

      I couldn't decide whether to mod this "funny" or "insightful".

    71. Re:they aren't very well going to admit defeat. by afabbro · · Score: 1

      If you encrypt your drive using a one time pad then, yes, it is encrypted and safe for all time and is provably unreadable without someone having the key. Of course, if it's a 1TB drive, then you need a 1TB key, and you can only use it once...

      --
      Advice: on VPS providers
    72. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Huh. That's interesting. Reminds me of an episode of Spooks where someone apparently "breaks" some sort of fictional encryption scheme used in everything on the Internet. I can only assume they meant public key encryption. The guy who did it turns out to work for GCHQ, and was the brains behind the invention of it in the first place- but the fictional scheme was invented in the US by a couple of researchers.

    73. Re:they aren't very well going to admit defeat. by Sir+Lollerskates · · Score: 1

      It's not very hard, just use a mnemonic device.... and make the long form of it your password.

    74. Re:they aren't very well going to admit defeat. by steveb3210 · · Score: 1

      You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zeppepcs post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

      Never eh? Suppose we do this:

      Hard Drive A - has your data
      Hard Drive B - same size, write random bits to it.
      Hard Drive C - A xor B

      Now suppose I crush hard drive A and B. Recovering the data is pretty impossible as it could decrypt to anything!

      You've been one time pad'd..
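
Added example, not part of any comment in the thread: a Python sketch of the three-drive XOR construction from comment 74 and the "you can only use it once" caveat from comment 71. The sample plaintexts are constructed and the function names are chosen here for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the pad must cover every byte)."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_drive_c(drive_a: bytes):
    """Return (drive_b, drive_c): B is fresh random bytes, C = A xor B."""
    drive_b = secrets.token_bytes(len(drive_a))
    return drive_b, xor_bytes(drive_a, drive_b)


def pad_that_yields(drive_c: bytes, candidate: bytes) -> bytes:
    """Pad under which C 'decrypts' to an arbitrary same-length candidate."""
    return xor_bytes(drive_c, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad, c1 xor c2 equals p1 xor p2: the pad cancels out."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    results = {}

    # Constructed sample data standing in for the contents of drive A.
    drive_a = b"ledger: pay 100 to alice"
    drive_b, drive_c = make_drive_c(drive_a)

    # With B in hand, C gives A back.
    results["roundtrip"] = xor_bytes(drive_c, drive_b) == drive_a

    # With A and B destroyed, C is consistent with every same-length
    # plaintext: for any candidate there is a pad that maps C to it, and
    # each pad was equally likely, so C says nothing about which is real.
    decoy = b"grocery list: eggs, milk"
    fake_pad = pad_that_yields(drive_c, decoy)
    results["any_plaintext_fits"] = xor_bytes(drive_c, fake_pad) == decoy

    # Reusing the pad removes that property. Two constructed messages
    # encrypted under the same pad:
    p1 = b"meet at the dock"
    p2 = b"bring the files!"
    pad = secrets.token_bytes(len(p1))
    c1 = xor_bytes(p1, pad)
    c2 = xor_bytes(p2, pad)

    # The two ciphertexts alone reveal p1 xor p2, with no pad involved...
    leak = reuse_leak(c1, c2)
    results["pad_cancels"] = leak == xor_bytes(p1, p2)

    # ...so anyone who knows or guesses one message reads the other.
    results["known_p1_reveals_p2"] = xor_bytes(leak, p1) == p2
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```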

    75. Re:they aren't very well going to admit defeat. by Agripa · · Score: 3, Insightful

      Are you aware that randomly generating a specific protein is much more difficult than that? I've heard a number around 1 in 10^113. That would be just ONE of the proteins we need for life.

      So. Either it needs to be rethought what is actually numerically possible, or that the genetic make-up of life was guided by chance.

      But that is randomly generating a specific protein without working from an earlier protein. Asimov called that the hemoglobin number and used it as an example of why evolution could not work using blind chance. Hemoglobin is just part of a family of proteins called globins and the actual differences among them are relatively small. The evolution of hemoglobin did not happen by chance all in one step but by accumulating change via many much smaller steps from an existing protein.

      Strong cryptographic algorithms are specifically designed to be resistant to the type of analysis which would allow you to derive parts of the key until you have the whole thing. Either you have it all, or you have nothing. Evolution of proteins does not work that way.

    76. Re:they aren't very well going to admit defeat. by steveb3210 · · Score: 1

      You would literally have to generate universes to generate universes to decrypt via brute force. By our current understanding of reality, impossible is correct, and anything shy of that is literally science fiction.

      Where exactly then does Shor's Algorithm get its exponential speedup from classical algorithms?

    77. Re:they aren't very well going to admit defeat. by Kjella · · Score: 1

      Well, if your strategy is guess and check, sure,

      Well, the post I was replying to said brute force and that's pretty much the definition of brute force.

      In conclusion, you need to run WELL under 10^18 thought operations to figure out the back door they put into your encryption algorithm and/or reverse engineer their top secret decryption technology. A wee bit less than your 10^70 operations required to brute force one message. Plus, when you crack the entire algorithm, you've cracked all messages ever sent with it, not just one message.

      Uh, wtf kind of logic is that? Since the 1960s millions of people have thought of a "warp drive", that doesn't make it possible. For example, take the RSA algorithm. It depends on p*q = n being trivial to do just like you learned in elementary school, while factoring n to p*q is something mathematicians have spent 2200 years on and not found a really good way of doing. Symmetric encryption is probably even harder because you lack the key entirely. If you look at the list of symmetric ciphers, most of them have never been broken. For example DES published in 1977 *still* has no better published solution than brute force - it's just that 56 bits is way too little with today's computing power.

      --
      Live today, because you never know what tomorrow brings
    78. Re:they aren't very well going to admit defeat. by spazdor · · Score: 1

      Evolutionarily stable strategy.

      Proteins come from one, keypairs do not.

      --
      DRM: Terminator crops for your mind!
    79. Re:they aren't very well going to admit defeat. by kgo · · Score: 1

      This mythical quantum computer with its mythical algorithm is still subject to thermodynamics...

      --
      Can you construct some sort of rudimentary lathe?
    80. Re:they aren't very well going to admit defeat. by jdh3.1415 · · Score: 1

      You forgot to consider future advances in technology. If you assume that Moore's law stands, every two years computing speed doubles, and today we can consider 10e6 keys per second. In about 416 years, a computer can be built that can consider 2^256 keys in one year.

      Such a computer could be built much sooner depending on advances in mathematics or quantum computing.

      Throughout history, many "unbreakable" encryption schemes have been invented. Eventually, they are all broken.

    81. Re:they aren't very well going to admit defeat. by Garridan · · Score: 1

      But there is such a thing as "former NSA technical director". As in, no longer the technical director of NSA, and now cannot divulge his proper title.

    82. Re:they aren't very well going to admit defeat. by Garridan · · Score: 1

      I've memorized at least two 256-bit binary strings... took me no time at all. I bet you can guess them, though.

    83. Re:they aren't very well going to admit defeat. by Sulphur · · Score: 1

      I doubt anyone is really trying to read this. Let's reuse the one time pad just once.

    84. Re:they aren't very well going to admit defeat. by divisionbyzero · · Score: 1

      This mythical quantum computer with its mythical algorithm is still subject to thermodynamics...

      Ah, I see. You don't understand how a quantum computer theoretically works.

    85. Re:they aren't very well going to admit defeat. by xiong.chiamiov · · Score: 1

      You are assuming that whoever wants to break the encryption is doing a brute force attack.

      Well, yes, because he was responding to:

      You don't think someone, given enough time, would be able to brute-force your password?

    86. Re:they aren't very well going to admit defeat. by thoth · · Score: 1

      Brute forcing may be infeasible, but if you're talking about encrypting a disk drive... I don't know if you can be so sure. Between all the metadata about the particular file system and disk format, plus stuff about known files and/or directory layout, I'm sure "the pros" can reduce the number of possibilities significantly.

      These aren't the same order of magnitude, but the Rubik's cube is 10^19 states, yet solvable in 30 seconds by the knowledgeable. The Enigma was 10^23 states, yet also breakable given some other info and genius level insight. So algorithms exist for those problems that seriously prune the states the solver needs to work through. And in a similar way, handing somebody a 256 bit key may mean 10^77 states to start with, but adding info like "this is an encrypted ntfs/ext2/hpfs/whatever drive" supplies a huge amount of extra info that might prune things down quite a bit.

    87. Re:they aren't very well going to admit defeat. by PingPongBoy · · Score: 1

      If you're never going to be able to decrypt the data, then you might as well cat /dev/random > /dev/sda. Because it's indistinguishable from random chaos

      If only I had learned this before I hired a thousand monkeys and purchased a thousand keyboards. Dammit.

      --
      Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
    88. Re:they aren't very well going to admit defeat. by a-zA-Z0-9$_.+!*'(),x · · Score: 1

      1. Various encryption schemes often have quirks that reduce the search space enormously. 2. While a single "processor" may take many years, multiple processors and parallel techniques reduce that burden. As well, the silicon/gallium-arsenide/dna gets faster each year.

      --
      Epitaph: At last! Root access!
    89. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Thanks, I very much enjoyed that. The problem is exhausting key space is a mechanical process, so you don't waste time trying an old key over and over. By contrast coming up with a way to access a backdoor requires a new way of combining "crypto related thought operations" such that the final product is a novel idea. Making people think about crypto is easy but cannot be guaranteed to come up with new thought combination every time (on the contrary most people solve problems by getting stuck somewhere close to real solution, trying variations of the futile idea for a long long time before they finally find the key.) Computers can be meticulous and exhaustive but making "crypto related thought operations" is ill defined for them and the whole concept is most probably limited by the imagination of the programmer. So, your idea doesn't work except in the sense that best way to crack crypto is pay for 10^7 genius.years.

    90. Re:they aren't very well going to admit defeat. by Anonymous Coward · · Score: 0

      Can the OP memorize that hash? Probably not. Can he memorize his post, including his misspelled "memorize" word?

      Actually, "memorise" is how it is spelt. Unless you're an American who thinks you invented the English language.

      Those of us who invented the English language get to spell words how we like.

      Jerk!

  3. Right... by Anonymous Coward · · Score: 1, Informative

    That's what they want you to think.

  4. Their latest decoded message: by WegianWarrior · · Score: 4, Funny

    Be sure to drink your Ovaltine.

    --
    Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
    1. Re:Their latest decoded message: by ipquickly · · Score: 1

      Be sure to drink your Ovaltine.

      No, it was

      "and don't forget the coffee!"

    2. Re:Their latest decoded message: by bmo · · Score: 1

      The point of the joke went so far over your head all you saw was a contrail.

      --
      BMO

    3. Re:Their latest decoded message: by ipquickly · · Score: 1

      The point of the joke went so far over your head all you saw was a contrail.

      I saw no such thing!

      (I was looking down)

    4. Re:Their latest decoded message: by donaggie03 · · Score: 1

      The point of the joke went so far over your head all you saw was a contrail.

      I saw no such thing!

      (I was looking down)

      *sigh* Your link + "A Christmas Story" = ??

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    5. Re:Their latest decoded message: by donaggie03 · · Score: 1

      Heh. That's actually IN the link. Disregard my comment :)

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    6. Re:Their latest decoded message: by spartacus_prime · · Score: 1

      Son of a BITCH!

      --
      If you can read this, it means that I bothered to log in.
  5. key areas of competition by Anonymous Coward · · Score: 1, Insightful

    The reality is that any private organisation will always say that their software is best or their crypto rocks the world.. There is one big difference with the NSA and that is they have very deep pockets when it comes to cracking encryption which very very few private organisations can afford. Which president would turn the NSA down if they came asking for money with a request like... 'we have managed to get xyz encrypted file that we need xyz cpu's to crack so that we can identify a leak who is selling secrets to the taliban/chinese/bob next door'.

  6. Whatever! by martin-boundary · · Score: 4, Insightful
    "We know Saddam has WMD, but we can't show you what we know because it's secret!". Everybody knows how that argument went in Iraq.

    I'm with Shamir, the only correct response here is: "Yeah, right, whatever", not "OMGOMGOMG, the NSA cAn readz my stuffz!!1".

    Frankly, I don't see how any mathematician would want to waste his talent working for the NSA.

    1. Re:Whatever! by Anonymous Coward · · Score: 2, Insightful

      Exactly. The USA intelligence agencies have shown their moronity on so many occasions. I'm not sure which is their greatest hit: helping traffic cocaine into American cities to fund arms transfers to Iran OR helping Osama Bin Laden build and develop the Al-Qaeda network. The NSA/CIA/FBI might be able to catch child porn wankers and craigslist hookers but the Chinese/Israelis/Indians will eat them for lunch. Go to a computer science dept. anywhere: You will see almost all PhD students are Chinese/Jewish/Indian. The NSA makes me laugh.

      Even if they could decrypt the shit they probably don't have anyone who can read whatever language it's fucking written in! Don't worry about encryption just write the shit in Bengla they won't figure out for five years...

    2. Re:Whatever! by bytesex · · Score: 1

      The problem is, that in his historic recount, he is correct. So there is no reason to disbelieve him when he says things about the current state of affairs.

      Except of course, that he is a spook.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    3. Re:Whatever! by chuckymonkey · · Score: 4, Interesting

      Let me tell you from firsthand experience. You cannot even fathom the awesomeness that goes on inside the cube unless you work there. It is not like Hollywood portrays it, but there is a whole lot of cool going on in there. That is why people work for the NSA. Now, I have philosophical disagreements with how the NSA ran business during the Bush years and I left that industry for aerospace. That being said if any of my former colleagues tell me that things have changed I think that I would go back.

      --
      "Some books contain the machinery required to create and sustain universes."-Tycho
    4. Re:Whatever! by martin-boundary · · Score: 2, Insightful
      Sure, I accept that the toys are great, but scientifically? It's time wasted. At some point people are going to ask what did you accomplish?

      If you're a mathematician especially, you'll have nothing to show for it, and if your reports ever get published in the future, they'll be long obsolete and irrelevant.

    5. Re:Whatever! by Anonymous Coward · · Score: 1, Interesting

      I don't believe it. The government wants everyone to believe they are all powerful and know everything but obviously they don't. Either that or they let 9/11 happen on purpose. One or the other they suck. Look at that bunch of CIA douchebags that got suicide bombed by their own informant. How clueless can you be. It's so obvious the ISI are the ones in control in South Asia. All your high tech gizmos and satellites and some stone age goat farmers with Kalishnikovs are beating you. Haha.

    6. Re:Whatever! by jpmorgan · · Score: 4, Insightful

      Academia is not the only profession that provides job satisfaction and a sense of fulfillment. Guess what, 99.9% of the world's population lives a happy life without ever publishing anything.

    7. Re:Whatever! by Anonymous Coward · · Score: 0

      >just write the shit in Bengla
      Writing in good English would be a start, dickwad.

    8. Re:Whatever! by Btarlinian · · Score: 1

      Sure, I accept that the toys are great, but scientifically? It's time wasted. At some point people are going to ask what did you accomplish?

      If you're a mathematician especially, you'll have nothing to show for it, and if your reports ever get published in the future, they'll be long obsolete and irrelevant.

      Who cares? You're getting paid to do what you love and are provided with all the toys you can think of to do that stuff with. If I was a mathematician, I wouldn't really consider that sort of job to be unfulfilling. (Ethical and moral dilemmas are another matter.)

    9. Re:Whatever! by timmarhy · · Score: 1
      that's because if you're a mathematician, the ONLY thing you can do that would seem like much of an accomplishment is publish a scrap of paper.

      for people working in the real world, they can achieve real world outcomes (god i'm damned to management aren't I?).

      --
      If you mod me down, I will become more powerful than you can imagine....
    10. Re:Whatever! by Kjella · · Score: 1

      At some point people are going to ask what did you accomplish?
      If you're a mathematician especially, you'll have nothing to show for it

      "I could tell you, but then I'd have to kill you afterwards". And to be honest, I doubt anyone with "Mathematician, NSA" on their CV will ever have trouble finding work. Lots of others with science degrees work for private research, you'll just be another one of those.

      --
      Live today, because you never know what tomorrow brings
    11. Re:Whatever! by AHuxley · · Score: 2, Insightful

      They are all learning from US books under US profs and going back home with US ideas ...
      It's just the old cold war idea of get them young.
      Years later your "Chinese/Jewish/Indian" is going to sit in front of a multi billion $ contract with a local build %.
      If trained in the US who do you think they will recall fondly ?
      France, Italy, Brazil, Germany, Russia?
      The USA hopes years of quality education will give them that "reality distortion" edge.
      Then when they sign up for a few billions of $ worth of US hardware and software - its happy times in the NSA as they are now connected directly or via soft/hardware upgrades.
      If not you're left with the digital version of "Iranian Tomcats".
      As for Al-Qaeda they have learned via CIA death squads or state sponsors not to trust tech beyond dead drop for propaganda uploads.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Whatever! by JohnFluxx · · Score: 2, Funny

      99.9% of the world's population is, well, the bottom 99.9% of the world. We're talking about the very smartest and most gifted people. The sort that shouldn't be happy if they do not achieve something.

    13. Re:Whatever! by Anonymous Coward · · Score: 0

      Guess what, 99.9% of the world's population lives a happy life without ever publishing anything.

      Yes but 99.9% of the world is not populated by mathematicians.

    14. Re:Whatever! by Sir_Lewk · · Score: 3, Insightful

      Who says the best always have to get their kicks off with public masturbation? While they may never be able to publish, it is also quite likely they will be exposed to concepts and ideas they never would have had the chance to be exposed to otherwise. I'm sure a very large percentage of these sorts of people are driven by a desire to self-improve.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    15. Re:Whatever! by Bakkster · · Score: 1

      If you're a mathematician especially, you'll have nothing to show for it

      So you can't brag to your friends, you can still feel quite fulfilled knowing that your work is not only important, American (or your home nation, for other intelligence agencies) lives may be saved by your hard work.

      Furthering science isn't the only way a scientist, engineer, or mathematician can feel fulfilled.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    16. Re:Whatever! by kaiser423 · · Score: 1

      Having read lots of publications, let me tell you that there's a big difference between publishing something, and achieving something.....

      Silly academics with their insular communities. Here in my side of the world, publishing means nothing, but saving the government money or saving some lives means everything.

    17. Re:Whatever! by elrous0 · · Score: 2, Insightful

      lives may be saved by your hard work.

      Considering the way the NSA has behaved in the last 9 years, I'd say it was way more likely that your work would be used to spy on innocent Americans, prop up phony wars, gather dirt on Administration political opponents, etc.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    18. Re:Whatever! by styryx · · Score: 1

      > Guess what, 99.9% of the world's population lives a happy life without ever publishing anything.

      Citation needed.

    19. Re:Whatever! by Bakkster · · Score: 4, Insightful

      lives may be saved by your hard work.

      Considering the way the NSA has behaved in the last 9 years

      You mean, considering the reports we have heard. There's a pretty obvious selection bias, in that only the illegal activities (which there certainly are, sanctioned or otherwise) will be notable enough to publish and publicize. I highly doubt that illegal activities accounted for more than 1% of work performed by the NSA (again, including both sanctioned and unsanctioned activities), let alone 51% for cryptologic work to be 'more likely' to be used illegally.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    20. Re:Whatever! by Anonymous Coward · · Score: 0

      that 99.9% of the world's population is just a different portion than the publishing portion. the non-publishers aren't the "bottom" portion of this.

    21. Re:Whatever! by Anonymous Coward · · Score: 0

      Most of the Manhattan project scientists made out okay.

    22. Re:Whatever! by Arccot · · Score: 2, Informative

      99.9% of the world's population is, well, the bottom 99.9% of the world. We're talking about the very smartest and most gifted people. The sort that shouldn't be happy if they do not achieve something.

      You are confusing genius with ambition. Not all geniuses want to take over the world. Some just want to lead a happy life.

    23. Re:Whatever! by c6gunner · · Score: 1

      "We know Saddam has WMD, but we can't show you what we know because it's secret!". Everybody knows how that argument went in Iraq.

      We do?

      They did show us what they knew. It just turned out to be crap. Did you really need to venture into historical revisionism in order to support your point?

    24. Re:Whatever! by Anonymous Coward · · Score: 0

      It depends what drives you. If you want to be recognized as a mathematician, you publish proofs. New ideas and proofs of them are even better. If your motivation is money, you could create RT trading algorithms to squeeze human traders out of their money. Now, if you don't care about recognition, or money, but about toys and "working for the country" like some secret agent, then yes, maybe NSA is for you.

    25. Re:Whatever! by Anonymous Coward · · Score: 0

      Exactly. The USA intelligence agencies have shown their moronity on so many occasions. I'm not sure which is their greatest hit: helping traffic cocaine into American cities to fund arms transfers to Iran OR helping Osama Bin Laden build and develop the Al-Qaeda network. The NSA/CIA/FBI might be able to catch child porn wankers and craigslist hookers but the Chinese/Israelis/Indians will eat them for lunch. Go to a computer science dept. anywhere: You will see almost all Phd students are Chinese/Jewish/Indian. The NSA makes me laugh.

      Even if they could decrypt the shit they probably don't have anyone who can read whatever language it's fucking written in! Don't worry about encryption just write the shit in Bengla they won't figure out for five years...

      Nice attempt at anti-semitism. Jewish does not equal Israeli. Israeli citizens do not all have the same religion. There are many different religions practiced by Israelis.

    26. Re:Whatever! by Anonymous Coward · · Score: 0

      But you have to live in Virginia or Maryland. Yay, DC or Baltimore! Holy moly that traffic, the crime, that terrible weather, everything about that region: SUCKS.

    27. Re:Whatever! by Anonymous Coward · · Score: 0

      lives may be saved by your hard work.

      Considering the way the NSA has behaved in the last 9 years, I'd say it was way more likely that your work would be used to spy on innocent Americans, prop up phony wars, gather dirt on Administration political opponents, etc.

      Elect better leaders... the NSA didn't randomly decide to do what they did out of boredom, they were TOLD to do it by the President. When that order comes down, what would YOU do?

    28. Re:Whatever! by DragonWriter · · Score: 1

      Academia is not the only profession that provides job satisfaction and a sense of fulfillment. Guess what, 99.9% of the world's population lives a happy life without ever publishing anything.

      I kind of have to dismiss out of hand any claim that requires accepting, sans evidence, that "99.9% of the world's population lives a happy life", much less that plus other stuff piled on top of it.

    29. Re:Whatever! by gardyloo · · Score: 1

      Yes but 99.9% of the world is not populated by mathematicians.

      Maybe even twice that percentage!

    30. Re:Whatever! by Anonymous Coward · · Score: 0

      There's a selection bias running the other way, too, in that the only illegal activities that get published are those that get caught.

    31. Re:Whatever! by Anonymous Coward · · Score: 0

      "We know Saddam has WMD, but we can't show you what we know because it's secret!"

      That was CIA's fuckup, not NSA's.

      Hell, I'll bet that if NSA had access to every email between Saddam's scientists and Saddam himself, they'd all read something like "Yes, Sir, the frickin' lasers are being attached to the sharks' heads this morning!", because the people writing memos like that were the only scientists Saddam hadn't shot :)

  7. Until by Dyinobal · · Score: 1

    Until a working quantum computer is made.

    1. Re:Until by Anonymous Coward · · Score: 0

      There are already algorithms (that are being implemented!) that quantum computers cannot easily break.

    2. Re:Until by Anonymous Coward · · Score: 0

      You don't think the NSA will be one of the first to use a quantum computer to factor large primes and brute-force private key passphrases?

      Though with their long history of Tempest one wonders why they need to bother cracking crypto.

    3. Re:Until by base3 · · Score: 3, Funny

      I can factor large primes for you, no sweat, no quantum computer required. Now composites of large primes, there a quantum computer might help you.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    4. Re:Until by arethuza · · Score: 1

      So what, I can factor large primes in my head!

    5. Re:Until by Anonymous Coward · · Score: 0

      You can't use a quantum computer to solve private key crypto. Well, using Grover's algorithm, you can halve the keylength, but your nice 256-bit cryptosystem now is "merely" a 128-bit cryptosystem, and that doesn't take into account that the quantum computer is probably going to be a lot slower in practice per key than a classical computer of the same year (simply because classical computers have been around longer).

      Now public key crypto, that you can solve using a quantum computer. But unless you can show that a quantum computer can solve NP-complete problems, good luck trying to solve AES with it.
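The key-length halving described in the comment above can be watched in a classical state-vector simulation of Grover's search over a small keyspace. This is an added example, not part of the original thread; `toy_encrypt`, the 10-bit keyspace and the sample plaintext are constructed for illustration.

```python
import hashlib
import math


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Constructed stand-in for a block cipher: a keyed hash cut to 8 bytes."""
    return hashlib.sha256(key.to_bytes(4, "big") + plaintext).digest()[:8]


def grover_key_search(n_bits: int, plaintext: bytes, ciphertext: bytes):
    """Simulate Grover's algorithm for a known-plaintext key search.

    Returns (oracle_queries, most_likely_key, probability_of_that_key).
    The simulation tracks one real amplitude per candidate key, so it only
    scales to tiny keyspaces; the point is the query count, not the speed.
    """
    size = 1 << n_bits
    # Oracle: "does this key map the known plaintext to the known ciphertext?"
    marked = [toy_encrypt(k, plaintext) == ciphertext for k in range(size)]
    # Start in the uniform superposition over all keys.
    amp = [1.0 / math.sqrt(size)] * size
    # Optimal number of Grover iterations for one marked item.
    iterations = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(iterations):
        # Oracle step: flip the sign of the matching key's amplitude.
        amp = [-a if m else a for a, m in zip(amp, marked)]
        # Diffusion step: reflect every amplitude about the mean.
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]
    probs = [a * a for a in amp]
    best = max(range(size), key=probs.__getitem__)
    return iterations, best, probs[best]


def classical_work_bits(key_bits: int) -> float:
    """log2 of the expected trials for classical brute force (N/2 on average)."""
    return key_bits - 1


def grover_work_bits(key_bits: int) -> float:
    """log2 of the oracle queries Grover needs: (pi/4) * sqrt(2^key_bits)."""
    return key_bits / 2 + math.log2(math.pi / 4)


# Constructed sample data: a 10-bit secret key and one known plaintext block.
N_BITS = 10
SECRET_KEY = 0x2A7
PLAINTEXT = b"known plaintext block"
CIPHERTEXT = toy_encrypt(SECRET_KEY, PLAINTEXT)

if __name__ == "__main__":
    queries, key, p = grover_key_search(N_BITS, PLAINTEXT, CIPHERTEXT)
    print(f"{N_BITS}-bit key: {queries} oracle queries, "
          f"recovered {key:#x} with probability {p:.4f}")
    for bits in (128, 256):
        print(f"{bits}-bit key: classical ~2^{classical_work_bits(bits):.0f}, "
              f"Grover ~2^{grover_work_bits(bits):.2f} queries")
```

The 1024-key search finishes in 25 oracle queries instead of an expected 512 trials, and the same square-root scaling is what turns a 256-bit key into roughly 2^128 quantum queries.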

    6. Re:Until by base3 · · Score: 1

      I used to be able to but these days I have trouble memorizing the digits.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  8. NSA didn't know about public key crypto? by jpmorgan · · Score: 4, Interesting

    I don't think so... public key cryptography was discovered by the GCHQ at least a decade before it was discovered in the public sphere: http://cryptome.org/ukpk-alt.htm

    1. Re:NSA didn't know about public key crypto? by WegianWarrior · · Score: 0

      Just because GCHQ came up with it before it was rediscovered in the public sphere does not mean that NSA was told - the best way of keeping something secret is simply not to tell anyone about it and I don't think the British would risk compromising their new 'high ground' in encryption by telling even an ally. During WWII very little was shared between the allies on their respective crypto-systems - they basically had to build a third system to communicate. Even the how-tos of breaking the opponents' ciphers were well guarded secrets.

      --
      Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
    2. Re:NSA didn't know about public key crypto? by Anonymous Coward · · Score: 0

      Given the nature of UK / USA relations it is almost impossible to imagine that the NSA wouldn't have known about this, and it is very likely that it was shared - like nuclear weapon designs were shared by the US.

    3. Re:NSA didn't know about public key crypto? by Anonymous Coward · · Score: 0

      RELTO FVEY ftw

    4. Re:NSA didn't know about public key crypto? by makomk · · Score: 1

      The US was only willing to share nuclear weapon designs with the UK after it became clear that the UK was quite capable of designing and building its own nukes - and even then, it was on the condition that the US effectively still owned them and had control of their use.

    5. Re:NSA didn't know about public key crypto? by arethuza · · Score: 1

      The US does not have "ownership" of UK nukes and certainly doesn't have hard controls that could stop them being used if the UK wanted to but the US didn't. Royal Navy Trident submarine commanders still have the ability to launch under their own authority (albeit with plenty of procedural controls, involving hand written letters and BBC Radio 4).

  9. Crypto is only the Beginning by introspekt.i · · Score: 3, Insightful

    Crypto's not the weak link in security anymore, nor has it been for a long time. I think the real security money now is in automated (or proven) software verification and model checking. Private industry is only beginning to understand this, and as a whole, probably will not employ it for some time to come. Why bother testing for security errors when you can prove they don't exist?

    1. Re:Crypto is only the Beginning by phantomfive · · Score: 3, Funny

      Crypto's not the weak link in security anymore

      That's what you think.

      --
      Qxe4
    2. Re:Crypto is only the Beginning by Antiocheian · · Score: 1

      Crypto's not the weak link in security anymore

      That's what you think.

      Unfortunately most people won't find this insightful.

    3. Re:Crypto is only the Beginning by Anonymous Coward · · Score: 0

      Model checking and software verification are powerful, but I think it's safe to assume it has its limits too, if only for the fact that it is so computationally expensive.

    4. Re:Crypto is only the Beginning by bytesex · · Score: 5, Interesting

      Nah. The money is now in electromagnetic remote sensing; reading your screen and listening to your keyboard from a mile away. That, and psy-ops. Humans still control keys. Humans always make at least one mistake. Google's mail accounts were cracked because their subjects could be coaxed to visit malicious websites, after all.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    5. Re:Crypto is only the Beginning by lucian1900 · · Score: 1

      Verification is still in its infancy, it has a long way to go before it'll be practical to use over test-driven development. And nothing is actually unequivocally proven anyway, so it's not the silver bullet people make it out to be. Model checking right now is in evolutionary cul-de-sac because people focus on stuff like VDM instead of integrating model checking into existing good languages.

    6. Re:Crypto is only the Beginning by dcollins · · Score: 1

      "I think the real security money now is in automated (or proven) software verification and model checking. Private industry is only beginning to understand this, and as a whole, probably will not employ it for some time to come. Why bother testing for security errors when you can prove they don't exist?"

      Yeah, we were laughing about this in my college CS classes 20 years ago. So the drunken party's back again, eh?

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    7. Re:Crypto is only the Beginning by Anonymous Coward · · Score: 0

      Enjoy your infeasible exponential verification process while I, the competitor, release my product to the masses and issue updates when bugs are located. It won't matter to the masses, look at how wide-spread Adobe's slew of products are.

    8. Re:Crypto is only the Beginning by JackieBrown · · Score: 1

      That's what you think.

      Unfortunately most people won't find this insightful.

      Because it's not.

      Of course that is what introspekt.i thinks. That is why he wrote it.

      phantomfive did not offer any new or insightful discussion to this thread.

    9. Re:Crypto is only the Beginning by Anonymous Coward · · Score: 0

      A mile away? References?

    10. Re:Crypto is only the Beginning by TheLink · · Score: 1

      > > I think the real security money now is in automated (or proven) software verification and model checking.
      > > Why bother testing for security errors when you can prove they don't exist?"
      > Yeah, we were laughing about this in my college CS classes 20 years ago. So the drunken party's back again, eh?

      Yeah, why bother testing his slashdot post for errors if he can prove (via "post verification and checking") that his post on Slashdot was exactly what he wanted to post?

      Software verification has its uses, but it is not as useful as some people think it is.

    11. Re:Crypto is only the Beginning by Antiocheian · · Score: 1

      Compare the percentage of an 80s CPU being used in encryption vs the percentage of a modern CPU being used in encryption.

      Are you certain that modern CPUs are not being used to brute force their way in encrypted data ?

    12. Re:Crypto is only the Beginning by Schraegstrichpunkt · · Score: 1

      Crypto's not the weak link in security anymore

      When I read other people's crypto code, I still find they get it wrong the majority of the time.

    13. Re:Crypto is only the Beginning by Sir_Lewk · · Score: 1

      If the key-size is adequate, then yes. I am. You can not brute force a 256bit symmetric key cipher, not on this planet anyways. I defy you to acquire all of the power that would be needed to make modern computers count from 0 to 2^256. That number is a hell of a lot bigger than I think you think it is.

      Now, could the NSA be using other, perhaps unknown attacks, on things like AES256? That's entirely possible, but they are not brute forcing it.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  10. Sure by FooRat · · Score: 1, Interesting

    "Snow replied that when technologies are developed separately in parallel, the developers don't necessarily use the same terms for them."

    Sure, and I invented cars 200 years ago, but I didn't call it a car so someone else got the credit.

    The NSA may have a "deep staff of Ph.D. mathematicians and other cryptographic experts who work on securing traffic and breaking codes" but let's face it, government departments are not exactly known for being the most motivated of the various sectors, and that's further exacerbated if you know you aren't going to get credit for your work as opposed to being kept secret ... I mean, in academia, one of the major motivations for leading scientists is that they get widespread recognition for their work. I suspect the funding to maintain that "deep staff" of experts probably serves more to keep those experts from being more productive 'elsewhere'. And of course they have to maintain that they are 'ahead' if they want to keep getting funded year after year, so I'd take it with a pinch of salt.

    1. Re:Sure by Anonymous Coward · · Score: 3, Interesting

      Yeah, but the way most intelligence services work is that it's not like the employees show up at the NSA building every day and sit in a cubicle doing encryption research. At least with the CIA and DOD they just put civilian academic researchers on the payroll and get "first dibs" on new stuff and also get to direct their research. The CIA does this with journalists too. They still work at the NY Times etc. but the CIA sees all their information first and decides what will get printed and what will stay private.

    2. Re:Sure by Anonymous Coward · · Score: 1, Funny

      "Snow replied that when technologies are developed separately in parallel, the developers don't necessarily use the same terms for them."

      Sure, and I invented cars 200 years ago, but I didn't call it a car so someone else got the credit.

      *You* invented the automobile? Amazing!

    3. Re:Sure by ExplitiveNOW · · Score: 1

      Yeah, but the way most intelligence services work is that it's not like the employees show up at the NSA building every day and sit in a cubicle doing encryption research. At least with the CIA and DOD they just put civilian academic researchers on the payroll and get "first dibs" on new stuff and also get to direct their research. The CIA does this with journalists too. They still work at the NY Times etc. but the CIA sees all their information first and decides what will get printed and what will stay private.

      Agreed, plenty of people are spies who don't know that they are. It's just too easy and economical to do otherwise.

    4. Re:Sure by G00F · · Score: 1

      The CIA does this with journalists too. They still work at the NY Times etc. but the CIA sees all their information first and decides what will get printed and what will stay private.

      Not disagreeing, but do you have a source for this? I like to make sure facts are correct before I accept it as truth . . . .

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  11. ROFL by Anonymous Coward · · Score: 0

    I'm sure that you, TripMasterFucktard, are well aware that the NSA has the crypto keys to your beloved Windows install, correct?

    You're cool with that, right?

    1. Re:ROFL by sopssa · · Score: 1

      And with SELinux and NSA contributions to the Linux kernel your world domination plans aren't safe there either. They're everywhere, man.

  12. Re:the NSA has motivation by Anonymous Coward · · Score: 0

    You mean like say 9/11? Like invading one country for WMDs and finding out the country with the WMDs was its neighbor? Stuff like that?

  13. Re:the NSA has motivation by Anonymous Coward · · Score: 1, Insightful

    racism is not insightful

  14. RSA by Rising+Ape · · Score: 1

    The NSA may not have had RSA, but GCHQ did - and they developed it years before R, S and A.

  15. NSA vs. PUBLIC by muckracer · · Score: 4, Insightful

    > cryptographers for the NSA have been losing ground to their
    > counterparts in universities and commercial security vendors for
    > 20 years, but still maintain the upper hand in the sophistication
    > of their crypto schemes and in their ability to decrypt.

    Nevermind the intellectual "my code's better than yours" games
    between arguably otherwise brilliant researchers.

    Where the NSA certainly has 'maintained the upper hand' is in real
    life versus ordinary people. The technology of surveillance has
    gotten orders of magnitude better and surrounding laws have been
    adapted to make it fully legal to use that technology to the max
    against The People (wherever they may be). Who in this discussion
    encrypts their e-mails or uses 'sophisticated crypto schemes' as a
    matter of course? At best it's maybe SSH here and there and the
    occasional SSL site. The vast majority of traffic is plain-text, as
    it's been since the days of papyrus. Hell, back in those days at
    least only a few people could read it and thus had better privacy
    than we mostly have today. Nevermind the ramifications of Facebook
    and similar tools.

    Mr. Shamir can engage in discussions of who developed Public Key
    Cryptography first or not. It's all nonsense, because as brilliant
    as the concept is, the PUBLIC has no part in it to 99.99% and
    therefore we can consider it a complete FAILURE on grounds of lack
    of acceptance and widespread use. Meanwhile the NSA sits back and
    laughs, as their electronic tentacles filter through PUBLIC('s)
    traffic...any traffic...and mostly doesn't have to bother with
    breaking anything. Cuz we 'oh-so-clever' geeks have failed
    miserably. If the NSA has any problem, then it's to store and
    process/search through the data they get...not the acquisition.

    1. Re:NSA vs. PUBLIC by gazbo · · Score: 4, Funny
      THANK YOU!

      I'm never happy with the way my browser handles line-breaking, so I'm eternally grateful to you for taking the initiative and doing it yourself.

    2. Re:NSA vs. PUBLIC by muckracer · · Score: 1

      > I'm never happy with the way my browser handles line-breaking, so I'm
      > eternally grateful to you for taking the initiative and doing it yourself.

      More a result of using an external editor. And even though I have a feeling you
      were being ironic, I DO find it easier to read with a normal line-length, as
      opposed to reading across the whole damn (wide)screen. ;-)

    3. Re:NSA vs. PUBLIC by EmagGeek · · Score: 2, Insightful

      That's absolutely true. In addition to brute-force decryption and other methods, the NSA has discovered what scammers have known all along. You don't need to decrypt someone's stuff if they'll give you the keys themselves. It's easier to compromise someone's box and keylog their keys than it is to decrypt the information by force.

      The NSA spends a tremendous amount of effort on social engineering and subversive key acquisition. Those methods are much faster and easier.

    4. Re:NSA vs. PUBLIC by girlintraining · · Score: 1, Interesting

      If the NSA has any problem, then it's to store and process/search through the data they get...not the acquisition.

      Well that, and interagency cooperation, which the Department of Homeland Security was designed to fix. Instead, it now pursues its own agenda and has proven counterproductive towards those ends. The value of intelligence is not in whether or not you can acquire the information, but whether you can do so in a timely and reliable fashion, and have the resources to analyze it to determine trends, form conclusions, and execute decisions in a timely manner. Intelligence operations don't have a defined start and end point. They are organic cycles which vary over time depending on current policy decisions. But it is a continual process, not a linear one as many here seem to think.

      Breaking codes is just a small part of the NSA's overall role within the government. Not only that, but they're not the ones spying on you domestically (generally); That's the job of the FBI (generally) unless a foreign national is involved or they suspect you have international ties with a terrorist organization or individual, or are pursuing criminal enterprise that could endanger national security (for example, if you're a network administrator at Honeywell, which does defense work), or if you are related to any of the above. And frankly, the FBI has a pattern of only investigating high value targets or those that gather media attention because their internal organizational structure is so inefficient that most of their resources are eaten in administrative overhead, leaving very little for actual field work. Unlike marines that live for the day they get to go outside the wire, most at the FBI are content to work 9-to-5 shifts moving papers from one desk to the next. Believe it or not, a major portion of the FBI's intelligence gathering is still open source, even given the low barriers to nearly unlimited access to anything in the private sector.

      That said, intelligence gathering proactively in sigint is a rarity -- it can provide leads, but generally it is reactive in nature. You have your boots in the ground finding names and getting a lay of the land. sigint resources are then allocated against the target to see if anything interesting can be found. In other words, the fact that the NSA has all your emails, phone records, etc., doesn't mean anything unless somebody files a report saying "Hey, check this guy out." There's plenty of files they have where they have good reason to suspect criminal activity but don't invest resources in it because it just isn't costing society enough yet to justify the judicial process.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:NSA vs. PUBLIC by Man+Eating+Duck · · Score: 1

      And even though I have a feeling you were being ironic, I DO find it easier to read with a normal line-length, as opposed to reading across the whole damn (wide)screen. ;-)

      A friendly suggestion: with flowed content such as html you should never impose linebreaks for non-formatting purposes, i.e. you could use them with code or poems. Otherwise one line equals one paragraph. Your editor can surely soft-wrap the display while retaining proper flow in the text.

      The browser handles the flowing, if you prefer shorter
      lines,
      configure your browser for it by for instance resizing
      your browser
      window or introduce custom css. On a phone your post
      might very
      well end up looking like this paragraph, or even worse.

      Otherwise, excellent original post :)

      --
      Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
    6. Re:NSA vs. PUBLIC by muckracer · · Score: 1

      OK, thanx for the tip. Shall now use:

      ":set wrap linebreak textwidth=0"

      This will soft-wrap the lines.
      The written text will still go to the end of the editor/display though. Haven't yet found a way to limit the line length (say, 70 characters) for easy reading, yet still have it only soft-wrapped for final posting to /..

    7. Re:NSA vs. PUBLIC by a-zA-Z0-9$_.+!*'(),x · · Score: 1

      You're wrong about public key. It may be 0.1% of the traffic because it is so calculation-intensive, but what it transmits are private keys for the remaining 99.9% of traffic.

      --
      Epitaph: At last! Root access!
  16. Why do I have doubts about this post? by Kupfernigk · · Score: 1, Interesting

    You cannot even fathom the awesomeness that goes on inside the cube ...there is a whole lot of cool going on in there

    But not, apparently, a lot of grown up usage of the English language.

    Some people like knowing things that other people don't know and having secrets. Some people like adding to the store of human knowledge, and knowing that they have left the world a slightly better informed or capable place. Personally, I know from experience which type I prefer to work with, and it's not the "I'm a member of the in crowd, you're not" type.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  17. More government disinformation... by 3waygeek · · Score: 2, Funny

    In truth, the NSA is hundreds of years ahead of the rest of the world when it comes to cryptography.

  18. Would anyone? by tjstork · · Score: 1

    what else would you expect from a public servant. he won't admit the private sector has them beat because it'd be the end of his job.

    I don't think gov't vs private sector has the same meaning here. Would anyone flat out admit that another institution of any kind has them beat, and thus lose his or her job?

    --
    This is my sig.
  19. Right, that's when the NSA fails by r00t · · Score: 0, Flamebait

    If that isn't motivation, nothing is.

    The sad thing is that the NSA rarely gets credit for all the shit they stop. Usually they can't talk because that would reveal methods. All they ever get is blame for the times they fail.

    The job is similar to fixing bridge corrosion, preventing food poisoning, finding cracks in aircraft wings, and so on. Nobody appreciates when you do well, but they sure bitch about the fuckups.

    The next time bad shit happens, thank the NSA for all the times they made sure it didn't happen.

  20. can't have racism without race by r00t · · Score: 0, Flamebait

    Religion isn't a race. It's a choice, except maybe in the dozen countries where leaving Islam carries the death penalty.

    As for the Chinese spies, that's a nationality plus an occupation. I have a great deal of awe regarding how they kick our asses. I sincerely wish we could return the favor.

    Failure to admit the existence of cultural/ideological enemies is a sure way to lose.

    1. Re:can't have racism without race by Anonymous Coward · · Score: 0

      I sincerely wish we could return the favor.

      If we are, most of us would - and should - never know.

      So who says we aren't? :)

  21. The wonderful unlimited budget by gatkinso · · Score: 1

    Go get your quantum computer - NSA will just build a 10 bazillion node cluster of them.

    They will just brute force your solution into the mud if it comes to that.

    --
    I am very small, utmostly microscopic.
  22. Peer review? by AusIV · · Score: 2

    'We cheat. We get to read what [academics] publish. We do not publish what we research,'

    That's all well and good for cryptanalysis, which is more or less provable, but for new encryption algorithms the more eyes you have looking at your algorithm the more certain you can be of its strengths. Not letting people look at your encryption algorithms seems to be relying on security through obscurity.

    1. Re:Peer review? by ServerIrv · · Score: 2, Insightful

      'We cheat. We get to read what [academics] publish. We do not publish what we research,'

      That's all well and good for cryptanalysis, which is more or less provable, but for new encryption algorithms the more eyes you have looking at your algorithm the more certain you can be of its strengths. Not letting people look at your encryption algorithms seems to be relying on security through obscurity.

      It isn't about security through obscurity. They are cheating because they get ideas from the academics but don't have to return the favor. It becomes a pull relationship and ignores the push.

      Think of it this way (with made up stats), NSA has 40% of all available industry resources and ideas, while the academics have the remaining 60%. So, while the NSA only has 40% but gets to view 100%, while academics have 60% but are stuck at 60%. If you use your position of power to use all available resources, even ones that are not yours without allowing others access to your resources, then that is cheating.

  23. Re:the NSA has motivation by DJoffe · · Score: 1

    And how has the NSA "won" exactly? You think they have secret 'backdoors' for all major encryption algorithms? And if they haven't actually "won", why hasn't there been the disaster you predict?

  24. Mandatory XKCD by Anonymous Coward · · Score: 0

    http://xkcd.com/538/

  25. How I know this is bullshit: by Hurricane78 · · Score: 2, Funny

    Original quote:

    'I do believe NSA is still ahead, but not by much -- a handful of years,' says Snow. 'I think we've got the edge still.'

    Slashdot headline:

    NSA Still Ahead In Crypto, But Not By Much

    Sorry, Snow. But someone “thinking” that something is that way, has nothing to do with what it actually is.
    There are people out there who still “think” that earth is flat, the sun revolves around it, and that there is a bearded man in the sky.

    Then again, if you follow the money/power, you realize quickly, why that empty and pointless quote gets thrown around the Internet...
    Yeees NSA... you’re still the best... mama still loves you... really! *pat-pat* ;)

    I wish that NO agency of any country is “ahead” in crypto. It’s like saying that Jack the Ripper is still ahead of the police. Not a world you want to live in.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:How I know this is bullshit: by Anonymous Coward · · Score: 0

      ...There are people out there who still “think” that ... the sun revolves around [the Earth] ...

      Ah, but the Sun does revolve around the Earth. The Sun also revolves around Mars, Jupiter, etc. And at the same time, all the planets revolve around the Sun.
      It's all relative.

      True, it is "more" logical to view the act of revolving from the Sun's point of view because of its mass and other properties (well, it being a star and all) but you can't say that it's wrong to view the Sun as revolving around the Earth.

  26. Quantum of Solace by neoshroom · · Score: 1

    [D]irector Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years.

    Until a working quantum computer is made.

    That's just what they want you to think. Secretly, they already have a quantum computer that can decrypt anything near-instantly. They call it TRANSLTR. Okay, maybe not, but it would make a great Dan Brown novel.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
  27. Shamir should know NSA did invent Public-Key first by TwineLogic · · Score: 1

    According to the journalism of John Young, famously of cryptome.org, the name NSA used for what we call "public key" cryptography is there called "non-secret cryptography", meaning that one of the keys is not secret. John Young's article can be read here: http://cryptome.org/nsa-nse/nsa-nse-01.htm

  28. Anonymous Coward by Anonymous Coward · · Score: 0

    He was not a Number... he was a Free Man!

  29. Re:Rob Malda's tranny died under mysterious circum by Anonymous Coward · · Score: 0

    So Rob Malda is secretly Eddie Murphy? Hmm, come to think of it, I've never seen the two of them in the same room at the same time.

  30. dod dy by Anonymous Coward · · Score: 0

    99754106633f94d350db34d548d6091a - That's life.

  31. passwords on postit notes under keyboards by garethharris · · Score: 0

    People spend a lot of time worrying about information security when their physical procedures are like a colander.

  32. Brian Snow is smart -- and a heck of a nice guy by Ranten_N_Raven · · Score: 1

    Had a chance to get to know Brian Snow many years ago. The guy is not only so smart it's scary, he's also a very kind man. He cares for those around him and shows that in how he relates to those of "lesser stature." Never talked down to any of us, always polite, and very creative with a thoughtful going-away gift when I left. NSA technical director? Wow! Glad to see he rose to the heights he deserved.

    --

    READ the US Constitution, the Bill of Rights and the other amendments! http://lcweb2.loc.gov/const/const.html
  33. The nation's secrets are safe... by grikdog · · Score: 1

    No badguy encryption is safe against Abby and McGee's secret decoder groups and rings, codenamed GRRR. And even if that doesn't work, we can always get Sigourney Weaver to stare at a screenful of alien gobbledygook for a few hours.

    Kidding aside, the NSA does not indulge in braggadocio without a reason. In the present instance, the motive may simply be to panic Ted and Alice into changing not just their keys, but their algorithms, hopefully forcing them to use beta (and buggy) software before its time. The attack is against weakness (i.e., pointy-haired managers) and not against techs (must...restrain...Fist...of...Death....)

    The only point of interest in this is how NSA capabilities fare versus similar shops, for example, Mossad, the Russians, the British, the French, the North Koreans, China, India, Toodai, Al Qaeda, NHK, some group you'd never dream of.

    --
    ``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
  34. Re:the NSA has motivation by r00t · · Score: 1

    It's not one battle. They win many, and you rarely hear of it. They lose many, and you hear of every case that doesn't get stopped elsewhere. (getting "stopped elsewhere" could be that the NSA loses but then Mr. Terrorist gets kneecapped by his local loanshark)

    There are plenty of bombings that succeed, every year. We quickly forget anything less dramatic than 9/11, but it's happening. Suppose that is just 1% of the ones that were planned.

  35. Re:What did you accomplish? by drissel · · Score: 1

    I once saw the resume of a man who went to work for NSA at age 18. The entire Work Experience part of the resume was like: "Mr. X has served in a variety of technical and management positions at the National Security Agency for N years."