Are the NIST Standard Elliptic Curves Back-doored?

IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is 'Standards for Efficient Cryptography'), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of PI. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values are currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."

Meta review

[pr0nbot]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Re:Meta review

[FriendlyLurker]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

Re:Meta review

[mwvdlee]

Somehow I don't think these weaknesses were introduced through any formal part of the process.

Re:Meta review

[TWiTfan]

Don't worry, James Clapper has assured us that there is nothing to see here--and that the NSA's petabytes of storage, tens of billions of dollars of CPU muscle, and 35,000 employees are just being used to spy on a few diplomats in some embassy in some country that we don't like anyway (probably one of them commie ones).

Now let's all stop worrying about such silly matters and go buy new iPhones!

Re:Meta review

[Nerdfest]

... then perhaps a formal process is required.

Re:Meta review

[Phisbut]

Now let's all stop worrying about such silly matters and go buy new iPhones!

Yes, let's go buy new iPhones which will read your fingerprints and associate them with your name...

Re:Meta review

Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

OK, calm down. Last time the community accepted NSA magic numbers, it made DES significantly stronger. I think the lesson here is never trust the NSA.

In the words of a great American philosopher, "Fool me once, shame on you. Fool me twice... um... you're not going to fool me twice!"

Re:Meta review

[Warbothong]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

I think the word "magic" is being used with two different meanings here. One meaning is "arbitrary but consistent": those numbers which must be standardised, such as the SHA seeds used to find these curves. The other meaning is "chosen for completely unknown reasons", which describes these particular seed values. The former is a requirement of most cryptographic standards, but the latter should be avoided. If we need to consistently choose an arbitrary number, let it be 1, or pi, or e. Anything else is suspicious.

Re:Meta review

So I can just replace the NSA's magic-numbers with my own generated from RdRand! *ducks*

Re:Meta review

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

That's easy to explain. Secret orders from secret courts and secret gag orders with secret threats that you will be "relocated" to a secret prison somewhere unless you comply (and keep your objections secret).

Re:Meta review

[afidel]

Suspicious yes, but not necessarily bad, remember that the NSA also manipulated the s-box values for DES to make them more resistant to differential cryptanalysis, a technique not yet known by the wider community.

Re:Meta review

[fsagx]

The modified constants supplied by the NSA did improve the design from a then unknown (outside the NSA) type of attack. It was not until years later that the reasons became clear. OTOH NSA also significantly shortened the key length....

http://en.wikipedia.org/wiki/Data_Encryption_Standard

Re:Meta review

[AHuxley]

RE it made DES significantly stronger?
Banks and businesses where to get a strong version. At some point the "industry" went for a weaker code for wider use.
Just good enough for commercial use, just weak enough for NSA/GCHQ to get in if needed.
http://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design
...'to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key"
It seems the code was helped to be more protected (ie the significantly stronger aspect ) but was not going to be used without a way back in.

Re:Meta review

[Boronx]

When I was a kid in the '80s they tried to fingerprint the whole school "for our protection". I never could figure out how that protected us, but I seemed to be the only person who was concerned about.

I honestly don't remember whether or not they got me.

Re:Meta review

[postbigbang]

Even when pi or rho or other "random" numbers are used for seeds as "magic" numbers, additional hashing and rehashing is needed to give further difficulty to decryption by those NOT having the key numbers.

With each new algorithm there is an army chomping at the bit (pardon the pun) to decrypt it, if not for fun or enlightenment, for the profit of the decrypted information value-- if any.

The problem here is trust. The NSA has blown its trust completely, beyond identifiability. Other initiatives, like SELinux, and security initiatives are now also in question, as well as anything the NSA has touched. They're dirty, and make Americans and the world not trust in their own government. We were supposed to be the good guys, we Yanks, and guess what? It was all a lie. Now the NSA has made an enemy of civil people, and civil people will need to protect themselves extra-governmentally, because the government has proven it's not protecting the interests of its citizenry.

Sorry to astroturf, but seeds are no longer the problem. The problem is trust.

Re:Meta review

[Qzukk]

how do we explain the common practice of using magic numbers in cryptography standard, then?

They came from the government, and the government is here to help.

Re:Meta review

[Bill,+Shooter+of+Bul]

Wow. You butchered a butchered phrase. Truly, the student has become a more smart man- doesn't need school.

Its " fool me once, shame on - shame on you. Fool me - you can't get fooled again."

Re:Meta review

[Electricity+Likes+Me]

At the time the performance of DES was a big problem. Processors weren't nearly as fast, the habit of having dedicated coprocessors on portable devices/network cards hadn't yet emerged. There were a lot of good reasons to get the key-size down to something which would actually be usable at the time.

Its still a concern today - AES was selected because it was easier to implement in hardware, amongst other benefits.

Re:Meta review

[AmiMoJo]

Seriously though, why don't we do this and also depreciate all suspect PRNGs immediately? Every Linux/BSD distro should be scrambling to do it.

Re:Meta review

[mrspoonsi]

Time to kick NIST out of the loop. If all indicators are right, that they work to deliberately weaken, and backdoor standards then an alternative is required. And given the secret courts, this cannot be based in the USA.

Re:Meta review

[kelemvor4]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

Explainable magic numbers.

Re:Meta review

[AmiMoJo]

Unless they chose numbers that they could break, but which other country's agencies who also independently discovered differential analysis might not.

At this point I think we have to assume anything that the NSA ever did was malicious.

Re:Meta review

[GameboyRMH]

You might have seen the story about Linus Torvalds' reaction to calls for this...and he's right. Even if RdRand were entirely predictable, since it's only one input used to seed /dev/random, it could only help.

Re:Meta review

[GameboyRMH]

AFAIK there's no indication that NIST was complicit in this...but if they are I'd agree.

Re:Meta review

[Dan+Ost]

Because the designers of the Linux random number generator code designed things such that if RdRand is compromised, it doesn't reduce the strength of the random number generated. However, if it is not compromised, then the randomness is stronger.

Why should we give up a potential benefit if there is no possible harm?

Re:Meta review

[dkf]

Unless they chose numbers that they could break, but which other country's agencies who also independently discovered differential analysis might not.

That's a very unsafe assumption. It's always wise to assume that if you know an algorithmic weakness, others can find it too (either by independent discovery or by espionage). Even having a master key that can override individual secured systems is unsafe, even though keys are not themselves generally regarded as weaknesses, as it is incredibly valuable to search for what that key is and pretty easy to verify that it is correct once found.

The NSA's principle MO seems to be derived from signals intelligence though, i.e., working out what people are talking about without actually having the text of what they are saying. Collect enough of the graph of datapoints and you can know what is going on even without the knowing all the labels attached to those points...

Re:Meta review

[daremonai]

Iran is not a semitic country, by and large. The majority of the population is ethnic Persians who speak Farsi, an Indo-European language. The second largest group is the Azerbaijanis, who speak a Turkic language. I don't think the semitic population (mostly Arab and Assyrian) amounts to more than 10%.

Re:Meta review

[TheCarp]

Hmmm good point, I had it backwards, and thought the Persians and Azerbaijani's were both Semitic, but I think you are right, its mostly the Arabs, who are a minority there.

Re:Meta review

[Carewolf]

Iranians are NOT semitic, they are Aryan, the name Iran literally means home of the Aryans. Named so because that is the one common thing that separates the various Iranian people from their semitic neighbours the Arabs.

Re:Meta review

[brillow]

it's explained because dumbasses will apparently just accept whatever NIST says without critically evaluating this at all.

I don't know anything about this field, but it baffles me how this important and widely used document is just being analysed now.

Re:Meta review

[Goaway]

We know pretty much what happened then, because it was mostly IBM doing it and keeping it secret, not the NSA. And your theory makes no sense at all, and no evidence of anything remotely similar being even possible has been found in the decades of research that has gone into DES since.

Re:Meta review

[Goaway]

Say what one will about the NSA, they do have some of the very very best people when it comes to crypto, and the budget to design, build, or purchase whatever hardware is needed to implement what those people dream up.

It wasn't even the NSA that came up with differential cryptanalysis in the first place, it was IBM, and NSA made them keep it quiet.

Re:Meta review

[stanlyb]

That's very funny assumption. Please remind me, but what was the purpose of NSA? To make their job impossible?

Re:Meta review

[stanlyb]

I don't know who your math teacher is, but please, let him know he failed, miserably.

Re:Meta review

[stanlyb]

Or maybe that's the problem, that the formal process is....actually just formal...

Re:Meta review

[catfood]

I got some weird attention from other parents when I pointed out that the only real use for fingerprints is to identify your kid if they turn up dead somewhere.

Well? On what planet does the fingerprint deter a kidnapper or molester or whatever?

Re:Meta review

[AmiMoJo]

I wasn't talking about RdRand, I meant the PRNGs used with particular protocols that the NSA was trying to weaken. Some specifications mandate a certain PRNG because it is thought to be secure, rather than relying on the underlying OS to provide something that meets cryptographic standards. In the past many operating systems have had quite poor PRNGs,

This doesn't really affect the core OS, it is the bundled software, which is why I mentioned distros. Every package that uses cryptography needs to be checked to see if it uses a potentially broken PRNG implementation.

Re:Meta review

[X.25]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Weaknesses?

It is simple. Weakness was 'trust'.

I did want to believe that NSA wouldn't be such cunts as to completely ruin the internet and open research by abusing the trust people gave them. I gave them my trust as well.

They basically destroyed the Internet as we knew it, because much of it was based on trust.

Welcome to collection of commercial networks interconnected for adveritising and content consuming purposes.

Because that's pretty much what's left of it.

Re:Meta review

[Boronx]

Do the patterns change, or are you just talking about size?

Re:Meta review

[Boronx]

Pretty much, but back then they could already do DNA tests, so I don't think they were very useful even for identifying bodies. Maybe the whole thing was just a waste of time and money.

Re:Meta review

[twotailakitsune]

Some people did that to the S-boxes in DES. They wanted to remove the "backdoor" they believed was there. It make their DES more crack-able.

Re:Meta review

[gweihir]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

I am sure the people that put them in there did. After all, sabotage of critical infrastructure is something that has to be planned carefully.

Re:Meta review

[gweihir]

People are mostly stupid. Parents are no exception and may be worse.

Re:Meta review

[Goaway]

That's how the legend goes, but as far as I've been able to tell that is not actually true.

Re:Meta review

[Darinbob]

That's why I like some of the newer standards that have varying levels of key length or strength, so that you can pick a stronger variant when you can without breaking a standard, or pick a weaker one that is manageable with your processor.

Re:Meta review

[HiThere]

At that time it was, I believe, illegal to export cryptographic tools, like ssh. (Which is why some of them were developed in Europe.)

Also, at that time the NSA was avoiding spying on US citizens.

Both of these are no longer true. So we can't presume the current NSA will act as "benevolently" as the one of that time. (OTOH, I'm not sure that some cryptographic tools aren't still considered munitions, and therefore banned for export without a permit.)

Re:Meta review

[HiThere]

I haven't yet heard a plausible explanation from anybody. This makes the argument stronger. It doesn't really matter who raised the question if it can't be answered.

Re:Meta review

[Darinbob]

True, the NSA is concerned about security of governmental communications and information (as well as spying). Part of "national security" includes security of commercial infrastructures as well. It weakens national security to knowingly allow weaker encryption standards for banking transactions as that open the back door for economic attacks. If the NSA can break it you can bet that other countries and entities can break it also.

Re:Meta review

[PureFiction]

What is concerning are the twice refuted efforts for RDRAND to bypass the Linux kernel pool mixing entirely, and the design decisions which intentionally make RDRAND an inscrutable black box and trivial for a VMM to intercept and modify. These are not accidents.

While there is no harm in using RDRAND to complement entropy on a system, by no measure should it be used as the sole source of entropy in a system.

Re:Meta review

[Flere+Imsaho]

Meh - You say potato, I say potatoe http://www.youtube.com/watch?v=Wdqbi66oNuI

Re:Meta review

[mrspoonsi]

From the NYT: On Tuesday, N.I.S.T. attributed the allegations to confusion and noted that it was required, by statute, to consult with the N.S.A.

“There has been some confusion about the standards development process and the role of different organizations in it,” the agency’s statement read. “N.I.S.T. has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (N.S.A.) participates in the N.I.S.T. cryptography process because of its recognized expertise. N.I.S.T. is also required by statute to consult with the N.S.A.”


Confusion? What good is an open consultation?, you are just betting your experts (the non-affiliated experts around the world) against the experts at the NSA (or some other secret agency).

Let us not forget by intentionally weakening encryption, the NSA has made everyone who uses computers unsafe from attack.

Re:Meta review

[GameboyRMH]

Let us not forget by intentionally weakening encryption, the NSA has made everyone who uses computers unsafe from attack.

Yep that's the one thing in these leaks that actually surprised me. They weakened their own government's security to make their job easier. They assume their enemies are dumb instead of assuming they are as smart as themselves.

If NIST works to cut all ties with the NSA I'd be willing to assume they, like me, didn't think the NSA would risk sabotaging US government security.

Re:Meta review

[Burz]

Um, no... he's right and its your teachers who neglected to teach you about logical operators and cryptology.

hmmm

[wbr1]

Didn't TOR recently upgrade to the 'more secure' elliptic curve crypto?

This shit will not end until this country is bankrupt completely, or taken over (from within or without).

Re:hmmm

[TWiTfan]

The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator. Nothing the U.S. leaders of industry can do now will ever earn back the trust of the rest of the world. No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

Re:hmmm

Yes, but they are using curve25519 which is not one of the curves recommended by NSA or NIST, and which does not have any unexplained magic numbers in its definition.

Re:hmmm

And America will threaten and bluster about trade sanctions and how this is hurting US businesses. The rest of the world will point out that's not their problem.

This is a problem of their own making -- by turning your companies into an arm of your security apparatus, they become entities nobody else can trust. It's just sad that it took so long after the Patriot Act was passed for people to realize just how badly the US had decided it was their right to undermine the security of the rest of the world.

By undermining cryptography in general, when someone comes up with the next iteration, hopefully they'll make it in such a way that government agencies don't have ready access to. And hopefully they'll basically tell the government they're not interested in their input on the matter.

At this point, why any foreign government would trust Microsoft any more than something out of Iran I have no idea -- because as much as America likes to keep saying they're the good guys, nobody else can trust them.

You can own that, and when companies start cancelling deals with American companies, don't act like you're surprised or feel it's unfair to you.

It's sad, because the US was the only country in the world for a lot of years defending rights and freedoms -- but have more or less turned the corner and gone the other direction.

Now they've basically reverted to their 'manifest destiny' idiocy and a sense of entitlement about everything.

Re: hmmm

[sumdumass]

You will find that the majority of decision makers around the world, whether in buisiness or government, will not care as much about this in the long run as you do.

In other words, what you say should be true in book form but will not be true in practice. Many people/governments will not even bother looking to see who is behind what, they will be looking to see if it is an industry accepted standard and our personal concerns will rarely change those. If it could, we wouldn't see wireless at half these businesses.

Re:hmmm

Yes, but they also use ECDHE TLS p224 to negotiate TLS secret keys. Isn't that recommended by NIST?

I'm not an expert, I'm just asking.

Re:hmmm

[EmperorOfCanada]

Will take time. I suspect that companies like Cisco will sigh a breath of relief over the next few months when sales don't plummet. What they won't realizes is that the biggest companies that have no doubt issued directives for an end to end anti-US snooping overhaul will take a while to figure out what needs to be replaced and which products are best. So while these audits and re-architectings take place these companies will continue with business as usual. And even when the plan is deployed I doubt 100,000 employee companies will just toss all their stuff out on Friday to have it all replaced on Monday. They will start with the most critical bits and work their way down the information value chain. So at this point the Cisco type companies will see a slight drop in sales but even still the companies will continue with maintenance contracts to keep their gear going.

But at a certain point you will have an interesting problem. That is that these companies will begin to dump their Cisco gear onto the open market. So along with a sudden drop in sales to key customers you will have a glut of un-trusted gear flood the market.

I use Cisco as an example but you can sub in any American (or American stooge country) networking gear company.

I also expect to see a flourishing of cryptography in various foreign math departments around the world. If I were a Siemens I would be giving fairly large grants to German/Swedish/Norwegian etc math departments to do two things, check for backdoors and to come up with crypto systems that are quite unlike anything that the NSA has recommended.

But switching crypto systems is not as easy as just coming up with something that a bunch of math wizards think is solid. Things like AES crypto is baked right into many modern chip sets at the assembly instruction level. This is why AES based crypto is fantastically fast. So if your new system is different enough yet theoretically computationally equivalent to AES then it will be significantly slower on most chips.

One of the interesting changes that will probably come from this is that people won't trust anything. Thus they will run in 100 different directions. This will be a nightmare for the NSA because even if they can brake every crypto system that comes along they will have to spend the time to break them all.

But there is one system that can't be broken and that is one time pads. You have to physically share the pad but that is not so onerous for most companies as they have trusted employees going from branch to branch all the time. If the border people grab a copy of the OTP then you just toss it in the garbage. Plus one time pads can be layered. So you don't need to trust just one person taking one route.

Re:hmmm

The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator.

And because having worked for NSA or NSA-linked contractors is seen as a black mark on one's academic career, NSA has also jeopardized its own ability to recruit the next generation of cryptographers.

There's give and take between the SIGINT and COMSEC missions, and nobody here (or within the IC) is privy to all the information. I fear that by the time it's all declassified in 25 years and can be analyzed in context, the decisions made over the past 12 years will have proven to be gross strategic errors that did far more harm than any harm they prevented.

Re: hmmm

[Boronx]

Their level of concern is proportional to how close their competitors are to the NSA.

Re:hmmm

[gstoddart]

But there is one system that can't be broken and that is one time pads. You have to physically share the pad but that is not so onerous for most companies as they have trusted employees going from branch to branch all the time.

I just don't see that as being as useful here. Or at least, not solving the general problem in a usable way.

Take a multi-national with say, 20 offices, which seems small ... don't you need a OTP for each pair of offices? That's going to turn into a rather large number of OTPs, plus the fun of trying to manage them all. And that assumes that each office only ever needs one set of crypto keys and doesn't have multiple different encrypted streams (routine stuff, secure stuff, really secure stuff for instance).

And assuming you are trying to run a VPN, you'd need an absolutely enormous OTP to handle all of the traffic you'd generate on a daily basis.

I can see a OTP being useful for stuff which has to be super secure, but I just don't see it being able to keep up with the sheer volume of data companies need to encrypt on a daily basis -- it seems like it would be an almost impossible task.

Of course, what I know about crypto probably fits on a single sheet of paper and comes from a single course 15+ years ago and what I've read in Tom Clancy novels -- so it's possible many of these are solved problems.

Re:hmmm

[intermodal]

One of my biggest fears is that you are correct.

Re:hmmm

[AHuxley]

Others govs may love of all this as many have been invited into the basic telco/phone tracking and deep packet efforts by contractors.
They can tap/log/track and are just as addicted to the daily file updates on all dissidents.
The US has not much to fear as the AC mentioned trade sanctions and US bilateral trade deals would have telco cooperation in the fine print.
If a US brand loses a contract due to "security questions" expect to see a reminder of what trade is in the local press and a powerful court/trade challenge.
Nation by nation the US hope to rebuild its image and branding via new products and soft loans.
Over time sockpuppets, trade deals and charm will solve all?

Re: hmmm

[Lumpy]

Or if the NSA back doors get compromised and are in the wild. Suddenly the Idiot CTO's will take notice.

Re:hmmm

[skids]

OTP is a bit of overkill, using a shared secret to generate intermediate keys buys you a lot of lifetime off a small amount of crypto material.

Re:hmmm

[gstoddart]

Except, in this case we're talking about how the algorithms themselves might be compromised.

At which point, is your key exchange and encryption all that secure?

From the sounds of it, if you can't trust the underlying crypto, you can't trust what you do with it.

Re:hmmm

[dbIII]

Cisco are quite evil without the help of unaccountable spooks, as seen when they had a Canadian man dragged out of a running court session by armed guards over some sort of copyright disagreement. They have zero respect for the law apart for what they can use as a blunt instrument.
Their hardware isn't at the leading edge any more either.

Re:hmmm

[mlts]

You could use a hub-and-spoke topology, assuming the hub can be trusted (it falls into the all eggs in one basket issue.) That way, each office only needs one OTP to worry about, and the hub needs one OTP for each office.

It isn't perfect, but it sure beats needing (n-1)! one time pads for each office, n being the number of offices.

There is also using the OTP as part of a Diffie-Hellman key exchange to protect the session key. This way, very little pad gets used and the remainder of the transaction can be done with conventional symmetric encryption using chained [1] ciphers. Of course, very secure info can always be transferred via OTP, but a lot of data can be moved across with conventional encryption and be secure enough.

[1]: One uses multiple cyphers not for more bits on a key, but as a way to ensure that if AES fails, Serpent will still protect the data, and if both fail, there is always Twofish.

Re:hmmm

[tburkhol]

And assuming you are trying to run a VPN, you'd need an absolutely enormous OTP to handle all of the traffic you'd generate on a daily basis.

Like a terabyte HD filled with /dev/rand. OTP is obviously not a good solution for routine encryption, but is a reasonable option for even fairly large amounts of sensitive data. Even video conferencing. Although frankly, if your pad is a couple of terabytes, you can probably reuse it safely, at least once or twice. It does require a shift of paradigm - many of us have gotten used to the notion that nearly-unbreakable encryption is "easy." Wrap your data in a 2048-bit symmetric-key algorithm, and bing-bang-bop, you're safe. The revelation that this might not be true will encourage people to return to tiered protocols, presumably concentrating "real" secrets into a narrower-bandwidth, more identifiable, but also more secure channel. If being one packet among trillions no longer provides any meaningful sense of anonymity, then you might as well put all your secret data in a big red box and protect that box very well.

Re:hmmm

[AHuxley]

The UK and US faced down an emerging French/German/Swedish/Norwegian ie EU zone crypto machine exports in the 1960's.
Go cheap (fronts/contacts with in firms) and set an international standard with the govs.
Something new will have to be used to bring the EU private sector back this time.

Re:hmmm

[AHuxley]

Other countries buy into crypto and telco products... imported... any standards they set are domestic.
Option one is to air gap, option two is to replace.

Re:hmmm

[jasax]

If I were a Swiss, I would start a "safe databank service" company right now. The slogan would be:
"We kept your money safe (and secret) for hundreds of years; we invented the cuckoo clock; we'll keep your secret data safe for the next thousands of years!!!"
Big business here :-) Kickstart the thing!

Re:hmmm

[joe_frisch]

I think that American users have more to fear from US government spying than foreign users do. Frankly I don't care if the Chinese government has access to all of my personal data - they have very little ability to or interest in interfering with my life. The US government on the other hand is much more likely to act against me in response to my (hypothetical) online mis-behavior. In the same way Chinese citizens have little to fear from the US government but a lot to fear from their own.

The very important exception to this is when you are dealing with industry trade secrets it is quite possible that foreign governments with links to industry represent a larger threat than your own. Of course while the NSA as an organization almost certainly does not sell trade secrets that they have obtained, it is possible that individuals working for the NSA might do so. Snowdon stole a bunch of information and turned it public, another man in the same situation might well have sold it.

Re:hmmm

[LagFlag]

I think your math is incorrect. If you wish each pair of offices to have a direct line between themselves, and every line to be secured by a pair of one-time pads, you would need n*(n-1)/2 pairs of one-time pads.

Re:hmmm

[mlts]

I stand corrected. That is the right function for calculating the number of node connections. Ten nodes maintaining 45 different OTPs isn't as bad as 3,628,800 (10!) OTPs, but it still is a lot to manage, and grows out of control the more offices added.

Re:hmmm

[stanlyb]

Other govs .N.E. other business entities.
You do know what the difference is, right?

Re: hmmm

[stanlyb]

Believe me, most of the other govs are "managed" by the local mafia. And usually, the mafia does not wanna to be exposed, especially if they have something to hide...

Re:hmmm

[HornWumpus]

The Swiss recently sold all the numbered account holders that didn't open their accounts prior to 1950 down the river.

The old money families (Kennedys, DuPonts etc) got to keep their secret accounts secret. Everybody else got fucked.

Re:hmmm

[stanlyb]

VPN over SSL. Custom algorithm. Yes, it is slower, but it is unusual. And not compromised. Yet.

Re:hmmm

[stanlyb]

Just like Nortel. And where is Nortel now?

Re:hmmm

[c0lo]

The U.S. just permanently lost any position as a leading internet innovator.

Unfortunatelly, no: it's still a leader in innovation... just not a leader in ethical application/development of that innovation.
Don't get me wrong, I'm not decrying the innovation leadership position of US, it is the ethical positition US chose that I see unfortunate.

Re:hmmm

[chill]

Those who don't know history are doomed to repeat it.

http://en.wikipedia.org/wiki/Crypto_AG

Re:hmmm

[EmperorOfCanada]

Yes and no. A carry-on suitcase with 20 3 TB Hard drives ought to do many companies' communications needs. If you are doing more then you will just need more couriers. But you never ever reuse a OTP; if you reuse a OTP it goes from the single best encryption scheme to one of the worst. I took a course where the professor gave us a few strings of OTP encrypted data and it was no problem to crack the encryption. Also I am not some kind of uber crypto mathematician. -

Re:hmmm

[EmperorOfCanada]

Yes the layered xoring approach would be best. But I don't know if you can get error correction at all with a OTP. Ideally there is no math in a OTP just pure randomness and xor.

Re:hmmm

[jasax]

I didn't say the Swiss system was nice. It isn't. See also what happened a few years ago with the pre-WWII Jew's accounts. However, if you leave an account holder untouched for >63 yrs it is arguable that the contents are archaeology... Perhaps today nobody knows that the holder exists anymore (original owners passed?).
Nevertheless, it is true that Switzerland is a stable country since many centuries, and also is the most prestigious "safe" of the world. A few years ago it was also the country which topped the "implicit spying" on citizens activity (huge number of cameras, dissemination of cards and automatic tolls, ATMs,... all this recorded) but given the recent info arising from the Snowden's docs, and the number of cameras in London, perhaps it is not anymore :-)
Despite (or because) all this, I think that Swiss could easy capitalize on this situation: just a few M&M (Money and Marketing) is needed...

Re:hmmm

[jasax]

Didn't know this fact. But it seems that not many people stopped sending their money faithfully to Switzerland after this case.
In the end it all reduces to the present "image" each country displays regarding keeping data secret: AFAIK Swiss' weren't touched by Snowden's docs, but on the other hand it seems that US agencies have easy access to any data kept in US companies... And perception of "image" is everything and this perception changes with time and marketing :-)

Re:hmmm

[chill]

"Image" is for fools. If you're serious about keeping it safe -- rather than just using Switzerland as a marketing slogan -- do some research about the location of where you want to set up shop.

The Crypto AG thing was just one tidbit on Switzerland. Are you aware they have a data retention ordinance? The "Federal Act on Surveillance of Postal and Telecommunications Traffic" is the name. Be prepared to keep logs of everything in and out for at least 6 months.

And, yes, fewer people are sending money to Switzerland.

Re:hmmm

[HornWumpus]

They weren't untouched for 63 years. No doubt they are now held by one of the grandchildren (or a family trust) of the original tax dodger.

Backing up a step for clarity. I'm all for tax evasion. I just think it's fucked that the Swiss screwed over those who might have actually earned their own money.

Re:hmmm

[Burz]

A reasonable assessment except for one detail:

So if your new system is different enough yet theoretically computationally equivalent to AES then it will be significantly slower on most chips.

"Most chips" are closed designs and cannot be audited except in a very superficial manner. Many of them are also designed in the US or US-toady countries.

Now, how fast are those open source CPUs?

It seems like the best bet in the near-term, besides switching to some of the more secure open source software, is to have plenty of heterogenaety in our systems including low-level network monitoring.

Why is EC more secure than RSA?

[pikine]

Color me ignorant, but could someone please explain that elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to 3072-bit RSA key. Even if it's computation complexity brute forcing discrete log or integer factorization on a non-deterministic turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA.

Re:Why is EC more secure than RSA?

[foma84]

Increasing EC key-lenght yelds cyphertext that is more difficult to crack with respect to increasing RSA key-lenght. I don't remeber the numers or proportions, tho, so i'll just use a loose example (don't follow the numbers here strictly):
Doubling the RSA key-lenght will give you a cypher that's polynamialy more difficult to crack, while doubling EC key-lenght will give you a cypher that's exponentially more difficult.

Or something like that.

Re:Why is EC more secure than RSA?

The number field sieve relies on the smoothness of the integers modulo n. Using an elliptic curve group rather than the integers modulo n removes this smoothness, so the fastest algorithms available to determine the discrete logarithms are much slower (I believe they're based on Pollard's rho algorithm).

If that made no sense to you, go brush up on your number theory.

If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)

Re:Why is EC more secure than RSA?

Because the problem being solved is different and therefore the algorithms used for attacks are different. The best known algorithms for factoring numbers are a lot faster than the best known algorithms for solving the problem that elliptic curve cryptography is based on. These best algorithms aren't just using brute force, by the way - they are not trying out all possibilities.

Re:Why is EC more secure than RSA?

[gnasher719]

A 1024 bit RSA key can trivially be cracked in 2^512 operations. An algorithm that uses 2^341 operations (cube root) and involves no more than high school maths was found about 1975. Then we need to go into deep maths, but there are algorithms that are significantly faster, and there is no good reason to think that more progress couldn't be made. 128 vs 3072 is a bit much, but factoring 1024 bit numbers in 2^128 operations doesn't seem impossible.

Re:Why is EC more secure than RSA?

Public key cryptography is based on mathematical operations which are easy to do but difficult to do in reverse. For example, it is easy to multiply two big prime numbers, but it is difficult to factorize the product. There are multiple such easy-difficult pairs. Currently none of the supposedly difficult problems has been proven to be difficult. It is just assumed that they are difficult because nobody has found an easy way, but people are working on making the difficult problem easier to solve, and advances in that regard weaken the associated cryptographic systems. Significant advances have been made in solving the difficult problem at the heart of RSA (but it's not publicly broken yet.) That's the reason for the recommendation to switch to a different easy-difficult pair for public key cryptography. The different key sizes are the result of the kinds of numbers which form the public and private keys in these different algorithms.

Re:Why is EC more secure than RSA?

The bit size of the key and the bit measure of the security provided by the key are not the same thing. For symmetric cryptos like AES or Blowfish they are often somewhat similar (if there weren't any known cryptanalytic attacks they would be exactly similar), but that's because keys for symmetric cryptos can be chosen as random numbers. They don't have to have any additional structure at all. Public key cryptos are more complicated; they need to have a trapdoor function that makes it possible to encrypt data (but not decrypt) and verify signatures (but not create them) without knowing the private key. This means that the keys must have more structure in order to work with this trapdoor function (a pair of primes in the case of RSA, a point on an elliptic curve in the case of ECC), and more structure means less entropy which means that you need a larger key to get the same amount of security. Public key cryptos differ in how much larger the keys need to be in order to provide the same level of security as a symmetric crypto, and RSA is considerably worse than ECC in this regard. And as an added bonus, RSA operations are also slower to compute than ECC operations at similar levels of security. There are cryptos that are even worse, for example many of the candidates for post-quantum public key crypto need to have keys that are many megabytes large in order to provide the same level of security as, say, a 2048 bit RSA key.

TL;DR: ECC keys are smaller and faster than RSA keys of similar security because of the different structures they are required to have. That doesn't mean that ECC is intrinsically more secure, you can just increase the key size of RSA. But it is more secure for the same amount bandwidth and CPU time, and as we need more and more security to withstand brute force attacks, RSA keys, and in particular the amount of computation required to do RSA operations, becomes unreasonably large.

Re:Why is EC more secure than RSA?

The discrete log problem on an elliptic curve is believed to be more computationally intensive than the discrete log problem in a ring of integers. For example, see http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf and http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F220DD223483B78B72C9CE243A62ADD7?doi=10.1.1.39.4125&rep=rep1&type=pdf

Re:Why is EC more secure than RSA?

[lordlod]

The elliptic-curve algorithm is much slower for future quantum based attacks. So it's future-proofing, which is required if you want your secrets to stay secret.

You could get similar results by adopting a 15000 bit RSA key... but that's getting rather large.

A paper with some classical and quantum time estimates, Elliptic-Curve vs RSA: http://arxiv.org/pdf/quant-ph/0301141v2.pdf

Re:Why is EC more secure than RSA?

Wikipedia even claims that

You do realize that the NSA is just as capable of editing Wikipedia as anybody else, right?

Wikipedia is best described as being a collection of "Cliff's Notes". Its goal is not to provide TRUTH, or even FACTS, but rather a summary of what the current general consensus is regards what the facts actually are.
It's NOT a place to go to discover truth- at best it's a place to start. Scroll down to the bottom read through the citations, and see if any of them contain credible evidence for what is in the Wiki. Read the Talk pages. Compare. You will be surprised how many articles contain information presented as "fact" with very little evidence to actually back up the claims.

Re:Why is EC more secure than RSA?

[complete+loony]

An RSA private key is two prime numbers, the public key is the product of those primes. You only have to find the smaller of the two secret primes, so a full brute force search only has to consider numbers that are prime and less than the square root of the public key size. And I believe there are a number of other shortcuts that can be used to reduce the search. Whereas for EC keys (AFAIK) practically all of the key space of 128-bit integers are valid private keys.

Re:Why is EC more secure than RSA?

[mlts]

I don't know about ECC, but with RSA, big-O is n^3 for signing and encryption.

That means that if I have a 2048 bit key, doing signatures and encryptions take eight times as long as if I had a 1024 bit key. An 8192 bit key takes 512 times as long as a 1024 bit key.

RSA has been secure so far, but adding keylength is making it burn up a lot of space and CPU cycles (a 16384 bit key takes up a lot of space, especially on a keyserver.) Having another protocol that is as secure but uses a 256 to 384 bit keylength and perhaps a doubling or quadrupling of time when a keysize doubles will help things out immensely.

Re:Why is EC more secure than RSA?

[delt0r]

One class of weak curves means you can map the DL problem over curve onto Z_p and use the powerful methods we have for that case. That is the strength comes from the fact that we do not know how to apply the current methods over a elliptic curve. Note that we do not have a general proof that there are trap door functions at all. It may in fact be easy to do DL problems generally and factorize easily. No one really believes this to be the case however.

Re:Why is EC more secure than RSA?

[cryptizard]

That... doesn't sound right. Using fast exponentiation, you have to do a number of multiplications on the order of the number of bits. That's one n. Each multiplication costs n log(n) with an FFT multiplier. So it is n^2 log(n) which is much closer to n^2 than n^3.

Re:Why is EC more secure than RSA?

[Splab]

Do you even begin to comprehend how big a number 2^128 is?

If you are capable of doing 2^32 operations per second, you are still looking at 2^96 seconds, double the computer power and you are looking at 2^95 seconds, double that again and you are at 2^94, so if you are using a cluster with 2^20 computers (about a million), you are still looking at 2^76 seconds, which is some 2,3*10^15 years (again give or take, we are talking geological time frames here). As long as you are only doubling stuff, it doesn't matter if your are looking for a solution in 2^128.

Re:Why is EC more secure than RSA?

It is because the math behind the 2 is very different. By using more bits in the RSA key, the numbers just get bigger. You have more numbers you have to test and that is easy to spread across many machines to break. It's like knowing that a car in the parking lot is yours and checking them all for the right VIN. If you have help, it goes faster. The number of cars is number of bits in this example.

ECC is different because part of the calculation is jumping from one point on a curve to another point on a curve many times mathematically. The larger key size means that there were many sequential hops. Its like having a list of directions that say start from car one, take the first number in the plate and move over that many cars. Repeat this process a set number of times. You don't have a VIN, just a number of steps. Those steps are the number of bits. This is more secure now because we don't know of a way to shortcut the algorithm (Yet) if the curve is strong.

If you could math mathematically bend the curve into a straight line, the calculations become trivial. There are many known weak curves and the issue is the list of strong curves we use was given to us by the NSA. This is a good and a bad thing. The good news is that they have improved the security of encryption before and we expected that this was the case here. I'm thinking about the S-Box calculation in DES where they insisted on changes to the constant numbers. It was later discovered some time later that DES had a weakness but the S-Box values that the NSA provided negated that weakness. I'll leave the bad news up to the reader.

These issues with the NSA are bad on so many levels. If we just assume they know encryption better then we do, we should feel safe letting them revise standards to increase security. Other countries that are paranoid about the NSA would opt to use something else that has vulnerabilities that they don't know about. That would make it easier for the NSA to break their encryption. But now we find out that we can't trust them either and we are concerned they created exploitable standards intentionally. We don't feel safe with them making us more secure.

Re:Why is EC more secure than RSA?

[rubycodez]

false, key size alone does not determine degree of security. I could make a "key" for the alphabet that is XOR'd...how secure is that? not at all.

computational difficulty of solving determines security.

Re:Why is EC more secure than RSA?

[muecksteiner]

Heh - I even remember the elliptic crypto being introduced on NeXTStep. Talk about being a bit old. :-)

In retrospect, it might be interesting to try and find out why it was taken out again, later. And if the NSA (or some other spook outfit) had anything to do with it.

Apple, the successor to NeXT, has seemingly always been a very anti-crypto company. See the difficulties people had and have integrating GPG into Mail.app. It works, but it is far from being as seamless as it could be. I already wondered about this many years ago - the obstinate indifference of Apple towards end user crypto always looked a bit like it had been a stance adopted at the suggestion of some other party. I mean, Apple was always not particularly customer friendly, just like NeXT before it (the character of the founder showing, basically). But the way they never even for a second seemed to consider leaving decent crypto hooks in their systems was (and is) a low, even by their standards.

Re:Why is EC more secure than RSA?

[sjames]

Note that the required key length doesn't necessarily correspond with overall security as long as you do use the appropriate key lengths.

What really matters is which problem is most likely to be cracked mathematically. Which one is least subject to weak magic numbers, etc.

Known mathematical inroads have been made on RSA, but were then compensated through larger key lengths and better selection of primes. OTOH, elliptic curve has those troublesome magic numbers.

Re:Why is EC more secure than RSA?

[gweihir]

You do not understand the problem. ECC is just a different "number system". You an do RSA in ECC. The claim is for the same algorithms done over natural numbers or over EC "numbers". The primary advantage of ECC is not higher security, but shorter keys. The primary disadvantage is that ECC is not as well understood as crypto over "normal" numbers, and hence there may be a lot more surprises ahead or the NSA may know some tricks that the rest of the world does not. They are by far the largest employer of mathematicians, after all.

Staying away from ECC would be good advice at this time, just do conventional asymmetric crypto with larger keys.

Re:Why is EC more secure than RSA?

[mlts]

I am pretty sure that NeXT took it out because crypto was classified as a munition back then under ITAR, so it was yanked out in a subsequent version. Instead, it had this pseudo public key applet where one could type a password, and the public key was something generated from the password, so when you wanted to sign or decode something, the password was the private key.

I think it was the NSA or someone who goaded Apple into having decent security put in, from the improvements in how passwords were stored in OS X (first hashed, now salted and hashed with multiple rounds), to having decent full disk encryption.

I don't think any large company wants to be particularly crypto-friendly unless they are selling to a niche enterprise market. There is always a fear that one of the Four Horsemen of the Infocalypse would use their product and the police/LEOs will be saying to the press that if it were not for foobar's product, these criminals would have been caught and lives of children not lost, or why is their security product so good that only "terrorists" would use it.

I do agree about trying to get gpg [1] on a Mac. One either is forced to trust the mac port, or have to fetch a ton of libraries and build the prereqs to compile a usable gpg binary. Of course, one can use the commercial product from Symantec, Symantec Encryption Desktop Professional, but the price of that is pretty steep (think around $258.25.)

iOS is even worse. Good luck deleting root certificates from the device that you don't want. You trust what Apple says you need to trust, or go find another device to use. PGP/gpg apps are available for iOS, but the quality of the apps is "meh" at best, especially if you want to encrypt files before throwing them on an archive server, or use more advanced OpenPGP functionality like storing multiple files in one packet.

Most companies seem to have gone the "BYOC" (bring your own crypto) route other than Linux distributions and BSD variants. Yes, one -can- grab a binary, but how can you trust it, unless you download the binary to a trusted system with an existing copy and validate it there.

[1] PGP [2] is a very mundane, boring tool. However, it has stood the test of time, being standalone and not dependent on an OS, a CA system, a licensing model, or other factors. It has become so boring that it has been largely ignored except as a signing tool for OS distributions. It would be nice to see PGP keysigning parties again, or other ways to build one's personal web of trust.

[1]: I'm stating PGP as a superset of NetPGP, PGP, and gpg -- a utility that groks OpenPGP files, basically.

Re:Why is EC more secure than RSA?

[HiThere]

How does this relate to quantum computers?

I've recently read that the NSA is getting a "large" quantum computer. (I think they were having it special built.) I "know" that quantum computers are supposed to dramatically improve the speed of prime factorization, but do they solve Elliptic Curves faster?

Re:Why is EC more secure than RSA?

God does not love nor trust us enough to allow quantum computers to ever work.

God does not exist.

Re:Why is EC more secure than RSA?

[evilviper]

you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography

Just because you are incapable or unwilling to give an approachable explanation to an amateur, does NOT mean it is difficult or impossible for someone to do so.

Re:Why is EC more secure than RSA?

[pikine]

It makes perfect sense in the context of this article. In general no algorithm faster than Pollard's rho algorithm is known, but if you choose bad constants for EC, then NSA might have already found a way to heuristically crack it quickly. In practice, people might be using a key size that is way too small and way too easy for NSA to crack.

If that made no sense to you, go brush up on your number theory. If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)

Seriously, you can brush up on your manners. Stop being anonymous and start being responsible for your statements.

Re:Why is EC more secure than RSA?

[muecksteiner]

Now that you mention it, I seem to recall something about the crypto in NeXTStep being classified as a munition back then as well. That was before the "PGP printed on a t-shirt" campaigns had their effect.

And the rest of what you write is depressingly correct.

As others have already written in this thread, the upshot of the Snowden revelations of the past few weeks/months is that any trust that anyone worldwide might have had in computing products from the U.S. is gone forever. This whole incident will likely have done more to bring about the reduction of the U.S. computer industry from "dominant player" to merely "one of the players" than anything else.

Re:Why is EC more secure than RSA?

[Festeron]

I don't think your keyboard is connected correctly.

Honestly, it's hard to take you seriously - even if what you say is correct and pertinent - when you consistently misspell simple words. It's "lengTH", which ends in a "TH" sound as in "THis" or "THat", not an "HT" sound as in "unenligHTened". Not to mention "yields", "remember", "numbers", "though", and "polynomially" [although I just did].

Sheesh.

Re:Why is EC more secure than RSA?

[david_thornley]

I beg your pardon, but 10^15 years is not a geological time frame.

The Universe started about 1.4*10^10 years ago, and in another 10^10 years the Sun will be completely burnt out and the U-238 on the planet will have undergone two half-lives. In another 10^11 years, barring any messing with it, we'll have well under a millionth of the U-238 we have now. Figure 10^12 and it's effectively gone.

Since geological process require energy, 10^15 years goes from the start of the Universe to a steady geological state (assuming the planet is still there) in one tick.

Really, 10^15 years isn't any sort of useful time frame.

Re:Why is EC more secure than RSA?

[Splab]

Heh,point taken, numbers that big are pretty hard to compare to anything.

Was just trying to point out that doing any form of searching in 2^128 combinations is rather impractical :D

Re:Why is EC more secure than RSA?

[rubycodez]

You are the one with the fallacy. there are crypto systems where increasing key size does nothing to increase security, and even those where ease of breaking *increases* with key size, more bits in the key gives more information about the plaintext. you can't make a blanket statement about key size, only about key size in a particular tecnique of encryption, which again may have security increase, decrease, or stay the same depending on the particular technique

Not shown to be good

Why are people even asking if it's been backdoored? It's already established that no one can explain the constants. It hasn't been shown to not be backdoored. That's enough to prove beyond the shadow of a doubt that it's wrong. Arguing about whether the standard is compromised by mere incompetence or malice, isn't worth spending time on.

If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

Re:Not shown to be good

[somersault]

It hasn't been shown to not be backdoored

You can't really prove that something doesn't have a back door without putting in enough resources to find all the back doors there could possibly be.. so that doesn't make much sense either.

Re:Not shown to be good

[Chacharoo]

I wish the parent were modded up. It's the loss of trust that's the bottom line. The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.

Re:Not shown to be good

If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

No. While I get your point, this is simply wrong. Absence of proof is not proof of absence. However, absence of proof does result in absence of trust, which is pretty damn important when it comes to cryptography.

Re:Not shown to be good

[0123456]

You can't really prove that something doesn't have a back door without putting in enough resources to find all the back doors there could possibly be.. so that doesn't make much sense either.

But, as pointed out, you can ensure your constants come from a well-defined source, not just random numbers picked out of nowhere. It's far less likely that the first 64 digits of pi would create a back door than some number the NSA gave you.

Re:Not shown to be good

[Entropius]

If you find out that the locksmith who installed your locks is working for the mob, changing your locks is probably a pretty good idea. Do you know that he's given them a copy of the master key? No, but a locksmith getting paid by the mob usually means only one thing...

Re:Not shown to be good

[gweihir]

I agree. Even if it is not backdoored, it may have been a test-balloon to see whether they could get away with unexplained constants. If that works (looks more and more unlikely now), the next version could have been backdoored. Therefore the attack may not be on the algorithm (this time), but on the process. Even worse.

How come that I cannot see any fundamental difference between the attacks on critical infrastructure by the NSA and those that terrorists would like to do? (Except that what the NSA does is worse...)

Re:Not shown to be good

[evilviper]

The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.

The story was almost the same with NSA and the original DES, and yet we found later that the special magic numbers were in-fact PROTECTING the crypto alg from as-yet unknown cryptanalysis methods. Though I still fault them for not using a 64-bit key from the start.

Reference?

[LWATCDR]

" Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation,"
What confirmation? Really I fear slashdot has become pure click bait.

Re:Reference?

[IamTheRealMike]

Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this:

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

Re:Reference?

[afidel]

Bruce Schneier talked about DRBG being a probable backdoor back in 2007.

Re:Reference?

[Electricity+Likes+Me]

The problem I have with this article is that it also doesn't say what "appears to confirm" actually means.

The two quotes would apply as much to the agency pushing a standard through a difficults standards body as it would to hiding a weakness in a standard while doing the same.

Where do these quotes appear? Where is the surrounding context? If you can say the NSA weakened an encryption standard then why can't you give more context since that's almost certainly not a problem people are going to imminently die over.

Color me intensely skeptical when the NYT has everything to gain from being sensational.

Re:Reference?

[IamTheRealMike]

I just found this new blog post from the NYT which gives a very small amount of additional context. It also explicitly names the NSA RNG as what they were talking about.

http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/

But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.

Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”

At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”

The Guardian, ProPublica, the NYT and Schneier all appear confident enough in what they've read to state assertively that it's a hacked standard. Also, why else would the NSA care so much about pushing a crap and slow RNG that we know can have a backdoor into international standards?

Re:Reference?

[LateArthurDent]

The Guardian, ProPublica, the NYT and Schneier all appear confident enough in what they've read to state assertively that it's a hacked standard. Also, why else would the NSA care so much about pushing a crap and slow RNG that we know can have a backdoor into international standards?

Well, as someone pointed out before, the last time everyone went paranoid on the whole, "the NSA is purposefully weakening encryption" is when they provided S-boxes values for DES before anyone else knew about differential cryptanalysis. Turns out they were actually strengthening the algorithm. It's possible they're doing the same thing again. After all, if they're deliberately adding weaknesses, they risk foreign entities discovering those weaknesses and intercepting traffic from american companies, which I doubt is something they want.

Now, since 9/11 our government has gone batshit insane and has made incredibly poor decisions that violate our rights and offer no additional safety. So I'm not saying they haven't added those backdoors. I'm saying the wording in the memo doesn't really confirm they have. It's still possible they want to influence international standards to increase security, not insert weaknesses.

Re:Reference?

[thoromyr]

there's a problem with your interpretation: it isn't (necessarily) where the magic numbers came from, but that some non-NSA researchers into ECC discovered that you could select a "key" A and from it derive a "key" B whereby anything that utilized B would be crackable with knowledge of A. The issue is that the magic numbers provided by the NSA could be a B where they hold an A.

This is a lot different than simply not knowing why particular numbers were picked. With present public knowledge it isn't the particular numbers as such, but rather that *any* numbers were proposed. Particularly when this feature was not publicly known. Particularly when the NSA has been pushing ECC as "the next thing".

At one time it might have seemed a stretch, especially in light of DES (though that was likely just a PR job*), but given current information anything the NSA pushes requires an explanation involving solid, mathemetical and cryptographically sound reasoning.

* there was suspicion about DES when introduced, particularly that the NSA provided unexplained S numbers. The NSA worked to keep the key length of DES /small/ which leads to a suspicion that they may have felt confident they alone had the capability to brute force it, but wanted it free of a weakness from a (at the time) non-public attack that might have made it vulnerable to competing agencies.

Re:Reference?

[Electricity+Likes+Me]

My problem is present public knowledge - from people claiming to have seen the evidence - is incredibly sketchy. Its worded weirdly and omits important details. I mean why are we getting stuff about a memo and standards selection process if the evidence is supposed to be "the NSA definitely backdoored Duel EC DRBG". Presumably this means there's text, written on one of these documents somewhere, which describes this as being exactly what they did. Why can this not be published?

The Guardian was very confident it had dynamite when all it had were powerpoint slides - they've walked back the articles on their website a lot since the initial publication.

Replaced security with obscurity

The essence of what the NSA did, was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know its there. Classic 'security via obscurity' that is the opposite of crypto.

Now everyone knows they're there, we need to replace them damn fast. Waiting for the backdoor to be verified is too late, by then bad actors (I mean ones other than General Alexander) could already have found it.

Replacing these takes time, and so the assumption should be they are vulnerable, because the NSA leaks show the NSA knows they are vulnerable, even if we don't quite know the micro detail of how, yet.

Re:Replaced security with obscurity

[UnknowingFool]

From the post from Schneider from 2007, the approach is secure except for the constants used which may have a secret weakness. In the NIST standard, there is an option to use different constants. Rather than replace it all, just use different constants.

Re:Replaced security with obscurity

[gnasher719]

The essence of what the NSA did, was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know its there. Classic 'security via obscurity' that is the opposite of crypto.

That seems to me like a mischaracterisation of the problem.

Right now, nobody outside the NSA knows whether creating a backdoor through cleverly chosen constants is possible or not. Possibly, nobody inside the NSA knows either. If someone can figure out a way how such a backdoor can be created (which nobody has done yet, and which might not be possible), then we still don't know whether this actually happened or not. The NSA could find such a method today, and they would say "damn, we missed a great opportunity because we didn't know this ten years ago". If a way to create a backdoor is found in twenty years time, then we might assume that the NSA wasn't clever enough to find it thirty years earlier.

We owe our thanks to Mr. Snowden

[Taco+Cowboy]

... A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable

This, and many other expose, can only come to light, because of the courage of a single person - Mr. Edward Snowden.

If not for Mr. Snowden, would we ever discover the phenomenon of the "magic number" ?

If not because of Mr. Snowden, we wouldn't even begin to question the integrity of those previously highly regarded "very important people".

If not for his courage, how much more damage all of us have to suffer ?

And yet, inside the United States of America, there are still people equating Mr. Snowden as though he is a traitor.

And even here in Slashdot, we have posters posting very stinging attack on Mr. Snowden.

Our country is under attack, and the attacker is our own government, but yet, there are still Americans who will do everything to help deepen the tyranny, all in the name of "patriotism".

I, an American citizen, do owe my deepest thanks to Mr. Edward Snowden, and I do hope that more of my fellow Americans should start acknowledge something very very wrong has happened to America, the country we love so much, and that we should start doing something together, to RIGHT THE WRONGS.

There have been too many comments that essentially convey the message that we, the People of America, have no power to determine our own future, and that our government, is so overwhelmingly powerful that we are ready to become their slaves, rather than stand up and oppose the tyranny.

Is America still the land of the free, and the home of the braves ?

Or has American turned into the land of the enslaved, and the home of the cowards ?

The choice is on your hand, my fellow Americans.

Either we start righting the wrongs now, or we will end up handing over to our children a country of tyranny.

Are we going to let our children suffer because of our cowardice ?

You are the only one who can answer the question.

Re:We owe our thanks to Mr. Snowden

[j3thr0]

Except that this came to light back in 2007. http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Re:We owe our thanks to Mr. Snowden

[rvw]

Except that this came to light back in 2007.
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

So why has nobody fixed this in the past six years? Thanks to Snowden it's back in the spotlight, and now it seems like action is being taken. That's his legacy. I thank him for that.

Re:We owe our thanks to Mr. Snowden

[IamTheRealMike]

That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

Re:We owe our thanks to Mr. Snowden

[Bing+Tsher+E]

When it came to light in 2007 why was it tamped down and not dealt with? Is there a history that needs to be audited to explain why it drifted (was pushed?) back into obscurity? Perhaps there's even more value in investigating this. Could there be agents that need to be identified and rooted out?

The above is speculation, but it's the sort of question that should be asked, and our understanding of the matter increased.

Re:We owe our thanks to Mr. Snowden

[FriendlyLurker]

Some related reading: "The Responsibility of Intellectuals"

Re:We owe our thanks to Mr. Snowden

[lkcl]

if you've seen the film with nicholas cage, it highlighted for me for the very first time that the U.S. Constitution was written by some extremely fore-sighted people. there are specific words in it which not just permit but *OBLIGATE* you - each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

given that america has such a significant hold over the rest of the world, *i* as a UK citizen am obligated to point this out to you, because by not doing so it will have an adverse effect (through erosion of sovereign rights of each and every country - erosion initiated by the corrupt U.S. Govt infrastructure) on *my* country to whom *i* hold allegiance.

so - get to it, americans - get your act together!

Re:We owe our thanks to Mr. Snowden

[AHuxley]

Re watching slashdot: We are days, weeks, months, years, decades late and talking about whats in the US press over the past days/months.
The best sockpuppets can do is link to science (bread and games) and hope to shape the long term debate away from any more Fourth Amendment/illegality talk.
Enjoy the crypto topics and comment away :)

Re:We owe our thanks to Mr. Snowden

[brillow]

We might have discovered these magic numbers if anyone ever critically analysed this document.

Apparently "security experts" just blindly do things and don't critically examine what goes on.

Scientists have been finding wrong analyses and bringing them down for centuries. In fact, I could read any journal issue in my field and find at least 5 utterly wrongheaded analyses of things. YOU HAVE TO READ SHIT.

Re:We owe our thanks to Mr. Snowden

[stanlyb]

But the public did not believe it.
Now, when a foreign company evaluates the risks of hosting everything on their site, or at Amazon Cloud for example, we all know what decision they take. Thanks to Snowden.
And, ironically, that's the biggest threat for America, not that the NSA will have harder time, but that the business will have a lot of more hard time selling their products...

Re:We owe our thanks to Mr. Snowden

[stanlyb]

Actually, you did not try to tell the truth, but to answer the quoted questions. But don't mind me, keep swimming.

Re:We owe our thanks to Mr. Snowden

[MickLinux]

The keys to the definition of kook are held by the government. If you want to know the truth, you have to ignore the label kook.
 

That doesn't mean that all kooks have the truth. It means that the label kook is often a slanderous title used to hide the truth.
 

Look at syzygyjob.com, and see the earthquake prediction by Jack Coles. He's rotting in prison even as he does it, calls in his predictions by collect call. I have no idea what he did or is supposed to have done to warrant prision, but I do know that Jim Berkland has asserted on the www that he was committed to a mental hospital for the offense of saying to the court that his occupation was earthquake forecaster.
 

Now,. I suspect that Coles is misinterpreting his data. I think that he believes that the radio signals he gets are piezoelectrically induced, whereas they may be simply the result of the reflection of broadcasted waves, off microdust in the atmosphere, caused by slow-slip quakes. Big whoopdedoo. He can be wrong; I'm probably wrong; but that doesn't make his statement that he is an earthquake forecaster false. Nor does it require a person to be committed to a mental hospital.

That is the power that our government wields, Are we now in an age, when nonconformance means assignment to a prison, without rights, under the name of "mental health"? So what is the difference between that, and the Nazi government before it destroyed a quarter of the world, ending with Germany and itself?
 

If you want to have a chance at knowing the truth, drop the term kook. Or take it as a badge of nonconformance.

Re:We owe our thanks to Mr. Snowden

[chuckinator]

Elliptic curve cryptography looks great on a machine running HollywoodOS at your local cineplex, but I have yet to see a single convincing argument for using it for real life cryptography beyond the cool factor and a bunch of hand waving. It's weak and suffers from weird factorization and Fourier based cryptanalysis, and it's simply inferior to exponentiation based algorithms such as those using in Diffie-Hellman variants, RSA, DSS, krb5, etc.

Re:We owe our thanks to Mr. Snowden

Before it came to light as a theoretical possibility. People could see that the possibility existed, however accusing the NSA of having used it would be accusing them of deliberately and knowingly weakening the security of systems designed to be used in defence of their country. That is a pretty serious accusation against people who essentially work for the military. Most people's belief in innocent until proven guilty made that a hard case to make.

Now, thanks to Snowdon, we know they have been weakening system security for their own convenience. Suddenly many people's old viewpoints have become obviously naive.

Re:We owe our thanks to Mr. Snowden

[mdielmann]

The difference is, we have plenty of evidence that the NSA is more than happy to weaken cryptography, and the security of its nation's citizens, to simplify their task. Remember Clipper. Never forget Clipper. They've already proven they can't be trusted with the citizenship's security. We must assume they will not change until they prove otherwise.

Re:We owe our thanks to Mr. Snowden

[alexgieg]

we should start doing something together, to RIGHT THE WRONGS.

The problem is that whenever discussions on these topics come about, the proposed "solutions" are always framed within the rules set by the power elites. And the power elites are this because they are masters of this game. In fact, they've mastered it so much that nowadays even violent revolutions are no exceptions, they also fit within the rules, just another subset of the same old game.

No, the actual solution is to break the rules altogether. Throughout history what managed to alter the rules the most were technological and scientific changes. But only alter, because they still mostly happened at a pace master manipulators (politicians, statesmen and other power hungry individuals) could deal with. So to actually break the rules technological change must come at even faster rates, to the point it surpasses human ability to keep pace altogether. And by that I don't mean merely politicians' ability. Organizations like the NSA employ the brightest of the brightest. That's the level that must be overcome.

What will right the wrongs then, if we happen to do it right, will be molecular nanotechnology-controlling friendly exponentially self-improving general artificial intelligence, a.k.a. the Singularity. The flip side of the coin is that not doing it right will mean the extinction of the human species, as a non-friendly one won't have any reason to keep us around. In any case, one way or the other it'll be the ultimate rule breaker, the one after which everything that came before will be meaningless.

So, we should really focus on that. The first research institute (or garage or basement) to manage it will change everything, for better or worse. As for the standard alternatives though, nope, they're just more of the same.

Re:We owe our thanks to Mr. Snowden

[twotailakitsune]

The DES "S-boxes" were magic numbers that people believed it was a backdoor. It took years for people to see that it closed weaknesses. The way the NSA work, they can't talk about why they put in the magic numbers. Not that we should not try to find out what the numbers do. If we change the "magic number" without learning that it really is a weakness, we could end up making Elliptic curve weaker.

Re:We owe our thanks to Mr. Snowden

[StormReaver]

...the U.S. Constitution...[obligates]...each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

The U.S. Constitution has no such language. You're thinking of the U.S. Declaration of Independence.

Re:We owe our thanks to Mr. Snowden

[s.petry]

When it came to light in 2007 why was it tamped down and not dealt with? Is there a history that needs to be audited to explain why it drifted (was pushed?) back into obscurity? Perhaps there's even more value in investigating this. Could there be agents that need to be identified and rooted out?

Because the same corrupt people doing bullshit like this own the media, and have sock puppets for sites like /.. How hard is it for them to currently push things off the front page by submitting numerous seemingly technical articles? How hard is it for people to divert traffic to a "we hate microsoft" thread? I would say just as hard as it is for TV to divert your attention from Syria by showing a nearly naked teenager humping teddy bears.

Hopefully, after all is said and done people catch on and stop falling for the games.

Re:We owe our thanks to Mr. Snowden

[Jane+Q.+Public]

"Remember Clipper. Never forget Clipper. They've already proven they can't be trusted with the citizenship's security. We must assume they will not change until they prove otherwise."

Clipper is not such a good example. Except for the trustworthiness part.

The problem with Skipjack + Clipper was not that it was "backdoored" per se, but that the keys would be (openly) in government possession at all times. The promise from Government was that they would be "escrowed", and only used for legitimate, court-authorized law enforcement purposes. Of course, nobody believed them.

The reason industry professionals opposed it was because they simply didn't trust government to keep the keys locked away. The concern -- by now justified many times over -- was that instead it would use the keys willy-nilly for its own purposes.

Once the government finally gave up completely on the project (several years after Congress told them to back off), and they made the inner workings public, researchers quickly found vulnerabilities in the system. The major vulnerability being one that would allow a hacker to make the government-held key useless.

So, other than the key problem, it wasn't so much the government wanting to put a "back door" into the crypto, as it was just plain ineptitude on the part of government when it came to the implementation.

Re:We owe our thanks to Mr. Snowden

[Em+Adespoton]

We might have discovered these magic numbers if anyone ever critically analysed this document.

Apparently "security experts" just blindly do things and don't critically examine what goes on.

Scientists have been finding wrong analyses and bringing them down for centuries. In fact, I could read any journal issue in my field and find at least 5 utterly wrongheaded analyses of things. YOU HAVE TO READ SHIT.

More than this, you have to speak up, and having spoken up, you have to be heard.

I'm pretty sure that you'll probably find a number of papers in the field that have been published for years talking about the fragility of SEC random curves as selected. There are probably dozens of people jumping up and down right now saying "I told you so!" -- the issue is that nobody listened to them (and likely still aren't listening to them).

Re:We owe our thanks to Mr. Snowden

[mdielmann]

Wrong. The big problem is the government wants a way to see your data, unconditionally, whether or not you have ever done anything wrong, preferably without you knowing. Their willingness to store the keys somewhere, probably unsafely, for their convenience, rather than putting a back door that someone else might stumble upon is a very minor thing, comparatively.

The Clipper episode doesn't give you insight into technique, in this case. It gives you insight into intent.

Re: We owe our thanks to Mr. Snowden

[asamad]

+1

Re:We owe our thanks to Mr. Snowden

[HiThere]

People who are experts seem to have been saying that it only hardened DES a little bit, when others were trying to get it made a lot harder.

I'm not an expert, so I can't evaluate whether this is a true assertion or not...but it seems plausible.

Re:We owe our thanks to Mr. Snowden

[Darinbob]

It wasn't until I saw a Marx Brothers movie that I fully understood communism.

Re:We owe our thanks to Mr. Snowden

[Remus+Shepherd]

Is America still the land of the free, and the home of the braves ?

Or has American turned into the land of the enslaved, and the home of the cowards ?

I'd reassure you about American courage if I wasn't afraid of speaking publically on this topic.

Re:We owe our thanks to Mr. Snowden

[Darinbob]

Because some companies make a lot of money selling proprietary EC libraries, there's money to be made by hyping it.

Re:We owe our thanks to Mr. Snowden

[chuckinator]

Well, someone did a pretty bang up job peddling the idea that bitcoins are cryptographically sound using the same tech, but this post is likely to be modded into oblivion for taking a shot at one of the slashdot sacred cows.

Re:We owe our thanks to Mr. Snowden

[vadim_t]

That was in 1975. The NSA that did that isn't necessarily the NSA that exists today. Just because they did something good nearly 40 years ago, dosn't mean they have anywhere near the same ideas now.

Internal priorities, people with the ability to push their agenda, and external factors can have easily changed in that time. Hell, most of the people from back then are probably dead by now.

Also, while they did make it stronger against differential cryptanalysis, they got the key length reduced, which means that today, DES is terribly weak, and 3DES is needed to patch it up.

This fits in quite nicely in what you say though. The thinking might have been that differential cryptanalysis makes cracking much easier, but a reduced key length would still require NSA-sized resources to break.

Re:We owe our thanks to Mr. Snowden

[louarnkoz]

Actually, no. There is proof that Dual_EC_DRBG is much weaker than advertised. But the story is about the other elliptic curves that NIST standardized based on "contributions" from the NSA.

Re:We owe our thanks to Mr. Snowden

[WuphonsReach]

Elliptic curve cryptography looks great on a machine running HollywoodOS at your local cineplex, but I have yet to see a single convincing argument for using it for real life cryptography beyond the cool factor and a bunch of hand waving.

RSA is not perfect either. Every time you double the key length, performance drops by a factor of about 6x. Currently, in order to get about 128 "bits" of strength, you need to use to use either a 3072 or 4096 RSA key length. To get to 192 "bits", 7680/RSA or 8192/RSA.

ECC is interesting to cryptographers because it seems to offer the same amount of encryption strength, with far less bits required, and it can be used in a public key manner. You only need about 256-383 bits in the ECC key to be equivalent to 128 "bits" of strength, and 384-511 bits for 192 "bits" of strength. The problem, as usual, lies in either poor implementation or picking the wrong curves.

History is another reason. RSA has been around since 1978 and all known patents expired by 2000. So researchers have been beating on RSA for about 35 years now and there are lots of proven implementations (TLS/SSL, SSH, GPG/PGP, etc.). RSA also relies on how hard it is to factor prime numbers, which is a problem that mathematicians have been studying for hundreds (thousands?) of years.

ECC was introduced c1985 and some patents have yet to expire.The math has only been examined for 25 years, and the entire field of elliptical curves is very young compared to prime numbers. Which doesn't make it a bad choice, it's just not as well vetted.

It is slower at public key operations (signature verification, key exchange) then RSA. The speed at doing bulk encryption is a wash, because all public-key encryption implementations create a random symmetrical key and use a symmetrical encryption algorithm (3DES, AES) to do the encryption of the content. The public-key pairs are only used to exchange those symmetrical keys and to validate two sides of the conversation.

Re:We owe our thanks to Mr. Snowden

[WuphonsReach]

Also, while they did make it stronger against differential cryptanalysis, they got the key length reduced, which means that today, DES is terribly weak, and 3DES is needed to patch it up.

Most of what I've read on the subject indicates that key length was reduced in order to make it easier to implement in silicon. Maybe IBM was a bit short-sighted at the time, thinking that 56bit keys was still going to be strong enough. After all, "export grade" crypto was still limited to 40bit keys back then.

Re:We owe our thanks to Mr. Snowden

[uninformedLuddite]

I would say just as hard as it is for TV to divert your attention from Syria by showing a nearly naked teenager humping teddy bears.

Pics?

Re:We owe our thanks to Mr. Snowden

[uninformedLuddite]

The truth might be that every time a bitcoin is mined someone's private data gets just that little bit closer to decrypted.

Re:We owe our thanks to Mr. Snowden

[Jane+Q.+Public]

" The big problem is the government wants a way to see your data, unconditionally, whether or not you have ever done anything wrong, preferably without you knowing."

How does this make me "wrong", since we agree 100% that is the fundamental, underlying problem?

My point was only that Clipper was not an example of "backdoor" crypto. But it WAS definitely an example that government cannot be trusted.

"The Clipper episode doesn't give you insight into technique, in this case. It gives you insight into intent."

We are in complete agreement.

Re:We owe our thanks to Mr. Snowden

[s.petry]

It's on youtube, watch the video! Youtube "miley cyrus vma 2013"

Re:We owe our thanks to Mr. Snowden

[uninformedLuddite]

That girl makes my skin crawl

Re:Is Bitcoin Vulnerable?

[IamTheRealMike]

Bitcoin uses what the SEC calls a Koblitz curve (secp256k1) for which there is much less design freedom and it seems much less likely that there is any way to back-door those curves. Unfortunately many ECC implementations don't support all the curves, just a few of the plain vanilla random ones. Actually I'm not aware of anything except Bitcoin that uses secp256k1.

Open letter to the NSA

[aaaaaaargh!]

Dear NSA,

Since I'm getting tired of these stories and it seems kind of unfair that you're getting all the heat recently, here is my suggestion how you could improve your PR image by doing something to our mutual benefit:

Please use your supercomputers for a few months to aggressively mine Bitcoins and Litecoins. That would make you (virtually) richer than you already are and free me and the rest of the world in future from annoying Bitcoin-mining stories.

If you like this idea, consider donating some Bitcoins to me. You know where to find me.

Thank you for your attention and best regards,

aaaaaaargh!

Re:Open letter to the NSA

P.S.: Don't worry, I will only use them for recreational drug use and not to further damage the image of your agency.

Re:Open letter to the NSA

They are ALL open letters to the NSA.

Re:Open letter to the NSA

[Boronx]

With their computing power, they could just create their own counterfeit bitcoins that would outvote the rest of market, effectively stealing everyone's coins.

Re:Open letter to the NSA

[Bugpowda]

Nope. They don't have enough computing power for a 51% attack anymore. Until they build their own bitcoin mining ASICs at least. The network is running at nearly 1 petaHash / second, with each hash performing ~1,300 32bit adds. So, in very apples to oranges terms, the network is secured by 1,300 petaFLOPS (and rising at ~2.5% PER DAY). The sum total FLOPS of the top500 supercomputer list from June 2013 is 223.6 petaFLOPS.

Re:Open letter to the NSA

[ColdWetDog]

Oh, and while you're at it, could you please recover the directory I inadvertently deleted last week? I don't recall the name, but I'm sure you do.

OXOXOX

Re:Open letter to the NSA

[MiniMike]

Maybe they could just pay a Bitcoin every time they callously trample someone's rights?

And you think they need a lot of computing power now...

secp256r1? That's the combo on my luggage!

"secp256r1" just so happens to be the combination to my luggage.

I guess I should change that.

Isn't it time we take back our own country ?

[Taco+Cowboy]

This shit is evidence that this country has *already* been taken over (from within and without)

Isn't it time we, the American Citizens, take back our own country from those fuckers ?

How much longer should we let those fuckers to ruin our country ?

How much longer do we want to be fooled by those fuckers ?

How much longer can our country last, under those fuckers ?

Re:Isn't it time we take back our own country ?

[Ksevio]

Yeah! So who are we running for President?

Re:Isn't it time we take back our own country ?

[rvw]

This shit is evidence that this country has *already* been taken over (from within and without)

Isn't it time we, the American Citizens, take back our own country from those fuckers ?

How much longer should we let those fuckers to ruin our country ?

How much longer do we want to be fooled by those fuckers ?

How much longer can our country last, under those fuckers ?

So what are you waiting for? You tell others what to do, and do nothing yourself. That's not going to motivate anybody.
(Disclaimer: I am not a US citizen)

Re:Isn't it time we take back our own country ?

[Lumpy]

AS soon as you get off your ass and do something other than bitch. I dont see you at any of the rallys or picketing in front of the whitehouse.

Re:Isn't it time we take back our own country ?

[meta-monkey]

I nominate Anonymous Coward.

Re:Isn't it time we take back our own country ?

[meta-monkey]

Because those are terrible ideas that will have zero effect.

The only way to beat a bureaucracy is at the polls, from the ground up:

1) download your local laws.

2) open in text editor.

3) hack to make them better.

4) get friends/randoms to run for city council with/for you based on those better laws.

5) campaign via social media/crowdfunding

6) win election. Enact laws. Acquire control of pre-built militarized police and tax money

7) use police to fight corruption, taxes to promote education, civic responsibility, transparent government

8) repeat for each city then county then state then nation.

9) ???

10) don't profit because you can't really take lobbying bribes for a distributed lawmaking system.

Re:Isn't it time we take back our own country ?

[Atzanteol]

It's past that point. Nobody we would want to run would win. If you're not in the two big parties you get no media attention, no money, it's significantly more difficult to get included in debates, etc. IOW it's a doomed candidacy.

Re:Isn't it time we take back our own country ?

[fustakrakich]

I nominate Romney

Re:Isn't it time we take back our own country ?

[Ksevio]

So what do you suggest? A non-democratic solution? Move to a dictatorship? Seems like the wrong direction to me

Re:Isn't it time we take back our own country ?

[router]

My take on the solution, feel free to critique it. Its my current plan.
http://slashdot.org/comments.pl?sid=4056347&cid=44485435

Re:Isn't it time we take back our own country ?

[cellocgw]

So who are we running for President?

Well, me of course! (see .signature)

Re:Isn't it time we take back our own country ?

[Phreakiture]

10) don't profit because you can't really take lobbying bribes for a distributed lawmaking system.

Not all profit is monetary. If we gain though building a better system, that's profit.

Re:Isn't it time we take back our own country ?

[Ksevio]

How about a step to reform election laws to third party candidates are actually viable? Voting third party or "none of the above" isn't that helpful if the congress just gets to appoint a president when no one gets the electoral votes.

Re:Isn't it time we take back our own country ?

[Darinbob]

We'd have to rename him Anonymous Hero.

(or maybe it's a she, I'm never clear on AC's gender)

Re:Isn't it time we take back our own country ?

[meta-monkey]

There's a difference:

1) with third parties, you're voting for an ideology and a person. With this, you're only voting on a predetermined body of laws. Use randomly selected eligible candidates. There's no saviors to corrupt and no party line toe.

2) don't start with president. Start with each and every city council. Buy the time those are taken, your base for the state is already built. Once you've got a state, gerrymander for congressional districts. Funnel tax money into open government initiatives and municipal Internet infrastructure. Use the tools of enemy against them.

It starts at the bottom and it's a long, boring, slow, protracted campaign. But nothing quick and easy can fix this mess.

Welcome to World War III. The streets will run red with tape. Grab a laptop, a case of Mountain Dew, and fortify your couch, soldier.

Re:Isn't it time we take back our own country ?

[Atzanteol]

Sounds good - now think about who you would need to get to vote on those laws...

Re:Isn't it time we take back our own country ?

[Atzanteol]

If I had a solution then believe me I would offer it. These sorts of problems are *very* difficult to solve and in our system require a huge buy-in from lots of people who are willing to "put their necks out." Hopefully the tide of public opinion swings in our favor but if it doesn't then there is probably no workable solution.

The old cypher machine vs your new internet?

[AHuxley]

The darker crypto history of the 1950-80's would point to long term weak export grade devices.
Why this generation of software and hardware would be allowed to be any different seems to have escaped a few people.
First the govs look at the private leadership, the firms, the brands - help stop communists....
If that fails, go for longterm staff with issues.
If that fails, set up a gov backed front company or standard out spending and undercutting any emerging private experts.
Looking back why did so few not see the lack of public gov interest after US crypto exports laws became more open (after public key cryptography?)
All the world was presented with was vague whispers of way too much unencrypted data with optical, internet and mobile phones...too expensive, too difficult..
The govs appetite never changed and funding in the past ~10 years was epic.

Justified paranoia

[return+42]

I think we are all going to have to be a lot more paranoid from now on about the public comments NIST gets on crypto standards. We can count on NSA to continue to try to mess with the standards, but they won't do it openly. They'll use proxies with no traceable connection to NSA. The crypto experts will have to examine these things a lot more carefully. Hanlon's razor won't cut it anymore.

Re:Justified paranoia

[steelfood]

Hanlon's razor specifically doesn't cover the case of known malicious actors, even if the malicious actors are non-specific.

For cryptography from here on out, it's a matter of questioning everything, and going through all of the results and conclusions with a fine-toothed comb. If something is too complex, then it should be simplified prior to standardization, or the standard needs to be revised. It something included seems arbitrary, then it needs to be questioned and only a reasonable explanation would justify its inclusion. Things should be checked and double checked. Assumptions should be identified, and the risks they present need to be mitigated beforehand, irrespective of how much additional work or overhead that would cause. The only thing that can be trusted is the math, but even then, the application of the math needs to be considered in length.

But I think it gets worse than this from here on out. The next thing for them to do is to attack the field of cryptography. They can't attack the math, so they'll attack education. They'll sabotage textbooks, teachers, professors, hell, the whole education system here and abroad. Just so their shenanigans cannot be exposed by real mathematicians, cryptographers, and other security experts. And when that happens--and it's happening even now, if you've ever bothered to look at the state of education in the U.S.--we'll all lose.

Factoring integers versus Discrete Log in EC group

[betterunixthanunix]

The difference boils down to factoring integers versus computing discrete logarithms in elliptic curve groups. The best publicly known integer factorization algorithm is GNFS which runs in roughly O(2^(n^1/3)), whereas the best publicly known ECDLOG algorithm runs in O(2^(n^1/2)). That is why we need RSA keys that are so much larger than ECC keys.

That, of course, is a theoretical argument. In practice, there are other issues to consider. ECC has a lot of parameters and there are a lot of constraints on the curve you choose; this means there are a lot of things to get wrong. RSA is not technically secure on its own (and the construction used to make it secure is easy to get wrong), but related systems like Blum-Goldwasser (which is based on a related problem, the Quadratic Residuosity Problem) are and they have many fewer parameters. The code for such systems is also simpler, which makes it more straightforward to audit (and harder to hide backdoors).

Excellent Summary

[Bob9113]

I was going to submit the same story. I'm glad I didn't; that summary is much better than what I had in mind. Nicely done, Unknown Lamer, IamTheRealMike, and any other editors who helped. Thank you for your effort on this important topic!

Not paranoid *enough* ?

[pla]

I only see people discussing the first-level implications to privacy and security of the NSA having chosen parameters that lead to a somehow-weak curve. Except - That doesn't take any special NSA magic, they just cheated up front.

Such discussion completely overlooks the much bigger problem here, however - The NSA chose parameters that give a weaker curve. Parameters generated as the output of hashing them with SHA1.

The ability to choose parameters strongly suggests that the NSA has a way to produce input texts that yield a desired SHA1 hash. That takes special NSA magic, and should really count as the FP story here, not the far less impressive trick of stacking the deck in their favor.

Re:Not paranoid *enough* ?

Either that, or it suggests that NSA knows about a ECC vulnerability that a fraction of the curves suffer from, say one in a trillion, and they hashed numbers at random until they found such a curve.

Re:Not paranoid *enough* ?

[GameboyRMH]

Couldn't the same thing be achieved with brute-forcing? If they have a program that can evaluate the strength of a curve, they can just fuzz the inputs and choose the "best" (worst) set of inputs. Perhaps they could build a function that would produce artificially weak random-ish inputs instead of properly random ones to speed it up further?

Re:Not paranoid *enough* ?

[skids]

SHA1 has been deprecated (mainly as a precaution, but with evidence that attacks were starting to gain a small foothold) since 2005 (by NIST itself even) in favor of the SHA2-240/256/384/512 suite. The question really is why did the selection of SHA1 over a SHA2 variant (I assume in 2007 since that is when the first draft of what became RFC 5639 was published) not raise red flags, in addition to the from-the-sleeve seeds?

Re:Not paranoid *enough* ?

[kwikrick]

Hmmm, perhaps it sufficient to just find a class of inputs that generates a particular class of hashes. Then pick a random input in that class
and use it as an elliptic curve parameter. I don't know if that's sufficient to generate weak elliptic curves. But if so, then the NSA doesn't need to have solved SHA1.

Re:Not paranoid *enough* ?

[rubycodez]

the acre of supercomputers has nothing to do with holding the view of that tradition, no siree

Trusting Trust

Ken Thompson's article "Reflections on Trusting Trust" seems to apply here.
http://cm.bell-labs.com/who/ken/trust.html

Even if the numbers are corrected, we have no guarantee that a lower-level system isn't undoing that work. Backdoors can (and probably do) exist in not only compilers, but in hardware. If this is the case, then broken encryption parameters are far less important. For example, git uses SHA1 for encryption. Assuming the scheme isn't already broken, it is likely possible to generate a collision with brute-force (especially if you need only one number). If some link in the git chain were thus broken, a replacement file with a backdoor payload could be injected (eg. in the confusion surrounding the gnu.org repos being hacked). As ken points out, once that initial injection is made (assuming it is of sufficent quality) it can be used to add anything to future compiled versions.

Re:Trusting Trust

[ColdWetDog]

Ken Thompson's article "Reflections on Trusting Trust" seems to apply here.
http://cm.bell-labs.com/who/ken/trust.html

Even if the numbers are corrected, we have no guarantee that a lower-level system isn't undoing that work. Backdoors can (and probably do) exist in not only compilers, but in hardware. If this is the case, then broken encryption parameters are far less important. For example, git uses SHA1 for encryption. Assuming the scheme isn't already broken, it is likely possible to generate a collision with brute-force (especially if you need only one number). If some link in the git chain were thus broken, a replacement file with a backdoor payload could be injected (eg. in the confusion surrounding the gnu.org repos being hacked). As ken points out, once that initial injection is made (assuming it is of sufficent quality) it can be used to add anything to future compiled versions.

This must be the reason my checking account never balances.....

It's time for a community rally

[shaitand]

We need community and built and vetted algorithms, easy and in-built encryption that doesn't rely on a "trusted" third party infrastructure, e-mail encryption that just works, zrtp for all voice communications on by default, and a genuinely locked down android system with firewalling.

There are a lot of Google services we rely on that can be replaced with decentralized community replacements. Clearly, Google is working for the enemy. Clearly, Facebook is working for the enemy. Here we can look to TOR and Bitcoin for hints on how these kind of decentralized systems can work.

These days most of this starts with our phones. So we need a solid and secure community vetted android system that becomes the basis for all those root your phone/tablet guides in the world.

Re:Is Bitcoin Vulnerable?

[Electricity+Likes+Me]

"Trust" has not been lost, but paranoia seems to be alive and well. Unless you can actually illustrate a possible attack (in the case of ECC the issue was that the PRNG could be hosting a public key as one of its magic numbers which would allow it to be predicted) then your just jumping at ... something less then a shadow.

There seem to be an awful lot of people with no cryptography expertise making grandiose statements, some probably running off to implement their own crypto which will be "NSA free" and so hilariously broken that if you had to pick a social-engineering attack to catch terrorists then this would be a good one.

Re:Is Bitcoin Vulnerable?

[Sique]

So for the NSA to kick out the really problematic implementations, the really secure ones, those they didn't find a backdoor in yet, the NSA will just recommend them?

What about Russia's GOST Elliptic curve standards?

Has anyone checked out Russia's GOST standard Elliptic Curve cryptography standards to see if choice of seeds is a widely known way of weakening crypto?

Or could it be that the Russian standard is actually more secure?

The GOST Elliptic curve standards have been translated to English in RFC 4357 and 5832 http://tools.ietf.org/html/rfc4357 and http://tools.ietf.org/html/rfc5832

Great summary

[superswede]

Kudos to IamTheRealMike for such an informative and well written summary.

They know me

[Taco+Cowboy]

Thank you Mr. Taco Cowboy (if that's your real name). The FBI should be visiting soon. Please hide your dogs, for their own sake.

Almost every single time I posted a comment that hits the bull's eye someone would counter it with a veil threat, like the above.

FYI, they know who I am.

I came from China, I am a naturalized citizen of the United States of America, and I am currently not living inside the U.S. of A.

In my younger days, I also was involved in some (still secret) military programs.

They have my dossier. They know where I am.

If they want to take me down, they can, any time.

But I am not important. I am expendable.

What is important is the future of my country, the United States of America.

As I said, I came from China, I had had first hand experienced the terror of Tyranny, with a capital "T".

What I, and millions of my former comrades in China had suffered through, I would NOT want you guys in America to go through.

The terror of Tyranny is much more than any Hollywood movie could ever convey.

Go ahead, threatening me more, if that is the thing that makes you feel good.

I have gone through the baptism of hell back when I was in China, death is nothing to be afraid of.

As I said, I am expendable, but the United States of America is not.

Re:They know me

Go ahead, threatening me more, if that is the thing that makes you feel good.

Seemed like they were simply being a cynic, rather than trying to threaten you. Nothing in the post in any way indicated that they would be happy should that happen to you.

Re:They know me

[spire3661]

This is a very Chinese attitude. The nation can crumble around me, if it is deemed corrupt. It is the IDEALS that drive us. When we lose our ideals, we lose the country.

Re:Errk don't yell at the brainpool curves!

[IamTheRealMike]

I linked to that RFC for the text in the introduction section, from which I got the "chosen ad hoc" language. My point is not to cast suspicion on all ECC, which is a valid mathematical technique developed in the open by civilian academics. But rather, to provide more evidence for the fact that nobody seems to know how the seed values were generated (we know WHO generated them, but not HOW).

Are the numbers really magic?

[hawguy]

Is there anything really magic about those magic numbers, or are they just random numbers generated by a true RNG? If that's the case, why not just have Bruce Schneier or other trusted non-government party generate new ones? Or have a dozen trusted parties generate RNGs by a variety of methods (commercial RNG, home made RNG, monkeys typing on a keyboard, etc) and hash them all together to make the constants?

Since these constants are apparently known and part of the spec, is there any reason they can't be shared with encrypted files? Everyone can use their own magic numbers when they encrypt data.

Re:Are the numbers really magic?

[u38cg]

Not exactly. Their choice can (depending on design) influence the strength of the crypto produced. The difficulty comes in verifying what a particular set of numbers does. For that reason, no, they couldn't efffectively be part of the key.

Maybe, maybe not..

[jcr]

But what we do know from the Snowden documents is that the NSA can not be trusted to obey the law. Anyone working in cryptography, particularly developing interoperability standards, should categorically reject the participation of any government officials in the standards process.

-jcr

Re:Maybe, maybe not..

[Burz]

But what we do know from the Snowden documents is that the NSA can not be trusted to obey the law. Anyone working in cryptography, particularly developing interoperability standards, should categorically reject the participation of any government officials in the standards process.

-jcr

They'll have to be a lot more exclusive than banning actual officials. People will have to be scrutinized for unofficial ties to government as well as to large corporate interests-- let's not forget our "plutonomy" situation: The government today is the errand-boy and enforcer for corporate aristocrats.

Re:Is Bitcoin Vulnerable?

[DrXym]

To give everyone a laugh at libertarian nerds who thought it was a great idea to invest in it.

Re:NIST required by statute to consult with NSA

[PPH]

NIST is also required by statute to consult with the NSA.

NIST: "Here's what we are going to do."
NSA: "But, but, but......."
NIST: "Now fuck off and die. You have been consulted with."

Its either that or NIST should be out of the encryption standards loop.

I've been saying for a very long time

[fustakrakich]

There is no effective, trustworthy, publicly available encryption. And I've been reliably hammered by the moderators and commenters for it on a steady basis..

GOD! I hate it when I'm right!

Re:I've been saying for a very long time

[pieterh]

How about Curve25519 and NaCl?

Re:I've been saying for a very long time

[fustakrakich]

I REPEAT!....... oh, never mind... I need a drink

Re:I've been saying for a very long time

[geekoid]

you can repeat all you want, that doesn't make you right.
and you're not.

Re:I've been saying for a very long time

[fustakrakich]

:-) The upcoming documents will show that I am. That little tipping point is fast approaching, and your faith, as powerful as it appears, will fall like the Walls of Jericho.

Re:Is Bitcoin Vulnerable?

[stanlyb]

Yep, because, obviously you are expert, we should what, believe you? Pleeease, done make mu laugh.

Re:Is Bitcoin Vulnerable?

[ZombieBraintrust]

No one knows who Satoshi is. For all we know the NSA is Satoshi and Bitcoin is a NSA opperation.

Agree: make a new fully open process, open source

[mrflash818]

Agree: make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, just like the Linux kernel.

Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

Then that can be collaborated on via git, the developer community, and the security community. ...just my two cents.

And was on slashdot in 2007 as well

[gr8_phk]

http://it.slashdot.org/story/07/11/15/184204/new-nsa-approved-encryption-standard-may-contain-backdoor I remember at the time it seemed to be confirmed that there IS a backdoor. The question of weather anyone knew the magic numbers to open that door seemed obvious at the time as well - the NSA chose the numbers. It would go against everything they stand for NOT to have the keys.

Side note: Contrary to what some folks claim, this does not make the system weak against any foreign enemy, criminals, or hackers. It makes it weak only to the NSA so long as no one else discovers the master key. Not that this makes it ok, just not as bad as some claim.

Re:And was on slashdot in 2007 as well

[twotailakitsune]

NSA also picked the boxes in DES. For years people believed it was to make a backdoor. Then people learned that the NSA know of a weakness that they closed by picking the boxes.

Fully Open Encryption

[mrflash818]

There may be a solution to the NSA problem:

Make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, global peer review possible.

Use the development of the Linux kernel as a model. Use the global participation of Debian as a model.

Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

Then that FOE system and software can be collaborated on via git, the developer community, and the security community. ...just my two cents.

Re:Fully Open Encryption

[evilviper]

Make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, global peer review possible.

You mean like AES? Or OpenSSL? Or...?

Use the global participation of Debian as a model.

You know it was Debian that fucked-up OpenSSL in an EPIC way, right? http://blogs.computerworld.com/fixing_debian_openssl

Even Math

[ThatsNotPudding]

'And even the numbers themselves shall bow down to our suzerainty.'

Re:Is Bitcoin Vulnerable?

here are now also an awful lot of people with lots of cryptography expertise running off to implement their own crypto, which will be "NSA free" and peer reviewed. Some of them will be hilariously broken - as all new crypto is assumed to be, quite appropriately - and some will survive scrutiny.

Paranoia motivates review. That is a good thing. Thus, anyone who scoffs at paranoia simply sounds like an NSA shill. Did the NSA buy you lunch for your post, Electricity Likes Me? :)

Churchill Corollary

[ThatsNotPudding]

No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

The US government is the most untrustworthy government - except for all the others.


:(

Re:Churchill Corollary

[Burz]

I was going to make a similar statement. However, the US may be the least trustworthy now because of the distinction of having been verified going nuts on surveillance, and also being the most powerful.

What we have to turn to are nonprofit organizations and open source.

Re:Remember the oath you took?

[boarder8925]

You'd think that, but the people in charge understand "domestic enemies" to mean the American people.

Re:What about Russia's GOST Elliptic curve standar

[rubycodez]

wonderful, curves with constant parameters chosen by the KGB would be so much superior.

Revolution?

[Phoenix666]

I have been following the NSA revelations with keen interest. I am not a cryptologist. Advanced math escapes me. But I have understood enough to know that the NSA has been poisoning the well for our entire society. They, not Al Qaeda, not Iran, not China, pose the most existential threat to American freedom and the ability of my kids to grow up in peace. So I ask my fellow Americans and freedom-loving foreigners alike, can we not resolve to resist and bring down these criminals in any way we can? Whether it's better encryption, darknets, ostracism of the actual flesh-and-blood human beings practicing this tyranny on the rest of us, or many, many other measures, can't we all commit to doing what we can, where we can, to putting an end to them?

Re:Revolution?

[geekoid]

"NSA has been poisoning the well for our entire society."
hyperbole.

"They, not Al Qaeda, not Iran, not China, pose the most existential threat to American freedom and the ability of my kids to grow up in peace"
false.

Plus the VAST MAJORITY of their work has been legal.

They haven't practice any Tyranny. sheesh.

Re:Revolution?

[Burz]

Addressing the non-flesh-and-blood part of your question, two pieces of software could make a big difference if enough people adopt them: The I2P darknet (which uses stronger encryption than Tor, among other advantages), and Qubes OS which provides a large enhancement of security over what you would find in even the most hardened Linux system.

These two things stymie both the "legal" spying that was setup within ISPs and services like Google, and the ability of others to break into your systems and steal/infect stuff.

Re:Here's a thought

[HiThere]

If all you want is random, you can get that (at a slow rate) from any geiger counter. Or from a hot diode. Or from many other places.

It's my understanding that these numbers aren't supposed to just be random, but to have some other important properties...probably not being prime, though that may be a part of it.

actually

[geekoid]

" it's common practice to never use unexplainable magic numbers in cryptography standards"

you don't need those last three words.

Are Shamus Standard Curves better?

[okeuday]

Aside from going back to RSA with really large key sizes, what other options are there? Shamus Standard Curves were mentioned (here) but they seem to be obscure, to the point of not yet being within open source crypto, like PGP. Do we have open standards which the NSA hasn't touched?

As usual, Bitcoin users NOT AFFECTED

[Rudd-O]

See http://www.reddit.com/r/Bitcoin/comments/1m6twq/no_way_to_reproduce_some_key_numbers_used_in_the/cc6bfqb

:-)

ECDH-RSA

[manu0601]

How would that affect Ellictic Curve Diffie-Hellman Exchanges, which are the current preferred way to obtain Perfect Froward Secrecy (which means leak of the server private key does not help deciphering previously stored communications) in TLS?

Is it better to use slower DHE-RSA after all?