Slashdot Mirror


How Is the NSA Breaking So Much Crypto? (freedom-to-tinker.com)

schwit1 writes: There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a "computing breakthrough" that gave them "the ability to crack current public encryption." The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.

If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn't just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to "crack" a particular prime, then easily break any individual connection that uses that prime.
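As an added illustration of the point above (example code, not part of the submission or the paper): the real attack precomputes a number-field-sieve database for one fixed 1024-bit prime, then finishes each individual discrete log quickly. The toy below uses the generic baby-step giant-step method in place of the sieve, on a 31-bit prime, so the one-time cost per prime and the cheap per-session cost can be seen separately. The prime 2^31-1, the generator 7 and every secret are constructed for the example and are far too small for real use.

```python
"""Toy of 'crack the prime once, then break every connection that uses it'.

Added example, not the paper's code: the real attack precomputes a
number-field-sieve database for one 1024-bit prime; here the generic
baby-step giant-step method plays that role on a 31-bit prime, which is
large enough to show the split between one-time and per-session cost
but far too small to be safe.  p, g and all secrets are constructed.
"""
import math
import random

P = 2**31 - 1   # Mersenne prime, standing in for a hard-coded DH modulus
G = 7           # primitive root mod P


class PrimeBreaker:
    """One-time work for a fixed (p, g); dlog() is then cheap per session."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1            # ceil(sqrt(group order))
        # Baby steps: g^j -> j for 0 <= j < m.  This table is the
        # 'precomputation'; building it is what makes the attack per-prime.
        self.table = {}
        cur = 1
        for j in range(self.m):
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(pow(g, self.m, p), -1, p)  # g^(-m) for giant steps

    def dlog(self, h: int) -> int:
        """Return x with g^x == h (mod p) using at most m multiplications."""
        cur = h % self.p
        for i in range(self.m):
            j = self.table.get(cur)
            if j is not None:
                return i * self.m + j
            cur = cur * self.giant % self.p
        raise ValueError("h is not a power of g")


def dh_session(rng: random.Random, p: int = P, g: int = G):
    """Honest exchange.  An eavesdropper sees only (A, B); the shared
    secret is returned so the break can be checked against it."""
    a = rng.randrange(2, p - 1)
    b = rng.randrange(2, p - 1)
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def break_sessions(breaker: PrimeBreaker, sessions):
    """Recover each shared secret from the public values alone."""
    secrets = []
    for A, B, _ in sessions:
        a = breaker.dlog(A)                # per-session cost: O(sqrt p) steps
        secrets.append(pow(B, a, breaker.p))
    return secrets


def demo(n_sessions: int = 5, seed: int = 1):
    """Break n_sessions exchanges over the shared prime; True per success."""
    rng = random.Random(seed)
    sessions = [dh_session(rng) for _ in range(n_sessions)]
    breaker = PrimeBreaker(P, G)           # paid once, reused for every session
    recovered = break_sessions(breaker, sessions)
    return [r == s for r, (_, _, s) in zip(recovered, sessions)]


if __name__ == "__main__":
    print(demo())
```

A second prime would need a second `PrimeBreaker`; that is the whole point of the argument about everyone sharing the same modulus. Against a real 1024-bit prime the table above is replaced by the sieve's relation-collection and linear-algebra phases, and the per-connection step by an individual-log descent, but the cost split is the same.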

217 comments

  1. ugh... by Anonymous Coward · · Score: 0

    ugh...

    1. Re:ugh... by Urquhardt · · Score: 2

      Just what I was thinking....

  2. Breaking. lol. by Anonymous Coward · · Score: 0

    Backdoors. thank you very much.

    1. Re:Breaking. lol. by Anonymous Coward · · Score: 5, Funny

      Backdoors. thank you very much.

      Nope. They mention that in the paper and then proceed to show how it can be done without them. But nice try.

      The biggest surprise for me in the paper is the revelation that all major browsers would not accept a prime less than 512 bits with one exception: Safari. Safari was found to accept primes as small as 16 bits, essentially rendering it completely vulnerable to real-time attack by almost anybody.

      IE, Firefox, and Chrome are already transitioning to support stronger mechanisms which would not be vulnerable. Time to take a hard look at your choice of browser, Apple fanboys.

    2. Re:Breaking. lol. by Anonymous Coward · · Score: 0

      Why should I "take a look at my choice of browser"? I use Firefox on my Mac.

      -Apple fanboy

    3. Re:Breaking. lol. by MrNaz · · Score: 1

      No true fanboy would use Safari!

      --
      I hate printers.
    4. Re:Breaking. lol. by Dunbal · · Score: 1

      This is more of a front door with a bicycle lock.

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Breaking. lol. by buchner.johannes · · Score: 2

      Backdoors. thank you very much.

      Nope. They mention that in the paper and then proceed to show how it can be done without them.

      Just because it can be done without backdoors, doesn't mean the NSA isn't going the easy route. That the NSA is tapping large datacenters before encryption and has access to the private keys of major companies is known now. Schneier says:

      The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re: Breaking. lol. by Anonymous Coward · · Score: 1

      As in coming in the front door and hitting someone with a bicycle lock?

    7. Re:Breaking. lol. by Bing+Tsher+E · · Score: 1

      The hard core are still using CyberDog!

    8. Re:Breaking. lol. by h33t+l4x0r · · Score: 1

      You realize that the ssl cert provider isn't the one doing the attacking, don't you?

  3. well, if i told you... by turkeydance · · Score: 2, Funny

    and all that....

  4. Um, this is news? by Anonymous Coward · · Score: 1

    I was ridiculed for suggesting that you simply pre-calculate every possible prime in that bitspace and that's it.

    1. Re:Um, this is news? by Anonymous Coward · · Score: 0

      You were ridiculed because it's ridiculous.
      Apparently you have no clue how many ages of the universe it would take to enumerate the 256-bit primes.

    2. Re:Um, this is news? by TechyImmigrant · · Score: 2

      You are wrong. Precalculating the primes is not simple and it wouldn't help.
      The authors of the paper are pre-calculating the number field sieve for the prime group. This allows them to efficiently compute discrete logs over the group.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Um, this is news? by ShanghaiBill · · Score: 5, Informative

      Apparently you have no clue how many ages of the universe it would take to enumerate the 256-bit primes.

      We are nerds here, so let's calculate it. The number of primes less than N is approx ln(N), so the number of primes less than 2^256 = (2^256/256) = 2^248 = 4.5e74. If you computed one prime per Planck time, it would take this long: 4.5e77 * 5.4e-44 secs/planckTime / (1.38e10 years/universe * 3600 * 24 * 365) = 2.3e12, or about 2 trillion times the age of the universe. 512 bit primes would take considerably longer.

      Once you calculate the list of primes, you need to figure out where to store it. Storing 4.5e74 numbers is problematic, since that is about a quintillion times the number of atoms in the sun.

      We can be fairly certain that the NSA is not just relying on a lookup table.

    4. Re:Um, this is news? by Immerman · · Score: 5, Informative

      Here I was about to give you grief on your math ( ln ( 2^512 ) ~= 354 ), and then realized the problem was simply that you mis-typed the initial theorem.

      For anyone else thrown off, the correct rule is that there's approximately N / log( N ) primes less than N.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    5. Re:Um, this is news? by Anonymous Coward · · Score: 0

      It's quite easy. The NSA had a head start and unlimited funds. They just started generating those primes with the best algorithms all the way back in the 60s or 70s when encryption wasn't a thing yet in normal day to day communication. Just add new decommissioned computers to the calculation farm and let them calculate the primes for years until they break. Fast forward to 2010 and you had about 40 years of machines doing nothing but generating prime numbers. How long would it take for thousands of computers to calculate all prime numbers up to 4k bits? And do think about it, once you have the prime it is in a database that retrieves it in microseconds.

    6. Re:Um, this is news? by Anonymous Coward · · Score: 0

      How long would it take for thousands of computers to calculate all prime numbers up to 4k bits?

      A ridiculously stupid amount of time. You evidently haven't read the first reply to my comment.

      We're talking about the kind of amounts of work that prompted Bruce Schneier to quip, "...brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."

    7. Re:Um, this is news? by ShanghaiBill · · Score: 5, Informative

      For anyone else thrown off, the correct rule is that there's approximately N / log( N ) primes less than N.

      Sorry about that. But the math is still wrong. It is supposed to be ln (log base e) and I did the calculations with log2. So the number of primes less than 2^256 should be (2^256/177) = 6.5e74, not 4.5e74.

    8. Re:Um, this is news? by Anonymous Coward · · Score: 0

      LOL is this the same website where people pack their suitcases and prepare to colonize the universe at the merest hint of a NASA artist's impression?

    9. Re: Um, this is news? by Anonymous Coward · · Score: 1

      Breaking classical Diffie-Hellman is much easier than that. The paper discusses a well known sub-exponential method for breaking DH. It's costly but it makes breaking 1024-bit DH keys a matter of months, not eons. And considering that most software uses fixed DH parameters instead of dynamically generating them (it's been proven safe to do so for over a decade--even OpenSSL can do it if you ask it nicely), cracking just a handful of DH parameters has given the NSA access (at least offline) to the majority of secure communications.

      There are no known sub-exponential attacks for Elliptic Curve Diffie-Hellman. That's partly why smaller keys are more secure. However, there's no proof that such attacks do not exist, and it's possible the NSA has discovered one.

      The truly paranoid may wish to investigate quantum computer resistant algorithms like NTRU. But be careful--there have been setbacks recently in this area. Recent discoveries show the cryptographic community to have been insufficiently cautious in some of their designs and overzealous in trying to improve performance. (Lattice based cryptography tends to be much slower than DH or RSA, and the keysizes are often measured in kilobytes, not bits.)

    10. Re:Um, this is news? by Anonymous Coward · · Score: 0

      How do people come up with large primes? Do they just pluck a big odd number out of the air and test it to see if it is a prime? (Even I know it has to be an odd number.)

      Something else I've wondered about, but never knew where to ask:

      Do people ever encrypt where instead of creating a one time pad they instead pass a short note like: "Start at the 63rd digit of the 5th root of the sine of .8858"? Or is it too computationally challenging to compute a bunch of digits for something like the 5th root of a number?

    11. Re: Um, this is news? by Anonymous Coward · · Score: 0

      Pretty accurate guess; in fact choosing a random number out of the air and then testing it for primality is vital to security. If there were a known cheap way to generate prime numbers then the primes people chose would be biased toward the smaller set of primes produced that way, making brute force vastly more effective. Once a random integer is picked you start with the simplest tests (prime sieve) and then get into number theory like Rabin-Miller primality testing. It turns out that primality is polynomially decidable but that's slower than using statistical methods to become 99.999...% sure that a number is prime, which is good enough for cryptography.

    12. Re: Um, this is news? by Anonymous Coward · · Score: 0

      There are specific types of prime which can be found more easily than just picking a big random odd number, but essentially yes. A random number is chosen, then probabilistic tests are run to determine if it's likely to be prime. It is actually possible that the number isn't prime, but this can be made an arbitrarily small possibility by running more tests.
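The procedure the two replies above describe, as an added example (not the thread's code and not OpenSSL's): pick a random odd candidate, throw it out cheaply by trial division against a sieve of small primes, then run Miller-Rabin until the residual chance of a composite is negligible. It generates a safe prime p = 2q + 1 and a generator for it, which is what `openssl dhparam` also produces; the 64-bit size, the seed and the sieve limit are chosen for the example so it runs in well under a second, whereas real DH parameters are 2048 bits or more.

```python
"""How a DH modulus is actually made: random candidate, cheap sieve, then
Miller-Rabin.  Added example (not from the thread or any library); the
64-bit size keeps the search under a second, real parameters are 2048
bits or more and produced by tools such as `openssl dhparam`."""
import random


def small_primes(limit: int = 1000):
    """Primes below `limit` by the sieve of Eratosthenes, for trial division."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


SMALL_PRIMES = small_primes()


def miller_rabin(n: int, rounds: int = 40, rng=random) -> bool:
    """Probabilistic primality test; a composite passes each round with
    probability <= 1/4, so 40 rounds leave an error bound of 2**-80."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:              # trial division catches most composites
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                # a is a witness: n is composite
    return True


def random_safe_prime(bits: int, rng: random.Random) -> int:
    """Return p = 2q + 1 with q prime and p exactly `bits` bits long.
    Safe primes are the usual DH choice because the group then has no
    small subgroups for an attacker to push a peer's key into."""
    while True:
        # q has bits-1 bits, top bit set, odd: p = 2q+1 then has `bits` bits
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        # cheap filter first: neither q nor p may have a small factor
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue
        if miller_rabin(q, rng=rng) and miller_rabin(p, rng=rng):
            return p


def find_generator(p: int) -> int:
    """Smallest g that generates the whole group mod a safe prime p:
    its order divides 2q, so it suffices that g^2 != 1 and g^q != 1."""
    q = (p - 1) // 2
    g = 2
    while pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        g += 1
    return g


def generate_params(bits: int = 64, seed: int = 2015):
    """Seeded for reproducibility in this example; real code uses os.urandom."""
    rng = random.Random(seed)
    p = random_safe_prime(bits, rng)
    return p, find_generator(p)


if __name__ == "__main__":
    print(generate_params())
```

The seeded `random.Random` is there only so the example is reproducible; anything that matters must draw its candidates from the operating system's CSPRNG, and, per the paper's argument, a server that generates its own modulus this way forces an attacker to repeat the whole precomputation for that one modulus.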

    13. Re: Um, this is news? by Anonymous Coward · · Score: 0

      The truly paranoid may wish to investigate quantum computer resistant algorithms like NTRU.

      I'd argue that good crypto is vital these days to have freedom of speech survive. (I first recall seeing this argument on one of Bruce Schneier's articles.) I think we need it everywhere and for everything, from trivial to critical. The sheer mass of it will make it difficult for the governments of the world to spy on its citizens en masse and in theory, some form of freedom of speech can be preserved, without the fear that it will trigger some government's keyword match and end up with said person on a list for nothing more than speech that doesn't agree with those in power. Once on said list, which may not have well defined criteria, it might then be possible to prevent them from even getting employment, or worse. Sure, crypto can be used for bad guys, but so can water, and like water it is likely to become vital to preventing or at least mitigating against abuse of power. The power governments in the world have now make the ideas in 1984 look tame. The best we can likely hope for is to have it where the governments have to choose their targets, rather than just letting them datamine everything and everyone. In short it should be difficult to remove a person's right to privacy. At the very least it should be just as hard as it would be to force them to give up their guns....

    14. Re:Um, this is news? by Chrisq · · Score: 4, Funny

      Apparently you have no clue how many ages of the universe it would take to enumerate the 256-bit primes.

      We are nerds here, so let's calculate it. The number of primes less than N is approx ln(N), so the number of primes less than 2^256 = (2^256/256) = 2^248 = 4.5e74. If you computed one prime per Planck time, it would take this long: 4.5e77 * 5.4e-44 secs/planckTime / (1.38e10 years/universe * 3600 * 24 * 365) = 2.3e12, or about 2 trillion times the age of the universe. 512 bit primes would take considerably longer.

      Once you calculate the list of primes, you need to figure out where to store it. Storing 4.5e74 numbers is problematic, since that is about a quintillion times the number of atoms in the sun.

      We can be fairly certain that the NSA is not just relying on a lookup table.

      Yes but with Moor's law we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

    15. Re:Um, this is news? by Cederic · · Score: 1

      We'll let you off, as you got the important element entirely accurate and sufficiently precise:

      512 bit primes would take considerably longer.

    16. Re:Um, this is news? by Anonymous Coward · · Score: 0

      Yes but with Moor's law we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

      No, they will eventually slow down time itself, causing the people watching them to live forever even with their diet of chips and bud light, and lifestyle of a couch potato.

    17. Re:Um, this is news? by Chrisq · · Score: 2

      Yes but with Moor's law we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

      No, they will eventually slow down time itself, causing the people watching them to live forever even with their diet of chips and bud light, and lifestyle of a couch potato.

      But by that time the American spectators will be so heavy that they form a black hole, meaning not even the athletes can get away.

    18. Re:Um, this is news? by jratcliffe · · Score: 1

      Yes but with [b]Moor's law[/b] we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

      Assume your best friend is telling the truth about your wife's infidelity without actually confronting her and hearing her side of the story?

  5. No one is surprised by TechyImmigrant · · Score: 5, Insightful

    We're long past the point where we knew RSA, simple Diffie-Hellman, SHA-1 and NIST curves need to go in the bin. This is one more nail in the coffin.
    The standards I'm working in have gone Ed25519, Curve25519 ECDH, Shake128, AES, etc. 128 bits, sane curves, modern hashes. Rearranging the TLS deck chairs won't help.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:No one is surprised by Anonymous Coward · · Score: 1

      +1 to OPs post, TLS sucks because it even allows such older algorithms to be used in the negotiation along with possible fixed/common primes!

    2. Re:No one is surprised by jonwil · · Score: 4, Informative

      If you use 2048 bit or 4096 bit RSA and you don't make mistakes in generating the key, RSA is still perfectly fine to use short of a quantum attack (even if the NSA had a classified supercomputer that was more powerful than all the supercomputers on the top 100 list combined filled with custom RSA-cracking ASICs they still can't crack high-strength RSA using any known mathematical formula).

      I do agree that TLS needs replacing with a new protocol that only supports the strongest encryption (that means 256 bit AES, at least 2048 bit RSA, ECDH with perfect forward secrecy and SHA2/SHA3 for hashing) and has no mechanism to downgrade to any older protocols or to weaker encryption like MD5, SHA1, RC4 etc.

    3. Re:No one is surprised by Darinbob · · Score: 2

      Same problem remains. If you keep using the same initial parameter (large prime, elliptic curve, etc) then once that is cracked you have very easy access to what is derived from that parameter. The keys/secrets/whatever still need to be refreshed periodically. I.e., the hardcoded public key may be quite secure for a while, but over several years it loses security. If the NSA really wants to break your system then they just need to break that one public key, maybe they put their best computers on it for a couple of years, and once broken you're screwed.

    4. Re:No one is surprised by Burdell · · Score: 4, Informative

      There's no need for a new protocol; TLS allows you to configure servers and clients to restrict the available ciphers. That's why the browser vendors have been able to push out MD5 (and moving on SHA-1), RC4, RSA 2048 bit, etc. No protocol changes were necessary; just remove ciphers from the supported list used to negotiate the connection.

      BTW: research indicates that AES256 may in fact be slightly weaker than AES128, in some use cases. Both still have no practical attacks, even for nation-state level attacks; at this time, there is no evidence that AES256 would be "more secure" in practical terms (i.e. billions of years to break one encrypted message) than AES128. Given that, there is no reason to replace AES128 with AES256, now or in the foreseeable future. Odds are that if some attack vector against AES is found, it will be time to move to a new algorithm, not just more bits/rounds.
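What "just remove ciphers from the supported list" looks like in practice, as an added example (not the commenter's configuration, not OpenSSL's or Python's own documentation): a server-side context from Python's `ssl` module restricted to ECDHE key exchange and AEAD suites, next to an audit that sorts OpenSSL cipher names by the problem they carry. Finite-field DHE suites get their own bucket because, per the paper, they are only as strong as the (often shared, often 1024-bit) prime behind them. The regular expression, the bucket names and the sample legacy list are constructed for the example; the audit of the live context depends on the OpenSSL build Python is linked against.

```python
"""Cipher-suite restriction from Python's ssl module, plus an audit that
sorts OpenSSL cipher names by the problem they carry.  Added example
code, not the thread's; the regular expression and the sample legacy
list are constructed for it."""
import re
import ssl

# Families this thread says browsers and servers have been dropping: RC4,
# MD5, NULL and export suites, single/triple DES, anonymous DH/ECDH.
# Anchored on the '-' separators of OpenSSL names so 'AES' never matches 'DES'.
BROKEN = re.compile(r"(^|-)(RC4|MD5|NULL|EXP|DES|ADH|AECDH)")

# Only ECDHE (and TLS 1.3, which is always ephemeral) key exchange, only
# AEAD bulk ciphers.  No finite-field DHE suite is enabled, so the shared
# 1024-bit primes the paper attacks never come into play.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"

# Constructed sample: the kind of list `openssl ciphers` prints for a
# server left on a post-BEAST 'prefer RC4' configuration.
LEGACY_CIPHER_NAMES = [
    "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "AES128-SHA",
    "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "EXP-RC4-MD5",
]


def classify_ciphers(names):
    """Bucket OpenSSL cipher names.  'ffdhe' suites are not broken as such
    but depend entirely on the prime behind them; 'no_forward_secrecy'
    suites use static RSA key transport, so one leaked key decrypts the past."""
    report = {"broken": [], "ffdhe": [], "no_forward_secrecy": [], "ok": []}
    for name in names:
        if BROKEN.search(name):
            report["broken"].append(name)
        elif name.startswith(("DHE-", "EDH-")):
            report["ffdhe"].append(name)
        elif name.startswith(("ECDHE-", "TLS_", "TLS13-")):
            report["ok"].append(name)
        else:
            report["no_forward_secrecy"].append(name)
    return report


def hardened_context() -> ssl.SSLContext:
    """Server-side context restricted the way the comment above describes:
    the protocol is unchanged, only the negotiable list shrinks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    # OpenSSL >= 1.1 picks the ECDHE curve (X25519 / P-256) itself; a real
    # server would load its certificate here with ctx.load_cert_chain().
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Classify what the context would actually offer in a handshake."""
    return classify_ciphers(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("legacy  :", classify_ciphers(LEGACY_CIPHER_NAMES))
    print("hardened:", audit_context(hardened_context()))
```

Because the hardened string never enables a `DHE-` suite, the server needs no `dhparam` file at all; a server that must keep finite-field DHE for old clients should instead load its own freshly generated 2048-bit parameters with `ctx.load_dh_params()` rather than rely on a library default.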

    5. Re:No one is surprised by Burdell · · Score: 2

      That's like saying "IP sucks because it allows telnet!". TLS supports cipher negotiation; there is nothing that says you have to configure your server and/or browser to allow MD5, RC4, 1024-bit RSA, SHA-1, etc.; in fact, those have been/are being deprecated by browser vendors (and have already been removed from most secure server configs).

    6. Re: No one is surprised by Anonymous Coward · · Score: 0

      Quantum computers will break AES128, but not AES256. AES256 is considered "weaker" only because attacks have been shown which reduce the effective work by more than attacks on AES128. But it's relative to the benchmark work factor in each case. In absolute terms AES256 is much stronger than AES128.

    7. Re:No one is surprised by Bengie · · Score: 1

      There is a related key attack that doesn't affect AES128 but reduces AES192 to 2^176 ops and AES256 to 2^119 ops. It does require that the key you're trying to attack does not change during the duration of the attack and requires you to have a way to influence the generation of new keys in known ways. By sending in data to the remote server and having it encrypt the data, you can see how the data changes.

      A practical attack like trying to attack a web server's session key would require that you generate at least 2^119 sessions, assuming a new key per session, which is not the norm. Then you would need to send 2^119 payloads of data and retrieve the information. You still need to process the data.

      Once you include the 15 packets of TCP+SSL round trips and even minimum 64byte packets, that's 960 bytes. Let's assume at least 1024 bytes because I'm ignoring other overheads like TCP, HTTP headers, and session cookies. 1024 bytes times 2^119 is 618,970,019,642,690,137,449,562,112 TiB.

    8. Re:No one is surprised by Anonymous Coward · · Score: 0

      Pretty silly comment since TLS is designed to give you control over what ciphers you allow in your implementation.

    9. Re:No one is surprised by Anonymous Coward · · Score: 0

      LibreSSL is also planning to remove all of the insecure and old crap from their newer API IIRC, which should help immensely.

    10. Re:No one is surprised by gweihir · · Score: 1

      SHA1 does not need to go into the bin for all applications. For password-hashing it is still fine, if iterated and salted appropriately. Please stop spreading FUD.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:No one is surprised by gumbi+west · · Score: 1

      crap, I wondered why I was getting so much odd traffic. Shouldn't have built my server to that spec.

    12. Re:No one is surprised by Big+Hairy+Ian · · Score: 1

      This is all pretty academic as the Quantum Computer Juggernaut is almost here.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    13. Re:No one is surprised by Anonymous Coward · · Score: 0

      The problem is that newer is not necessarily better. I don't trust NIST much at the moment thanks to the NSA plants in it, nor do I trust anything with the words "elliptic curve" in it (especially any with "magic" constants).
      The old algorithms like RSA and DH are simple in concept, and have withstood the test of time algorithmically. Sure key lengths had to get longer due to Moore's law and some computational improvements, but no serious attacks exist against them. It's unwise to ditch these methods any sooner than we have to.

    14. Re:No one is surprised by TechyImmigrant · · Score: 2

      The problem is that newer is not necessarily better. I don't trust NIST much at the moment thanks to the NSA plants in it, nor do I trust anything with the words "elliptic curve" in it (especially any with "magic" constants).
      The old algorithms like RSA and DH are simple in concept, and have withstood the test of time algorithmically. Sure key lengths had to get longer due to Moore's law and some computational improvements, but no serious attacks exist against them. It's unwise to ditch these methods any sooner than we have to.

      I'm afraid in asymmetric signatures and Diffie Hellman, newer certainly is better.

      The security of RSA is steadily being chipped away by improvements in index calculus. That is why RSA keys need to be so much longer than ECC keys.

      The issue of magic constants is termed 'rigidity' by crypto nerds. I.e., did the algorithm designer get to choose between multiple possible versions? Or did they have to follow a defined procedure to get to the values in the spec. Rigidity is one of the safecurves criteria and the only sane thing to do with elliptic curves is go with the safecurve compliant algorithms.

      Five years ago I was arguing strongly (and successfully) against the adoption of ECC in certain standards because there were a number of uncertainties. Events have since shown that to be correct. The death of binary fields, the NIST curve constants, the twist insecurity of P-224, etc. Now the tables have turned between RSA and ECC. We have a much better understanding of the security of ECC and how to build good ECC curves. We know NIST curves are untrustworthy. We know the sidechannel properties of hardware implementations of group multiplication over different prime group orders over ECC curves. RSA is getting weaker steadily, mostly through better cryptanalysis and sidechannel issues. If you're deploying RSA-2048 in a product that has to last 20 years, you're making a big gamble. If you deploy RSA-1024, you're not taking the problem seriously.

      The LogJam attack that was doing the rounds yesterday highlighted the folly of doing Diffie Hellman in prime fields, rather than elliptic curves. The paper didn't adequately address the issue that fixing a prime in a spec is something you really want to do for a number of reasons but they got the recommendations right - move to ECC. Moore's law caught up with the practice (of fixing primes for prime fields over which to do the DH). Don't make the mistake of inventing complex prime negotiation protocols. Move to ECC.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    15. Re:No one is surprised by TechyImmigrant · · Score: 1

      Unfortunately, web sites haven't kept up. If you want to be able to communicate over TLS with the usual crop of web sites, dropping SHA-1 and RC4 is not an option.

      It's grim out there in TLS land.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    16. Re:No one is surprised by TechyImmigrant · · Score: 1

      Pretty silly comment since TLS is designed to give you control over what ciphers you allow in your implementation.

      But it fails in practice because both ends have to agree on something and the required ciphers are determined by the worst best case algorithm out there on the interwebs. Software libraries react accordingly and support RC4, SHA-1, RSA1024 etc. and users have no clue how to select their ciphers.

      The spec writers need to step up and define in the standard and protocols how old mechanisms don't just get deprecated, but how they actually go away.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    17. Re: No one is surprised by TechyImmigrant · · Score: 1

      The AES256 key schedule is not confidence inspiring. I won't be surprised if the attacks on it improve to the point where AES256 is actually worse than AES128, rather than theoretically.

      AES256 is only theoretically worse because you can't brute force O(2^128) and you can't brute force O(2^112). So it's a wash.

      The attacks on the key schedule are limited to certain uses. But it's a slippery slope.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    18. Re:No one is surprised by TechyImmigrant · · Score: 1

      Can you offer a reason to prefer it over a better algorithm with better properties that takes less compute power and has been subject to a rigorous standardization process? E.G. Shake128. I can't.

      There are existing deployments by the millions. But wherever there is a choice for new deployments, going with the old thing is the behavior that has led us to where we are today with TLS.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    19. Re: No one is surprised by Anonymous Coward · · Score: 0

      You can drop RC4 at least (IE6 is gone).

    20. Re: No one is surprised by TechyImmigrant · · Score: 1

      The recommendation to web site hosts to address the beast attack was to go back to RC4 because the browsers supported it and the servers supported it. The right thing would be to go forward to a decent mode like CCM or GCM, but that would require the browsers to support them and they don't universally support those modes.
      E.G.
      https://blogs.gnome.org/mcatan...
      https://community.qualys.com/b...

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    21. Re:No one is surprised by gweihir · · Score: 1

      Can you offer a reason to prefer it over a better algorithm with better properties that takes less compute power and has been subject to a rigorous standardization process? E.G. Shake128. I can't.

      Obviously you have no experience in the real world, or you would have found the glaringly obvious scenario. It really is quite simple: Applications that already use it, but in a task where it is secure. Replacing it is effort, causes problems and may even introduce security problems. Claiming it is generally insecure is problematic and unprofessional.

      Incidentally, "takes less compute power" is undesirable in password hashing.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:No one is surprised by RockDoctor · · Score: 1
      I've had this recently on corporate stuff - Firefox would refuse to connect to their intranet because of weak DH key lengths (I forget the exact message). The Hell-desk's solution: use IE 7 or 8, as they deployed onto the machine. And they gave me that instruction, in writing, even after I told them that I wouldn't accept responsibility for any subsequent data breaches.

      Their data, their responsibility, their problem.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  6. tl;dr they cheated by OffTheLip · · Score: 1

    Influence the outcome.

  7. Prime by valnar · · Score: 0

    So are they saying that encryption protocols aren't using....optimus prime numbers?

  8. NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 0

    I always use 17 as my large prime for DH. I doubt they've cracked it yet.

    1. Re:NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 1

      17 isn't prime....

      CAP == 'disallow'

    2. Re:NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 0

      Half of 17 is 8.5. Out of the numbers 2, 3, 4, 5, 6, 7, and 8, which one can evenly divide 17?

    3. Re: NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 1

      You forgot 1 from your list, and 17/1 has no remainder.

    4. Re: NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 0

      The real fail in his logic is that he thought 17/2 was relevant. You only need to check the primes up to the square root of the number you're looking at...

    5. Re:NSA cracked my prime (17) yet? by Intron · · Score: 1

      I always use 17 as my large prime for DH. I doubt they've cracked it yet.

      Everybody else uses odd primes, so I always use an even prime.

      --
      Intron: the portion of DNA which expresses nothing useful.
    6. Re:NSA cracked my prime (17) yet? by Anonymous Coward · · Score: 1

      You thought we were gonna think 2, but I know ur secret is 0. 0 goes an integer number of times into any other number! It also goes a non integer number of times into any other number, but I doubt that disqualifies it in the eyes of the Lord.

    7. Re: NSA cracked my prime (17) yet? by nedlohs · · Score: 1

      And N/2 is >= sqrt(N) for N>=4 (and since we take the integer floor of the result works for the 4 natural numbers that missed anyway), and thus provides a perfectly valid upper bound - not optimal but there was no claim that it was.

  9. Logjam by Anonymous Coward · · Score: 0

    How is this news? Sounds like they are just describing the logjam attack which was published earlier this year

    1. Re:Logjam by TechyImmigrant · · Score: 4, Informative

      How is this news? Sounds like they are just describing the logjam attack which was published earlier this year

      They are estimating the computation effort to build a number field sieve to efficiently compute logs over the 1024 bit prime groups in common use for plain old Diffie Hellman.
      They recommend elliptic curves and not the NIST curves. From TFP:

      "Transition to elliptic curves. Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks. Current elliptic curve discrete log algorithms for strong curves do not gain as much of an advantage from precomputation. In addition, ECDH keys are shorter than in “mod p” Diffie-Hellman, and shared-secret computations are faster. Unfortunately, the most widely supported ECDH parameters, those specified by NIST, are now viewed with suspicion due to NSA influence on their design, despite no known or suspected weaknesses. These curves are undergoing scrutiny, and new curves, such as Curve25519, are being standardized by the IRTF for use in Internet protocols. We recommend transitioning to elliptic curves where possible; this is the most effective long-term solution to the vulnerabilities described in this paper."

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Logjam by Anubis+IV · · Score: 1

      You must've seen a pre-published description of Logjam, since this is the paper that first presented it. The second sentence even starts with, "First, we present Logjam [...]". So yeah...

    3. Re:Logjam by Anonymous Coward · · Score: 0

      Sorry if this is a dumb question, but I use openssl dhparam to generate a 4096-bit DH parameter file. Does that make a difference?

    4. Re:Logjam by Anonymous Coward · · Score: 0

      >Why not try an all meat diet? Smarter people than you do: http://www.jbc.org/content/87/...

      Because you'll become very unhealthy from nutritional deficiencies. There's a reason that people eat vegetables.
      A lot of stupid people think they're smart.
      A lot of stupid people think they're smart.

    5. Re:Logjam by Anonymous Coward · · Score: 0

      This will come as a shock to all the Innu living perfectly well on an all-meat diet. Oh wait, you're an effete first-worlder that doesn't eat organ meats?

    6. Re:Logjam by Lothsahn · · Score: 1

      ECDH is possibly backdoored by the NSA. From what we know, DH is mathematically sound, provided you generate your own, large enough (2048b or larger) prime.

      ECDH in TLS only uses curves proposed by NIST. Some cryptographers believe that constants used to pre-compute the curves are in fact backdoored, which would explain how they decrypt most of the traffic. Curve25519 and a few others are very likely safe, but not available in TLS1.2. ALL available ECDH curves in TLS were proposed by NIST.

      I believe that between precomputed ECDH curves and Logjam, the NSA is able to decrypt nearly all https traffic.

      https://www.schneier.com/blog/...
      "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." - Bruce Schneier on ECDHE curves in TLS

      I trust Bruce.

      Ideally, the standards body would introduce Curve25519 to TLS1.2. Until then, server operators need to take this advice, configure their servers to prefer DHE (not EC) with 2k+ keys, and turn off older ciphers including EC*.

      Oh, and get Firefox to fix this bug: https://bugzilla.mozilla.org/s...

      --
      -=Lothsahn=-
    7. Re:Logjam by TechyImmigrant · · Score: 1

      Sorry if this is a dumb question, but I use openssl dhparam to generate a 4096-bit DH parameter file. Does that make a difference?

      It would help mitigate that attack by increasing the workload to build the number field sieve. But it would increase the load at both ends. Switching to Curve25519 ECDH or Goldilocks or some other good elliptic curve would reduce the load at both ends and prevent the logjam attack.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
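The question above (does a 4096-bit dhparam file make a difference?) has a check that goes with it: the group a server actually uses is sent in the clear in the TLS 1.2 DHE ServerKeyExchange message, so its size is visible to anyone on the path, including whoever is doing the precomputation. The parser below, an added example and not code from this thread, from OpenSSL or from the paper, decodes the ServerDHParams structure as laid out in RFC 5246 section 7.4.3 (three length-prefixed opaque vectors: p, g, Ys) and reports whether the group meets a 2048-bit minimum. The sample message, the odd 1024-bit and 2048-bit values standing in for hard-coded moduli, the public value and the trailing signature bytes are all constructed for the demonstration; the stand-in moduli are not real primes.

```python
"""Inspect a TLS 1.2 DHE ServerKeyExchange body and report the negotiated
Diffie-Hellman group size.

Added example (not code from the thread, OpenSSL or the Logjam paper).
Per RFC 5246 section 7.4.3 the body for DHE suites begins with
ServerDHParams { opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>;
opaque dh_Ys<1..2^16-1>; }: each field is a 2-byte big-endian length
followed by the value.  The signature that follows is left unparsed.
"""
import struct


def _read_opaque16(buf, offset):
    """Return (value_bytes, next_offset) for one <1..2^16-1> vector."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("bad vector length")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(body):
    """Parse ServerDHParams; returns p, g, Ys as ints plus the size of p."""
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    p = int.from_bytes(p_bytes, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),
        "remaining": len(body) - off,  # bytes of signature data not parsed
    }


def is_well_formed(body):
    """True when the three vectors parse cleanly (no truncation)."""
    try:
        parse_server_dh_params(body)
        return True
    except ValueError:
        return False


def assess_dh_group(params, min_bits=2048):
    """Defender's verdict: a list of problems, empty when the group is acceptable."""
    bits = params["p_bits"]
    problems = []
    if bits < min_bits:
        problems.append(f"{bits}-bit group below {min_bits}-bit minimum")
    if params["p"] % 2 == 0:
        problems.append("p is even")
    if not (2 <= params["ys"] <= params["p"] - 2):
        problems.append("server public value out of range")
    return problems


def build_server_dh_params(p, g, ys):
    """Encode ServerDHParams; used only to construct the sample messages."""
    out = b""
    for v in (p, g, ys):
        vb = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(vb)) + vb
    return out


# Constructed sample values: odd numbers of the right bit length standing in
# for hard-coded moduli (not real primes), generator 2, an arbitrary public
# value, and 8 placeholder bytes where the signature would be.
SAMPLE_P_1024 = (1 << 1023) | 0x1234567
SAMPLE_P_2048 = (1 << 2047) | 0x1234567
SAMPLE_YS = 0x0123456789ABCDEF << 900
FAKE_SIGNATURE = b"\x04\x01" + struct.pack("!H", 4) + b"\xde\xad\xbe\xef"
SAMPLE_SKE_1024 = build_server_dh_params(SAMPLE_P_1024, 2, SAMPLE_YS) + FAKE_SIGNATURE
SAMPLE_SKE_2048 = build_server_dh_params(SAMPLE_P_2048, 2, SAMPLE_YS) + FAKE_SIGNATURE

if __name__ == "__main__":
    for name, body in (("1024-bit sample", SAMPLE_SKE_1024), ("2048-bit sample", SAMPLE_SKE_2048)):
        params = parse_server_dh_params(body)
        print(name, params["p_bits"], "bits:", assess_dh_group(params) or "ok")
```

On a capture, the body to feed in is the handshake message payload after the 4-byte handshake header (type 12, length) of the ServerKeyExchange record; a server that loaded a 4096-bit dhparam file will show 4096 in `p_bits`, and a server on a hard-coded 1024-bit group shows 1024, which is the case the paper's precomputation targets.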
    8. Re:Logjam by TechyImmigrant · · Score: 1

      Yep. Get Curve25519 ECDH deployed. It's a good option for O(2**128) bit security bounds. And yes, the short term TLS solution is to move to bigger prime fields for DH.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. Posted this a couple of years ago... by Panaflex · · Score: 5, Insightful

    When the NSA leaks happened, I investigated this and promoted it as a possible attack vector.

    NOTE - You can generate a new set of moduli like so:

    # ssh-keygen -G moduli-2048.candidates -b 2048
    # ssh-keygen -T moduli-2048 -f moduli-2048.candidates

    Put the results in /etc/ssh/moduli

    WARNING: This takes forever. Also, according to man ssh-keygen:

    It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli.

    It's not possible to regenerate and share many moduli quickly - hence the reuse of moduli. SSH has support for x25519 algorithms - this definitely means I'll be moving away from pre-computed DH moduli also.

    --
    I said no... but I missed and it came out yes.
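Regenerating moduli is the slow path; the quick mitigation the post hints at is to audit the file sshd already has and drop the groups below a chosen size. The script below is an added example, not code from the post or from OpenSSH. It parses the moduli file format (per moduli(5): time, type, tests, tries, size, generator, modulus in hex), checks each line's size field against the modulus (the size field is the bit length minus one, so a 2048-bit group is recorded as 2047), filters out small groups, and can optionally run a safe-prime check on a line with Miller-Rabin. The sample lines are constructed: the large entries are all-ones values of the right length and deliberately not prime, and the last entry is the toy safe prime 59 so the deep check has something real to pass.

```python
"""Audit an OpenSSH moduli file (what ssh-keygen -T writes and
/etc/ssh/moduli holds) for Diffie-Hellman groups below a chosen size.

Added example; not code from the post or from OpenSSH.  Fields per
moduli(5): time type tests tries size generator modulus(hex).  The size
field is the bit length minus one (a 2048-bit group is recorded as 2047),
which is why the usual shell one-liner is: awk '$5 >= 2047' /etc/ssh/moduli
"""
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by small primes (seeded for repeatability)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def parse_moduli(text):
    """Parse moduli lines into dicts; comment and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append({
            "line": line,
            "size": int(fields[4]),
            "generator": int(fields[5], 16),
            "modulus": int(fields[6], 16),
        })
    return entries


def audit_entry(entry, min_bits=2048, deep=False):
    """Return a list of problems with one group; an empty list means it passes."""
    p, g = entry["modulus"], entry["generator"]
    bits = p.bit_length()
    problems = []
    if entry["size"] != bits - 1:
        problems.append(f"size field {entry['size']} but modulus has {bits} bits")
    if bits < min_bits:
        problems.append(f"{bits}-bit group below {min_bits}-bit minimum")
    if p % 2 == 0:
        problems.append("modulus is even")
    if deep:
        # Safe-prime check: p and q = (p-1)/2 both prime, g of full order 2q.
        q = (p - 1) // 2
        if not is_probable_prime(p):
            problems.append("modulus is not prime")
        elif not is_probable_prime(q):
            problems.append("(p-1)/2 is not prime; not a safe prime")
        elif pow(g, q, p) != p - 1:
            problems.append("generator does not generate the full group")
    return problems


def filter_strong(text, min_bits=2048):
    """Lines that pass the cheap checks; writing these back to /etc/ssh/moduli
    is the sshd-side Logjam mitigation when you cannot regenerate."""
    return [e["line"] for e in parse_moduli(text) if not audit_entry(e, min_bits)]


def _constructed_modulus(bits):
    """All-ones value of the given length: right shape, deliberately not prime."""
    return format((1 << bits) - 1, "X")


# Constructed sample file (not real moduli).
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus   (constructed sample)",
    "20151020120000 2 6 100 1023 2 " + _constructed_modulus(1024),
    "20151020120000 2 6 100 2047 2 " + _constructed_modulus(2048),
    "20151020120000 2 6 100 4095 2 " + _constructed_modulus(4096),
    "20151020120000 2 6 100 2047 2 " + _constructed_modulus(1536),  # mislabelled size
    "20151020120000 2 6 100 5 2 3B",  # p = 59 = 2*29+1, toy safe prime, generator 2
])

if __name__ == "__main__":
    for e in parse_moduli(SAMPLE_MODULI):
        print(e["size"], audit_entry(e) or "ok")
    print(len(filter_strong(SAMPLE_MODULI)), "groups kept")
```

The deep check is slow on real 4096-bit entries (that is exactly the work ssh-keygen -T spends its minutes on), so run it only when you suspect a tampered file; the cheap size audit is what belongs in a configuration check.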
    1. Re:Posted this a couple of years ago... by bunratty · · Score: 5, Funny

      WARNING: This takes forever.

      Ain't nobody got time for that!

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 1

      Forever? It depends if you're doing this on an ARM powered router, or a personal computer. It took 10 minutes or so on an ancient 2004 Intel Xeon. Not really long for a security boost between workstation and server. If the generation process wasn't single threaded (for a good reason I'm guessing) then it would be much, much faster.

      On an old i5-2500K:

      ssh-keygen -G moduli-2048.candidates -b 2048
      ------
      real 2m8.848s

      ssh-keygen -T moduli-2048 -f moduli-2048.candidates
      ------
      real 3m11.198s

      I wish I could make coffee this fast. Now if this was 4096 and above moduli you would be right, it takes a long damn time.

    3. Re:Posted this a couple of years ago... by Xylantiel · · Score: 1

      Do the moduli need to be a pre-shared secret? (I don't think so) If not, why does the server not just compute them in the background and change periodically? That seems to be what is suggested in the first section of RFC 4419. Why wasn't that implemented?

    4. Re:Posted this a couple of years ago... by chipschap · · Score: 3, Insightful

      This is probably politically incorrect to say but, whatever you think of NSA .... I'm impressed with the fact that they've assembled a core staff of brilliant mathematicians who do amazing things ... whether you like those things or not.

    5. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      Yes, that was the consensus 2 years ago; what the NSA and Snowden had done, respectively, was nothing short of epic: https://en.wikipedia.org/wiki/Pwnie_Awards#2013

    6. Re:Posted this a couple of years ago... by Lothsahn · · Score: 1

      SSH has support for 25519 ECDHE, which is great.

      TLS does not. All EC curves in TLS are proposed by NIST, and possibly backdoored. You probably don't want to use EC crypto with HTTPS.
      http://slashdot.org/comments.p...

      --
      -=Lothsahn=-
    7. Re:Posted this a couple of years ago... by Mr.CRC · · Score: 1

      The NSA appears to be one of the few competent .gov agencies. Quite ironic that the government only does well mostly things it really shouldn't do.

    8. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      The moduli are pre-shared public values. In other words, everyone is allowed to know the moduli. In fact almost every implementation picks one of the default moduli which are listed in some RFC; there are different moduli for different key lengths.

      You could change them according to some schedule, but both sides of the conversation need to use the same moduli.

    9. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      It takes about 3 days in an old Xeon X5550 to generate a new set of "moduli" for SSH, with all key sizes present in the upstream "moduli" file, but it will result in a *small* number of valid moduli with large sizes.

      And these things are _not_ security sensitive, so you can just generate them in the cloud. Or we could create a distributed effort with bragging rights prizes, like Seti@home, etc. If we end up with a very large moduli file, it will be hell for anyone trying to rainbow-table it.

    10. Re:Posted this a couple of years ago... by AmiMoJo · · Score: 2

      I'm disappointed that those brilliant minds would waste them violating the laws of their own country and attacking their own people. The money is probably good, but they could be using their talents to make us all safer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      There's more evidence to suggest it's incompetent at doing things it shouldn't do (health care, education, food stamps, social security, etc).

    12. Re:Posted this a couple of years ago... by david_thornley · · Score: 1

      The NSA has several different purposes. One is surveillance in the US, which they should not be doing. One is safeguarding US communications, which they sometimes do and sometimes don't. One is gathering intelligence from other countries, which they should be doing.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    13. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      "I'm disappointed that those brilliant minds would waste them violating the laws of their own country and attacking their own people."

      You're under the dangerous illusion the government worked for you. The rich want to keep control over the masses, their politics and public opinion. They do that via control of information.

      In his 1970 book Between Two Ages: America's Role in the Technetronic Era, Brzezinski wrote the following.

      "The technetronic era involves the gradual appearance of a more controlled society. Such a society would be dominated by an elite, unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing even the most personal information about the citizen. These files will be subject to instantaneous retrieval by the authorities."

      http://www.amazon.com/gp/product/0670160415

      The internet is a threat to all institutions of power (aka the rich and their corporations). The free flow of information is detrimental to their goals and aims (profits and control over us).

      The (mass surveillance) by the NSA/others and abuse by law enforcement is just more part and parcel of state suppression of dissent against corporate interests. They're worried that more people are going to wake up and corporate centers like the US and Canada may be among those who also awaken. See this vid with Zbigniew Brzezinski, former United States National Security Advisor.

      https://www.youtube.com/watch?v=Ttv6n7PFniY&feature=youtu.be&t=11

      Brzezinski at a press conference

      https://www.youtube.com/watch?v=0kmUS--QCYY

      States experiencing serious systemic "handicaps":

      https://youtu.be/0kmUS--QCYY?t=246

      Major powers, and imposing control over the awakened masses.

      https://youtu.be/4usbR_kKCDs?t=397

      Crisis of democracy

      https://www.youtube.com/watch?v=ZYFxtNgOeiI

      WIKILEAKS: U.S. Fought To Lower Minimum Wage In Haiti So Hanes And Levis Would Stay Cheap

      http://www.businessinsider.com/wikileaks-haiti-minimum-wage-the-nation-2011-6

      The real news:

      http://therealnews.com/t2/

      http://www.amazon.com/Democracy-Incorporated-Managed-Inverted-Totalitarianism/dp/069114589X

      http://www.amazon.com/Shadow-Government-Surveillance-Security-Single-Superpower/dp/1608463656/

      http://www.amazon.com/National-Security-Government-Michael-Glennon/dp/0190206446/

      The Citibank memo

      http://politicalgates.blogspot.ca/2011/12/citigroup-plutonomy-memos-two-bombshell.html

      US distribution of wealth

      https://imgur.com/a/FShfb

      http://www2.ucsc.edu/whorulesamerica/power/wealth.html

      Protectionism for the rich and big business by state intervention, radical market interference.

      https://www.youtube.com/watch?v=WHj2GaPuEhY#t=349

    14. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      Forgot a link, you need this:

      Science on reasoning:

      https://www.youtube.com/watch?v=PYmi0DLzBdQ

    15. Re:Posted this a couple of years ago... by Mr.CRC · · Score: 1

      Yes you are quite right. I really just wanted to express the irony of government competence occurring mostly when the .gov is doing stuff counter to the well being of its citizens.

    16. Re:Posted this a couple of years ago... by Anonymous Coward · · Score: 0

      8 minutes and it's not even running on multiple cores...
      Your forever is a tad short.

    17. Re:Posted this a couple of years ago... by Panaflex · · Score: 1

      Thanks for the feedback.

      Sorry, I was evaluating SSH security protocols and was looking to add moduli generation and DH exchanges last year.

      Ideally, it would be nice to generate high-quality moduli for each new connection. 8 minutes in your case, and more than an hour on an ARM core. Forever in terms of algorithms and network connections.

      --
      I said no... but I missed and it came out yes.
  11. Scott Aaronson has an excellent summary by JoshuaZ · · Score: 5, Informative

    Scott Aaronson has an excellent summary of this research on his blog: http://www.scottaaronson.com/b... One point that Scott makes that is easy to lose track of is how much working this out required people on both the theoretical crypto end and the practical crypto end to work together. This is a combination of multiple vulnerabilities and some clever number theory.

  12. The necessary question. by geekmux · · Score: 4, Insightful

    "...many applications tend to use standardized or hard-coded primes."

    If the suggested theory of static primes holds true, during application design, what part of the definition of random did we not quite understand?

    Given the impact, this stands as the golden example of what not to do Ever again.

    1. Re:The necessary question. by Anonymous Coward · · Score: 0

      If the suggested theory of static primes holds true, during application design, what part of the definition of random did we not quite understand?

      As usual, XKCD has the answer.

    2. Re:The necessary question. by sandbagger · · Score: 1

      An issue is that random typically doesn't mean what it's taken to mean in plain language. True randomness is actually hard since you've got to have some mechanism chugging away spitting out numbers. Understanding how (pseudo) random is defined goes a long way to reducing the size of the haystack in your search for the needle.

      --
      ---- The above post was generated by the Turing Institute. Maybe.
    3. Re:The necessary question. by Anonymous Coward · · Score: 0

      I thought there was (unproven but provocative) theoretical justification for believing that true randomness does not exist. Not hardware generators, not software generators, nothing.

      Isn't this just the information loss problem in another coat?

    4. Re:The necessary question. by Anonymous Coward · · Score: 0

      It would certainly be provocative to suggest that quantum randomness isn't. For example, the individual events that go to make up the wave interference pattern you see when you do the 2-slit experiment with electrons.

      I'm not saying that physicists haven't postulated this (hidden variables for example) or that it isn't an interesting idea, but it is certainly not standard.

    5. Re: The necessary question. by Anonymous Coward · · Score: 0

      In cryptography randomness usually means unpredictable. You don't need quantum mechanics for something to be unpredictable. There are classical phenomena which evolve so quickly, even at tiny scales, that no computer could possibly predict the output in the remaining time afforded before the heat death of the universe even given an initial state. This is how most "true" RNGs work (thermal noise, etc, which can be perfectly modeled with thermodynamics.)

      Were you referring to the information paradox? Similar answer: just because we know the information isn't lost doesn't mean it can be known. The information can be so disordered that there wouldn't be enough energy in the universe to reconstitute it into something usable.

      It's like trapdoor functions undergirding public cryptography--the inverse operation does not always have the same computational complexity. The costs can be exponentially different. Putting the egg back together is way more difficult than breaking it.

  13. Maybe they're not by wonkey_monkey · · Score: 5, Insightful

    How Is the NSA Breaking So Much Crypto?

    Maybe they're not. They're hardly going to tell you what they can't crack.

    --
    systemd is Roko's Basilisk.
    1. Re:Maybe they're not by pixelpusher220 · · Score: 2

      Another site's take was if they couldn't crack it they'd be in line with the FBI for back doors in software.

      That they aren't nearly as vocal can be construed to mean it doesn't matter to them since they don't need the back doors.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    2. Re:Maybe they're not by Impy+the+Impiuos+Imp · · Score: 1

      It is in their interest to let people think they have cracked or hacked this, Windows, HTTPS, TOR, whatever, even if they haven't.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:Maybe they're not by Anonymous Coward · · Score: 0

      Another site's take was if they couldn't crack it they'd be in line with the FBI for back doors in software. That they aren't nearly as vocal can be construed to mean it doesn't matter to them since they don't need the back doors.

      Ah, the old 'if it could be true, then it must be true' logical fallacy.

    4. Re:Maybe they're not by DarkOx · · Score: 5, Interesting

      Right but if you are really concerned about opsec you'd use two or more layers anyway.

      Something like HTTPS or Tor will make your traffic opaque to most parties. They are common protocols that don't attract the attention of anyone who isn't already watching you specifically. So they are a good choice for an outer layer. We also think if the right cipher suites are selected they are mathematically sound / secure. They should not depend on an obscurity component, aside from the negotiated key that is part of their normal operation.

      I might then make up an inner layer. Lots of attacks on the outer layer protocols tend to be downgrade attacks or attacks that cause selection of ciphers the attacker knows how to break. Just using another layer of TLS inside the tunnel might be a fine idea.

      Finally a third layer of something with a PSK for the symmetric cipher that is a little more obscure but not known to have any problems. Obscure means of course not as well tested, perhaps one of the rejected candidate algorithms for AES or a modified version of something existing. This does not have to be mathematically as good; it's mainly there to frustrate someone with an undisclosed ability to breach the other layers. It will make their tools not work out of the box. If they have the ability to break the other layers chances are they can break this one as well, but you will make them work for it. The third level analyst with the metasploit module will need some help! This will buy you time.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Maybe they're not by Anonymous Coward · · Score: 0

      I think it is more in their interest to let people think they haven't cracked even if they have - the 'enemy' might keep using defeated technology rather than switch to something else.

    6. Re: Maybe they're not by Anonymous Coward · · Score: 0

      given that openssl and mainstream software are steaming piles of shit, there does not appear to be a need for mathematicians.

      this entire article insults rationality.

    7. Re:Maybe they're not by Cramer · · Score: 1

      Nah. It just means the NSA is more secretive about it. (read: they already "have their ways"... waterboarding, spies, backdoors, weakened protocols, etc.)

    8. Re:Maybe they're not by Bogtha · · Score: 1

      Another site's take was if they couldn't crack it they'd be in line with the FBI for back doors in software.

      In that case, the NSA don't need to crack the crypto, they just need to crack the FBI.

      --
      Bogtha Bogtha Bogtha
    9. Re:Maybe they're not by rtb61 · · Score: 1

      Crack the FBI, it seems pretty much like both the NSA and CIA have shattered the FBI with purposefully planted agents as well as recruited FBI agents. If anyone needs to crack crypto it is the FBI and they need to crack both the CIA and NSA otherwise democracy in the US is likely to collapse under the corruptive weight of extortion schemes ("we will let you continue to commit crimes as long as you do these things for us").

      --
      Chaos - everything, everywhere, everywhen
  14. Not quite the same. by sstamps · · Score: 5, Insightful

    So, in short, they're not breaking crypto, they are breaking shitty implementations of crypto.

    So basically, like using a one-time pad multiple times.

    Well, I guess it's time to start sorting the wheat from the chaff and start ditching fixed-prime implementations wholesale.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
    1. Re:Not quite the same. by ColdWetDog · · Score: 2

      What they are really saying is that rubber-on-the-road crypto (see, a car analogy) is very hard. So you're likely to be doing it wrong, whatever it is that you're doing.

      --
      Faster! Faster! Faster would be better!
    2. Re:Not quite the same. by TechyImmigrant · · Score: 2

      So, in short, they're not breaking crypto, they are breaking shitty implementations of crypto.

      No. They are estimating the cost of breaking standardized crypto and pointing out that it is within reach of state agencies.
      There are standards that don't suffer these problems and other problems and yet still use pre-defined static primes.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Not quite the same. by Anonymous Coward · · Score: 1

      You're mistaken. The "there seemed to be no reason why everyone couldn't just use the same prime" bit came out of the crypto community, not some poor understanding of the protocol.

      The attack was based on a theoretical breakthrough in discrete logarithms and broke some of our assumptions about DH.

      Regarding the fix, switching to ECC probably makes more sense than redesigning the TLS protocol to also agree on a prime (mainly because the handshake has led to so many man-in-the-middle vulnerabilities in the past). Increasing the minimum key length is also an option.

    4. Re: Not quite the same. by Anonymous Coward · · Score: 0

      i have a car, a motorbike and cash for train tickets. no need for primes.

    5. Re:Not quite the same. by SuricouRaven · · Score: 1

      It's very difficult to actually implement crypto unless you are a highly capable mathematician with a specialism in number theory. That's why the sensible thing is always to use libraries that have been vetted by people who know what they are doing.

    6. Re:Not quite the same. by Anonymous Coward · · Score: 0

      Also known as "passing the bucket". How do you assess if those fine people knew what they were doing?

    7. Re:Not quite the same. by Anonymous Coward · · Score: 0

      And unfortunately you should also be a competent practical coder, which is where OpenSSL fell down.

  15. Alternatives? by grahamsz · · Score: 2

    While there are a few alternatives to RSA (though they share some mathematical similarity) I'm not aware of any non-quantum replacement for DH. That obviously makes it a natural candidate for any kind of focussed attack.

    I honestly had no idea that most implementations fixed p. It seems obvious in retrospect that this could lead to the creation of a giant LUT.

    1. Re:Alternatives? by Anonymous Coward · · Score: 0

      Off the top of my head, the Supersingular Isogeny Diffie-Hellman Key Exchange should work as a (nearly) drop-in replacement for (EC)DH key exchanges. It's currently believed that 768-bit keys are sufficient to provide 128-bit security from quantum attacks (and somewhat higher for classical).

    2. Re:Alternatives? by delt0r · · Score: 1

      The reason people did this was to make checking easier. If I use a big prime and then a subgroup (typical for DH) that is randomly generated, I must check everything to make sure that everything matches the required mathematical properties. For example I can use a random curve for EC, but first I must check it is not one of the known weak curves. Then I need to calculate the order of the curve, which can be fairly slow. Hence agree beforehand on a fixed curve.

      --
      If information wants to be free, why does my internet connection cost so much?
  16. NSA measures their computer resources in units of by Anonymous Coward · · Score: 0

    acres.

    And has done so for decades. That should go a long way to explain their abilities. Also, not all of it is commodity hardware but includes ASICs.

    Also, who's to say they don't control one or more botnets to harvest even more computing resources from the public?

  17. OLD news by Lennie · · Score: 2

    This is the original logjam attack from May this year.

    Even the PDF points to the same site:
    https://weakdh.org/

    --
    New things are always on the horizon
    1. Re:OLD news by Anonymous Coward · · Score: 0

      Back in May it wasn't peer-reviewed.

    2. Re:OLD news by Lennie · · Score: 1

      And still pretty much everyone reacted and fixed a whole bunch of things.

      So in practice it doesn't really matter.

      Anyway, it would have been great if the summary had mentioned it. :-)

      --
      New things are always on the horizon
    3. Re:OLD news by Anonymous Coward · · Score: 0

      Indeed, updated packages for Apache, nginx, openssh that implemented the fixes detailed in the paper, to prevent use of weak dh groups. Hell, Debian wheezy even got an Apache package which backported the ability to specify your own generated DH group inside the certificate.

  18. Not the only vector by WillAffleckUW · · Score: 2

    All of your chips and transmission devices also have direct backdoors.

    Yes, all of them.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Not the only vector by Anonymous Coward · · Score: 0

      True that.

      With enough time and effort, you can ALWAYS find unencrypted 0's and 1's somewhere.

    2. Re:Not the only vector by WillAffleckUW · · Score: 1

      Also in your track control processor and keyboard buffers.

      --
      -- Tigger warning: This post may contain tiggers! --
  19. I'm going to sound like a Judas by Rinikusu · · Score: 0

    But fuck.. some part of me would love to work at the NSA doing this sort of shit (and getting paid to do it). Yeah, there's the whole "but you're undermining FREEDOM!" angle, but there's a part of me that wants to ignore that and play with amazing shit.

    Then again, there's a lot of folks who scoff at the NSA doing it, but hey, if Apple, Google, or FB had done it it'd be some sort of market miracle or some bullshit. :/

    --
    If you were me, you'd be good lookin'. - six string samurai
    1. Re:I'm going to sound like a Judas by Microlith · · Score: 1

      Then again, there's a lot of folks who scoff at the NSA doing it, but hey, if Apple, Google, or FB had done it it'd be some sort of market miracle or some bullshit.

      Bullshit yes, 'tis what you spout. If any of those had found a way to break encryption as the NSA had, I would expect a paper on it much like this and a push to deprecate whatever was broken. Particularly given their businesses are built upon secure communications. Instead, the NSA breaks it and uses it to spy on everyone.

    2. Re:I'm going to sound like a Judas by Anonymous Coward · · Score: 0

      Does that make you a patriot? I can't keep track due to my "doublethink" being miscalibrated. Seems like a trademark with multiple camps fighting for it.

  20. No. It would take you forever. by trout007 · · Score: 1

    When you have the ability to create your own money by entering into a computer you have the resources to do it relatively quickly.

    --
    I love Jesus, except for his foreign policy.
  21. Because they own the CAs? by Anonymous Coward · · Score: 0

    Easier to crack the companies, not the code. The CA model is broken, and the NSA is part of why.

  22. ex post facto by PopeRatzo · · Score: 1

    The NSA isn't "breaking crypto".

    It was pre-broke for them.

    --
    You are welcome on my lawn.
  23. LIES by Anonymous Coward · · Score: 1

    It's a complete lie. Trust the math.

    Anytime they have cracked something, they already had some information or used a keylogger or something similar. In a situation where they had to perform a complete crack, they are mostly out of luck.

    Strong indications are that Snowden is a government plant, and that his mission was to convince the public and rest of the world that the NSA was more capable than they actually are.

    1. Re:LIES by Anonymous Coward · · Score: 0

      Mod parent up.

    2. Re:LIES by Anonymous Coward · · Score: 0

      The paper is full of math. It checks out. They might be wrong about what the NSA is actually doing of course; but the math proves that even if the NSA isn't cracking all that crypto *yet*, they (and other large security orgs) do have the resources to do so.

    3. Re:LIES by fahrbot-bot · · Score: 1

      Strong indications are that Snowden is a government plant, ...

      Judging from photos, perhaps some type of Fern...

      --
      It must have been something you assimilated. . . .
  24. It's Easy by WankerWeasel · · Score: 1

    I've worked in computer forensics for almost 10 years and worked with countless government agencies around the world. Years ago I watched one of the 3-letter agencies crack BitLocker in under 30 seconds. It's funny how many insist there is no way and dismiss the idea without a second thought. Now new evidence is showing that they certainly have the technology to do so. Maybe it's time to not be so quick to dismiss such thoughts.

    1. Re:It's Easy by Anonymous Coward · · Score: 0

      BitLocker

      If you just want to keep your wife out of your porn BitLocker is fine, but anybody who is using Microsoft crypto to protect themselves from the US Government is a fool.

    2. Re:It's Easy by linuxrocks123 · · Score: 1

      Assuming you're not just spouting bullshit, most likely you witnessed a dictionary attack against a weak password.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
  25. Good thing actually by 140Mandak262Jamuna · · Score: 1

    This will separate the wheat from the chaff. People who know security and take it seriously will make sure they spend the resources to find a couple of large primes and base their keys on them. The equivalent of script kiddies who just download some binaries with security hashing algorithms and use them without understanding them will get cracked. Not just by NSA. Anyone with a budget and determination will. All the governments.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Good thing actually by skids · · Score: 1

      Well, for the more-BYOD-than-BYOD sector, what will happen is we'll install a new VPN that is not quite as crusty as our old one which always "just worked" and so never got budgeted for an upgrade, configure it for best practices security, and then weaken it when 10% of the must-have clients turn out to be too crummy to deal and don't support installation of a 3rd party client, even if we could get front-row to shoulder the support burden involved in doing that (or doing an on-site CA and dealing with cert installation.)

      (I'm going to try to sell the idea of forcing those weakest-link clients to use a different SAP IP so we can tell them apart and not cripple security for the rest, we'll see how that goes.)

  26. Because.... by Anonymous Coward · · Score: 0

    ... the negotiation always happens and those / that part of the data is always collected by the NSA.
    Now, if the negotiation happened via some other transport mechanism (think sneaker-net), yes,
    that's virtually unbreakable except by brute-force.

    I kinda thought everybody knew that...

  27. Re:NSA measures their computer resources in units by Anonymous Coward · · Score: 0

    Also, who's to say they don't control one or more botnets to harvest even more computing resources from the public?

    So despite no evidence that it is true, you consider the fact that this speculation can not be disproven (due to its nature) as proof of its truth?

  28. The intern's been playing with the CSS again by Hognoxious · · Score: 1

    Anybody else seeing the headline as:

    How Is the NSA Breaking So Much
                        (freedom-
    Crypto? to-tinker.com)

    ???

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:The intern's been playing with the CSS again by Tailhook · · Score: 1

      Everyone except the monkey that broke it.

      --
      Maw! Fire up the karma burner!
  29. Re:Not Surprising by Cramer · · Score: 1

    If it has the keys (i.e. is one of the SSL endpoints), SURE. A random SSL connection between two nodes... not a fucking chance. (null certificate + man-in-the-middle don't count as that makes the firewall an endpoint)

  30. Mathematicians by Anonymous Coward · · Score: 0

    You do know that the NSA has more mathematicians than any other organization on the planet.

    1. Re:Mathematicians by Deadstick · · Score: 1

      Worst office Christmas party ever.

    2. Re:Mathematicians by Immerman · · Score: 1

      Actually most of the mathematicians I have known have been pretty fun people to hang out with. Maybe you're thinking of accountants?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re:Mathematicians by Anonymous Coward · · Score: 0

      Maybe that says more about you than them ?

  31. Of course they can decrypt HTTPS by The-Ixian · · Score: 1

    They can MITM anyone they want and they almost certainly have the ability to mint any certificate they wish....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Of course they can decrypt HTTPS by SuricouRaven · · Score: 1

      That's great for targeted interception, but you can't use it for large-scale surveillance. Try that and it won't be long before someone notices the suspicious mismatch of certificate hashes.

  32. no shit by behrooz0az · · Score: 1

    I read about how DH works years ago and this was the first thing that came to mind. It's there. Just go read.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  33. Re:NSA measures their computer resources in units by Anonymous Coward · · Score: 0

    Ummm, no, I think he was just speculating. That's why he said "who's to say".

    That's what speculation is, you suggest something that may be true without evidence.

    It's not like he said "I'm absolutely sure that they control botnets...."

    Sheesh.

  34. Cryptowall Solution? by Voyager529 · · Score: 1

    I'm certain you've got codebreakers breaking codes. If you're able to do this, and you'd like to establish a shred of good will, would you kindly package it into simple-to-use applications that will allow users to decrypt files held ransom by Cryptowall? You'd be strengthening your image while simultaneously hurting the economy of the sketchy side of the internet.

    Warm regards,
    Voyager529

    1. Re:Cryptowall Solution? by coofercat · · Score: 1

      The sketchy side of the internet (in part) supplies them with the tools of their trade. Given all the other sh*t these agencies have been up to, I wouldn't be surprised to find out they were in charge of some ransomware so that they could fund other extra-curricular activities (via suitable layers of third parties, of course).

  35. nsa has both keys by Anonymous Coward · · Score: 0

    hah. well if you have both keys in encryption, data no longer safe.

  36. Another possible option by IWantMoreSpamPlease · · Score: 3, Insightful

    Say you can crack it, even if you can't. Security researchers around the world will try to figure out how you did it, and in the end, show you what to do.

    Sort of like Reagan-era Star Wars. Drove the Russians crazy (and broke) trying to replicate non-existent technology because they took our word for it, that we had done it.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
  37. Set weak standards by AHuxley · · Score: 1

    The ability to create, shape, sell, and attack weak international crypto would be the easy key to decades of "the ability to crack current public encryption".
    A "computing breakthrough" could just be in cheap storage, fast sorting that allows a collect it all ability after getting plain text.
    Nothing much has really changed from the ideas of the 1950's. Set weak junk encryption, get the majority of users accepting a weak standard and then collect it all.
    It worked for diplomatic hardware in the 1950-90's. Just keep pushing the easy to break standards and really smart nations line up to buy and install junk crypto globally.
    How did it work? Nations only tested for man in the middle attacks or trying to force the crypto. The West had the design, trap door, keys so getting back plain text was not an issue :)
    In the past words and important messages had to be kept or sorted in real time. Now the 1970's-90's breakthrough is collect it all.
    Low prices, created in neutral nations, great marketing, seeing fake reports about other advanced nations trusting the same systems are the most easy tricks to sell bad crypto.
    The other magic was to buy up or create crypto front companies with endless gov funding if a really private sector secure product ever emerged every generation or so.
    Other more simple and direct methods also stopped development of advanced independent domestic crypto.
    The clues to how the NSA works on all emerging crypto are in the crypto history books.
    How did the UK break the Soviet embassy codes in the 1930's? They hired the person who worked on them.
    Ernst Fetterlein https://en.wikipedia.org/wiki/...
    Weak codes, finding the correct staff, ensuring other nations never create good crypto or buy into junk standards.

    --
    Domestic spying is now "Benign Information Gathering"
  38. again they have both keys to the castle!!! by Anonymous Coward · · Score: 0

    if you got both keys your encryption is uselesssssssssss.
    or you have asics built to crack.
    simple. why such a mystery?

  39. 1024 DH Keys Are Not Current by DERoss · · Score: 1

    The journal article cited addresses Diffie-Hellman (DH) certificates with 1024 bits. For browsers, such certificates are being deprecated. Certification authorities are not supposed to issue intermediate certificates or sign subscriber certificates that have less than 2048 bits, and Mozilla reserves the right to require even larger certificates.

    Furthermore, the OpenPGP format allows even larger DH parts of the DH/DSS encryption keys. My own DH/DSS key is 4096/1024. The 4096 is the size of the DH part. The 1024 is the size of the one-time, temporary DSS key used to encrypt my files; that temporary key is then itself encrypted with my DH key and appended to the encrypted file. Since a new DSS key is generated each time I encrypt a file -- even for the same file -- the smaller size does not bother me.

    1. Re:1024 DH Keys Are Not Current by Anonymous Coward · · Score: 0

      The paper is talking about the DH group sizes and not about certificate key lengths (which are using RSA usually anyway). It is actually not about any keys, but the groups used in the key exchange.
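To make the reply's distinction concrete (the group (p, g) is a long-lived parameter shared by every connection that uses it, while the secret exponents are fresh each time), here is an added Python example that is not from the paper, the thread, or any project named here. It validates a Diffie-Hellman group the way a defender checking a deployed configuration would (p is a safe prime, g generates the prime-order subgroup, received public values are sanity-checked) and then runs one ephemeral exchange over it. The primes 23 and 107 in the usage lines are constructed toy stand-ins; real groups are 2048 bits or more.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random witnesses.

    Trial division by the first few primes handles small inputs exactly.
    """
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    # write n - 1 = 2**r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """A safe prime p has q = (p - 1) / 2 prime as well, so Z_p* only has
    subgroups of order 1, 2, q and 2q: there are no small subgroups to hide in."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_subgroup_generator(p: int, g: int) -> bool:
    """g should generate the prime-order subgroup of size q.  A generator of
    the full group (order 2q) would leak the low bit of every secret exponent."""
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, q, p) == 1


def find_subgroup_generator(p: int) -> int:
    """Smallest g accepted by is_subgroup_generator (p must be a safe prime)."""
    g = 2
    while not is_subgroup_generator(p, g):
        g += 1
    return g


def validate_public_value(p: int, y: int) -> bool:
    """Reject 0, 1, p - 1 and anything outside the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_exchange(p: int, g: int) -> tuple:
    """One ephemeral exchange over the shared group (p, g).

    Returns the shared secret as computed by each side; they must agree.
    """
    if not (is_safe_prime(p) and is_subgroup_generator(p, g)):
        raise ValueError("refusing to use an unvalidated group")
    q = (p - 1) // 2
    a = 1 + secrets.randbelow(q - 1)  # Alice's secret exponent in [1, q-1]
    b = 1 + secrets.randbelow(q - 1)  # Bob's secret exponent in [1, q-1]
    pub_a = pow(g, a, p)
    pub_b = pow(g, b, p)
    if not (validate_public_value(p, pub_a) and validate_public_value(p, pub_b)):
        raise ValueError("peer sent an invalid public value")
    return pow(pub_b, a, p), pow(pub_a, b, p)


if __name__ == "__main__":
    for p in (23, 107):  # constructed toy safe primes; real groups are >= 2048 bits
        g = find_subgroup_generator(p)
        shared_a, shared_b = dh_exchange(p, g)
        print(f"p={p} g={g} shared secrets agree: {shared_a == shared_b}")
```

The point for a defender is that every check above is about p and g, which a server may reuse for years, whereas a and b exist only for one connection; the computation the paper describes is spent once against p, so the size of p is the number that matters.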

  40. Re:NSA measures their computer resources in units by Nutria · · Score: 1

    Ummm, no, I think he was just speculating. That's why he said "who's to say".

    But he said it in the same conspiracy theorist manner as do nut jobs who "speculate" that Obama is a shape-shifting humanoid reptilian from Planet Nibiru.

    --
    "I don't know, therefore Aliens" Wafflebox1
  41. Nothing has been learned by RubberDogBone · · Score: 4, Insightful

    In the hacking/spy drama movie Sneakers, there is a scene where Robert Redford's character is confronted with an office door protected by a keypad lock, which cannot be picked. But he needs to get into that office. The lock looks impenetrable. Surely the mission is about to fail.

    So he asks his support team for help with the lock. What they tell him is never shown on screen, only Redford mumbling and agreeing to try it.

    He takes a couple steps back and KICKS IN THE DOOR. The lock was completely irrelevant, in the end.

    The lesson from that scene is extremely powerful when you understand the same lesson applies to ANY problem. When you are faced with a heavily secured door, or an encryption standard, the attack vector is often going to be something other than going through the face of the door or the front end of the encryption. What you'd do is KICK IN THE DOOR. And the TLAs know this and do exactly that. Their people have always kicked in doors while normal people look at the locks and shrug and walk away.

    --
    Sig for hire.
    1. Re:Nothing has been learned by CronoCloud · · Score: 1

      Don't forget they use social engineering in Sneakers as well, involving Mary McDonnell's character to get past the voiceprint lock of character actor Stephen Tobolowsky's character Werner Brandes.

      "My name is Werner Brandes, my voice is my passport."

      Prescient film, underrated in my opinion.

    2. Re:Nothing has been learned by MrKaos · · Score: 1

      Prescient film, underrated in my opinion.

      Too many secrets.

      --
      My ism, it's full of beliefs.
    3. Re:Nothing has been learned by MrKaos · · Score: 1

      Their people have always kicked in doors while normal people look at the locks and shrug and walk away.

      Locks are only there to remind honest people that they aren't supposed to be in there.

      --
      My ism, it's full of beliefs.
    4. Re:Nothing has been learned by Anonymous Coward · · Score: 0

      ssst.

      Setec Astronomy

    5. Re:Nothing has been learned by Anonymous Coward · · Score: 0

      ... keypad lock, which cannot be picked ...

      Unlikely. At some point, the electronic lock needs to send current to the locking mechanism. Drilling a hole in the correct spot would allow access to those wires. Rather like drilling a safe door to see the notches on the tumbler plates. This is why safes are hardened armour and contain drill-sensitive mechanisms.

      ... lock was completely irrelevant ...

      That is true for any building without hardened-glass windows. In most cases, a lock slows entry and proves entry occurred. Lock-picking or safe-cracking are rare skills, contrary to the movies. Also wrong in the movies are the complicated plans needed to open a lock. 'Firewall' and 'Thunderbolt and Lightfoot' are closer to reality.

    6. Re:Nothing has been learned by bentcd · · Score: 1

      The lesson from that scene is extremely powerful when you understand the same lesson applies to ANY problem. When you are faced with a heavily secured door, or an encryption standard, the attack vector is often going to be something other than going through the face of the door or the front end of the encryption. What you'd do is KICK IN THE DOOR. And the TLAs know this and do exactly that. Their people have always kicked in doors while normal people look at the locks and shrug and walk away.

      In this case the lock has performed its function: it prevented Redford from effecting a clandestine break-in. It is now obvious to the office owner when he returns that he has been burgled and he can take steps to minimize the damage that will result from it.

      In the security business it is accepted that ultimately you cannot prevent a determined attacker from gaining access to a physical location. The best you can do is 1) delay him and 2) force him to leave evidence that he was there.

      --
      sigs are hazardous to your health
    7. Re:Nothing has been learned by ExecutorElassus · · Score: 1

      Shit, somebody beat me to this movie reference, and then I went and posted it further downthread like an idiot.

      Welp, it was nice knowing you guys, I guess :(

    8. Re:Nothing has been learned by tibit · · Score: 1

      Locks that are considered up-to-snuff, security-wise, have a tamper-proof CPU with integrated hardware crypto and a coil driver on a ceramic substrate, buried right next to the coil. The coil is wound in a couple of sections to prevent simple "poke and energize" schemes. The magnet wire is bonded directly to the circuitry on the substrate. The power to the locking mechanism is always there. All that's required to unlock the lock is a proper command, sent over a properly encrypted link. It's done for the same reason that modern credit card strip readers encrypt right next to the head assembly, and the chip readers encrypt right in the chip on the card. You really don't want your plaintext, whether it's the CC number or the on/off boolean to be any more exposed than necessary.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:Nothing has been learned by binarstu · · Score: 1

      Prescient film, underrated in my opinion.

      I agree. I think it is one of the best "hacker" movies. As you and the GP have pointed out, one of the things that makes it so good is the repeated use of low tech to defeat high tech. Another good example is the way they defeat the ultrasonic/infrared motion detectors. In most films of the genre, the solution would be to magically break into the security system and remotely disable it. In Sneakers? Put on a neoprene suit and move really slowly. That is much more satisfying.

  42. Quantum-safe encryption? by Immerman · · Score: 5, Interesting

    So it seems to me that every time an encryption-breaking article comes up lots of people mention how such-and-such algorithms are (if implemented correctly) provably safe from non-quantum attacks. Considering though that quantum computers are probably somewhere just over the horizon, and the NSA etc. will almost certainly be among the first to get them, possibly years or decades before anyone else even knows they exist, that just doesn't seem very comforting. Especially if you're encrypting something that you would prefer to remain secure indefinitely, instead of just until the Q-codebreaker chews through the recorded backlog.

    So my question is, are there any common encryption algorithms capable of withstanding attack by a quantum computer? And if not, why not?

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
    1. Re: Quantum-safe encryption? by Anonymous Coward · · Score: 2, Informative

      Yes, there are quantum computer resistant public key crypto algorithms. A quick Google search would have shown you that. Wikipedia has decent summaries of the state of the art, as well.

    2. Re:Quantum-safe encryption? by juanfgs · · Score: 1

      DSA 256

    3. Re:Quantum-safe encryption? by juanfgs · · Score: 1

      my mind isn't cooperating today, pretty much any semantically secure algorithm with a key space of 256 bits or more should be safe https://www.schneier.com/blog/...

    4. Re:Quantum-safe encryption? by juanfgs · · Score: 1

      and I meant AES 256, yadda yadda

    5. Re:Quantum-safe encryption? by Anonymous Coward · · Score: 0

      Don't be an idiot, there isn't a single block cipher that is quantum resistant.

    6. Re:Quantum-safe encryption? by aurum42 · · Score: 1

      Discovering trolling has now become a problem with non-trivial cognitive load

      --
      "The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
    7. Re:Quantum-safe encryption? by sociocapitalist · · Score: 1

      So my question is, are there any common encryption algorithms capable of withstanding attack by a quantum computer? And if not, why not?

      "...most current symmetric cryptographic algorithms (symmetric ciphers and hash functions) are considered to be relatively secure from attacks by quantum computers."
      https://en.wikipedia.org/wiki/...

      --
      blindly antisocialist = antisocial
    8. Re: Quantum-safe encryption? by Anonymous Coward · · Score: 0

      if you're sufficiently paranoid shipping cds with pure random data around is always an option

    9. Re:Quantum-safe encryption? by JoshuaZ · · Score: 1

      Note that there aren't any crypto systems which are provably safe from quantum attacks, only systems where we strongly suspect them to be safe. At this point, other than one-time pads, we can't prove any system is even safe in a classical setting. For example, RSA and Diffie-Hellman both rely on conjectures which are strictly stronger than P != NP.

    10. Re:Quantum-safe encryption? by nvm_my_comment · · Score: 1
    11. Re:Quantum-safe encryption? by Anonymous Coward · · Score: 0

      Are you kidding? That was such a blatant troll it only takes a second to figure out. One time pads not actionable? They're very actionable as people are lazy, watch that communication channel and another message using the same one time pad is very likely to come through in the near future. Solution for factoring primes? It's always 1 and the number, that's the definition of a prime. Factoring primes in other bases harder? A prime is a prime no matter the base. Encryption and authentication shouldn't be tied together? Then what the hell is the purpose of encrypting your traffic when anyone can man in the middle it.

    12. Re:Quantum-safe encryption? by delt0r · · Score: 1

      Can you fit more bullshit per character in a post? I don't think so.

      At least read your own references.

      --
      If information wants to be free, why does my internet connection cost so much?
    13. Re:Quantum-safe encryption? by delt0r · · Score: 1

      Honestly the QC threat is very overstated. Don't forget that a 1000bit quantum computer *cannot* help at all for a 1001bit number/system. Also a 1001bit quantum computer is 2x harder to make than a 1000bit one. Also we are miles away from 8bits. Hell even if you get all the bits there are massive problems with the factoring method using a huge number of quantum operations giving further problems for decoherence.

      Long story short. It has not been shown that it is even physically possible to have a quantum computer of sufficient bits in this universe.

      --
      If information wants to be free, why does my internet connection cost so much?
    14. Re:Quantum-safe encryption? by delt0r · · Score: 1

      All symmetric ciphers are resistant to QC. It is a mathematical fact. Numb nuts.

      --
      If information wants to be free, why does my internet connection cost so much?
    15. Re:Quantum-safe encryption? by david_thornley · · Score: 1

      There are no crypto systems which are provably safe from conventional attacks. It is conceivable that P=NP, and that reasonable algorithms will be found for NP-complete problems. I really doubt it, but nobody can prove otherwise.

      Crypto systems are in NP, since given a potential key you can quickly confirm whether it's the correct key or not. It would be nice to prove a system NP-complete, but I haven't heard of one.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    16. Re:Quantum-safe encryption? by MrVictor · · Score: 1

      Yes. Categorically symmetric key crypto (the type that is used to secure system drives) is not vulnerable to quantum computer attacks like public key crypto is (the type used in stuff like HTTPS). In the post quantum world, most of the commonly used public-key algorithms will have to be thrown out. The situation is not without hope though. There are many algorithms up to the job.

      On the other hand, creating NSA-proof algorithms is a bit trickier. I think this is possible as long as you don't let the NSA on your standards committee and let them dictate curious details like they did with the Dual_EC_DRBG elliptic curve algorithm.

    17. Re:Quantum-safe encryption? by Anonymous Coward · · Score: 0

      Also the enigma machine is not possible in this universe and Germany has won the 1939-1951 war.

    18. Re: Quantum-safe encryption? by ChrisBoozer · · Score: 1

      They don't crack the cypher, they go around it using linguistic pattern analysis, if you don't pre-encrypt with a symmetric filter prior to encoding. Also an algorithm that constantly shifts like three card monte and uses multiple layers of encryption that are all changing encoding keys thousands of times a second like frequency hopping radio encoding. Harder to crack multiple moving targets.

    19. Re: Quantum-safe encryption? by delt0r · · Score: 1

      What the hell are you going on about? Do you know *anything* at all about encryption or how it is used? Do you know what CBC mode is? We don't use Caesar ciphers anymore you know.

      --
      If information wants to be free, why does my internet connection cost so much?
    20. Re:Quantum-safe encryption? by delt0r · · Score: 1

      There is a big difference here. The enigma machine was a real machine and had been built. Not so with a QC you dumb shit.

      --
      If information wants to be free, why does my internet connection cost so much?
    21. Re:Quantum-safe encryption? by Anonymous Coward · · Score: 0

      At the time it was in use the enigma machine was secret and if you asked they would tell you "There is no such thing you dumb shit".

      Are you a Stasi shill or just a tool?

    22. Re:Quantum-safe encryption? by delt0r · · Score: 1

      What the fuck dude? The Allies had actual enigma machines, and the code books. They were captured rather famously. Claiming they didn't exist? What is wrong with AC these days. They could troll a lot better back in the old days.

      --
      If information wants to be free, why does my internet connection cost so much?
  43. Covert? by MrKaos · · Score: 1

    It seems more like overt surveillance now.

    --
    My ism, it's full of beliefs.
  44. MacOS X using same moduli since 2012 by Anonymous Coward · · Score: 0

    MacOS X uses the OpenBSD moduli file, which also contains 1023-size keys and is identical on all Macs.
    /private/etc/moduli

    Probably a good idea to make new self generated ones with only 4k keys.
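Following up on the moduli file mentioned above, here is an added Python audit script that is not from the thread, OpenSSH or Apple. It reads lines in OpenSSH's moduli(5) layout (time, type, tests, tries, size, generator, modulus) and reports the groups a defender should retire: anything under 2048 bits (measured from the modulus itself rather than the size column), entries not typed as safe primes, and entries whose Tests bitmask lacks the Miller-Rabin flag. The sample lines are constructed with all-F placeholders of the right length, not real primes; pass a path such as /private/etc/moduli on the command line to audit a live file.

```python
import sys
from typing import Dict, List, Tuple

# "Tests" bitmask values from moduli(5)
TEST_COMPOSITE = 0x01
TEST_SIEVE = 0x02
TEST_MILLER_RABIN = 0x04
TYPE_SAFE_PRIME = 2  # "Type" column: (p-1)/2 is also prime

MIN_BITS = 2048  # groups below this are the ones the paper puts within reach


def parse_moduli(text: str) -> List[Dict]:
    """Parse moduli(5) lines: time type tests tries size generator modulus."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, mtype, tests, tries, size, gen, mod = fields
        modulus = int(mod, 16)
        entries.append({
            "line": lineno,
            "type": int(mtype),
            "tests": int(tests),
            "tries": int(tries),
            "size_field": int(size),
            "generator": int(gen, 16),
            # measure the modulus itself instead of trusting the size column
            "bits": modulus.bit_length(),
        })
    return entries


def audit(entries: List[Dict], min_bits: int = MIN_BITS) -> List[Tuple[int, List[str]]]:
    """Return (line, problems) for every entry that should be retired."""
    findings = []
    for e in entries:
        problems = []
        if e["bits"] < min_bits:
            problems.append(f"{e['bits']}-bit modulus is below {min_bits} bits")
        if e["type"] != TYPE_SAFE_PRIME:
            problems.append(f"type {e['type']} is not a safe prime (type 2)")
        if e["tests"] & TEST_COMPOSITE:
            problems.append("flagged composite")
        if not e["tests"] & TEST_MILLER_RABIN:
            problems.append("never passed a Miller-Rabin test")
        if problems:
            findings.append((e["line"], problems))
    return findings


# Constructed sample in moduli(5) layout; the all-F moduli are length
# placeholders of 1024, 2048 and 4096 bits, not real primes.
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20120101000000 2 6 100 1023 2 " + "F" * 256,   # 1024-bit, too small
    "20120101000000 2 6 100 2047 2 " + "F" * 512,   # 2048-bit, fine
    "20120101000000 2 2 100 4095 5 " + "F" * 1024,  # 4096-bit but sieve only
]) + "\n"


def audit_file(path: str = "/private/etc/moduli") -> List[Tuple[int, List[str]]]:
    """Audit a moduli file on disk (path from the comment above; assumed default)."""
    with open(path) as fh:
        return audit(parse_moduli(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit(parse_moduli(SAMPLE_MODULI))
    for line, problems in results:
        print(f"line {line}: " + "; ".join(problems))
```

Once the small groups are identified, the replacement the comment suggests is done with ssh-keygen's moduli generation and screening steps (newer releases use -M generate and -M screen; older ones use -G and -T), after which the flagged lines can be dropped from the file.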

  45. daddy is this why its all messed up by Anonymous Coward · · Score: 0

    Ye son, that and those @ oracle whom seek to plunder..

  46. Gestalt computing by Anonymous Coward · · Score: 0

    Gestalt computing

  47. Is the NSA breaking crypto? by Anonymous Coward · · Score: 0

    They're only breaking crypto that's already broken - which is actually quite a bit. There is still crypto they can't break, otherwise there wouldn't be calls for a ban on encryption.

  48. Simply generate recursively enumerable set by Anonymous Coward · · Score: 0

    Given a public key, it's said "impossible" to discover the associated private key.
    But if we generate *all* the pairs (private, public) keys, then we could index reversely. That's all.
    With a lot of work of computation (NS* has a big cluster of computers) we could calculate such index with public and private keys with size =N (typically N=1024).

    Think of that,

    1. Re:Simply generate recursively enumerable set by tibit · · Score: 1

      We could, if we had a couple trillion trillion trillion trillion universes at our disposal.

      --
      A successful API design takes a mixture of software design and pedagogy.
  49. What if... by marxmarv · · Score: 1

    they know what they're doing too well?

    --
    /. -- the Free Republic of technology.
  50. SEATEC INDUSTRIES by ExecutorElassus · · Score: 1

    Wasn't this the plot of Sneakers?

  51. trolling? by nvm_my_comment · · Score: 1

    In November this year, a new encryption protocol (Perpetual Encryption) will become available to the public

    Alright I guess we'll see in a month and half.

  52. Pay attention. by Anonymous Coward · · Score: 0

    First, you all need to realize this is a complete lie. It's a trick to get you into compliance, by making you think they are more capable than they really are. The Nazis used the same tactics.

    Second, those items that were decrypted were done so by other means. Successful Dictionary attacks, key logging, etc.

    Finally, you need to encrypt EVERYTHING and it needs to be a high number of bits; I suggest you go big or go home, say 8192 bits. And it not only needs to be the data that is encrypted, the practice of how it's implemented needs to be cryptic and secure as well, so key logging and dictionary attacks won't work.

    I'm sure somebody will say 8192 is too much. But I remember not long ago they said 56 bit was enough and would take millions of years to decrypt, yet today it's referenced as weak.

  53. The paper cited in TFA... by Anonymous Coward · · Score: 0

    ... is simply not credible. It only has 12 authors.

  54. NSA has quantum computing by Anonymous Coward · · Score: 0

    How can we be sure that the NSA doesn't have quantum computing? And even if they don't, they will be the FIRST to implement it on a massive scale once it is available.

    Won't quantum computing render most of our current encryption algorithm suite obsolete?

  55. and not just the NSA by Anonymous Coward · · Score: 0

    I have it on good authority that the Chinese government was able to read GMail and Microsoft mail (both encrypted) certainly at the start of this year; for some reason they seemed to have trouble with mail from one or two other sources, but imagine that this is now resolved as well.

    Apologize for posting anonymously.