Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Is the NSA Breaking So Much Crypto? (freedom-to-tinker.com)

Posted by timothy on from the ruling-out-beginner's-luck dept.

schwit1 writes: There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a "computing breakthrough" that gave them "the ability to crack current public encryption." The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.

If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn't just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to "crack" a particular prime, then easily break any individual connection that uses that prime.

36 of 217 comments (clear)

  1. Re:ugh... by Urquhardt · · Score: 2

    Just what I was thinking....

  2. well, if i told you... by turkeydance · · Score: 2, Funny

    and all that....

  3. No one is surprised by TechyImmigrant · · Score: 5, Insightful

    We've long past the point where we knew RSA, simple Diffie Hellman, Sha-1 and NIST curves need to go in the bin. This is one more nail in the coffin.
    The standards I'm working in have gone Ed25519, Curve25519 ECDH, Shake128, AES, etc. 128 bits, sane curves, modern hashes. Rearranging the TLS deck chairs won't help.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:No one is surprised by jonwil · · Score: 4, Informative

      If you use 2048 bit or 4096 bit RSA and you dont make mistakes in generating the key, RSA is still perfectly fine to use short of a quantum attack (even if the NSA had a classified supercomputer that was more powerful than all the supercomputers on the top 100 list combined filled with custom RSA-cracking ASICs they still can't crack high-strength RSA using any known mathematical formula)

      I do agree that TLS needs replacing with a new protocol that only supports the strongest encryption (that means 256 bit AES, at least 2048 bit RSA, ECDH with perfect forward secrecy and SHA2/SHA3 for hashing) and has no mechanism to downgrade to any older protocols or to weaker encryption like MD5, SHA1, RC4 etc.

    2. Re:No one is surprised by Darinbob · · Score: 2

      Same problem remains. If you keep using the same initial paramter (large prime, elliptic curve, etc) then once that is cracked you have very easy access to what is derived from that parameter. The keys/secrets/whatever still need to be refreshed periodically. Ie, the hardcoded public key may be quite secure for awhile, but over several years it loses security. If the NSA really wants to break your system then they just need to break that one public key, maybe they put their best computers on it for a couple of years, and once broken you're screwed.

    3. Re:No one is surprised by Burdell · · Score: 4, Informative

      There's no need for a new protocol; TLS allows you to configure servers and clients to restrict the available ciphers. That's why the browser vendors have been able to push out MD5 (and moving on SHA-1), RC4, RSA 2048 bit, etc. No protocol changes were necessary; just remove ciphers from the supported list used to negotiate the connection.

      BTW: research indicates that AES256 may in fact be slightly weaker than AES128, in some use cases. Both are still have no practical attacks, even for nation-state level attacks; at this time, there is no evidence that AES256 would be "more secure" in practical terms (i.e. billions of years to break one encrypted message) than AES128. Given that, there is no reason to replace AES128 with AES256, now or in the foreseeable future. Odds are that if some attack vector against AES is found, it will be time to move to a new algorithm, not just more bits/rounds.

    4. Re:No one is surprised by Burdell · · Score: 2

      That's like saying "IP sucks because it allows telnet!". TLS supports cipher negotiation; there is nothing that says you have to configure your server and/or browser to allow MD5, RC4, 1024-bit RSA, SHA-1, etc.; in fact, those are have been/are being deprecated by browser vendors (and have already been removed from most secure server configs).

    5. Re:No one is surprised by TechyImmigrant · · Score: 2

      The problem is that newer is not necessarily better. I don't trust NIST much at the moment thanks to the NSA plants in it, nor do I trust anything with the words "elliptic curve" in it (especially any with "magic" constants).
      The old algorithms like RSA and DH are simple in concept, and have withstood the test of time algorithmically. Sure key lengths had to get longer due to Moore's law and some computational improvements, but no serious attacks are exist against them. It's unwise to ditch these methods any sooner than we have to.

      I'm afraid in asymmetric signatures and Diffie Hellman, newer certainly is better.

      The security of RSA is steadily being chipped away by improvements in index calculus. That is why RSA keys need to be so much longer than ECC keys.

      The issue of magic constants is termed 'rigidity' by crypto nerds. I.E. Did the algorithm designer get to choose being multiple possible versions? Or did they have to follow a defined procedure to get to the values in the spec. Rigidity is one of the safecurves criteria and the only sane thing to do with elliptic curves is go with the safecurve compliant algorithms.

      Five years ago I was arguing strongly (and successfully) against the adoption of ECC in certain standards because there were a number of uncertainties. Events have since shown that be correct. The death of binary fields, the NIST curve constants, the twist insecurity of P-224, etc. Now the tables have turned between RSA and ECC. We have a much better understanding of the security of ECC and how to build good ECC curves. We know NIST curves are untrustworthy. We know the sidechannel properties of hardware implementations of group multiplication over different prime group orders over ECC curves. RSA is getting weaker steadily, mostly through better cryptanalysis and sidechannel issues. If you're deployment RSA-2048 in a product that has to last 20 years, you're making a big gamble. If you deploy RSA-1024, you're not taking the problem seriously.

      The LogJam attack that was doing the rounds yesterday highlighted the folly of doing Diffie Hellman in prime fields, rather than elliptic curves. The paper didn't adequately address the issue that fixing a prime in a spec is something you really want to do for a number of reasons but they got the recommendations right - move to ECC. Moore's law caught up with the practice (of fixing primes for prime fields over which to the DH) . Don't make the mistake of inventing complex prime negotiation protocols. Move to ECC.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Posted this a couple of years ago... by Panaflex · · Score: 5, Insightful

    When the NSA leaks happened, investigates this and promoted this as a possible attack vector.

    NOTE - You can generate a new set of moduli like so:

    # ssh-keygen -G moduli-2048.candidates -b 2048
    # ssh-keygen -T moduli-2048 -f moduli-2048.candidates

    Put the results in /etc/ssh/moduli

    WARNING: This takes forever. Also, according to man ssh-keygen:

    It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli.

    It's not possible to regenerate and share many moduli quickly - hence the reuse of moduli. SSH has support for x25519 algorithms - this definitely means I'll be moving away from pre-computed DH moduli also.

    --
    I said no... but I missed and it came out yes.
    1. Re:Posted this a couple of years ago... by bunratty · · Score: 5, Funny

      WARNING: This takes forever.

      Ain't nobody got time for that!

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Posted this a couple of years ago... by chipschap · · Score: 3, Insightful

      This is probably politically incorrect to say but, whatever you think of NSA .... I'm impressed with the fact that they've assembled a core staff of brilliant mathematicians who do amazing things ... whether you like those things or not.

    3. Re:Posted this a couple of years ago... by AmiMoJo · · Score: 2

      I'm disappointed that those brilliant minds would waste them violating the laws of their own country and attacking their own people. The money is probably good, but they could be using their talents to make us all safer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Scott Aaronson has an excellent summary by JoshuaZ · · Score: 5, Informative

    Scott Aaronson has an excellent summary of this research on his blog: http://www.scottaaronson.com/b... One point that Scott makes that is easy to lose track of is how much working this out required people on both the theoretical crypto end and the practical crypto end to work together. This is a combination of multiple vulnerabilities and some clever number theory.

  6. The necessary question. by geekmux · · Score: 4, Insightful

    "...many applications tend to use standardized or hard-coded primes."

    If the suggested theory of static primes holds true, during application design, what part of of the definition of random did we not quite understand?

    Given the impact, this stands as the golden example of what not to do Ever again.

  7. Maybe they're not by wonkey_monkey · · Score: 5, Insightful

    How Is the NSA Breaking So Much Crypto?

    Maybe they're not. They're hardly going to tell you what they can't crack.

    --
    systemd is Roko's Basilisk.
    1. Re:Maybe they're not by pixelpusher220 · · Score: 2

      Another site's take was if they couldn't crack it they'd be in line with the FBI for back doors in software.

      That they aren't nearly as vocal can be construed to mean it doesn't matter to them since they don't need the back doors.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    2. Re:Maybe they're not by DarkOx · · Score: 5, Interesting

      Right but if you are really concerned about opsec you'd use two or more layers anyway.

      Something like HTTPs or Tor will make your traffic opaque to most parties. They are common protocols that don't attract attention of anyone who isn't already watching you specifically. So they are good choice for an outer layer. We also think if the right cipher suites are selected they are mathematically sound / secure. They should not depend on an obscurity component, aside form the negotiated key that is part of their normal operation.

      I might then make up an inner layer. Lots of attacks on the outer layer protocols tend to be downgrade attacks or attacks that cause selection of ciphers the attacker knows how to break. Just using another layer of TLS inside the tunnel might be a fine idea.

      Finally a third layer of something with a PSK for the symetric cipher that is a little more obscure but not known to have any problems. obscure means of course not as well testing, perhaps on of the rejected candidate algorithms for AES or a modified version of something existed. This does not have to be mathematically as good its mainly their to frustrate someone with an undisclosed ability to beach the other layers. It will make their tools not work out of the box. If they have the ability to break the other layers chances are they can break this one as well but you will make them work for it. The third level analyst with the metasploit module will some need help! This is will buy you time.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  8. Not quite the same. by sstamps · · Score: 5, Insightful

    So, in short, they're not breaking crypto, they are breaking shitty implementations of crypto.

    So basically, like using a one-time pad multiple times.

    Well, I guess it's time to start sorting the wheat from the chaff and start ditching fixed-prime implementations wholesale.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
    1. Re:Not quite the same. by ColdWetDog · · Score: 2

      What they are really saying is that rubber-on-the-road crypto (see, a car analogy) is very hard. So you're likely to be doing it wrong, whatever it is that you're doing.

      --
      Faster! Faster! Faster would be better!
    2. Re:Not quite the same. by TechyImmigrant · · Score: 2

      So, in short, they're not breaking crypto, they are breaking shitty implementations of crypto.

      No. They are estimating the cost of breaking standardized crypto and pointing out that it is within reach of state agencies.
      There are standards that don't suffer these problems and other problems and yet still use pre-defined static primes.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. Alternatives? by grahamsz · · Score: 2

    While there are a few alternatives to RSA (though they share some mathematical similarity) i'm not aware of any non-quantum replacement for DH. That obviously makes it a natural candidate for any kind of focussed attack.

    I honestly had no idea that most implementations fixed p. It seems obvious in retrospect that this could lead to the creation of a giant LUT

  10. OLD news by Lennie · · Score: 2

    This is the original logjam attack from May this year.

    Even the PDF points to the same site:
    https://weakdh.org/

    --
    New things are always on the horizon
  11. Re:Um, this is news? by TechyImmigrant · · Score: 2

    You are wrong. Precalculating the primes is not simple and it wouldn't help.
    The authors of the paper are pre-calculating the number field sieve for the prime group. This allows them to efficiently compute discrete logs over the group.
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  12. Re:Logjam by TechyImmigrant · · Score: 4, Informative

    How is this news? Sounds like they are just describing the logjam attack which was published earlier this year

    They are estimating the computation effort to build a number field seive to efficiently compute logs over the 1024 bit prime groups in common use for plain old Diffie Hellman.
    They recommend elliptic curves and not the NIST curves. From TFP:

    "Transition to elliptic curves. Transitioning to elliptic
    curve Diffie-Hellman (ECDH) key exchange with appropriate
    parameters avoids all known feasible cryptanalytic
    attacks. Current elliptic curve discrete log algorithms for
    strong curves do not gain as much of an advantage from
    precomputation. In addition, ECDH keys are shorter than
    in “mod p” Diffie-Hellman, and shared-secret computations
    are faster. Unfortunately, the most widely supported ECDH
    parameters, those specified by NIST, are now viewed with
    suspicion due to NSA influence on their design, despite no
    known or suspected weaknesses. These curves are undergoing
    scrutiny, and new curves, such as Curve25519, are
    being standardized by the IRTF for use in Internet protocols.
    We recommend transitioning to elliptic curves where
    possible; this is the most effective long-term solution to the
    vulnerabilities described in this paper."

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  13. Not the only vector by WillAffleckUW · · Score: 2

    All of your chips and transmission devices also have direct backdoors.

    Yes, all of them.

    --
    -- Tigger warning: This post may contain tiggers! --
  14. Re:Breaking. lol. by Anonymous Coward · · Score: 5, Funny

    Backdoors. thank you very much.

    Nope. They mention that in the paper and then proceed to show how it can be done without them. But nice try.

    The biggest surprise for me in the paper is the revelation that all major browsers would not accept a prime less than 512 bits with one exception- Safari. Safari was found to accept primes as small as 16 bits, essentially rendering it completely vulnerable to real-time attack by almost anybody.

    IE, Firefox, and Chrome are already transitioning to support stronger mechanisms which would not be vulnerable. Time to take a hard look at your choice of browser, Apple fanboys.

  15. Re:Um, this is news? by ShanghaiBill · · Score: 5, Informative

    Apparently you have no clue how many ages of the universe it would take to enumerate the 256-bit primes.

    We are nerds here, so lets calculate it. The number of primes less than N is approx ln(N), so the number of primes less than 2^256 = (2^256/256) = 2^248 = 4.5e74. If you computed one prime per plank time, it would take this long: 4.5e77 * 5.4e-44 secs/planckTime / (1.38e10 years/universe * 3600 * 24 * 365) = 2.3e12, or about 2 trillion times the age of the universe. 512 bit primes would take considerably longer.

    Once you calculate the list of primes, you need to figure out where to store it. Storing 4.5e74 numbers is problematic, since that is about a quintillion times the number of atoms in the sun.

    We can be fairly certain that the NSA is not just relying on a lookup table.

  16. Another possible option by IWantMoreSpamPlease · · Score: 3, Insightful

    Say you can crack it, even if you can't. Security researchers around the world will try to figure out how you did it, and in the end, show you what to do.

    Sort of like Reagan-era Star Wars. Drove the Russians crazy (and broke) trying to replicate non-existent technology because they took our word for it, that we had done it.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
  17. Re:Um, this is news? by Immerman · · Score: 5, Informative

    Here I was about to give you grief on your math ( ln ( 2^512 ) ~= 354 ), and then realized the problem was simply that you mis-typed the initial theorem.

    For anyone else thrown off, the correct rule is that there's approximately N / log( N ) primes less than N.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  18. Nothing has been learned by RubberDogBone · · Score: 4, Insightful

    In the hacking/spy drama movie Sneakers, there is a scene where Robert Redford's character is confronted with an office door protected by a keypad lock, which cannot be picked. But he needs to get into that office. The lock looks impenetrable. Surely the mission is about to fail.

    So he asks his support team for help with the lock. What they tell him is never shown on screen, only Redford mumbling and agreeing to try it.

    He takes a couple steps back and KICKS IN THE DOOR. The lock was completely irrelevant, in the end.

    The lesson from that scene is extremely powerful when you understand the same lesson applies to ANY problem. When you are faced with a heavily secured door, or an encryption standard, the attack vector is often going to be something other than going through the face of the door or the front end of the encryption. What you'd do is KICK IN THE DOOR. And the TLAs know this and do exactly that. Their people have always kicked in doors while normal people look at the locks and shrug and walk away.

    --
    Sig for hire.
  19. Re:Um, this is news? by ShanghaiBill · · Score: 5, Informative

    For anyone else thrown off, the correct rule is that there's approximately N / log( N ) primes less than N.

    Sorry about that. But the math is still wrong. It is supposed to be ln (log base e) and I did the calculations with log2. So the number of primes less than 2^256 should be (2^256/177) = 6.5e74, not 4.5e74.

  20. Quantum-safe encryption? by Immerman · · Score: 5, Interesting

    So it seems to me that every time an encryption-breaking article come up lots of people mention how such-and-such algorithms are (if implemented correctly) provably safe from non-quantum attacks. Considering though that quantum computers are probably somewhere just over the horizon, and the NSA etc. will almost certainly be among the first to get them, possibly years or decades before anyone else even knows they exist, that just doesn't seem very comforting. Especially if you're encrypting something that you would prefer to remain secure indefinitely, instead of just until the Q-codebreaker chews through the recorded backlog.

    So my question is, are there any common encryption algorithms capable of withstanding attack by a quantum computer? And if not, why not?

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
    1. Re: Quantum-safe encryption? by Anonymous Coward · · Score: 2, Informative

      Yes, there are quantum computer resistant public key crypto algorithms. A quick Google search would have shown you that. Wikipedia has decent summaries of the state of the art, as well.

  21. Re:Breaking. lol. by buchner.johannes · · Score: 2

    Backdoors. thank you very much.

    Nope. They mention that in the paper and then proceed to show how it can be done without them.

    Just because it can be done without backdoors, doesn't mean the NSA isn't going the easy route. That the NSA is tapping large datacenters before encryption and has access to the private keys of major companies is known now. Schneier says:

    The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  22. Re:Um, this is news? by Chrisq · · Score: 4, Funny

    Apparently you have no clue how many ages of the universe it would take to enumerate the 256-bit primes.

    We are nerds here, so lets calculate it. The number of primes less than N is approx ln(N), so the number of primes less than 2^256 = (2^256/256) = 2^248 = 4.5e74. If you computed one prime per plank time, it would take this long: 4.5e77 * 5.4e-44 secs/planckTime / (1.38e10 years/universe * 3600 * 24 * 365) = 2.3e12, or about 2 trillion times the age of the universe. 512 bit primes would take considerably longer.

    Once you calculate the list of primes, you need to figure out where to store it. Storing 4.5e74 numbers is problematic, since that is about a quintillion times the number of atoms in the sun.

    We can be fairly certain that the NSA is not just relying on a lookup table.

    Yes but with Moor's law we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

  23. Re:Um, this is news? by Chrisq · · Score: 2

    Yes but with Moor's law we'll beat that eventually, just as athletes running faster and faster will eventually exceed the speed of light. ;-)

    No, they will eventually slow down time itself, causing the people watching them to live forever even with their diet of chips and bud light, and lifestyle of a couch potato.

    But by that time the American spectators will be so heavy that they form a black hole, meaning not even the athletes can get away.