Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-07 Thread Alan Braggins

On 06/09/13 21:21, Tony Arcieri wrote:

> There are curves not selected by e.g. NIST with a published rationale
> for their selection, like Curve25519. Is there any reason why such
> curves can't be evaluated retroactively?
>
> http://cr.yp.to/ecdh/curve25519-20060209.pdf


https://twitter.com/hashbreaker/status/375887883900432385
Curve25519 is y^2=x^3+486662x^2+x mod 2^255-19. Nothing random; all
details justified in the paper. Vatican hasn't complained about the
666.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
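A worked check of the curve definition quoted in the tweet, added here as an editor's example (it is not code from the thread, from djb's paper or from any library): the X25519 Montgomery ladder of RFC 7748 written out over the stated field 2^255-19 with coefficient 486662, verified against the RFC 7748 section 6.1 key-exchange test vector, plus an Euler-criterion check that the base point u = 9 actually lies on y^2 = x^3 + 486662x^2 + x. Python integers are not constant time, so this is for studying the construction, not for deployment.

```python
"""X25519 from the curve definition quoted above.

Added example (editor's code, not from the thread, from djb's paper or from
any library). The curve is y^2 = x^3 + 486662 x^2 + x over GF(2^255 - 19);
Diffie-Hellman on it needs only the x (here called u) coordinate, computed
with the Montgomery ladder exactly as RFC 7748 specifies it. Python ints are
not constant time, so this is for studying the construction, not for use.
"""

P = 2**255 - 19            # the field prime from the tweet
A = 486662                 # the Montgomery coefficient from the tweet
A24 = (A - 2) // 4         # 121665: the constant the ladder's doubling step uses
BASEPOINT_U = 9            # generator's u coordinate (Curve25519 paper, section 2)

def on_curve(u: int) -> bool:
    """Is there a y with y^2 = u^3 + A*u^2 + u mod P? (Euler's criterion)"""
    rhs = (u * u * u + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def clamp_scalar(k: bytes) -> int:
    """Decode a 32-byte little-endian private key: clear the 3 low bits (kill the
    cofactor-8 subgroup) and force bit 254 (fixed ladder length)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u coordinate, ignoring the top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P

def _cswap(swap: int, a: int, b: int):
    """Conditional swap written arithmetically (branch-free in spirit)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on the u-line: the RFC 7748 Montgomery ladder."""
    k = clamp_scalar(scalar)
    x1 = decode_u(u_bytes)
    x2, z2, x3, z3 = 1, 0, x1, 1       # (x2:z2) = 0*P (infinity), (x3:z3) = 1*P
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P            # differential addition
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P                          # doubling
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_base(scalar: bytes) -> bytes:
    """Public key for a private scalar: scalar * basepoint."""
    return x25519(scalar, BASEPOINT_U.to_bytes(32, "little"))

# Key-exchange test vector from RFC 7748, section 6.1.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

def rfc7748_vector_ok() -> bool:
    """Both public keys and both directions of the shared secret must match."""
    return (x25519_base(ALICE_PRIV) == ALICE_PUB
            and x25519_base(BOB_PRIV) == BOB_PUB
            and x25519(ALICE_PRIV, BOB_PUB) == SHARED
            and x25519(BOB_PRIV, ALICE_PUB) == SHARED)

if __name__ == "__main__":
    print("A24 =", A24, "| basepoint on curve:", on_curve(BASEPOINT_U))
    print("RFC 7748 test vector reproduces:", rfc7748_vector_ok())
```

Every constant the ladder needs (the prime, 486662, the derived 121665, the base point 9) is visible in the equation and the paper, which is the "nothing random" point of the tweet; the test vector confirms the arithmetic above reproduces the standardized function from those constants alone.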


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-06 Thread Eugen Leitl
On Thu, Sep 05, 2013 at 10:47:10AM -0700, coderman wrote:
> of all the no such agency disclosures, this one fuels the most wild
> speculation.

It is reported that the journalists deliberately withheld details
which are available in Snowden's original documents. Somebody
better leak these, fast.

The claims are that some code and magic constants have been weakened,
but also that NSA still has problems with some methods.

We need to know.

Obviously, as a short-term workaround there's fallback to
expensive/inconvenient methods like one-time pads, but long-term
we obviously need new cyphers. Not tainted by any TLA poison.


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-06 Thread jd.cypherpu...@gmail.com
You're right.

http://cpunks.wordpress.com/2013/09/06/how-to-remain-secure-against-surveillance-a-practical-guide/

--Michael

06.09.2013 11:01 Eugen Leitl eu...@leitl.org:

> On Thu, Sep 05, 2013 at 10:47:10AM -0700, coderman wrote:
> > of all the no such agency disclosures, this one fuels the most wild
> > speculation.
>
> It is reported that the journalists deliberately withheld details
> which are available in Snowden's original documents. Somebody
> better leak these, fast.
>
> The claims are that some code and magic constants have been weakened,
> but also that NSA still has problems with some methods.
>
> We need to know.
>
> Obviously, as a short-term workaround there's fallback to
> expensive/inconvenient methods like one-time pads, but long-term
> we obviously need new cyphers. Not tainted by any TLA poison.


[cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread coderman
of all the no such agency disclosures, this one fuels the most wild speculation.


James Bamford, a veteran chronicler of the NSA, describes the agency
as having made an enormous breakthrough several years ago in its
ability to cryptanalyze, or break, unfathomably complex encryption
systems employed by not only governments around the world but also
many average computer users. That sounds a lot like saying that the
the spooks have managed to break at least some of the cryptographic
codes that protect everything from secure e-mail to e-commerce.


however, the crypto breakthrough discussed is more mundane:
 deployment of deep packet inspection with SSL/TLS capabilities.[0]

this represents three significant efforts:
1. upgrading physical infrastructure (DPI systems at this scale use
ASICs for processing, not software which can be upgraded on demand.)
2. secret partnerships with service providers to obtain server SSL/TLS
secret keys.
3. key distribution to provision the DPI classifiers/sniffers with
requisite secret keys when updated by service providers.

hence, a crypto breakthrough providing unprecedented actionable
visibility into previously opaque streams, with such inspection
occurring at the edges rather than the mothership (where all encrypted
data is sent, decryptable or not...)

these efforts are compartmented, with few aware of how these different
pieces fit together, thus fueling speculation about the nature of this
break.  from a technician point of view, you would notice the new
ability to see inside SSL traffic, but may not understand how it was
done. (e.g. with keys handed over in secret agreement for reasonable
compensation and national security, rather than a basement full of
quantum computers breaking web server keys...)



class break in discrete log?  quantum code crackers?
 you've been watching too much Sneakers![1]
;)



0. "SSL: Intercepted today, decrypted tomorrow", should read "SSL:
Intercepted and decrypted in real-time, almost everywhere"
  
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
 less than a third of a percent of SSL/TLS web traffic uses forward secrecy!


1. Sneakers still the best hacker film to date...
  http://www.imdb.com/title/tt0105435/


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread coderman
On Thu, Sep 5, 2013 at 11:38 AM, grarpamp grarp...@gmail.com wrote:
> ...
> > however, the crypto breakthrough discussed is more mundane:
>
> Source? Sure, non-PFS can be exploited.

i asked Snowden for an authoritative copy... ;P


> But extending that
> as underlying explanation of the Bamford quote is dangerous.
> It's Bamford's quote, ask him.

there's lots of disinformation around this topic, comparisons and
analogies that indicate this has been filtered through less technical
intermediaries.

he can't say much about specifics, remember?


> > deployment of deep packet inspection with SSL/TLS capabilities.[0]
>
> I'd call it 'applied decrypting' not some breakthrough in 'cryptanalyze'ing
> or 'break'ing any crypto. Words are important.

see above regarding technical vs. non-technical.  for the high ups,
getting access to encrypted communication is breaking encryption.
whether that is breaking by cooperative agreement and new hardware, or
breaking by new attacks on crypto primitives themselves, it is
indistinguishable to them but makes all the difference to us.



to walk through with rough ballpark but by no means representative numbers,

consider:
- modern CPU - 1,500 to 9,000 sessions per second
- typical web 2.0 service provider
  - SSL ops: 800k/min, 13,333/sec (no keep-alive)
  - Bandwidth: 24kB/s or 200kbps (no CDN)

verdict: medium to large internet sites can offload SSL/TLS to their
front-end load balancers or servers without much effort. crypto
accelerators no longer required (unless used for HSM protection of
server keys). Google proved this.


now do the math for OC48 passive drops feeding the DPI collectors:
- for sake of argument, consider just 5% of channel capacity using
SSL/TLS: 2.5Gb / 20 == 125Mb/sec
- for sake of argument, consider 5k/sec sessions per 200kbps (gloss
over specific algo. overhead)
- 125Mb/200kb= 625 times more load than our provider example above
with 3.1mm sessions/sec.

verdict: you need a rack of servers at each collection point just to
extract keys for the DPI sniffer.



summary: NSA breakthrough at the Multiprogram Research Facility, or
Building 5300, is a system for the real-time recovery of session keys
from public key exchanges, which do not implement forward secrecy, the
session keys then used for DPI of SSL/TLS traffic. (AES faster and
easier to do in hardware, solved already.)

conveniently enough the real-time support can be applied retroactively
against all stored encrypted communications (c.f. NSA Utah) which are
now vulnerable to recovery as server public keys for the period in
question are handed over, taken, or cracked.

what would be even more interesting is if Building 5300 also built a
TWIRL[0] or SHARK[1] device to get the 1024-bit secret keys used by
servers all over the world for their traffic, thus achieving DPI-SSL
visibility for non-cooperative entities.



to the critics:
sorry, i have nothing to prove. the hints are out there, but sadly,
you'll just have to take me at face value or dig along with others
until you've got your own compelling picture of what this entails.

like a good spy or journo, i don't burn intelligence sources; least of
all just to prove i'm right on the internets ;P



to everyone else:
start using 2k or 4k keys immediately!
burn your 1k keys with fire!!!



0. The TWIRL integer factorization device
  http://cs.tau.ac.il/~tromer/twirl/

1. SHARK - a realizable special hardware sieving device for factoring
1024-bit integers
  
http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/texte/publications/conferences/shark.pdf
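The forward-secrecy point underlying coderman's summary above (session keys recovered "from public key exchanges, which do not implement forward secrecy") and the Netcraft figure in his earlier footnote ("less than a third of a percent of SSL/TLS web traffic uses forward secrecy") is easy to check for one's own servers. What follows is an added editor's example, not code from the thread or from the Netcraft article: a classifier that decides from a cipher-suite name, in either IANA (TLS_ECDHE_RSA_WITH_...) or OpenSSL (ECDHE-RSA-...) spelling, whether the key exchange was ephemeral, that is, whether a recorded session can later be unlocked with the server's long-term private key, applied to a constructed sample list. The sample list, the cipher-suite spellings covered and the suggested OpenSSL cipher string are assumptions of this example; the live-check helper at the end uses Python's ssl module and is the only part that needs network access, and it is not run by default.

```python
"""Forward-secrecy audit of TLS cipher suites.

Added example (editor's code, not from the thread or the Netcraft article).
With RSA key transport the client encrypts the premaster secret to the
server's long-term public key, so whoever holds (or later obtains) the
server's private key can recover every recorded session. With an ephemeral
(EC)DHE exchange the long-term key only signs; the per-session DH secrets
are discarded, so a recording plus the server key yields nothing.
The functions below tell those cases apart by cipher-suite name.
"""
import socket
import ssl

# OpenSSL-style names that omit the key exchange imply RSA key transport,
# e.g. "AES128-SHA" is TLS_RSA_WITH_AES_128_CBC_SHA.
_IMPLICIT_RSA_HEADS = {"AES128", "AES256", "DES", "RC4", "IDEA", "SEED",
                       "CAMELLIA128", "CAMELLIA256", "NULL"}
# TLS 1.3 suites name only the AEAD; key exchange is always ephemeral there.
_TLS13_PREFIXES = ("AES_", "CHACHA20_")

def key_exchange(suite: str) -> str:
    """Classify the key exchange of a suite name as ECDHE, DHE, ECDH (static),
    DH (static), RSA (key transport), ANON, TLS13 or UNKNOWN."""
    s = suite.strip().upper()
    if s.startswith("TLS_"):
        body = s[4:]
        if body.startswith(_TLS13_PREFIXES):
            return "TLS13"
        parts = body.split("_WITH_")[0].split("_")   # e.g. ["ECDHE", "RSA"]
    else:
        parts = s.split("-")                           # e.g. ["ECDHE", "RSA", "AES128", ...]
    head = parts[0]
    if head in ("ADH", "AECDH") or (len(parts) > 1 and parts[1] == "ANON"):
        return "ANON"
    if head in ("ECDHE", "DHE", "ECDH", "DH", "RSA"):
        return head
    if head == "EDH":                                  # old OpenSSL spelling of DHE
        return "DHE"
    if not s.startswith("TLS_") and head in _IMPLICIT_RSA_HEADS:
        return "RSA"
    return "UNKNOWN"

def is_forward_secret(suite: str):
    """True for ephemeral (EC)DH and TLS 1.3, False where the server's long-term
    private key unlocks the session, None where the name does not decide it
    (anonymous DH is ephemeral but unauthenticated; PSK/SRP/Kerberos suites
    need case-by-case review)."""
    kx = key_exchange(suite)
    if kx in ("ECDHE", "DHE", "TLS13"):
        return True
    if kx in ("RSA", "ECDH", "DH"):
        return False
    return None

def audit(suites):
    """Split suite names into (forward_secret, not_forward_secret, undetermined)."""
    fs, nfs, und = [], [], []
    for s in suites:
        v = is_forward_secret(s)
        if v is True:
            fs.append(s)
        elif v is False:
            nfs.append(s)
        else:
            und.append(s)
    return fs, nfs, und

def forward_secret_share(suites) -> float:
    """Fraction of the decidable suites that are forward secret."""
    fs, nfs, _ = audit(suites)
    decided = len(fs) + len(nfs)
    return len(fs) / decided if decided else 0.0

# Suggested OpenSSL cipher string that refuses RSA key transport and static DH
# (an assumption of this example, not a setting quoted from the page).
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5"

# Constructed sample list, as a scan of a 2013-era server might have reported it.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # RSA key transport
    "TLS_RSA_WITH_RC4_128_SHA",                # RSA key transport
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # ephemeral ECDH, RSA-signed
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",        # ephemeral DH
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",     # static ECDH: key lives in the cert
    "AES128-SHA",                              # OpenSSL name, RSA implied
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
]

def negotiated_suite(host: str, port: int = 443):
    """Live check (needs network; not run by default): the suite a default
    client negotiates with the server and whether it is forward secret."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return name, version, is_forward_secret(name)

if __name__ == "__main__":
    fs, nfs, und = audit(SAMPLE_SUITES)
    print("forward secret:    ", fs)
    print("not forward secret:", nfs)
    print("undetermined:      ", und)
    print("share forward secret: %.0f%%" % (100 * forward_secret_share(SAMPLE_SUITES)))
```

The classifier deliberately answers None rather than guessing for anonymous, PSK or SRP suites: an audit that miscounts those as safe would repeat the mistake the thread is about, namely treating "encrypted" as "not recoverable". Note that a server key handed over or factored later only matters for the False column; the True column stays opaque even with full passive capture, which is why the posts expect pressure against PFS deployment rather than against encryption as such.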


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread coderman
On Thu, Sep 5, 2013 at 10:47 AM, coderman coder...@gmail.com wrote:
> ...
> 2. secret partnerships with service providers to obtain server SSL/TLS
> secret keys.

there is a line item in the BULLRUN docs that indicates this server
key recovery effort extends into involuntary efforts, e.g. covert
exfiltration of server keys or CA keys or any other key of interest:
  http://s3.documentcloud.org/documents/784047/bullrun-guide-final.pdf

also, the statement:
```  capabilities against a technology does not necessarily equate
to decryption ```
makes you go h...


tricks in the CES bag, as listed from the doc:
- NSA/CSS Commercial Solutions Center (NCSC) leaning on partners for access.
- Second party partners directly accessed.
- Tailored Access Operations (TAO, aka, black bag jobs) to create access.
- NSA/CSS develops implants to enable a capability against an
adversary using encrypted network communication.


and some relevant points of interest from the guardian article:
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security/print

A 10-year NSA program against encryption technologies made a
breakthrough in 2010 which made vast amounts of data collected
through internet cable taps newly exploitable...
-[ED: newly exploitable in real-time, even back in time for new keys
applicable to stored sessions]


The NSA spends $250m a year on a program which, among other goals,
works with technology companies to covertly influence their product
designs.
-[ED: now this budget area i'd love to see on a line item basis...]


For the past decade, NSA has lead [sic] an aggressive, multi-pronged
effort to break widely used internet encryption technologies, stated
a 2010 GCHQ document. Vast amounts of encrypted internet data which
have up till now been discarded are now exploitable.
-[ED: note how if they can't DPI it at the origin, they consider it
discarded.  however, as mentioned, this just means it is placed into
long term storage for later analysis.]


The breakthrough, which was not described in detail in the documents,
meant the intelligence agencies were able to monitor large amounts
of data flowing through the world's fibre-optic cables and break its
encryption, despite assurances from internet company executives that
this data was beyond the reach of government.

Among other things, the program is designed to insert vulnerabilities
into commercial encryption systems. These would be known to the NSA,
but to no one else, including ordinary customers, who are tellingly
referred to in the document as adversaries. These design changes
make the systems in question exploitable through Sigint collection …
with foreknowledge of the modification. To the consumer and other
adversaries, however, the systems' security remains intact.
-[ED: a compromised RDRAND becomes a fancy linear generator and only
NSA (and Intel) would know your random bits are totally predictable.]


Among the specific accomplishments for 2013, the NSA expects the
program to obtain access to data flowing through a hub for a major
communications provider and to a major internet peer-to-peer voice
and text communications system.
-[ED: who's seen elevated activity in the Secret telco rooms?
anyone?  bueller?]



Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread grarpamp
On 9/5/13, coderman coder...@gmail.com wrote:
> On Thu, Sep 5, 2013 at 11:38 AM, grarpamp grarp...@gmail.com wrote:
> > ...
> > > however, the crypto breakthrough discussed is more mundane:
> >
> > Source? Sure, non-PFS can be exploited.
>
> i asked Snowden for an authoritative copy... ;P

Didn't John just say something about journalists and
interpretation ;)

> > But extending that
> > as underlying explanation of the Bamford quote is dangerous.
> > It's Bamford's quote, ask him.
>
> there's lots of disinformation around this topic, comparisons and
> analogies that indicate this has been filtered through less technical
> intermediaries.
>
> he can't say much about specifics, remember?
>
>
> > > deployment of deep packet inspection with SSL/TLS capabilities.[0]
> >
> > I'd call it 'applied decrypting' not some breakthrough in
> > 'cryptanalyze'ing
> > or 'break'ing any crypto. Words are important.
>
> see above regarding technical vs. non-technical.  for the high ups,
> getting access to encrypted communication is breaking encryption.
> whether that is breaking by cooperative agreement and new hardware, or
> breaking by new attacks on crypto primitives themselves, it is
> indistinguishable to them but makes all the difference to us.



> to walk through with rough ballpark but by no means representative numbers

All good extended analysis indeed. Perhaps my issue is just
with the words. I read Bamford as indicating attacks against
the crypto itself, not tricks applied downstream or around it
(regardless of how wholesale, specific, successful or profitable a
given applied approach might be in the eyes of the doers or the done).

While recently novel and profitable with centralized services,
borrowing traditional certs [1] or logging the PFS session keys [2]
is vastly different from having a working cryptanalysis against the
long term thought to be dependable underlings such as
RSA, AES, ECC, etc.

Surely if the cooperation to achieve [1] is so tight then [2] would
be equally doable. Then again, might as well ship the plaintext
straight off the servers.


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread grarpamp
On 9/5/13, coderman coder...@gmail.com wrote:
> of all the no such agency disclosures, this one fuels the most wild
> speculation.
>
> James Bamford, a veteran chronicler of the NSA, describes the agency
>

Links to links to source quotes...
http://lists.randombit.net/pipermail/cryptography/2013-June/004477.html
http://lists.randombit.net/pipermail/cryptography/2013-June/004523.html

> however, the crypto breakthrough discussed is more mundane:

Source? Sure, non-PFS can be exploited. But extending that
as underlying explanation of the Bamford quote is dangerous.
It's Bamford's quote, ask him.

>  deployment of deep packet inspection with SSL/TLS capabilities.[0]

I'd call it 'applied decrypting' not some breakthrough in 'cryptanalyze'ing
or 'break'ing any crypto. Words are important.


> 0. "SSL: Intercepted today, decrypted tomorrow", should read "SSL:
> Intercepted and decrypted in real-time, almost everywhere"
>
> http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
>  less than a third of a percent of SSL/TLS web traffic uses forward
> secrecy!


Re: [cryptography] regarding the NSA crypto breakthrough

2013-09-05 Thread coderman
On Thu, Sep 5, 2013 at 4:14 PM, grarpamp grarp...@gmail.com wrote:
> ... Perhaps my issue is just
> with the words. I read Bamford as indicating attacks against
> the crypto itself, not tricks applied downstream or around it
> (regardless of how wholesale, specific, successful or profitable a
> given applied approach might be in the eyes of the doers or the done).

when i read what he wrote, in the context of how i expect this system
is built, it is to me a violation of the implied assumptions in crypto
that he is discussing.

assumptions like SSL private keys are kept on the servers, not
provided to third parties ... for national security reasons.

assumptions like "i'm using ZRTP, my call is end-to-end secure!" (why
the !^@# is ZRTP termination the usual mode in VoIP server
implementations? E.g. wiretap mode. Oh, nevermind...)

the list goes on.


> While recently novel and profitable with centralized services,
> borrowing traditional certs [1] or logging the PFS session keys [2]
> is vastly different from having a working cryptanalysis against the
> long term thought to be dependable underlings such as
> RSA, AES, ECC, etc.

you'll notice that all of the targets mentioned above have a public
key exchange mechanism where by session secrets can be exchanged in
presumed privacy - unless forward secrecy is used. we've seen how the
latency added for forward secrecy provides fig leaf coverage for
real reason.  keep-alive don't care about your start-up latency!

in short: #1 with the private keys handed over or pilfered, to support
DPI-SSL, is reasonable, effective, and fits within the parameters of
what we've discovered. it could be part of the certificate renewal
process, an infrequent one-off.

#2 is not done, since this would be logistically ugly - every web
server somehow feeding back ephemeral keys or session secrets to the
spooks.  not going to happen.

#2 does raise an interesting proposition - if forward secrecy becomes
common this collection mechanism is crippled.  watch for push back
against wide deployment of PFS suites on large web properties.
(spoiler alert: i'll bet you money this won't happen, for all sorts of
stated reasons except the real one.)



> Then again, might as well ship the plaintext
> straight off the servers.

the live dip is PRISM, the passive snarf is UPSTREAM, of which BULLRUN
is a part?
remember, "You should use both."

best regards,