Agreed. But, breaking the session key only works for a single message or
a single session. If they want to target a specific individual, breaking
the RSA/DSA keys will give them access to all encrypted messages.
(within the context is that a sent message is encrypted by the
recipient's public
On 08/14/2013 06:34 AM, Jerry Feldman wrote:
Agreed. But, breaking the session key only works for a single message
or a single session. If they want to target a specific individual,
breaking the RSA/DSA keys will give them access to all encrypted
messages. (within the context is that a sent
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
bounces+blu=nedharvey@blu.org] On Behalf Of Daniel Barrett
In the absence of the 4096-bit private half of my key, how hard is it
to decrypt the session key by brute force and thereby decrypt file
Foo? Do the time arguments
That depends on the cipher in use and if it supports perfect forward
secrecy or not.
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
On 08/14/2013 06:34 AM, Jerry Feldman wrote:
Agreed. But, breaking the session key only works for a single message or a
single session. If they want to
On 08/13/2013 05:04 PM, Jerry Feldman wrote:
The real issue is determining who and what to monitor.
That is the key. For years the idea is that the NSA is selective and
decides what traffic to analyze, what messages to try to decrypt, what
targets to actively attack (with such things as a
On 08/13/2013 04:47 PM, Jerry Feldman wrote:
Let's take the situation: NSA is watching you.
They can intercept your email, crack your RSA or DSA key, and then
they can discover the session keys. They are not interested in
everybody's random encrypted emails, so if they focus on individuals
On 08/13/2013 04:30 PM, Daniel Barrett wrote:
In the absence of the 4096-bit private half of my key, how hard is it
to decrypt the session key by brute force and thereby decrypt file
Foo? Do the time arguments from this KeePass discussion apply?
There are three approaches they can take, sorted
Jerry Feldman wrote:
recipient's public key), so to make this bidierctional they need to
break 2 keys, so the job gets more difficult. Breaking the session key
The public key is more easily recovered from, say, a public key server.
This requires no effort at all.
It may be easier -- and it
On 08/14/2013 09:38 AM, Edward Ned Harvey (blu) wrote:
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
bounces+blu=nedharvey@blu.org] On Behalf Of Kent Borg
Bruteforcing
128-bits is impossible. Bruteforcing 256-bits is 128-bits times as
impossible.
Careful here. Someday,
On 08/14/2013 07:36 AM, Kent Borg wrote:
On 08/14/2013 06:34 AM, Jerry Feldman wrote:
Agreed. But, breaking the session key only works for a single message
or a single session. If they want to target a specific individual,
breaking the RSA/DSA keys will give them access to all encrypted
On 08/14/2013 10:03 AM, Richard Pieri wrote:
Certificate + handshake = session key = decrypted session in real
time. Any user, any session, any time, any reason. No cryptanalysis
needed. No brute force needed.
Yes, if the communications uses a broken (lack of) key exchange.
Stupidly, SSL
Kent Borg wrote:
I didn't realize that SSL was so stupid. Rather important technology
was left out of SSL, even though it was already two years old at that
point. Grrr.
It wasn't left out. It was intentionally excluded. Back in the day,
Netscape was under ITAR munitions restrictions. They
On 08/14/2013 12:45 PM, Richard Pieri wrote:
Do you finally get what I've been on about?
You have good points.
But I still return to my harping that anything that bends the cost curve
up for the NSA ruins their idea of snooping on everything. For example,
the third of SSL traffic with good
Kent Borg wrote:
Everything is just too big to afford if not at really low bulk rates.
Even for the NSA.
It's the other way around. The more that is encrypted, the more known
text the NSA has available for side-channel attacks. The more that is
encrypted, the more chances of a hash collision
It may not be easier, but it would be more effective when monitoring
specific people.
On 08/14/2013 10:03 AM, Richard Pieri wrote:
Jerry Feldman wrote:
recipient's public key), so to make this bidierctional they need to
break 2 keys, so the job gets more difficult. Breaking the session key
Jerry Feldman wrote:
It may not be easier, but it would be more effective when monitoring
specific people.
Yes, well, we all know how well the USA PATRIOT Act and Protect America
Act have curtailed warrantless surveillance of the general population.
The most effective use of large-scale
[please update the subject; it has nothing to do with KeePassX]
Richard Pieri wrote:
I assert that the NSA have compromised the public CAs just as they have
compromised the service providers.
Plausible.
Certificate + handshake = session key = decrypted session in real time.
Any user, any
Tom Metro wrote:
I haven't looked at reference material to refresh my understanding on
this, so it may be wrong, but my recollection is that a CA compromise
would only facilitate man-in-the-middle attacks.
Certificate escrow is the easiest way for a three-letter agency to
obtain site
Thanks for reading this.
I work for a non-profit, which provides services to recently-arrived
immigrants, such as instruction in English, help with finding jobs, etc.
The organization is considering buying a software package called ETO,
owned by Social Solutions Co.
19 matches
Mail list logo