[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Peter Fairbrother zenadsl6186 at zen.co.uk
Thu Sep 5 21:19:43 EDT 2013


BULLRUN seems to be just an overarching name for several wide programs 
to obtain plaintext of passively encrypted internet communications by 
many different methods.

While there seem to be many non-cryptographic attacks included in the 
BULLRUN program, of particular interest is the cryptographic attack 
mentioned in the Snowden papers and also hinted at in earlier US 
congressional manoeuvrings for NSA funding.

The most obvious target of attack is some widespread implementation of 
SSL/TLS, and while it might just be an attack against a reduced 
keyspace, e.g. password-guessing or RNG compromise, I wonder whether NSA 
have actually made a big cryptographic break against some cipher, and if 
so, against what?

Candidate ciphers are:

3DES
RC4
AES

and key establishment mechanisms:

RSA
DH
ECDH


I don't think a break in another cipher or KEM would be widespread 
enough to matter much. Assuming NSA (or possibly GCHQ) have made a big 
break:

I don't think it's against 3DES or RC4, though the latter is used a lot 
more than people imagine.

AES? Maybe, but a break in AES would be a very big deal. I don't know 
whether hiding that would be politically acceptable.

RSA? Well, maybe indeed. Break even a few dozen RSA keys per month, and 
you get a goodly proportion of all internet encrypted traffic. It's just 
another advance on factorisation.

If you can break RSA you can probably break DH as well.

ECDH? Again quite possible, especially against the curves in use - but 
perhaps a more widespread break against ECDH is possible as well. The 
math says that it can be done starting with a given curve (though we 
don't know how to do it), and you only need to do the hard part once per 
curve.




My money? RSA.


But even so, double encrypting with two different ciphers (and using two 
different KEMs) seems a lot more respectable now.

-- Peter Fairbrother

