<p dir="ltr"><br>
On Oct 16, 2015 11:51 PM, "Peter Gutmann" <<a href="mailto:pgut001@cs.auckland.ac.nz">pgut001@cs.auckland.ac.nz</a>> wrote:<br>
><br>
> Peter Fairbrother <<a href="mailto:peter@m-o-o-t.org">peter@m-o-o-t.org</a>> writes:<br>
><br>
> >I wonder whether the "state level threat" of breaking common 1024-bit DH<br>
> >primes is the "major breakthrough" which NSA told Congress about a few years<br>
> >ago, for which they got all that lovely extra money.<br>
><br>
> It almost certainly isn't. If you read the Logjam paper it's actually three<br>
> different things:<br>
><br>
> 1. A description of a downgrade attack on broken implementations. This isn't<br>
> a crypto weakness, it's just straight bad programming, like falling back to<br>
> RC2/40 (hi, Microsoft!).<br>
><br>
> 2. A discussion of the weakness of 768-bit keys and borderline nature of 1024-<br>
> bit keys. The same implementations that will fall back to 512-bit keys<br>
> (see (1)) seem to be one of the few places left in mainstream crypto that<br>
> still use keys already known to be weak 1-2 decades ago (hi, Sun/Oracle!).<br>
><br>
> 3. Speculation about the NSA breaking 1024-bit DH to get into VPNs, mostly<br>
> ignoring [0] the fact that almost any other (very effective) attack doesn't<br>
> require any of this effort, and that all the mentions of specific<br>
> successful attacks (rather than generalisations about techniques used) in<br>
> the Snowden docs mention stealing keys, backdooring hardware, etc.</p>
<p dir="ltr">Snowden did not have access to BULLRUN, which protects fact of cryptanalysis against a protocol.</p>
<p dir="ltr">><br>
> The third point seems to have now blown up into a general "ZOMG the NSAs can<br>
> break DH!", taking their direction from a general comment from an unnamed<br>
> source quoted by James Bamford about an "enormous breakthrough several years<br>
> ago in its ability to cryptanalyze, or break, unfathomably complex encryption<br>
> systems". Clapper's comment is even less useful than this, using<br>
> "groundbreaking cryptanalytic capabilities to defeat adversarial cryptography<br>
> and exploit internet traffic" is exactly what the NSA was created to do, so<br>
> he's basically saying "we're doing our job". He could have said the same<br>
> thing fifty years ago with "Russian communications" substituted for "the<br>
> Internet".<br>
><br>
> Even if the anonymous-source comment is valid (I've occasionally had ex-<br>
> military/ex-spooks quote astounding things to me over the years, much of which<br>
> could never be confirmed or mapped to actual facts/events [1]), if you're<br>
> going to apply Delphic oracle-like post-hoc mapping of predictions onto events<br>
> then a far better fit for the "remarkable breakthrough" was "we figured out<br>
> how to design a PRNG that looks at first glance to be sound, and managed to<br>
> get it adopted into international crypto standards".</p>
<p dir="ltr">Scope doesn't fit: most PRNGS reduce to AES, or were never used.</p>
<p dir="ltr">><br>
> That's a perfect match for an "enormous breakthrough several years ago in its<br>
> ability to cryptanalyze, or break, unfathomably complex encryption systems".<br>
> Mind you so is just about anything else: We figured out that WEP wasn't<br>
> secure, we figured out how to hack Bluetooth pairing, we figured out that WPS<br>
> isn't secure, we figured out how to break A1/A2, we figured out how to bypass<br>
><br>
> [23 pages of further crypto weaknesses deleted]<br>
><br>
> If the comment is even valid and not just some guy shooting his mouth off, I'd<br>
> go for either EC-DRBG or "we figured out how to generate backdoored ECC curves<br>
> from a seed value (although they probably didn't name it BADA55) and get them<br>
> adopted into international crypto standards and widely used everywhere".</p>
<p dir="ltr">Wrong timeframe. NSA curves was in 1993.</p>
<p dir="ltr">><br>
> Finally, given that "several years ago" most SSL/TLS implementations (which<br>
> carries a lot more interesting traffic than IPsec does) were still using RSA<br>
> for key exchange and not DH (it's a relatively recent move to deprecate RSA<br>
> keyex and move to DH), telling your boss that you needed $x00,000,000 for a<br>
> DH-breaking supercomputer wouldn't have got you very far.</p>
<p dir="ltr">The NSA is very interested in communications carried over large VPN installations like diplomatic communications. That might be enough to justify it. Also the computer doesn't go away afterwards: can still do other things with it.<br>
><br>
> Peter.<br>
><br>
> [0] Actually they do mention that "The attack system also seems to require<br>
> knowledge of the PSK", which means that the DH is irrelevant because<br>
> you've lost your auth key for the exchange.<br>
><br>
> [1] Lots of people do cool things in their jobs, and everyone embellishes a<br>
> bit from time to time...<br>
> _______________________________________________<br>
> The cryptography mailing list<br>
> <a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
> <a href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a></p>