[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Phillip Hallam-Baker phill at hallambaker.com
Fri Oct 16 18:47:35 EDT 2015


On Fri, Oct 16, 2015 at 4:39 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>
> On 10/15/2015 12:03 PM, Dan McDonald wrote:
>> On Thu, Oct 15, 2015 at 02:28:38PM -0400, Arnold Reinhold wrote:
>>>
>>> This article suggests that the widespread use of a common prime modulus in
>>> Diffie-Hellman may be the weakness NSA is exploiting to break much Internet
>>> traffic.
>>
>> I also wonder how long it'll be until it works with 1536-bit moduli or
>> larger.  Also, about 6 years ago, there was an RFC for DH groups with larger
>> generators.  We got those, AND ECC, into Solaris/OpenSolaris well before
>> Oracle hit the fan.  I suspect that also will help.
>>
>
> Instead of wondering how long it'll be until it works with *longer*
> re-used primes, why aren't you asking why primes are getting reused??
>
> Isn't the central weakness here the propensity of server
> implementations to continue using the same prime factor for their
> whole uptimes - or, indeed, for the whole of *every* uptime?
>
> Isn't the appropriate fix making sure that different numbers get used
> each time DH is performed?  And won't that be the appropriate thing to
> do regardless of the key length being used?
>
> I mean, yes, I'm all for moving to longer keys given that these
> exhaustion attacks are possible in the first place.  But shouldn't
> we first be fixing the dead-wrong implementation that makes the
> brute-force attacks feasible?

If you don't use a pre-computed prime you have to check the prime
presented every time and that is something we can't trust people to do
right.

The solution is to compute the session key so that it is a product of
the pre-master secret and the ephemeral exchange.

What the protocol does right now is generate a strong shared secret
(s1) and then use it to authenticate a DH exchange with shorter keys
producing a weaker shared secret (s2).

The problem is eliminated if we use H(s1 + s2) as the shared secret.
Which is what I proposed at the time and got told I was being a
troublemaker, unhelpful, etc.

I am pretty sure that there was at least one NSA snot involved in
making sure that didn't get fixed. BULLRUN shows they were spending
$250 million a year sabotaging security standards work. One way you do
that is to introduce subtle flaws but another, equally important thing
is making sure that you don't let anyone who is too clever near the
control levers.
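The H(s1 + s2) construction from the message above, as an added Python example that is not part of the thread: it derives the session key first from the ephemeral DH secret s2 alone (the current design as the message describes it) and then from both s1 and s2, and models an attacker who has solved the DH problem for the reused prime but does not hold s1. The DH group, the pre-master secret and the attacker's recovery of s2 are all constructed stand-ins.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration only: 2**127 - 1 is prime, but a
# real deployment uses a 2048-bit or larger group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Ephemeral DH key pair: random exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """s2: the ephemeral DH shared secret, encoded as 16 bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def key_dh_only(s2):
    """Current design as the message describes it: the session key is derived
    from s2 alone; s1 only authenticates the exchange."""
    return hashlib.sha256(b"dh-only|" + s2).digest()


def key_combined(s1, s2):
    """Proposed design: H(s1 + s2), so recovering s2 alone is not enough."""
    return hashlib.sha256(b"combined|" + s1 + s2).digest()


def simulate(s1):
    """Run one exchange with pre-master secret s1 and model an attacker who
    has recovered s2 (a successful discrete-log attack on the reused prime)
    but does not know s1."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    s2_client = dh_shared(a_priv, b_pub)
    s2_server = dh_shared(b_priv, a_pub)
    s2_attacker = s2_client  # stands in for the attacker's discrete-log result
    return {
        "dh_only": (key_dh_only(s2_client), key_dh_only(s2_server)),
        "attacker_dh_only": key_dh_only(s2_attacker),
        "combined": (key_combined(s1, s2_client), key_combined(s1, s2_server)),
        # Without s1 the attacker can only derive from what it has, s2.
        "attacker_without_s1": key_combined(b"", s2_attacker),
    }


if __name__ == "__main__":
    r = simulate(secrets.token_bytes(32))  # constructed pre-master secret
    print("attacker gets dh-only key:", r["attacker_dh_only"] == r["dh_only"][0])
    print("attacker gets combined key:", r["attacker_without_s1"] == r["combined"][0])
```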

