[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Fri Oct 16 21:28:48 EDT 2015

Peter Fairbrother <peter at m-o-o-t.org> writes:

>I wonder whether the "state level threat" of breaking common 1024-bit DH
>primes is the "major breakthrough" which NSA told Congress about a few years
>ago, for which they got all that lovely extra money.

It almost certainly isn't.  If you read the Logjam paper it's actually three
different things:

1. A description of a downgrade attack on broken implementations.  This isn't
   a crypto weakness, it's just straight bad programming, like falling back to
   RC2/40 (hi, Microsoft!).

2. A discussion of the weakness of 768-bit keys and borderline nature of 1024-
   bit keys.  The same implementations that will fall back to 512-bit keys
   (see (1)) seem to be one of the few places left in mainstream crypto that
   still use keys already known to be weak 1-2 decades ago (hi, Sun/Oracle!).

3. Speculation about the NSA breaking 1024-bit DH to get into VPNs, mostly
   ignoring [0] the fact that almost any other (very effective) attack doesn't
   require any of this effort, and that all the mentions of specific
   successful attacks (rather than generalisations about techniques used) in
   the Snowden docs mention stealing keys, backdooring hardware, etc.

The third point seems to have now blown up into a general "ZOMG the NSAs can
break DH!", taking their direction from a general comment from an unnamed
source quoted by James Bamford about an "enormous breakthrough several years
ago in its ability to cryptanalyze, or break, unfathomably complex encryption
systems".  Clapper's comment is even less useful than this, using
"groundbreaking cryptanalytic capabilities to defeat adversarial cryptography
and exploit internet traffic" is exactly what the NSA was created to do, so
he's basically saying "we're doing our job".  He could have said the same
thing fifty years ago with "Russian communications" substituted for "the
Internet".

Even if the anonymous-source comment is valid (I've occasionally had ex-
military/ex-spooks quote astounding things to me over the years, much of which
could never be confirmed or mapped to actual facts/events [1]), if you're
going to apply Delphic oracle-like post-hoc mapping of predictions onto events
then a far better fit for the "remarkable breakthrough" was "we figured out
how to design a PRNG that looks at first glance to be sound, and managed to
get it adopted into international crypto standards".

That's a perfect match for an "enormous breakthrough several years ago in its
ability to cryptanalyze, or break, unfathomably complex encryption systems".
Mind you so is just about anything else: We figured out that WEP wasn't
secure, we figured out how to hack Bluetooth pairing, we figured out that WPS
isn't secure, we figured out how to break A1/A2, we figured out how to bypass

[23 pages of further crypto weaknesses deleted]

If the comment is even valid and not just some guy shooting his mouth off, I'd
go for either EC-DRBG or "we figured out how to generate backdoored ECC curves
from a seed value (although they probably didn't name it BADA55) and get them
adopted into international crypto standards and widely used everywhere".  

Finally, given that "several years ago" most SSL/TLS implementations (which
carries a lot more interesting traffic than IPsec does) were still using RSA
for key exchange and not DH (it's a relatively recent move to deprecate RSA
keyex and move to DH), telling your boss that you needed $x00,000,000 for a
DH-breaking supercomputer wouldn't have got you very far.

Peter.

[0] Actually they do mention that "The attack system also seems to require
    knowledge of the PSK", which means that the DH is irrelevant because
    you've lost your auth key for the exchange.

[1] Lots of people do cool things in their jobs, and everyone embellishes a
    bit from time to time...