[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Paul Wouters paul at cypherpunks.ca
Sat Oct 17 01:08:00 EDT 2015

On Sat, 17 Oct 2015, Peter Gutmann wrote:

> 3. Speculation about the NSA breaking 1024-bit DH to get into VPNs, mostly
>   ignoring [0] the fact that almost any other (very effective) attack doesn't
>   require any of this effort, and that all the mentions of specific
>   successful attacks (rather than generalisations about techniques used) in
>   the Snowden docs mention stealing keys, backdooring hardware, etc.

Their measurement that 66% of VPNs are using weak DH is also based on a
wrong assumption of NO_PROPOSAL_CHOSEN. I did a write-up on that:


> Finally, given that "several years ago" most SSL/TLS implementations (which
> carries a lot more interesting traffic than IPsec does) were still using RSA
> for key exchange and not DH (it's a relatively recent move to deprecate RSA
> keyex and move to DH), telling your boss that you needed $x00,000,000 for a
> DH-breaking supercomputer wouldn't have got you very far.

Ah, while the IPsec traffic was far less than TLS, it was actually far
more interesting. So I don't really agree with you here. Of course, now
everyone is using IKE/IPsec to watch Netflix, which must piss off the NSA
more than it pisses off the Content Industry :)

ps. this is probably the nicest thing Peter has ever said about IKE/IPsec :)
