[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Watson Ladd watsonbladd at gmail.com
Sat Oct 17 06:59:28 EDT 2015


On Oct 16, 2015 11:51 PM, "Peter Gutmann" <pgut001 at cs.auckland.ac.nz> wrote:
>
> Peter Fairbrother <peter at m-o-o-t.org> writes:
>
> >I wonder whether the "state level threat" of breaking common 1024-bit DH
> >primes is the "major breakthrough" which NSA told Congress about a few years
> >ago, for which they got all that lovely extra money.
>
> It almost certainly isn't.  If you read the Logjam paper it's actually three
> different things:
>
> 1. A description of a downgrade attack on broken implementations.  This isn't
>    a crypto weakness, it's just straight bad programming, like falling back to
>    RC2/40 (hi, Microsoft!).
>
> 2. A discussion of the weakness of 768-bit keys and borderline nature of 1024-
>    bit keys.  The same implementations that will fall back to 512-bit keys
>    (see (1)) seem to be one of the few places left in mainstream crypto that
>    still use keys already known to be weak 1-2 decades ago (hi, Sun/Oracle!).
>
> 3. Speculation about the NSA breaking 1024-bit DH to get into VPNs, mostly
>    ignoring [0] the fact that almost any other (very effective) attack doesn't
>    require any of this effort, and that all the mentions of specific
>    successful attacks (rather than generalisations about techniques used) in
>    the Snowden docs mention stealing keys, backdooring hardware, etc.

Snowden did not have access to BULLRUN, which protects the fact of
cryptanalysis against a protocol.

>
> The third point seems to have now blown up into a general "ZOMG the NSAs can
> break DH!", taking their direction from a general comment from an unnamed
> source quoted by James Bamford about an "enormous breakthrough several years
> ago in its ability to cryptanalyze, or break, unfathomably complex encryption
> systems".  Clapper's comment is even less useful than this, using
> "groundbreaking cryptanalytic capabilities to defeat adversarial cryptography
> and exploit internet traffic" is exactly what the NSA was created to do, so
> he's basically saying "we're doing our job".  He could have said the same
> thing fifty years ago with "Russian communications" substituted for "the
> Internet".
>
> Even if the anonymous-source comment is valid (I've occasionally had ex-
> military/ex-spooks quote astounding things to me over the years, much of which
> could never be confirmed or mapped to actual facts/events [1]), if you're
> going to apply Delphic oracle-like post-hoc mapping of predictions onto events
> then a far better fit for the "remarkable breakthrough" was "we figured out
> how to design a PRNG that looks at first glance to be sound, and managed to
> get it adopted into international crypto standards".

Scope doesn't fit: most PRNGs reduce to AES, or were never used.

>
> That's a perfect match for an "enormous breakthrough several years ago in its
> ability to cryptanalyze, or break, unfathomably complex encryption systems".
> Mind you so is just about anything else: We figured out that WEP wasn't
> secure, we figured out how to hack Bluetooth pairing, we figured out that WPS
> isn't secure, we figured out how to break A1/A2, we figured out how to bypass
>
> [23 pages of further crypto weaknesses deleted]
>
> If the comment is even valid and not just some guy shooting his mouth off, I'd
> go for either EC-DRBG or "we figured out how to generate backdoored ECC curves
> from a seed value (although they probably didn't name it BADA55) and get them
> adopted into international crypto standards and widely used everywhere".

Wrong timeframe. The NSA curves were in 1993.

>
> Finally, given that "several years ago" most SSL/TLS implementations (which
> carries a lot more interesting traffic than IPsec does) were still using RSA
> for key exchange and not DH (it's a relatively recent move to deprecate RSA
> keyex and move to DH), telling your boss that you needed $x00,000,000 for a
> DH-breaking supercomputer wouldn't have got you very far.

The NSA is very interested in communications carried over large VPN
installations like diplomatic communications. That might be enough to
justify it. Also the computer doesn't go away afterwards: can still do
other things with it.
>
> Peter.
>
> [0] Actually they do mention that "The attack system also seems to require
>     knowledge of the PSK", which means that the DH is irrelevant because
>     you've lost your auth key for the exchange.
>
> [1] Lots of people do cool things in their jobs, and everyone embellishes a
>     bit from time to time...
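Points (1) and (2) of the quoted message turn on one implementation behaviour: a client that accepts whatever ServerDHParams the server (or a man-in-the-middle) hands it, including a 512-bit export group, rather than rejecting the group outright. The following is an added example, not code from either poster or from the Logjam paper: it parses the ServerDHParams structure of a TLS ServerKeyExchange (three uint16-length-prefixed fields dh_p, dh_g, dh_Ys, as in RFC 5246 section 7.4.3) and flags the conditions a non-broken client should refuse. The size cut-offs (512 broken, below 1024 weak, below 2048 borderline) are my reading of the thread, not numbers it states; the sample messages are constructed placeholders with the right bit lengths, not the real export or Oakley primes, and the code does not test primality or the order of g.

```python
import struct

# Size labels follow the thread's framing (512-bit export groups are broken,
# 768-bit is weak, 1024-bit is borderline); the exact cut-offs are my
# assumptions, not something the message specifies.
def rate_dh_modulus_bits(bits):
    if bits <= 512:
        return "export-grade (broken)"
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "borderline"
    return "ok"


def parse_server_dh_params(data):
    """Parse the ServerDHParams struct of a TLS ServerKeyExchange:
    three uint16-length-prefixed opaque fields dh_p, dh_g, dh_Ys.
    Returns (p, g, Ys, bytes_consumed); raises ValueError on truncation."""
    off = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(data[off:off + length], "big"))
        off += length
    p, g, ys = values
    return p, g, ys, off


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used here only to build samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def check_server_dh_params(data):
    """Flag the weak-group condition the downgrade relies on, plus basic
    sanity checks on g and the server's public value. A client that
    accepts a message with non-empty issues is the 'broken implementation'
    of point (1). Primality of p and the order of g are NOT checked here."""
    p, g, ys, _ = parse_server_dh_params(data)
    bits = p.bit_length()
    issues = []
    if bits < 2048:
        issues.append(f"dh_p is only {bits} bits")
    if p % 2 == 0:
        issues.append("dh_p is even, cannot be prime")
    if not 1 < g < p - 1:
        issues.append("dh_g out of range")
    if not 1 < ys < p - 1:
        issues.append("dh_Ys out of range (trivial or degenerate share)")
    return {"bits": bits, "rating": rate_dh_modulus_bits(bits), "issues": issues}


# Constructed sample messages: placeholders with the right bit lengths. The
# moduli are not real primes and not the actual export or Oakley groups.
EXPORT_GRADE_SAMPLE = encode_server_dh_params((1 << 511) | 1, 2, (1 << 200) + 3)
STRONG_SAMPLE = encode_server_dh_params((1 << 2047) | 1, 2, (1 << 1500) + 7)

if __name__ == "__main__":
    for label, sample in (("export", EXPORT_GRADE_SAMPLE), ("2048-bit", STRONG_SAMPLE)):
        print(label, check_server_dh_params(sample))
```

The check is deliberately cheap so it can sit in a handshake path; the point of the Logjam downgrade is that the attacker never needs the server to misbehave, only the client to keep going after seeing a group it should never have accepted.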