It does raise the question of what all the mathematicians are doing at NSA, and why they don't seem to have come up with any meaningful results. Suggests they are a waste of money, but then that's all of the NSA.
I suggest all of you check the original material (powerpoints w/ screenshots). A lot of people here suffer from the action movie mentality where they think the NSA is not like any other government agency, i.e. inefficient, behind the times, filled with horrible middle managers, deadweight, ... you get the idea. Things like the enterprise Java web interface, the CSV mass data export and "genericIPSec_wrapper.pl" can quickly dispel that myth.
For instance:
* We know that the NSA has a novel MD5 collision capability since they have used it in their malware. None of the Snowden docs that I have seen have talked about this.
* It is likely, based on public research, that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.
My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.
Additionally, something like an effective attack against AES, RSA, or any other major encryption standard will probably be so compartmentalized that it won't even have a code word.
But on the other hand S31176 refers to a program which provides cryptanalysis against VPN (IPSEC, SSL and more) and it claims that they can decrypt (some of) the traffic. http://www.spiegel.de/media/media-35515.pdf
It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.
Just like the rest of the government, the NSA is not a monolithic entity with no separation of concerns. There are people who clean the floor and people who are at the extreme cutting edge of research.
Don't let anyone convince you otherwise.
The belief that the NSA is at the extreme cutting edge and just so far ahead is exactly what stops us from making iterative, simple improvements on the technology we use. It's plain unhelpful, and as the data suggests, probably wrong.
(The separation of concerns part is hilarious. Remember, this is the same agency where Snowden managed to wget -r their wiki and various other databases and then go on an extended vacation unnoticed.)
I look forward to the day when they walk away from their jobs.
Presented by Spiegel are internal services that are designed on purpose to be more economical. They exploit more bad implementations. It doesn't really matter as long as the dirty tricks get the work done.
Also, NSA seems to troll for targets from the vicinity of their targets of interest. It is again more economical, and can be just as revealing. The risk there is that the broken target has nothing of use. The real movie-style "let's break the encryption keys" stuff is done for sure targets when they get the extremely rare high-value target on a platter.
I'd say most of commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large
While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.
To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.
It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.
Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.
As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.
With public funding, lots of hardware and expert math/algorithm experts, it's less expensive.
That is, even if the generated key-pair is really 1024-bit strong (and doesn't have any biases known by them).
I guess there is this: http://www.crypto.ch/en/solutions/crypto-secure-diplomatic-m...
As a sysadmin, Snowden basically had root, and probably had access to pretty much everything that wasn't thoroughly airgapped. However, very few computing resources would have been cleared for that Exceptionally Compartmented Information. The documents he gathered were focused more on activities like mass surveillance and standard undermining, that he sought to blow the whistle on, rather than their targeted cryptanalytic capabilities in general.
640-bit RSA could be broken essentially in real-time by the computing resources available to GCHQ a couple of years ago. Of course, they don't actually have to work in real-time, so I suspect that 1024-bit RSA is entirely within their capabilities currently, given that. Diffie-Hellman is slightly harder, but if they're prepared to throw some in the bin or lag behind, they can probably do it, but that's just guesswork.
There is no known algorithm that can break a properly generated RSA key of that size - the work required with GNFS is equivalent to brute forcing a symmetric key of something like 280 bits. Anything that could do that should be able to break even 4096 bit RSA keys (~144 bit security) pretty much instantaneously, and their problems with PGP pretty heavily imply they cannot do that.
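The comment above compares RSA modulus sizes by the symmetric security level a GNFS factoring attack implies. The following is an added worked example, not code from the thread or from any of the parties discussed: it evaluates the GNFS heuristic cost L_N[1/3, c] with c = (64/9)^(1/3) and, as an assumption, scales the result so that 1024-bit RSA maps to the conventional 80-bit level (the NIST SP 800-57 equivalence). The calibration constant, the helper names and the size table are all choices made here for illustration.

```python
import math

# Constant in the GNFS heuristic running time L_N[1/3, c]: c = (64/9)^(1/3) ~ 1.923
GNFS_C = (64 / 9) ** (1 / 3)

# Assumed calibration point: 1024-bit RSA is conventionally rated at 80 bits of security.
CALIBRATION_MODULUS_BITS = 1024
CALIBRATION_SECURITY_BITS = 80


def gnfs_log2_work(modulus_bits):
    """Uncalibrated log2 of L_N[1/3, c] for a modulus N of the given bit length.

    L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)); we use ln N = bits * ln 2.
    The o(1) term in the exponent is ignored, which is why this needs calibration.
    """
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


def security_bits(modulus_bits):
    """Estimated symmetric-equivalent security of an RSA modulus, calibrated
    (by a multiplicative factor, an assumption of this example) so that the
    1024-bit modulus lands exactly on 80 bits."""
    scale = CALIBRATION_SECURITY_BITS / gnfs_log2_work(CALIBRATION_MODULUS_BITS)
    return gnfs_log2_work(modulus_bits) * scale


def work_ratio_log2(small_bits, large_bits):
    """log2 of how much more GNFS work the larger modulus needs than the smaller one.
    A capability that breaks the smaller modulus in time T needs roughly
    T * 2**work_ratio_log2(...) for the larger one."""
    return security_bits(large_bits) - security_bits(small_bits)


def security_table(sizes=(512, 768, 1024, 2048, 3072, 4096, 7680, 15360)):
    """Rounded security estimates for a set of common modulus sizes."""
    return {bits: round(security_bits(bits)) for bits in sizes}


if __name__ == "__main__":
    for bits, level in security_table().items():
        print(f"RSA-{bits:5d}: ~{level:3d}-bit security")
    print(f"4096-bit is about 2^{work_ratio_log2(1024, 4096):.0f} times more work than 1024-bit")
```

The calibrated numbers reproduce the usual ladder (about 110 for 2048, 128 for 3072, and roughly 144 for 4096, the figure quoted above). The takeaway for the argument in the thread is the gap between levels: a capability sized for 1024-bit moduli is still some 2^64 short of 4096-bit ones under this heuristic, so breaking one size says little about the next.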
Runs on as many cores as available; also, for this it goes to some length to avoid multithreading locks in OpenSSL (where possible).
http://mosermichael.github.io/cstuff/all/projects/2014/02/24...