zlacker

[parent] [thread] 16 comments
1. EthanH+(OP)[view] [source] 2014-12-28 22:12:23
Or at the very least they have compartmentalized serious mathematical cryptanalytic capabilities.

For instance:

* We know that the NSA has a novel MD5 collision capability since they have used it in their malware. None of the Snowden docs that I have seen have talked about this.

* It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.

My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.

replies(6): >>dogma1+p >>yuhong+I >>tptace+d8 >>xnull2+zf >>erglkj+uk >>Alyssa+DF
2. dogma1+p[view] [source] 2014-12-28 22:20:32
>>EthanH+(OP)
I would not see any news organizations publishing any leaked document relating to actual technical capabilities. I don't even think that Snowden shared them with the reporters; the only ones who have probably seen them besides Snowden are the FSB officers who "debriefed" him once he arrived in Russia. That's actually the thing that worries me the most about this incident. Snowden himself said that he kept the truly "nasty" stuff safe to be released in case something happens to him. But while he might not have shared this with the press, anyone who thinks he didn't have to buy his freedom in Russia with the full uncensored documents is fooling himself. This means that if he had any operational documents, Russia and its allies (N. Korea, Iran, China) just got a free upgrade to their own computer and communication intelligence apparatus. While people might not like their privacy being violated, for the most part the NSA uses its capabilities against unquestionably bad people, while in places like Russia and Iran it will be used against anything from reporters to political activists with much more severe consequences.
3. yuhong+I[view] [source] 2014-12-28 22:30:22
>>EthanH+(OP)
> It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.

It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.

replies(2): >>skuhn+jm >>raverb+0q
4. tptace+d8[view] [source] 2014-12-29 01:25:54
>>EthanH+(OP)
It's plausible based on public research that any well-funded adversary can break 1024-bit RSA. You should assume 1024-bit RSA is simply broken.
replies(1): >>EthanH+n8
5. EthanH+n8[view] [source] [discussion] 2014-12-29 01:31:02
>>tptace+d8
Yes and given that I'm kinda surprised we haven't seen any docs talking about breaking 1024-bit RSA. That should have been their bread and butter, at least as far as DNI is concerned, a few years ago.
replies(1): >>tptace+s8
6. tptace+s8[view] [source] [discussion] 2014-12-29 01:33:18
>>EthanH+n8
What yuhong said: it could be expensive, with NSA having the capability to break only one every couple of months. They might need to carefully coordinate which keys they break, in which case it would be an important secret which CA keys were broken.
replies(1): >>xnull2+Tf
7. xnull2+zf[view] [source] 2014-12-29 05:22:25
>>EthanH+(OP)
Appelbaum also mentioned they have advanced cryptanalytic capabilities against AES, but the evidence right now supports that these advances are not enough to break AES in the general case.
replies(1): >>Michae+Qq1
8. xnull2+Tf[view] [source] [discussion] 2014-12-29 05:33:46
>>tptace+s8
Do you think that the NSA would bother breaking CA keys? We know that they have shadow certificates and have had much success infiltrating CAs to steal their keys, and that they have been able to forge them without having to break the keys (via the previously unknown MD5 collision, as they did for Stuxnet). Seems to me like there are more valuable certs to go after (diplomats' certs, smartcard certs, OS update certs, ...).
replies(1): >>spacef+dm
9. erglkj+uk[view] [source] 2014-12-29 08:37:57
>>EthanH+(OP)
It is about economics. The attacks on crypto systems have complexities, and still at the end of the day they require things like raw calculation power. Could they break even a single 16384-bit RSA key pair? Probably yes, but they wouldn't be doing anything else that year. It would be simply way too uneconomical.

The internal services presented by Spiegel are designed on purpose to be more economical. They exploit more bad implementations. It doesn't really matter as long as the dirty tricks get the work done.

Also, NSA seems to troll for targets from the vicinity of their targets of interest. It is again more economical, and can be just as revealing. The risk there is that the broken target has nothing of use. The real movie-style "let's break the encryption keys" stuff is done for sure targets, when they get the extremely rare high-value target on a platter.

replies(1): >>ryan-c+sH
10. spacef+dm[view] [source] [discussion] 2014-12-29 09:14:59
>>xnull2+Tf
So many "diplomats' certs" are used in machines by Crypto AG from Switzerland. And guess what, they had one major incident years ago, and even people working there have simply no clue who owns and controls the company.

I'd say most commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large

replies(1): >>EthanH+Iw
11. skuhn+jm[view] [source] [discussion] 2014-12-29 09:20:33
>>yuhong+I
I don't totally agree. I think that factoring in the risk of exposure leaves a CA root with a worse price / performance ratio versus an individual cert.

While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.

To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.

It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.

Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.

As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.

replies(1): >>yuhong+vA1
12. raverb+0q[view] [source] [discussion] 2014-12-29 10:50:27
>>yuhong+I
"Expensive"

With public funding, lots of hardware and expert math/algorithm experts, it's less expensive.

That is, even if the generated key pair is really 1024-bit strong (and doesn't have any biases known by them).

13. EthanH+Iw[view] [source] [discussion] 2014-12-29 13:43:18
>>spacef+dm
I've been interested in Crypto AG for many years and would like to know more. Do you have a source that Crypto AG is still used to store certs that diplomats use?

I guess there is this: http://www.crypto.ch/en/solutions/crypto-secure-diplomatic-m...

14. Alyssa+DF[view] [source] 2014-12-29 15:58:52
>>EthanH+(OP)
That, at least, is the case. Specific operational cryptanalytic capabilities are indeed in separate compartments: PICARESQUE, PIEDMONT; focus on PAWLEYS for backdoors in, say, routers. GCHQ use STRAP3 protection measures for their CRYPTO compartments in CESG.

As a sysadmin, Snowden basically had root, and probably had access to pretty much everything that wasn't thoroughly airgapped. However, very few computing resources would have been cleared for that Exceptionally Compartmented Information. The documents he gathered were focused more on activities like mass surveillance and standard undermining, that he sought to blow the whistle on, rather than their targeted cryptanalytic capabilities in general.

640-bit RSA could be broken essentially in real-time by the computing resources available to GCHQ a couple years ago. Of course, they don't actually have to work in real-time, so I suspect that 1024-bit RSA is entirely within their capabilities currently, given that. Diffie-Hellman is slightly harder, but if they're prepared to throw some in the bin or lag behind, they can probably do it, but that's just guesswork.

15. ryan-c+sH[view] [source] [discussion] 2014-12-29 16:22:09
>>erglkj+uk
> Could they break even single 16384-bit RSA key pair? Probably yes

There is no known algorithm that can break a properly generated RSA key of that size; the work required with GNFS is equivalent to brute-forcing a symmetric key of something like 280 bits. Anything that could do that should be able to break even 4096-bit RSA keys (~144-bit security) pretty much instantaneously, and their problems with PGP pretty heavily imply they cannot do that.

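The "280 bits" and "~144 bits" figures above come from the heuristic running time of the general number field sieve. As an added worked example (not part of the thread), the following computes that estimate for the key sizes discussed; it drops the o(1) term in the L-notation exponent, so the results land near, not exactly on, the quoted numbers, which is why the comparison between sizes matters more than any single value.

```python
import math

# Heuristic GNFS running time in L-notation, o(1) term dropped:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the GNFS work estimate for an RSA modulus of the given size.

    Uses n = 2**modulus_bits as the modulus. The result is a rough
    'equivalent symmetric key length'; because the o(1) term is ignored
    it is only accurate to within several bits (the formula overestimates
    the cost of the published RSA-768 factorization, for instance).
    """
    ln_n = modulus_bits * math.log(2)
    ln_ln_n = math.log(ln_n)
    ln_work = GNFS_C * ln_n ** (1.0 / 3.0) * ln_ln_n ** (2.0 / 3.0)
    return ln_work / math.log(2)


def work_ratio_bits(larger_bits: int, smaller_bits: int) -> float:
    """log2 of how much cheaper the smaller modulus is to factor than the larger.

    A positive value k means the smaller key falls with 2**k times less work,
    which is the point made above about 16384-bit versus 4096-bit keys.
    """
    return gnfs_work_bits(larger_bits) - gnfs_work_bits(smaller_bits)


def security_table(sizes=(512, 768, 1024, 2048, 4096, 16384)) -> dict:
    """Rounded symmetric-equivalent strength for each modulus size."""
    return {b: round(gnfs_work_bits(b)) for b in sizes}


if __name__ == "__main__":
    for bits, sym in security_table().items():
        print(f"RSA-{bits:>5}: ~{sym:3d}-bit symmetric equivalent")
    print(f"16384 vs 4096: 2^{work_ratio_bits(16384, 4096):.0f} times more work")
```

For key-sizing decisions, the ordering is the useful part: 1024-bit RSA sits well below the 112 to 128 bits that current symmetric ciphers are expected to provide.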
16. Michae+Qq1[view] [source] [discussion] 2014-12-30 03:33:13
>>xnull2+zf
Might be of interest in light of possible AES breakage: I have a small project that encrypts/decrypts the whole message with RSA (of course the message is also signed before encryption and the result is verified on decryption);

it runs on as many cores as available; also, for this it goes to some length to avoid multithreading locks in OpenSSL (where possible).

http://mosermichael.github.io/cstuff/all/projects/2014/02/24...

17. yuhong+vA1[view] [source] [discussion] 2014-12-30 08:15:56
>>skuhn+jm
Yeah, if one was signed for www.google.com it would be a serious problem. If it is targeting specific obscure domain names where the customer is willing to accept the risk, that is a different matter.