zlacker

[parent] [thread] 8 comments
1. nullc+(OP) 2014-12-28 23:35:57
The fact that they broke some but not all the OTR messages in the log suggests to me that their attack is not a MITM, but instead a compromise of the 1024 bit DH or CTR mode AES.
replies(2): >>tptace+w4 >>meowfa+B8
2. tptace+w4 2014-12-29 01:28:46
>>nullc+(OP)
Do you really think NSA has compromised AES-CTR? That would have to be a pretty fundamental attack, wouldn't it?
replies(2): >>teduna+ef >>nullc+0p
3. meowfa+B8 2014-12-29 03:29:24
>>nullc+(OP)
The impression I got was that the person they were monitoring used OTR for some messages and plaintext for others.
replies(2): >>nullc+To >>Alyssa+5C
4. teduna+ef 2014-12-29 07:27:50
>>tptace+w4
I have little doubt they have compromised some system that reuses keys or nonces (or fails to increment the counter :)). If I were making a powerpoint to brag to my bosses, I would definitely put that on a slide.
5. nullc+To 2014-12-29 12:13:17
>>meowfa+B8
One normally does not turn off OTR in the middle of a conversation.
6. nullc+0p 2014-12-29 12:16:42
>>tptace+w4
I am not trying to draw any conclusions. Just exploring what the data seems to support.

Another alternative (mentioned on otr-dev) is that an implementation which uses a low-quality RNG to feed the ECDH might result in some messages being recoverable and others not.

An attack on CTR would indeed be pretty fundamental. Though some of the other documents appeared to support some level of cryptanalysis capability against some implementations of at least some symmetric ciphers.

replies(1): >>tptace+0H
7. Alyssa+5C 2014-12-29 16:00:38
>>meowfa+B8
I believe this is correct.
8. tptace+0H 2014-12-29 17:00:24
>>nullc+0p
Can you think through a scenario in which CTR could be broken? CTR, in particular. What's a hypothetical here?
replies(1): >>nullc+R03
9. nullc+R03 2014-12-31 14:43:44
>>tptace+0H
Sure.

Improve the existing key-recovery attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/a...) on AES from 2^126 to 2^80 (through unknown methods, potentially exploiting the trivial relation of CTR plaintexts), which is a scale at which a state level party could perform computation, especially on specialized hardware. Observe a CTR block on known plaintext and recover the key.

Practical key recovery attacks have existed against many block ciphers. AES is pedantically weaker than it should be (since an attack exists at 2^126).

Do I think this is likely? I don't have enough information to answer, and in the absence of information I'd default to "probably not". It wouldn't be inconceivable, however.
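The two failure modes the thread circles around, key/nonce reuse or a counter that is never incremented (comment 4) and the "trivial relation" between CTR ciphertexts and known plaintext (comment 9), shown in working code as an added example; this is not code from the original thread or from any OTR implementation. AES is replaced by HMAC-SHA256 as the keystream function so the block runs on the Python standard library alone, which does not change the structural properties being demonstrated; the key, nonce and messages are constructed for the demo.

```python
import hmac
import hashlib

BLOCK = 32  # HMAC-SHA256 digest width, used as the CTR "block" size here


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One CTR keystream block: PRF(key, nonce || counter).

    A real OTR stack would use AES here. HMAC-SHA256 stands in as the
    pseudo-random function (an assumption for this demo); CTR only needs
    a PRF, so nonce reuse and stuck counters behave the same either way.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes, increment: bool = True) -> bytes:
    """Encrypt or decrypt (same operation) in CTR mode.

    increment=False models the bug of never advancing the counter, so every
    block of the message is XORed with the same keystream block.
    """
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = i // BLOCK if increment else 0
        ks = keystream_block(key, nonce, counter)
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """In CTR, known plaintext hands over the keystream for those positions."""
    return xor_bytes(ciphertext, known_plaintext)


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key, not a real one").digest()
    nonce = b"fixed-nonce!"  # constructed; reused on purpose below
    m1 = b"OTR message one: meet at the usual place at nine."
    m2 = b"OTR message two: change of plan, bring the files"

    # Correct use: the same key and nonce round-trip a single message.
    roundtrip_ok = ctr_xor(key, nonce, ctr_xor(key, nonce, m1)) == m1

    # Failure 1: same key AND same nonce for two messages.
    c1 = ctr_xor(key, nonce, m1)
    c2 = ctr_xor(key, nonce, m2)
    # The keystream cancels: c1 XOR c2 == m1 XOR m2 (over the common prefix).
    xor_leak = xor_bytes(c1, c2) == xor_bytes(m1, m2)
    # Knowing m1 recovers the keystream and therefore all of m2.
    keystream = recover_keystream(c1, m1)
    m2_recovered = xor_bytes(c2, keystream) == m2

    # With a fresh nonce per message the relation disappears.
    c2_fresh = ctr_xor(key, b"other-nonce!", m2)
    fresh_nonce_leak = xor_bytes(c1, c2_fresh) == xor_bytes(m1, m2)

    # Failure 2: counter never incremented -> repeated plaintext blocks
    # produce repeated ciphertext blocks, visible without any key material.
    same_pt = b"A" * (2 * BLOCK)
    stuck = ctr_xor(key, nonce, same_pt, increment=False)
    proper = ctr_xor(key, nonce, same_pt)

    return {
        "roundtrip_ok": roundtrip_ok,
        "xor_leak": xor_leak,
        "m2_recovered": m2_recovered,
        "fresh_nonce_leak": fresh_nonce_leak,
        "stuck_counter_repeats": stuck[:BLOCK] == stuck[BLOCK:],
        "proper_counter_repeats": proper[:BLOCK] == proper[BLOCK:],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a reviewer of an OTR (or any CTR-based) implementation is that none of these recoveries touch the cipher itself: a reused (key, nonce) pair or a stuck counter turns the mode into a reused one-time pad, which is exactly the kind of implementation flaw that would explain some messages in a log being readable and others not.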
