
How Advanced Is the NSA's Cryptanalysis, and Can We Resist It? - moonboots
https://www.schneier.com/essay-446.html
======
ef4
We can and we must.

I'm glad that Bruce Schneier has now had a chance to view some of the primary
source documents from the Snowden leaks, because I trust him to speak frankly
and I trust his technical ability.

(I'm referring to
[http://www.schneier.com/blog/archives/2013/09/the_nsa_is_bre...](http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html),
not the above link).

Both he and Snowden have essentially said that we can still trust the math.
Modern symmetric crypto has enough safety margin that even extremely
surprising breakthroughs wouldn't give the NSA practical decryption
capabilities. (Asymmetric crypto is less certain, but even there Schneier
still says discrete-log-based methods with sufficiently large keys are likely
ok, and I would bet he's right.)

So the bottom line is this:

- using crypto correctly really matters, because they really _are_ out to get
you. Most software gets it wrong, not because there are no good cryptosystems,
but because people are ignorant of how to do it right.

- build attack-resistant organizations, not just protocols. The more
transparent, flat, and distributed an organization, the harder it is to
secretly coerce into cooperating with the NSA. It's a lot harder to force a
backdoor into Firefox than into Chrome.

- it turns out open source really matters. The tinfoil hat brigade is
vindicated. Closed source vendors really are actively working against their
customers' security.

~~~
hyperbovine
If the NSA had really broken asymmetric crypto it would imply that they were
sitting on a huge unpublished result in one or more of a) complexity theory
b) quantum computing c) number theory d) ?? something even more outlandish.
It's difficult to imagine even them keeping a lid on that. Mathematics is not
a large field nor is it by nature a secretive one. (Arguably recognition is
the thing driving most mathematicians.) The furtive whispers would accumulate.

~~~
eru
Oh, in RSA there are also lots of 'weak' numbers that you shouldn't choose.
They might have found some attacks against some newly recognized weak numbers.

------
newman314
What is not being said is "Which if any of the CAs have been compromised?"
There is this ongoing conversation of "Use HTTPS" (as one of the defense
mechanisms) but there has been very little discussion from what I have seen
around the scenario where CAs have been compromised/backdoor'ed.

~~~
tracker1
I really wish that I could mod this up a _LOT_ ... even with TOR exit nodes +
HTTPS, there's still a really good chance of things not being secure...

~~~
newman314
Compromise the CA (and possibly the pinned certs) and the keys to the bank are
yours. No need to spend all that pesky time crunching numbers, factoring etc.

The most frightening thing to this is there is no good, widespread
alternative...

------
bascule
Schneier has been giving some pretty weird advice lately. This is probably the
weirdest thing I've seen from him:

"Prefer conventional discrete-log-based systems over elliptic-curve systems;
the latter have constants that the NSA influences when they can."

There are plenty of ECC systems that have virtually no chance of NSA
influence. Curve25519/Ed25519 come to mind.

~~~
anologwintermut
Schneier told people to use Tor to avoid the NSA[0]. Telling people to use Tor
when Tor offers almost no anonymity guarantees against a global passive
adversary (which the NSA almost certainly is), is not good advice at all. In
fact, it's actively harmful since it both gives people a false sense of
security and instructs them to wave a giant red flag saying I HAVE SOMETHING TO
HIDE.

[0] [http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...](http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance)

~~~
nothingspecial
If everyone used Tor they wouldn't stand out individually, and I think it's
fair to assume Schneier offered his suggestions in that sense.

~~~
anologwintermut
But there is still the problem that it offers no anonymity against the NSA and
he is suggesting that it does.

------
danso
Politics and civil freedoms aside, I think it's fascinating that there can
essentially be this black box, i.e. the NSA, that can make breakthroughs in
_new mathematics_ with only its employees and those on the outside sworn to
secrecy. They obviously have brilliant mathematicians, but more brilliant than
the best ones at the world's best universities or tech companies? Or are their
suspected/hypothetical theoretical breakthroughs a product of the _efficiency_
of academic thinking that comes from being under one roof, a la the Manhattan
Project (which, like the NSA, obviously had more than just people brilliant in
an academic sense).

When I studied cryptography in college, our professor said matter-of-factly
that the NSA is likely at least a decade ahead in terms of known mathematical
breakthroughs, but perhaps he was biased toward thinking that because he was
in the field during the 1970s breakthrough that Schneier mentions. It seems
more feasible that the breakthrough is in engineering and technology, but hey,
I guess it's good to know the boundaries of mathematical reasoning can be
pushed (hopefully, those gains will be available to the rest of the world for
non-spying means).

edit: Case in point, Schneier's 2007 post that's now on the front page

[https://www.schneier.com/blog/archives/2007/11/the_strange_s...](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)

Schneier describes a random number generator, released as the standard by the
U.S. government, that he concludes was likely back-doored through NSA
intervention. This hypothesis was made by two independent researchers in the
previous months, and others had suspicions a year before. My point being: in
terms of open encryption standards, it's very amazing that the NSA (or any
private entity) can make a purely mathematical breakthrough that's well-ahead
of the field.

~~~
cortesoft
As Schneier says, the difference is that the NSA guys get all the
breakthroughs in the public sphere PLUS all the breakthroughs they have
privately, so they will ALWAYS be at least as far as the public, and most
likely further.

Also, they might not have the most brilliant mathematicians, but private
companies don't have the interest in using their math expertise to break
encryption. There are more lucrative ways to exploit great math ability.

Universities may have more of an interest in advancing cryptography research,
but they can't match the budget nor focus of the NSA.

~~~
maxk42
Agreed. One advantage the NSA has is it can pay some of the best
mathematicians to be full-time pure mathematicians. There are very few
mathematicians that have the opportunity to do something like that -- even
professors have to teach a few classes. I imagine it's a powerful draw to top
talent and gives them the ability to spend more time on a problem than most
others.

~~~
zorked
On the other hand your work is secret and you will never be recognized for
what you do.

~~~
lesterbuck
You would be recognized inside the NSA, a large technical population.

In addition, as with the CIA and other clandestine US government
organizations, they appeal to patriotism and helping the national interest.
That appeal seems to be fraying somewhat lately for the NSA.

~~~
vinceguidry
If they're really trying to keep it secret, not even the NSA rank and file
will know. It's all mostly need to know anyway.

~~~
nitrogen
Though I have no first-hand knowledge, I was under the impression that
organizations like the NSA have internal peer-reviewed journals that their
mathematicians can "publish" in, while remaining classified and unavailable to
the public.

~~~
gizmo686
I have a friend who interned with the NSA in high school. Although what he did
is classified, he was allowed to say that his work got published internally.

------
coldcode
Yet they let one random contractor steal a ton of their secrets. What are the
odds that one person out of those 35,000 that knows these secrets, if they
exist, and has a conscience won't come forth and spill the magic beans?

~~~
jessaustin
If we stipulate the possibility of a person of conscience in that pool, can we
then infer the possibility of people of "evil intent"? By that, I mean people
who will attempt (carefully of course) to use NSA knowledge for their own
enrichment, apart from the "accepted" goals of the NSA.

------
cinquemb
Does anyone know of any research surrounding the usage of meshnets (security
wise)? I know they are springing up in places like Chicago (I'm following the
forum[0] so I can at least be conscious of the technical aspects and their
implementations when I can do something like that where I live), but somehow
they remain disconnected from general conversation (on HN) surrounding passive
surveillance.

[0] [http://cmn-forum.karmanebula.com/](http://cmn-forum.karmanebula.com/)

~~~
marshray
The security model of meshnets always seemed to me to be very similar to the
original internet. I.e., to the extent there is any, the endpoints are
responsible for providing it for themselves.

------
Debugreality
Here is an interesting startup idea that may be a step towards a solution.

Set up an organization that gives a tick of approval similar to ISO quality
standards but for NSA Free software. It would involve selling your logo to
businesses that meet a defined list of processes and practices to harden their
software against 3rd party spying and security flaws.

Then you can perform audits and sell your logo on a yearly basis to businesses
around the globe.

~~~
lostlogin
I misread your post as saying >iOS quality. I'm not sure what that would mean,
however I was about to post saying good luck getting that onto the AppStore.

------
lignuist
Ok Snowden, now release the secure algorithms. :)

If they can break the known algorithms, they probably have better stuff for
their own communication.

------
twotwotwo
Wow, I disagree with him about the relative security of RSA vs. ECC. First,
ignoring any clues from NSA's behavior entirely, RSA attacks have gradually
gotten better, and an RSA/DH-based system with 256-bit security would be very
slow (3072-bit RSA keys).

Second, I really doubt NSA's recommendations for Suite B algos are head fakes,
because the public justification for them makes sense and head faking doesn't.
US and allied governments can't use secret algorithms everywhere, and their
systems need to talk securely. And they seem to actually be using Suite B, so
it would be an expensive, risky head fake to standardize your whole government
around something you know can in principle be cracked (even if you think only
you can currently do it). On the other hand, I think it doesn't matter to NSA
much if Suite B reveals that NSA thinks 521-bit ECDH is OK; notice how it
hasn't led to ubiquitous ECDH usage.

2.5th, if all the latest hints mean they're breaking tons of real traffic with
a mathematical breakthrough, it's got to be in implementing RSA cracks,
because most real traffic isn't using ECC. (Schneier admitted that might be
possible when a "crypto breakthrough" claim came out early last year:
[http://www.schneier.com/blog/archives/2012/03/can_the_nsa_br...](http://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html).)

But there is at least one way to deal with an unresolvable uncertainty about
which of two algos is badly broken. For secure one-to-one communications, you
only need to establish a secure session once, then keep a secret key stashed
for secrecy and authentication (auth through MACs or authenticated encryption,
not signatures). So just frickin' use both: do two key negotiations, hash the
results to get your key, and don't worry how slow it is because chips are fast
and you only need to do this once.

Anyway, I do echo Schneier that the math is probably not the weakest point;
it's consistent with experience in the world outside, where there are far more
bugs and so on than algorithm failures (though algo failures happen, e.g., the
2008 MD5 SSL break). And it's consistent with all the other NSA leaks, which
are mostly about non-cryptographic ways to data. Regaining some privacy looks
like a long and difficult process.
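
The "use both" construction from the post above, as an added Go example that is not part of this thread: one X25519 exchange and one RSA-OAEP key transport (standing in for the post's "RSA/DH" side), with both shared secrets and the public transcript hashed into a single session key. The two-party flow, the RSA-2048 key and the HMAC label are constructed for illustration; the key combiner is a labelled HMAC chain, not a standard KDF.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must(err error) { if err != nil { panic(err) } }

// hybridKey folds both shared secrets and the public transcript into one key.
// An attacker who recovers only one input (say, by breaking RSA) still lacks
// the other, so the output stays unpredictable while either problem is hard.
func hybridKey(ecdhSecret, rsaSecret, transcript []byte) []byte {
	extract := hmac.New(sha256.New, []byte("hybrid-kdf-v1")) // constructed label
	extract.Write(ecdhSecret)
	extract.Write(rsaSecret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(transcript)
	return expand.Sum(nil)
}

// establish runs both negotiations between two simulated parties and returns
// the session key each side derived; the two must agree.
func establish() (aliceKey, bobKey []byte) {
	aliceRSA, err := rsa.GenerateKey(rand.Reader, 2048) // Alice's RSA-2048 key
	must(err)
	aliceEC, err := ecdh.X25519().GenerateKey(rand.Reader) // ephemeral X25519 keys
	must(err)
	bobEC, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	// Negotiation 1: X25519 ECDH, computed independently by each side.
	bobECDH, err := bobEC.ECDH(aliceEC.PublicKey())
	must(err)
	aliceECDH, err := aliceEC.ECDH(bobEC.PublicKey())
	must(err)
	// Negotiation 2: Bob RSA-OAEP-encrypts a fresh 32-byte secret to Alice's key.
	rsaSecret := make([]byte, 32)
	rand.Read(rsaSecret) // crypto/rand.Read never returns an error since Go 1.24
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &aliceRSA.PublicKey, rsaSecret, nil)
	must(err)
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), nil, aliceRSA, ct, nil)
	must(err)
	// Bind both ECDH public keys so a swapped key changes the derived result.
	transcript := append(aliceEC.PublicKey().Bytes(), bobEC.PublicKey().Bytes()...)
	return hybridKey(aliceECDH, unwrapped, transcript), hybridKey(bobECDH, rsaSecret, transcript)
}

func main() { a, b := establish(); fmt.Printf("alice %x\nbob   %x\n", a, b) }
```

Authentication of the two public keys is out of scope here; as the post says, it would come from MACs under the established key, not from signatures.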

~~~
oleganza
Correction: 256-bit security is provided by 15360-bit RSA keys and 512-bit ECC
keys. 3072-bit RSA key provides 128 bits of security.

------
jaekwon
If you're a brilliant mathematician who has made a breakthrough in breaking
cryptography, wouldn't you want to make a deal with the NSA? Reveal
breakthrough in return for more knowledge.

~~~
marcosdumay
Well, on those feet, I'd ask for money, not knowledge. That has the advantage
that the NSA may actually accept the deal, instead of just blackmailing me (or
worse).

That is, if I wanted to make any kind of deal with the NSA.

~~~
marshray
Why would you expect a lawless organization like this to actually pay you?

It might just be easier for them to say "Thanks, but we already knew that, and
by the way that's ultra classified so we'll give you the option of a clean
suicide."

~~~
fivethree
Because the "lawless organization" is backed by the richest country in the
history of the concept of money.

~~~
marshray
The money isn't the issue. The issue is that once you disclose the algorithm,
your continued existence can then only represent future nation-state levels of
liability.

~~~
Spooky23
The NSA isn't some faceless villain. They are an organization that has been
consistently 10-20 years ahead of the world in many math disciplines.

~~~
marshray
The NSA is but one of several massive spy operations under the Pentagon. It's
not even the best funded. Several of them are ones most people have never even
heard of. I'd say that qualifies as 'faceless'.

------
kefka
The NSA, I'm sure, is able to break *encryption schemes. That is, indeed, their
job.

For my friend, the pig is about to roost in the henhouse.

