
How is NSA breaking so much crypto? - sohkamyung
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
======
misiti3780
"Since weak use of Diffie-Hellman is widespread in standards and
implementations, it will be many years before the problems go away, even given
existing security recommendations and our new findings. In the meantime, other
large governments potentially can implement similar attacks, if they haven’t
already. "

can someone explain to me why this cant be fixed over night. im no crypto
expert, but

" If a client and server are speaking Diffie-Hellman, they first need to agree
on a large prime number with a particular form. "

why can't you just switch the large prime number and then continue on sending
encrypted data?

~~~
amluto
It turns out that verifying whether a given prime is appropriate for Diffie-
Hellman is rather slow. This means that, if you accept a prime supplied by
someone else (e.g. whoever you're communicating with), and you don't carefully
verify the prime, then you're at risk of ending up with a maliciously chosen
weak group and/or generator.

For some protocols, this is fine. For other protocols, it's a problem. IIRC
one variant of the triple-handshake attack on TLS involved tricking the client
into using a weak group.

From memory (too lazy to look up all the details right now), the issue is that
the order of the multiplicative group mod p is p-1. If p is a prime greater
than 3 (which it is in standard Diffie-Hellman), then p-1 is certainly not
prime, which means that the multiplicative group will have subgroups of
varying sizes. Some subgroups might be small. If one party sends a public
share in a small subgroup, then bad things can happen.

Unfortunately, validating the DH parameters is too slow to do with each
handshake. So either you carefully design the protocol to avoid this problem
(which is certainly doable in many cases), you use a well-known group (which
should be fine as long as the group is large enough), or you use something
like ECDH. ECDH is nice because the index calculus attacks don't work and you
can have a nice group structure.

Aside: While it's possible for an EC group to have a prime order, for various
tricky reasons, the better modern EC curves deliberately have an order that's
h*p for some small h (h is called the "cofactor" and h=4 or h=8 are common)
and a large prime p. This gives some nifty benefits, but it requires a bit of
care under some circumstances.
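
The per-handshake checks the comment above alludes to, as an added example that is not from the thread or from the paper's authors: a safe-prime test for the group, a check that the generator has prime order q, and the cheap per-peer check (one exponentiation) that a received public value lies in the order-q subgroup. All numbers are tiny constructed toys (p = 23, q = 11) chosen so the arithmetic can be followed by hand; real groups are 2048 bits or more.

```python
# Added example (not from the thread): validating a Diffie-Hellman group and a
# peer's public value before use, so that a "public share in a small subgroup"
# is rejected. All values are constructed toy numbers; real groups use
# 2048-bit or larger primes.

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; deterministic for the toy sizes here."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime if p and q = (p - 1) / 2 are both prime. Then Z_p^*
    only has subgroups of order 1, 2, q and 2q: the only small subgroups are
    the trivial ones, which the public-value check below catches."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_group(p: int, g: int) -> bool:
    """Accept only a safe prime p and a generator g of the order-q subgroup
    (g^q == 1, g not 1 or p-1), so that honest public values satisfy y^q == 1.
    This is the slow, once-per-group check the comment talks about."""
    if not is_safe_prime(p):
        return False
    q = (p - 1) // 2
    return 2 <= g <= p - 2 and pow(g, q, p) == 1


def validate_public_value(p: int, y: int) -> bool:
    """Reject y outside [2, p-2] (the order-1 and order-2 elements) and any y
    outside the order-q subgroup. One modular exponentiation per handshake."""
    q = (p - 1) // 2
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def derive_shared_secret(p: int, my_private: int, peer_public: int) -> int:
    """Only combine with a peer value that passed validation."""
    if not validate_public_value(p, peer_public):
        raise ValueError("peer public value rejected: not in the prime-order subgroup")
    return pow(peer_public, my_private, p)


if __name__ == "__main__":
    p, g = 23, 4                      # constructed toy safe prime, q = 11; 4 has order 11
    assert validate_group(p, g)
    assert not is_safe_prime(31)      # 30 = 2*3*5: subgroups of order 3 and 5 exist
    honest = pow(g, 5, p)             # 12, a genuine public share
    print("shared secret:", derive_shared_secret(p, 7, honest))
    for bad in (0, 1, p - 1, 5):      # orders 1, 2 and 22: none lie in the q subgroup
        try:
            derive_shared_secret(p, 7, bad)
        except ValueError as e:
            print(bad, "->", e)
```

The design point is the split the comment makes: `validate_group` is expensive (two primality tests) and is done once when a group is chosen or pinned, while `validate_public_value` costs one exponentiation and is affordable on every handshake, so a peer cannot confine the shared secret to a tiny subgroup even when the group itself is trusted.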

~~~
phicoh
There is an easy way to solve this at the protocol level: maintain a hash of
everything that was said and sign it during authentication. Any downgrade
attack will show up and cause the wrong hash to be signed.
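
The mechanism described above (later standardized for TLS as the session hash, RFC 7627), as an added example that is not from the thread: a toy ClientHello/ServerKeyExchange exchange where an in-path rewrite removes the strong group from the client's offer. When the server signs only its own key-exchange message the downgrade goes unnoticed; when it signs a hash of the whole transcript the client's verification fails. Messages are constructed strings, and HMAC under a shared key stands in for the server's RSA signature (the client is assumed to hold the matching verification key).

```python
# Added example (not from the thread): signing a hash of the full handshake
# transcript detects a parameter downgrade that signing only the server's own
# message does not. HMAC with a constructed key stands in for an RSA signature.
import hashlib
import hmac

SERVER_SIGNING_KEY = b"constructed-long-term-server-key"  # stand-in for the RSA private key


def sign(data: bytes) -> bytes:
    return hmac.new(SERVER_SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def transcript_hash(messages) -> bytes:
    """Length-prefix each message so the hash covers an unambiguous concatenation."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big") + m)
    return h.digest()


def offered_groups(client_hello: bytes):
    return client_hello.split(b"groups=")[1].split(b",")


def run_handshake(client_hello: bytes, on_wire=None, bind_transcript=True):
    """Simulate ClientHello -> ServerKeyExchange with an optional in-path rewrite
    of the ClientHello. Returns (client_accepted, negotiated_group)."""
    hello_as_received = on_wire(client_hello) if on_wire else client_hello

    # Server: picks the first group the hello it received offers, then signs.
    group = offered_groups(hello_as_received)[0]
    ske = b"ServerKeyExchange:group=" + group
    signed_data = transcript_hash([hello_as_received, ske]) if bind_transcript else ske
    sig = sign(signed_data)

    # Client: verifies against the hello it actually sent, not what the server saw.
    expected = transcript_hash([client_hello, ske]) if bind_transcript else ske
    return verify(expected, sig), group


def strip_strong_groups(client_hello: bytes) -> bytes:
    """Constructed in-path rewrite: leaves only the weakest offered group."""
    return b"ClientHello:groups=" + offered_groups(client_hello)[-1]


CLIENT_HELLO = b"ClientHello:groups=DH-2048,DH-1024"   # client lists strongest first

if __name__ == "__main__":
    print(run_handshake(CLIENT_HELLO))                               # (True, b'DH-2048')
    print(run_handshake(CLIENT_HELLO, strip_strong_groups, False))   # (True, b'DH-1024'): undetected
    print(run_handshake(CLIENT_HELLO, strip_strong_groups, True))    # (False, b'DH-1024'): detected
```

The third call is the case phicoh describes: the server signs the hash of the transcript it saw, the client hashes the transcript it sent, and because the two ClientHellos differ the signature does not verify and the client aborts instead of completing a handshake on the weaker group.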

~~~
schoen
As I understand it, this fix has already been proposed for TLS by the
developers of the triple-handshake attack, but it may take some time to be
implemented and may never be implemented everywhere.

[https://www.ietf.org/archive/id/draft-bhargavan-tls-session-hash-01.txt](https://www.ietf.org/archive/id/draft-bhargavan-tls-session-hash-01.txt)

I'm not quite sure why this Internet-Draft expired without a replacement or if
this work is still continuing somewhere in the TLS WG.

~~~
schoen
> I'm not quite sure why this Internet-Draft expired without a replacement

Oh, because it was issued as an RFC!

[https://www.rfc-editor.org/rfc/rfc7627.txt](https://www.rfc-editor.org/rfc/rfc7627.txt)

------
seanwilson
Isn't the much simpler explanation that, for particular servers, they either
have permission (e.g. companies have agreed to hand over the encryption keys
or allow monitoring of the data after it is unencrypted on arrival) or some
other means (man-in-the-middle attacks, server backdoors, hacking vulnerable
software) to bypass the encryption entirely without you knowing? For instance,
I find the idea that they would direct huge amounts of computing power to
crack individual keys implausible given the previous example methods are so
much easier.

~~~
kllrnohj
> they either have permission (e.g. companies have agreed to hand over the
> encryption keys or allow monitoring of the data after it is unencrypted on
> arrival)

No, because nobody would do that and the NSA has no legal authority with which
to force that. Companies wouldn't agree to this because they have everything
to lose and nothing to gain. It's not like the NSA could even offer them
favors in exchange, as the entire thing is ultra-classified. Also there's
exactly zero chance this would ever be able to be kept secret. Companies can't
even keep their products secret for the few months it takes from prototypes to
launch, there's no way in hell the NSA would trust them to keep this secret
for years. The first sys admin forced to do this would _instantly_ talk about
it.

> some other means (man-in-the-middle attacks, server backdoors, hacking
> vulnerable software) to bypass the encryption entirely

The article talks about this. That's definitely possible, but it's much more
targeted and doesn't fit the scale that the Snowden leaks suggested the NSA
was achieving.

~~~
seanwilson
> No, because nobody would do that and the NSA has no legal authority with
> which to force that. Companies wouldn't agree to this because they have
> everything to lose and nothing to gain.

Not claiming I'm well read up on this but wasn't a big part of the leaks that
companies were cooperating with the NSA in secret?

[http://www.wired.com/2014/01/how-the-us-almost-killed-the-internet/](http://www.wired.com/2014/01/how-the-us-almost-killed-the-internet/)

"Gellman wanted to be the first to expose a top-secret NSA program called
Prism. Snowden’s files indicated that some of the biggest companies on the web
had granted the NSA and FBI direct access to their servers, giving the
agencies the ability to grab a person’s audio, video, photos, emails, and
documents."

~~~
kllrnohj
The telcos (AT&T, Verizon, etc...) were cooperating, but that also fell under
existing wiretap laws-ish and was known-ish. There had been rumors about it
for years, there have been photos of mysterious government vans of equipment
showing up at sites, special locked rooms, etc... Those companies also haven't
denied it.

However there is none of that for any of the other companies listed under
Prism. Later leaks from Snowden suggest that the companies listed in Prism did
not know they were part of Prism (places where inter-dc traffic was being
spliced, that sort of thing).

Also just practically speaking with how fast companies rise & fall in this
area doing this on a per-company basis wouldn't scale. Like when would you
expect the NSA to approach, say, WhatsApp? Or Snapchat?

------
Pyxl101
Some advice from the authors on how to properly deploy Diffie-Hellman:

[https://weakdh.org/sysadmin.html](https://weakdh.org/sysadmin.html)

~~~
nly
There's also [https://cipherli.st/](https://cipherli.st/) which, imho, is
better. What's really awful is the sets are similar yet almost disjoint, only
agreeing on 4 cipher combos:

    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA

Personally I use the shorter "strong" config off cipherli.st

~~~
dadrian
Our cipher recommendations on the Weak DH site come directly from Mozilla. See
[https://wiki.mozilla.org/Security/Server_Side_TLS#Recommende...](https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations)

------
andyjohnson0
_" For the nerds in the audience, here’s what’s wrong: If a client and server
are speaking Diffie-Hellman, they first need to agree on a large prime number
with a particular form. [...] an adversary can perform a single enormous
computation to “crack” a particular prime [...]"_

Can someone explain to me what the authors mean by "cracking" a prime? Is the
difficulty of this related to the difficulty of factoring a composite number?
The language used is annoyingly imprecise.

Edit: Question was already asked by smegel, and has some useful answers.

~~~
johncolanduoni
It's called index calculus[1]. Basically, it allows you to do a (huge) amount
of work that can be factored out from breaking specific DH exchanges, as long
as the same prime is used. Since finding good DH primes is far more expensive
than coming up with good primes for RSA, these primes tend to be reused on a
massive scale.

[1]:
[https://en.wikipedia.org/wiki/Index_calculus_algorithm](https://en.wikipedia.org/wiki/Index_calculus_algorithm)

~~~
dheera
This system sounds incredibly insecure to me. What are the benefits of this
over just plain old RSA with everyone using their own keys?

~~~
minitech
Forward secrecy in the event of a compromised key.

------
paulgerhardt
See also Martin Hellman's oral history on trap doors:
[https://conservancy.umn.edu/bitstream/handle/11299/107353/oh...](https://conservancy.umn.edu/bitstream/handle/11299/107353/oh375mh.pdf?sequence=1)

------
devit
Apparently some Cisco products might even be using 768-bit DH as default for
IPsec!

From [http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-2mt/sec-key-exch-ipsec.html](http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-2mt/sec-key-exch-ipsec.html):

<< Diffie-Hellman--A public-key cryptography protocol that allows two parties
to establish a shared secret over an unsecure communications channel.
Diffie-Hellman is used within IKE to establish session keys. It supports
_==> 768-bit (the default) <==_, 1024-bit, 1536-bit, 2048-bit, 3072-bit, and
4096-bit DH groups. It also supports a 2048-bit DH group with a 256-bit
subgroup, and 256-bit and 384-bit elliptic curve DH (ECDH). Cisco recommends
using 2048-bit or larger DH key exchange, or ECDH key exchange. >>

Malice or incompetence? (or crappy hardware that needs help to not be slow?)

The recommendation is correct so...

------
vbezhenar
When I setup TLS for web or smtp, there's an option to generate custom dh
params. So basically one must generate new dh params for every installation to
be safe against attack presented in the article, is it correct?

~~~
schoen
That would work, but there's still a problem when the client can't verify that
the parameters are safe, at least when using client certificates. See the
references in section 9.7 of

[https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/](https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/)

As a result, that draft proposes using specific much larger parameters, on the
basis of scaling considerations for the attacker. I think the authors of this
paper endorse this solution.

(It's OK in general if you share parameters with someone else, it just means
that an attacker who can do this precomputation for those parameters gets to
attack both of your DH sessions as a result.)

------
metachris
Interesting paper ([https://weakdh.org/imperfect-forward-secrecy.pdf](https://weakdh.org/imperfect-forward-secrecy.pdf))
and lots of good references!

Inspired me to write a little tool to download all referenced pdfs from any
given pdf: [https://github.com/metachris/pdf-link-extractor](https://github.com/metachris/pdf-link-extractor)

------
thiagoharry
According to the estimated cost given for that machine (a few hundred million
dollars) and the problem's nature, what they propose is very similar to TWIRL,
a hypothetical machine that could factor 1024-bit integers to break RSA. That
was the reason that made a lot of people consider 1024-bit RSA not secure
anymore and change their keys to 2048 bits. The same should happen with DH
now.

------
acd
You can check web sites for common Diffie-Hellman primes on ssllabs.com; check
the "Protocol details" section for "Uses common DH primes".

Also, the latest openssh package warns against Diffie-Hellman ssh keys; now we
know why they warn us.

------
sarciszewski
This might not contribute much to the discussion, but I just want to add:

I for one welcome the coming arrival of ECDH over curve25519 in TLS
everywhere.

(And I _really_ hope that comes to pass.)

~~~
api
Question I don't know the answer to:

Is there any chance that ECC is vulnerable to similar issues with static
universally agreed upon constants. In ECC these are curves, and is it feasible
to "pre-crack" a curve? Or is the space so huge in this case that it would
take millions of years of compute time to do so?

Someone who knows ECC math better than I do would have to answer this one.

~~~
tptacek
A big part of the whole point of ECC is that it resists index calculus.

Also, remember: this isn't a fatal flaw in all of Diffie Hellman. It's a
variant of a well-known attack that makes it economical to attack 1024 bit DH,
not merely plausible. So far as anyone knows, it does nothing to help attack
2048 bit DH.

~~~
api
So Curve25519 is pretty much rock solid unless (a) someone discovers genuinely
new math or (b) we get a practical quantum computer with enough coherent
qubits to actually run the ECC variant of Shor's algorithm.

Note the qualifications around (b). Just any QC would not do... it would have
to (as far as I know) have a rather "wide" coherent qubit capacity among other
characteristics.

So what... Curve25519 until 2050? 2100? Hard to say and new math is always a
total wildcard, but it seems damn secure.

... and as you say DH and RSA are also great with >2048 bits. 4096 bits is
what I typically use.

~~~
petra
>>So Curve25519 is pretty much rock solid unless (a) someone discovers
genuinely new math or

After the NSA news happened, Schneier said the math is safe, saying/implying
you can trust Diffie-Hellman. And now it's not secure. So how can we be so
sure of Curve25519?

~~~
tptacek
There's nothing new about the math here. 1024 bit DH has been precarious for
over a decade, at least since Tromer costed out an RSA-1024 factoring machine.

In other words, people a decade ago were _also_ telling you to avoid DH-1024.
What we're looking at today is a more efficient way of exploiting a bug we've
known about for a long time.

------
AnonNo15
Crap. So what are the immediate countermeasures? Switch to elliptic curves
cryptography?

~~~
njharman
Don't be a target the NSA is interested in.

~~~
wernercd
By stating your intent to not be noticed, you have drawn their eyes.

Why else would you want that if you aren't trying to hide something?

~~~
crpatino
It's a pretty safe bet that everyone here - a forum called "hacker news" which
discusses, among other things, the several aspects of online security - is
already on a watch list. The idea is to not promote yourself even further in
their attention.

------
zmanian
How much software has been updated to use stronger DH either ECC or 2048 bit
prime field?

Is there an easy way to check if a VPN provider has updated?

The ASICs NSA built for breaking some common 1024 bit fields are probably
breaking specific RSA keys now...

~~~
andrewpe
Run your private key through the second command here:
[http://etherhack.co.uk/asymmetric/docs/rsa_key_breakdown.htm...](http://etherhack.co.uk/asymmetric/docs/rsa_key_breakdown.html)

------
542458
I wonder what the effort to break a 2048-bit prime would be. I suspect it's
heading into "dyson sphere powered ideal computer" territory, but I'd be
curious to know what it would actually be.

~~~
tptacek
The thing that breaks 2048 bit conventional multiplicative group Diffie
Hellman is likely to break conventional multiplicative group Diffie Hellman
altogether.

~~~
Locke1689
Any reason not to just settle on ECDH for new applications?

~~~
tptacek
It's Complicated. All else equal, yes, you should use ECDH over a good curve,
implemented carefully in a curve library you yourself did not write, which
library has been carefully reviewed for flaws.

But if you don't have access to that code on every platform you might need to
deploy on, it might be better to do DH-2048 than to use crappy curve code.

Basically, your best choice right now is Curve25519. If you can't get a
trustworthy Curve25519, though, it might be tricky to pick between DH-2048 and
{other curve software}.

~~~
guelo
I understand the reasoning for this recommendation but as this paper shows
there is also a danger in going along with what's popular, even if it's the
best currently recommended practices. If you as a reasonably well-versed
engineer can come up with a custom implementation it would be more likely that
you'll be protected from mass surveillance. Even if your implementation has
some weaknesses you won't be caught up in a dragnet. Assuming the eye of
Sauron does not look right at you, meaning a government-level adversary
targets you directly.

~~~
tptacek
The opposite is true: if you implement ECDH yourself, you aren't unlikely to
end up with software that thousands of different people will be able to break
with their laptops. It's tricky to get right.

~~~
lmm
Any handspun crypto will likely have trivial flaws. But they might escape the
NSA's notice, in the same way that a hand-rolled CAPTCHA can sometimes prevent
more spam than a better-designed but widely-deployed one?

~~~
pja
Pretty much: Odds are that, if you roll your own, you’ll make mistakes which
make your code trivial to break for a motivated attacker that is willing to
put the effort into targeting you personally.

It’s also quite possible that the NSA/GCHQ/5-Eyes will notice that your
communications are 'interesting, because different' and mark them to be stored
in perpetuity in case they ever do decide that you’re of interest so that they
can go back and break it all then.

So, how lucky are you feeling?

------
kristopolous
about 12 years ago I came up with a pretty clever way to factor numbers that I
never pursued the computational complexity of.

The basic algorithm is that you take some candidate X (which will be our 2048
bit number here) and classify your question (primality, whether it is the
product of 2 primes, etc) --- once you have your question, Q, then you can
pick a number Y0 to get X % Y0 = Z0 ... sometimes ~sqrt(X) works well, other
times it's the closest prime factorial, etc.

now using those results, [Q, Y0, Z0], you can optimally pick Y1 and do the
operation again, X % Y1 = Y2 ...

Like the Chinese remainder theorem each Z gives you information on the next
optimum Y given your question Q ...

I called it tunnel factoring and saw some great early results ... but for some
reason I haven't ever pursued it

~~~
chadnickbok
Good engineers ship.

~~~
kristopolous
Do you actually want the source? It's similar to gnfs, but my implementation
of my algorithm seems to be faster in c, under probably gcc 2.95 when compared
to a reference gnfs i had found online ... enough times to be significant (but
a result of "faster on my computer" doesn't really lead to any kind of
"breaking news"). It could just be due to an inefficient implementation.

I'll have to look at some old cvs repos ... Hopefully I can find it. I'll put
it on github if I can.

I worked a good 6 months on it and I understand the gravity of the claim. I
have no interest in being bogus or fraudulent.

~~~
sillysaurus3
_Hopefully I can find it. I'll put it on github if I can._

Please do. It sounds very interesting.

------
astazangasta
If one is not enough, why not just have a million standard keys to choose
from? This makes the problem space prohibitively large, but this many keys
could be passed around in a standard distribution easily enough.

------
kordless
> For the most common strength of Diffie-Hellman (1024 bits), it would cost a
> few hundred million dollars to build a machine, based on special purpose
> hardware, that would be able to crack one Diffie-Hellman prime every year.

I'll just leave this here: [http://fortune.com/2015/06/29/intelligence-community-loves-its-new-amazon-cloud/](http://fortune.com/2015/06/29/intelligence-community-loves-its-new-amazon-cloud/)

~~~
nickpsecurity
Irrelevant: such a cloud would be useless for this application. The NSA will
more likely use a massively-parallel cluster with FPGAs, potentially ASICs if
the numbers added up.

~~~
kordless
> such a cloud would be useless for this application

Either you don't know what is in that DC, or you do. If you don't know what's
in the DC, you can't say one way or the other about what it can and can't do.
If you do know what's in the DC, then you'd likely be prevented from saying
what it's capabilities were or would deny those capabilities publicly if it
did possess them. This is why people make tinfoil hats; because they reach
cognitive dissonance quickly with logic built around untrusted data.

Because I can't implicitly trust you, or Amazon, or the intelligence agencies,
I'm left with the reasoning capabilities I have and trust. Floundering in
cognitive dissonance isn't going to get me anywhere in that regard. I'm left
with what I know, which is that US agencies pay Amazon a staggering amount of
money to run a datacenter for them. I know that AWS itself runs servers with
special purpose hardware in them, such as GPUs, and that most of the value in
AWS comes from federating systems and providing fault tolerance and easy
programmatic access to provisioning. What sits behind all those features is
anyone's guess. Amazon does not publicly discuss their relationship with the
government, so that's zero help here.

If Amazon wanted to own the world's public cloud AND remain trusted, they
should have thought twice about doing a deal with the government. In Germany,
this shit wouldn't fly. Companies who provide services to the government there
sign special agreements to ensure what services they provide to the government
aren't colluded with the services they provide to individuals. It's beyond
dumb that we allow this in the US and that the largest cloud provider here is
mute in that regard.

~~~
nickpsecurity
"If you don't know what's in the DC, you can't say one way or the other about
what it can and can't do."

Sure you can: just go with worst case scenario and assume custom hardware. I
did that on Schneier's blog below:

"The room for error here is in the ASIC assessment. We need to figure out how
much they can parallelize this, either in cores or custom circuits, in a given
ASIC. Then, how many of those can do in one chip at 14-28nm. Then how many
they can squeeze in a rack. Then how much factoring can be done with Amazon or
Microsoft datacenters full of those. That would be the most paranoid
assessment.

You see, the unit prices of these things are really low vs initial development
costs. That's one of main drivers for hardware to shrink. The chips might cost
pro's $10-30 million to develop with boards a tiny fraction of that. Then, the
chips themselves are fabbed dirt-cheap with the boards being inexpensive. If
algorithm doesn't need much communication, then they can use standard I/O
options to farm out the jobs which then just run until they complete. They
could add more capacity year after year cheaply with incremental energy cost
after spending a ton of money on chip design and real estate just once. They
could get 50,000-100,000 chips with multiple accelerators on each every year.

So, I think the authors' upper bound is lower than the real upper bound. Need
to get specialists who have implemented algorithms like this in hardware to
show how it will likely be implemented. Need at least one person who's done a
28nm design to estimate how much of the chip can be dedicated to that with the
other functions considered. Then multiply that by whatever Amazon has to get a
decent upper-bound. "

------
chinathrow
Imagine the money spent on both a) measures and b) countermeasures related to
the ongoing spying by the intelligence apparatus around the world.

Imagine the money not spent on more pressing issues we face these days: health
problems, poverty and the destruction of nature earth, just to name a few.

Why do we, as a society, tolerate this?

~~~
pbhjpbhj
>Why do we, as a society, tolerate this? //

In Western democracies [I really want to put quotes around both those words]
do we have a choice?

In the UK we get to vote, but it's for one of 2 or 3 sets of policies for the
next 5 years; at no point do I recall any main party saying they were going to
do something about NSA/GCHQ incursions into UK life. I imagine the USA has us
over a barrel even if there were political will amongst the elite to change
the spying on ordinary subjects [of the Crown].

~~~
arethuza
You can read Chris Mullin's excellent _A Very British Coup_ for what would
happen if someone got into power that actually threatened that part of the
establishment.

Of course that would never happen as nobody who actually had any intention to
do such a thing would ever get elected as PM - look at the complete lambasting
that Jeremy Corbyn has been getting, including murmurings that the Army would
mutiny if he got into power.

[NB I am not a Labour supporter and wouldn't vote for Corbyn but I do think
that the way he has been treated recently is pretty appalling.]

------
ibmthrowaway271
Is there a tool to output the DH params being used when attempting a TLS
connection (not dumping them from a packet capture)?

I know I can, but I'm hoping for something simpler than having to parse the
TLS messages from:

    openssl s_client -connect host:port -msg

to work it out.
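
One way to get at this without decoding the `-msg` dump by hand, as an added example that is not from the thread: OpenSSL 1.0.2 and later `s_client` print a one-line `Server Temp Key:` summary of the ephemeral key exchange, and a few lines of Python can read it and compare the DH size against the 2048-bit floor the article and weakdh.org recommend. The sample outputs are constructed, the `probe()` helper is an assumed wrapper around the real `openssl s_client -connect`/`-servername`/`-cipher` options, and `example.invalid` is a placeholder host.

```python
# Added example (not from the thread): read the "Server Temp Key" line that
# openssl s_client (1.0.2+) prints and grade the negotiated key exchange.
# Sample outputs are constructed; the host in __main__ is a placeholder.
import re
import subprocess

# Formats seen in practice: "DH, 2048 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits"
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key: (?P<kind>[A-Za-z0-9]+)(?:, (?P<curve>[^,\n]+))?, (?P<bits>\d+) bits",
    re.MULTILINE,
)


def parse_temp_key(s_client_output: str):
    """Return {'kind', 'curve', 'bits'} from s_client output, or None when no
    ephemeral key exchange was negotiated (e.g. plain RSA key transport)."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return {"kind": m.group("kind"), "curve": m.group("curve"), "bits": int(m.group("bits"))}


def assess(info, min_dh_bits: int = 2048) -> str:
    """Verdict on the parsed exchange, using a 2048-bit floor for finite-field DH."""
    if info is None:
        return "NO-PFS: no ephemeral key exchange negotiated"
    if info["kind"] == "DH":
        if info["bits"] < min_dh_bits:
            return f"WEAK: {info['bits']}-bit finite-field DH (below {min_dh_bits})"
        return f"OK: {info['bits']}-bit finite-field DH"
    curve = info["curve"] or info["kind"]
    return f"OK: elliptic-curve exchange ({curve}, {info['bits']} bits)"


def probe(host: str, port: int = 443, timeout: int = 10) -> str:
    """Assumed helper: run s_client, restricting to DHE suites so the server's
    finite-field group is the one shown; -servername sends SNI."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-cipher", "DHE"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_DH_1024 = "...\nServer Temp Key: DH, 1024 bits\n---\nSSL handshake has read 2345 bytes\n"
SAMPLE_ECDH = "...\nServer Temp Key: ECDH, P-256, 256 bits\n---\n"
SAMPLE_X25519 = "...\nServer Temp Key: X25519, 253 bits\n---\n"
SAMPLE_RSA_ONLY = "...\n---\nSSL handshake has read 3011 bytes\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DH_1024, SAMPLE_ECDH, SAMPLE_X25519, SAMPLE_RSA_ONLY):
        print(assess(parse_temp_key(sample)))
    # Live check against a placeholder host:
    # print(assess(parse_temp_key(probe("example.invalid"))))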

------
onderkalaci
_There seemed to be no reason why everyone couldn’t just use the same prime,
and, in fact, many applications tend to use standardized or hard-coded
primes._

Then, if the prime number is standardized or hard-coded, why don't they just
use it? Why do we need to break it?

~~~
macns
It shouldn't be standardized or hard-coded, because someone with the funds
(e.g. the NSA) would need to break the encryption using this 'standardized'
number only once.

If everyone used a random very large prime (the spec suggests so), then the NSA
would have to break every possible prime number, which currently is not
possible.

------
cm2187
Isn't the bulk of the https traffic using RSA, not Diffie-Hellman?

~~~
justsayinghi
IIRC asymmetric decryption is time consuming, so it is used as the initial
step to send/receive the symmetric DH key. All additional encryption/decryption
is symmetric.

~~~
cm2187
But I thought DH was an alternative to RSA, not a symmetric encryption
algorithm.

~~~
Natanael_L
Here's some of the options:

Client generates a key, encrypts with server's RSA key, sends it to the
server, and the session starts. This lacks PFS.

Client and server participate in a DH key exchange; the server signs their DH
parameters using the RSA key so that the client knows that he's talking to the
right person. They now start the session using that DH-generated key. This has
PFS.

And there's same as the above but with DH replaced with elliptic curve DH
(different way of achieving the same thing), and RSA replaced with ECDSA, and
a few other options.
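
The first two options above side by side, as an added example that is not from the thread: each session is run once, a passive recorder keeps what went over the wire, and the server's long-term RSA private key is then handed to the recorder. With RSA key transport the recorded session key falls out immediately; with RSA-signed ephemeral DH the stolen key is no help, and the recorder is left with the discrete-log problem (brute-forced here only because the constructed toy group has 509 elements). The RSA key (n = 3233, e = 17, d = 2753) is the usual textbook example and the DH group (p = 1019, q = 509, g = 4) is constructed; both are far too small for real use.

```python
# Added example (not from the thread): RSA key transport versus RSA-signed
# ephemeral DH against a recorder who later obtains the server's private key.
# All key material is constructed textbook-sized toy values.
import hashlib
import secrets

N, E, D = 3233, 17, 2753          # toy RSA long-term server key; D is private
P, Q, G = 1019, 509, 4            # toy safe-prime group; G has prime order Q


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def _digest_mod_n(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def rsa_sign(data: bytes) -> int:
    return pow(_digest_mod_n(data), D, N)


def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest_mod_n(data)


def kdf(shared: int) -> bytes:
    """Session key from the shared secret; both options end up here."""
    return hashlib.sha256(b"session|" + str(shared).encode()).digest()


def rsa_key_transport_session():
    """Option 1: client picks a premaster and encrypts it to the server's RSA key.
    Returns (session_key, what_a_passive_recorder_sees)."""
    premaster = secrets.randbelow(N - 2) + 2
    c = rsa_encrypt(premaster)
    assert rsa_decrypt(c) == premaster              # server side
    return kdf(premaster), {"encrypted_premaster": c}


def signed_dhe_session():
    """Option 2: ephemeral DH; the server signs its share with the RSA key.
    The exponents a and b are discarded when this function returns."""
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    server_params = b"%d,%d,%d" % (P, G, B)
    sig = rsa_sign(server_params)
    assert rsa_verify(server_params, sig)            # client authenticates the server
    assert pow(B, a, P) == pow(A, b, P)
    return kdf(pow(B, a, P)), {"A": A, "B": B, "sig": sig}


def recorder_with_stolen_key(transcript):
    """The recorder replays its capture with D in hand. Key transport: decrypt
    the premaster, done. Signed DHE: D only verifies or forges signatures and
    says nothing about a or b, so there is no key to return."""
    if "encrypted_premaster" in transcript:
        return kdf(rsa_decrypt(transcript["encrypted_premaster"]))
    return None


def brute_force_dlog(A: int) -> int:
    """What the DHE recorder would have to do instead: solve g^a == A mod p.
    Feasible here only because the toy subgroup has 509 elements; at real sizes
    this is the discrete-log problem the article's precomputation attack targets."""
    x, acc = 0, 1
    while acc != A:
        acc = acc * G % P
        x += 1
    return x


if __name__ == "__main__":
    key1, rec1 = rsa_key_transport_session()
    print("key transport, key stolen later:", recorder_with_stolen_key(rec1) == key1)   # True
    key2, rec2 = signed_dhe_session()
    print("signed DHE, key stolen later:   ", recorder_with_stolen_key(rec2) == key2)   # False
    a = brute_force_dlog(rec2["A"])
    print("signed DHE, dlog solved:        ", kdf(pow(rec2["B"], a, P)) == key2)      # True
```

The last line is the link to the article: forward secrecy holds exactly as long as the discrete log in the chosen group is out of reach, which is why a widely shared 1024-bit prime, and the one-time precomputation it invites, matters even when the long-term signing keys are never stolen.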

------
z3t4
Check your root certificates. If any of those has capabilities of "Man in the
middle", they can see your SSL traffic. That's probably how they do it.

~~~
caf
It's not that simple. A CA can intercept your SSL traffic, but to do so it has
to create a fraudulent certificate for the end site and proxy your traffic to
the site, presenting the fraudulent certificate to you.

This means it can't be done without risking that you might notice it. And it
can't be done just by passively hoovering up all the traffic and then
retrospectively going back and decrypting it.

~~~
schoen
And nowadays "you might notice" in an automated way because of HPKP!

------
crozewski
Can we use distributed computing to crowdsource the computation of more/better
primes? Can OpenSSL look to this pool for its primes?

~~~
JacobEdelman
We wouldn't need to do this. One computer would suffice to generate primes at
a pace making cracking computation infeasible. Though, even if we switch
primes every few seconds, if somebody wanted to put a few hundred million
dollars into cracking a few seconds of messages, they could do it.

------
late2part
I wonder if that estimated cost is the COGS or the R&D? If it's the R&D, what
is the cost of the second machine?

------
petra
Since we don't exactly know what other ways to break crypto are there - why
aren't we focusing on concatenated encryption(at least for critical apps) -
while working hard to ensure no crypto vulnerable to malware type attacks,
especially considering that malware isn't a good way for web scale
surveillance ?

~~~
Natanael_L
It is more commonly called cascade encryption.

The problem is that in many cases you can't afford to sacrifice enough
performance for it.

Also, malware and crypto doesn't "play in the same field". Malware is solved
by secure programming, access controls and users that are educated to not fall
for trojans.

Encryption handles communication and storage, and only to a small degree data
processing.

~~~
sfilipov
To support your point, virtually all crypto vulnerabilities we know of for
sure are a result of bugs in implementations rather than problems with the
underlying algorithms.

On the other hand there are algorithms which are believed to be backdoored by
the NSA (some elliptic curves). These algorithms can be avoided.

In the end, cascading encryption has very limited benefits because the weakest
point of a security application is almost never the algorithm used.

------
kobayashi
Regarding VPN usage, is the fix a client-side or a server-side solution?

~~~
Natanael_L
Server side. They need to change parameters.

------
mediocrejoker
If the NSA wasn't doing this, you can bet they will be soon.

------
jgalt212
How do these findings affect the usage of Tor and Tails?

------
agwa
There aren't any new findings here. It's merely a rehash of the Weak DH attack
(by the same researchers) that was made public in May of this year:
[https://weakdh.org/](https://weakdh.org/)

Still, it's a good reminder that you should not be using 1024-bit Diffie-
Hellman.

~~~
swolchok
> It's merely a rehash of the Weak DH attack that was made public in May of
> this year

Just to clarify (because I was confused when I read your comment), the weak DH
attack was made public by the same people who wrote this post and the academic
paper attached to it. It looks like the post and the paper are part of the
same "release".

Conflict of interest disclaimer: I was a grad student of Professor Halderman's
several years ago.

~~~
agwa
Indeed. I wasn't implying that the blog post authors were copycats. I've
updated my comment to hopefully avoid confusion.

------
mrb
FYI this is not really new news. The authors of that research had already
disclosed their findings at [https://weakdh.org](https://weakdh.org) about 5
months ago.

Today they simply formally presented their research at ACM CCS.

------
smegel
Can someone explain what "breaking a prime" means? What is the output after
your year of computation?

~~~
zmanian
The output is a giant table of A = g^x mod p where, given A, you can look up x.

~~~
caf
There's more to it than that, though - a table that could let you directly
look up the discrete log of an arbitrary A would require on the order of
2^1024 entries (for a 1024 bit group).

It's a table specifically of the discrete logs of a large (but tractable)
number of small primes. Those discrete logs can be used as the input to a
separate stage that can calculate the discrete log of any value in the field.

~~~
qopp
The paper mentioned in the article shows how a few complex steps reduce to
very large polynomial time, most of which can be precomputed given "45 million
computer-years", the rest computed on a per-session basis very quickly.

------
too_late
Wouldn't this be easy to subvert, though?

I mean, say we put through a few patches and started generating primes more
often. Then their big-ass special purpose prime machine becomes an order of
magnitude less-effective, right?

I think the best way to defend against these one-to-many attacks is to spread
out the cost of decrypting large quantities of data. If we all had our own
keys, even if they weren't as strong as one single key that everyone used,
that much more work has to be done to decrypt data for a group of users.

I know nothing about crypto, but a layman can hear about these implementation
architectures and immediately realize what's wrong with it all.

~~~
JacobEdelman
The problem is that there needs to be an agreed upon key that each of the
parties knows before-hand. But yes, there are definitely viable ways to
generate new ones or implement new, safer, standards. Alternatively, a much
larger prime can be used. Also, the Diffie-Hellman protocol is a well known
one that many, many security researchers, programmers, and students have looked
at. The flaws are not obvious, as it's initially unclear how "cracking" a
large prime would work.

~~~
too_late
If they have special-purpose hardware specially designed for cracking primes,
maybe bigger isn't better, right?

What can end-users be doing about this?

------
auntienomen
Ha ha! (Seriously, nice paper.)

------
ape4
Important stuff.

------
ck2
This is an arms race and it doesn't address the underlying cause.

The government of the people should not be spending $10B a year to monitor and
track all of its people just to warehouse the data.

That is quite literally Stasi. Not vaguely like, exactly like.

~~~
johncolanduoni
> That is quite literally Stasi. Not vaguely like, exactly like.

Come on. I agree this is ridiculous and unacceptable, but this kind of
hyperbole only serves to make people discount the sentiment. The NSA has not
tried to use this to suppress political dissidence. The Stasi themselves
called the way they manipulated prisoners "decomposition", and all evidence
suggests it deserved the name. It makes the CIA torture look like juvenile
detention.

Is that a possible dark future if this goes unchecked? For sure. But I think
one of the main reasons serious anti-NSA sentiment and action has had trouble
making it to the mainstream is that people say things like this that make most
people write the movement off as a bunch of crackpot conspiracy theorists. I
don't think you are one, so please don't talk like one.

~~~
laotzu
> The NSA has not tried to use this to suppress political dissidence.

False. They did with Martin Luther King Jr.

To quote the Senator Church of the Church Committee which investigated this:

> In the need to develop a capacity to know what potential enemies are doing,
> the United States government has perfected a technological capability that
> enables us to monitor the messages that go through the air. Now, that is
> necessary and important to the United States as we look abroad at enemies or
> potential enemies. We must know, at the same time, that capability at any time
> could be turned around on the American people, and no American would have any
> privacy left such is the capability to monitor everything—telephone
> conversations, telegrams, it doesn't matter. There would be no place to hide.

> If this government ever became a tyrant, if a dictator ever took charge in
> this country, the technological capacity that the intelligence community has
> given the government could enable it to impose total tyranny, and there would
> be no way to fight back because the most careful effort to combine together in
> resistance to the government, no matter how privately it was done, is within
> the reach of the government to know. Such is the capability of this
> technology.

> I don't want to see this country ever go across the bridge. I know the
> capacity that is there to make tyranny total in America, and we must see to it
> that this agency and all agencies that possess this technology operate within
> the law and under proper supervision so that we never cross over that abyss.
> That is the abyss from which there is no return.

~~~
astine
FBI != NSA

~~~
laotzu
Both agencies targeted him:

[https://en.wikipedia.org/wiki/Martin_Luther_King,_Jr](https://en.wikipedia.org/wiki/Martin_Luther_King,_Jr).

------
mkagenius
Devil is in the details, I would take this with a grain of salt before I read
the paper.

What if a few hundred million is 10x less than the actual amount? What if it
takes 10 years instead of 1?

~~~
BasDirks
What if it's the other way around?

~~~
mkagenius
They would have said that; that was the purpose of the article :)

Unless they themselves are wrong in the calculations.

------
nosuchthing
Being that crypto is 'just math', why would crypto be safe? The only claim
that crypto is safe assumes computational power is limited. Is that a safe
assumption? Assuming the crypto math is safe, one also has to be certain the
entire system which runs the crypto is safe as well.

Analysis and attempts to decode the Voynich manuscript lead me to believe
mathematical patterns intended to hide information, languages in particular,
are not safe in the least.

~~~
ianremsen
That assumption is correct, founded deep within the well-tested parts of our
current understanding of physics.

When the work required to brute-force a cipher in a sane timeframe doesn't
exist (or even couldn't fit) within the bounds of the observable universe, (if
the crypto works as intended, which, to be fair, is a big if) brute-forcing is
safely axed as an avenue of attack.

Of course, on these scales, if you really want to, you could connive and
threaten your way into having a backdoor installed. Or you could spy on the
victim and steal their laptop, with the key decrypted and in memory. Or you
could beat the key and password out of them. Brute-forcing shouldn't be the
most pressing of anyone's cryptographic worries.

------
dogma1138
Breaking crypto is what the NSA was created to do; playing a cat and mouse
game with it means you'll always lose. If the NSA cannot break crypto it's
useless, and given 2 outcomes, them giving up or them just asking for more
money and being more intrusive, the latter is much more likely.

No one will get their privacy "back" by fighting the NSA through technology,
considering their mission, budget and capabilities they'll always win, the
only way to pacify the NSA is through legislation that will ensure that they
only use their capabilities when it's warranted.

~~~
jMyles
This depends on your view of the nature of technology vs. the nature of
political institutions.

I tend to believe that, with time as the X-axis, the nature of technology
is on a positive curve with regard to liberty while the nature of political
institutions is on a negative one.

~~~
dogma1138
Technology can be positive or negative; it's all in the application, but that's
not the issue.

It's not that the NSA is inherently bad or good; as long as it exists it will
be able to break crypto because that is its mission. The US needs that
ability for national security, but it doesn't mean that the NSA has to apply
its capabilities to cast a net on the entire planet.

That said, it's very unlikely that an organization with virtually unlimited
funding, and a recruitment monopoly on the best and the brightest in the field
of cryptography and computer security, will lose on the technology front.
Trying to disarm the NSA is effectively trying to disarm the US; that won't
fly. The only option is to ensure that they use it only when it's explicitly
warranted and not as a business as usual tool.

~~~
aianus
> the US needs that ability for national security

Bullshit.

> recruitment monopoly on the best and the brightest in the field of
> cryptography and computer security

Again, bullshit. The NSA can't compete on compensation and there are plenty of
people who refuse to work there out of principle alone.

~~~
dogma1138
It's not bullshit the NSA plays a pivotal role in ensuring US national
security, that doesn't mean that their current actions are justified, but
having the means is a national security mandate in the current geopolitical
climate.

And the NSA doesn't need to compete on monetary compensation, it competes on a
whole 'nother level which is giving people the biggest challenges to solve
while having access to unparalleled levels of resources and cutting edge
technology.

Bell Labs didn't compete on compensation either, but it was where everyone
wanted to work because of the environment.

You also disregard nationalism, patriotism, and the ability of the
intelligence community to groom targets which they've perfected into an art
form.

~~~
aianus
> You also disregard nationalism, patriotism, and the ability of the
> intelligence community to groom targets which they've perfected into an art
> form.

I'm not saying those things don't exist or that the NSA is incapable of hiring
competent people, I'm disputing your claim that the NSA has a 'monopoly' on
recruiting the best and brightest. I've seen no significant correlation in my
personal experiences between skill in mathematics and patriotism.

------
NN88
It's...their...job...

I wonder what world you all live in in which this is a bad thing. There's real
threats out there and I'd hate to live in a country that lacked the
geopolitical leverage to make use of these tools to my nation's interests.

~~~
aianus
> Theres real threats out there

Grow some balls. I'll take a 1% chance of dying to terrorists every year over
an Orwellian government that passively intercepts everyone's communications.

~~~
dcposch
Besides, your actual risk of dying in a terrorist attack is nowhere close to
1% / year.

It's actually 0% per lifetime, rounded to many decimal places.

Statists and authoritarians like to overstate external threats as an excuse to
consolidate & expand state authority internally. It's an old and common
tactic.

