
The NSA's Cryptographic Capabilities - silenteh
http://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
======
devx
After the new revelations every site that's using SSL should be using Perfect
Forward Secrecy with it, too. Right now, only a few known companies like
Google (only for the search engine probably), DuckDuckGo, and
Ixquick/Startpage are using it.

Considering NSA is collecting as many keys as possible, let's at least make
their job exponentially harder by encrypting every session and every message
with a new key with PFS. It's the _least_ these companies can do, if they're
serious about their users' privacy.

Also, as Bruce is saying - use 3072 bit or even 4096 bit RSA keys (or better
alternatives) and AES-256 as soon as possible (hopefully within a year).

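The property devx is asking for, as an added illustration (this is not code from the thread or from Schneier's post): two handshakes between the same parties, one where the long-term keys are the Diffie-Hellman keys (no forward secrecy) and one where each session uses fresh ephemeral keys (forward secrecy). A passive recorder who later obtains Bob's long-term private key recovers the first session key but not the second. Assumptions: X25519 is implemented from RFC 7748 in plain Python (not constant time, demo only); the handshake framing, the SHA-256 key derivation label and the `passive_attacker` routine are invented for this example and do not model any real protocol's wire format; the long-term signature over the ephemeral values in a real ECDHE handshake is omitted because it does not enter the key derivation.

```python
"""Forward secrecy demo: static DH (no PFS) versus ephemeral DH (PFS).

Added example, not code from the thread. X25519 follows RFC 7748 section 5
in plain Python (not constant time). Framing, KDF label and the attacker
routine are assumptions made for this demo, not a real protocol.
"""
import hashlib
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: returns k*u as a 32-byte u-coordinate."""
    scalar, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# RFC 7748 section 6.1 test vector (Alice's private key, Bob's public key, K).
RFC7748_ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def rfc7748_vector_ok() -> bool:
    return x25519(RFC7748_ALICE_SK, RFC7748_BOB_PK) == RFC7748_SHARED


def keypair():
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def derive_session_key(shared: bytes, transcript: bytes) -> bytes:
    # Assumed KDF for the demo: hash the DH output together with the public transcript.
    return hashlib.sha256(b"demo-session-key" + shared + transcript).digest()


def static_dh_handshake(alice_lt, bob_lt):
    """No forward secrecy: the long-term keys are the DH keys themselves."""
    (a_sk, a_pk), (b_sk, b_pk) = alice_lt, bob_lt
    transcript = a_pk + b_pk  # exactly what a passive tap records
    key = derive_session_key(x25519(a_sk, b_pk), transcript)
    assert key == derive_session_key(x25519(b_sk, a_pk), transcript)
    return transcript, key


def ephemeral_dh_handshake():
    """Forward secrecy: a fresh DH key pair per session on each side.

    In a real ECDHE handshake the long-term keys sign ae_pk/be_pk; that step
    is omitted here because it does not feed into the session key.
    """
    ae_sk, ae_pk = keypair()
    be_sk, be_pk = keypair()
    transcript = ae_pk + be_pk
    key = derive_session_key(x25519(ae_sk, be_pk), transcript)
    assert key == derive_session_key(x25519(be_sk, ae_pk), transcript)
    del ae_sk, be_sk  # ephemeral secrets are discarded after the handshake
    return transcript, key


def passive_attacker(transcript: bytes, stolen_bob_sk: bytes) -> bytes:
    """Recorded the transcript, later obtained Bob's long-term private key."""
    alice_public_on_wire = transcript[:32]
    return derive_session_key(x25519(stolen_bob_sk, alice_public_on_wire), transcript)


def compare_modes() -> dict:
    alice_lt, bob_lt = keypair(), keypair()
    st_transcript, st_key = static_dh_handshake(alice_lt, bob_lt)
    ep_transcript, ep_key = ephemeral_dh_handshake()
    stolen = bob_lt[0]
    return {
        "static_dh_recovered": passive_attacker(st_transcript, stolen) == st_key,
        "ephemeral_dh_recovered": passive_attacker(ep_transcript, stolen) == ep_key,
    }


if __name__ == "__main__":
    print("RFC 7748 vector ok:", rfc7748_vector_ok())
    print(compare_modes())
```

The point of the comparison is that in the ephemeral mode the only material ever written to the wire is two public values whose private halves were thrown away, so the long-term key, even once stolen, computes the wrong shared secret. "Every message with a new key" goes one step further (ratcheting the ephemeral key within a session) and is not shown here.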
~~~
Spearchucker
Whilst it makes perfect sense, it's an exercise in frustration. An asymmetric
key is usually used to protect a shared symmetric key. Generating a strong
asymmetric key on a phone, for example, takes bloody ages. As ever, strong
security comes at the expense of usability.

~~~
devx
PFS only adds 15 percent overhead, and the new ARMv8 architecture will be up
to 10x faster for AES.

------
einhverfr
The idea that we can break public key encryption and go back to shared secrets
doesn't solve the problem for which public key encryption is the answer,
namely sharing the secrets. Schneier's piece would be a little more helpful if
this were considered. Going back to simple shared secrets means that one
cannot securely engage in something like ecommerce, and so breaking public key
encryption would totally break the way we use encryption today.

------
shin_lao
_Certainly the fact that the NSA is pushing elliptic-curve cryptography is
some indication that it can break them more easily._

There are valid and sane reasons to dismiss RSA. Keys are becoming larger and
larger for example.

What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so
that it can RESIST differential cryptanalysis better.

But overall I agree, I think the _"Also, we are investing in groundbreaking
cryptanalytic capabilities to defeat adversarial cryptography and exploit
internet traffic."_ is just vulgarization for the people voting budget.

It doesn't matter if you break the crypto or the implementation as long as you
provide intelligence.

~~~
hga
"_What Bruce doesn't say is that the NSA made modifications to DES S-Boxes
so that it can RESIST differential cryptanalysis better._"

That was then. Back then, the NSA's clear mission was to help prevent the
Soviets from winning, and that included protecting our communications (still
part of their remit). Now ... it's not so clear.

BTW, according to Wikipedia IBM independently discovered differential
cryptography and kept that secret at the NSA's request, so IBM was potentially
in a position to understand the NSA's requested changes, or just plain worked
with it on them.

There were a bunch of things that the NSA might have thought mitigated the
danger so it was an acceptable tradeoff to the very real threat of Soviet
spying on US businesses (see e.g.
[http://nsarchive.wordpress.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/](http://nsarchive.wordpress.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/)):

They limited the key size to 56 bits (according to Wikipedia a compromise
between 48 and 64 ... where else have we heard of that sort of thing:
[https://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode#Cell_size](https://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode#Cell_size)).

It was intended for hardware implementations, and perhaps they didn't do a
good job of factoring in Moore's law, which then was only a decade old and had
a lot more skeptics. And microprocessors were still quite new.

There was a strong export control regime back then, and to the extent DES was
implemented in hardware it was more effective.

Getting back to adversaries, official and unofficial, to the extent they
aren't nation states, or not very wealthy and technically sophisticated ones,
the tradeoffs are significantly different today. We can be very sure they're
not worried about al-Qaeda brute forcing a secretly weakened algorithm as long
as it's not too weak (i.e. requires a lot more than a handful of machines with
GPUs or FPGAs).

Same might be true for various nation states as long as they don't get
patronage from the Russians or Chinese Communists, and we might have an idea of
the capabilities of the latter two frenemies (I sure hope we do!).

------
raheemm
On a different note, considering the popular myth that government by default
is incompetent, this is a remarkable degree of competence, surpassing even the
private sector.

~~~
venomsnake
A brute with a mallet can cause a lot of damage. And yet he is not a master
fencer.

The NSA has a lot of brute force behind its back. It has a rubber stamping
court, is allowed to read existing laws as weak guidelines, has an almost
unlimited budget and the lucky fact that the majority of the world's IT IP is
located in the hands of American companies.

It will be hard to not produce results with all that.

Governments usually are competent in their own way. What they usually lack is
subtlety and elegance.

------
MrBra
> I think it extraordinarily unlikely that the NSA has built a quantum
> computer capable of performing the magnitude of calculation necessary to do
> this, but it's possible.

I think that from the very first moment a quantum computer could be built
(given an extraordinary amount of resources) NSA set this to their highest
priority, and tried to do so, given what this system could provide them, so I
am pretty sure that by now they have already some prototype working and
growing.

Or do you think they're saving money? Or not trying to draw all possible funds
to this cause considering how much appeal its computations could exercise, for
example, for US foreign economy?

------
wjnc
One point that is made more often is: "It's very probable that the NSA has
newer techniques that remain undiscovered in academia."

How does one go about maintaining such an omerta?

Most cryptographic math is not so hard that it requires a team to remember it.
So anyone working in this field at NSA could (if true) become a professor by
working out that math in academia after his/her career at NSA. Or is there
such strong commitment to secrecy that not one former NSA cryptographer would
try to follow that route?

~~~
mr_luc
Compare it to ASDICs.

The Brits invented Sonar in 1916, and the Admiralty kept it secret for long
enough that when World War 2 broke out, they had it fitted on 5 types of ships
as part of an integrated anti-submarine suite; they were the only ones that
had this operational capability.

If you were a scientist who worked on that project, and in 1920 you published
"On Quartz-Based Range Detection In Water", you would have definitely gone to
jail.

(Or, of course, the Enigma cracking -- but that's not really the best example;
it wasn't a long-maintained operational advantage consisting of abilities the
rest of the world didn't have, but rather an emergency skunk-works that got
jump-started by the Poles; it did, however, have a pretty good record of
secrecy after the fact!)

