NSA can retain encrypted communications of Americans possibly indefinitely - pronoiac
http://www.pcworld.com/article/2042673/nsa-can-retain-encrypted-communications-of-americans-possibly-indefinitely.html

======
pronoiac
I had the terrifying thought that this could apply to HTTPS or SSH sessions.
That's alarmist, though, right?

~~~
tptacek
I assume that this applies to HTTPS and SSH sessions.

------
betterunix
I wonder if they might try to claim that this applies to ROT26. It would not
be much more of a stretch than their other interpretations of the law...

~~~
jiggy2011
Good point. Where does one draw the line between encryption, encoding and
compression, for example?

What if a communication itself is not encrypted but contains encrypted
elements, like maybe a session ID?

~~~
betterunix
"Where does one draw the line between encryption, encoding and compression, for
example?"

I am told that the FBI does not actually draw such a distinction when dealing
with criminal messages. The term "null cipher" is used to refer to messages
encoded in a non-randomized fashion that does not involve any secret key. I
was being a bit sarcastic above, but honestly, I would not be surprised if the
government tried to claim that base64 encoding counted as "encryption" in this
situation.

------
jiggy2011
Isn't pretty much everything moving in the direction of always-on encryption,
so this in effect means they can store everything?

------
lantastic
I'm wondering: what is the cost of such retention? If all intercepted data was
encrypted, would that not eventually bankrupt the system?

While such a wide use of encryption seems unlikely, would it be possible to
achieve the same effect by feeding the system with encrypted garbage? Even if
it is eventually decrypted, it adds a lot of noise to the analysis effort,
further increasing the cost.

------
nobody_nowhere
If you read the doc, it says also that domestic communication "reasonably
believed to contain evidence of a crime... may be disseminated to Federal Law
Enforcement authorities".

~~~
throwaway10001
Would that evidence and fruits of it be admissible in court?

~~~
jellicle
Yes, of course.

------
confluence
Well then let's make them store the entire internet. It's about time that we
encrypted everything. Flood the communication channels with encrypted chatter
and let's see how long they can keep storing it all. If you really want to
fuck with them intersperse your encrypted data with random bits from
/dev/random. Even better, just stream random bits non-stop and every so often
intersperse it with just a tiny bit of your real data.

The NSA knows how fucked they'd really be if everyone used end to end
encryption. You can smell their fear.

~~~
RKearney
You probably want to use urandom instead of random. /dev/random will block if
the entropy pool runs out whereas /dev/urandom will not.

~~~
eru
On Linux, yes. Not on the BSDs.

------
cherry314159
This is great! Now to back up my old photos, I'll tar them and encrypt them and
email them to myself. I can always try an FOI request and get them back!

------
assafs
A good deal of encrypted material these days depends on the security of the
private key, though -- e.g., HTTPS loses a good deal of security if the
server's private key is known.

Given the reach of PRISM and related projects, and given that a lot of the
internet was using 1024-bit RSA keys for HTTPS, it's a good question how many
of those private keys are still ... private.

~~~
Torgo
I have always wondered about this. What kind of security do you really get if,
for example, your SSL key is distributed to a couple thousand CloudFlare
servers all over the world?

~~~
ra
Zilch. Cryptographic security depends on good key management practices.

------
tomjen3
And they can and do so for the rest of the world too, but who cares, right?
Only US citizens have a right to privacy, at least according to HN.

------
thomasjames
That is good because, provided there is not some enormous leap forward in
number theory in the meantime, they can keep working on trying to break
256-bit key RSA encryption "indefinitely" as well thanks to a higher law by
the name of thermodynamics.

~~~
grecy
Wait 25 years until Moore's Law catches up, and they can break all those
256-bit encrypted things you did back in 2013.

~~~
thomasjames
From Schneier in "Applied Cryptography" (1996):

"Longer key lengths are better, but only up to a point. AES will have 128-bit,
192-bit, and 256-bit key lengths. This is far longer than needed for the
foreseeable future. In fact, we cannot even imagine a world where 256-bit
brute force searches are possible. It requires some fundamental breakthroughs
in physics and our understanding of the universe.

One of the consequences of the second law of thermodynamics is that a certain
amount of energy is necessary to represent information. To record a single bit
by changing the state of a system requires an amount of energy no less than
kT, where T is the absolute temperature of the system and k is the Boltzmann
constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38 × 10^−16 erg/K, and that the ambient temperature of the
universe is 3.2 Kelvin, an ideal computer running at 3.2 K would consume 4.4 ×
10^−16 ergs every time it set or cleared a bit. To run a computer any colder
than the cosmic background radiation would require extra energy to run a heat
pump.

Now, the annual energy output of our sun is about 1.21 × 10^41 ergs. This is
enough to power about 2.7 × 10^56 single bit changes on our ideal computer;
enough state changes to put a 187-bit counter through all its values. If we
built a Dyson sphere around the sun and captured all its energy for 32 years,
without any loss, we could power a computer to count up to 2^192. Of course,
it wouldn't have the energy left over to perform any useful calculations with
this counter.

But that's just one star, and a measly one at that. A typical supernova
releases something like 10^51 ergs. (About a hundred times as much energy
would be released in the form of neutrinos, but let them go for now.) If all
of this energy could be channeled into a single orgy of computation, a 219-bit
counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are
the maximums that thermodynamics will allow. And they strongly imply that
brute-force attacks against 256-bit keys will be infeasible until computers
are built from something other than matter and occupy something other than
space."
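To make the thermodynamic argument in the quote concrete, here is an added Python script (mine, not from the article or any commenter) that recomputes the counter sizes from the quote's own constants and, going one step beyond it, also evaluates the colder-computer point and the Grover square-root point raised elsewhere in the thread. The function names and the nanokelvin figure are my own assumptions for illustration.

```python
import math

# Constants exactly as given in the quoted passage (cgs units).
K_BOLTZMANN_ERG_PER_K = 1.38e-16   # erg/K
T_COSMIC_BACKGROUND_K = 3.2        # K, temperature of the ideal computer
SUN_ERG_PER_YEAR = 1.21e41         # annual energy output of the Sun
SUPERNOVA_ERG = 1e51               # energy of a typical supernova

def energy_per_bit_flip(temperature_k, k=K_BOLTZMANN_ERG_PER_K):
    """Landauer bound: minimum energy to set or clear one bit at temperature T."""
    return k * temperature_k

def counter_bits(energy_erg, temperature_k=T_COSMIC_BACKGROUND_K):
    """Largest n such that an n-bit counter can be cycled through all 2^n
    states with the given energy budget (one bit flip per state change)."""
    flips = energy_erg / energy_per_bit_flip(temperature_k)
    return math.floor(math.log2(flips))

def years_of_sun_for_bits(n_bits, temperature_k=T_COSMIC_BACKGROUND_K):
    """Years of the Sun's entire output needed to cycle an n-bit counter."""
    total = (2 ** n_bits) * energy_per_bit_flip(temperature_k)
    return total / SUN_ERG_PER_YEAR

def feasible_key_bits(energy_erg, temperature_k=T_COSMIC_BACKGROUND_K,
                      grover=False):
    """Largest symmetric key size whose brute-force search fits the budget.
    With grover=True the search needs only 2^(n/2) steps, so the bound
    doubles; this is optimistic, since a Grover iteration costs far more
    than a single bit flip."""
    bits = counter_bits(energy_erg, temperature_k)
    return 2 * bits if grover else bits

if __name__ == "__main__":
    print("bits per Sun-year:        ", counter_bits(SUN_ERG_PER_YEAR))
    print("bits per 32 Sun-years:    ", counter_bits(32 * SUN_ERG_PER_YEAR))
    print("bits per supernova:       ", counter_bits(SUPERNOVA_ERG))
    # Assumed hypothetical 3.2 nK machine: 10^9 cheaper per flip, +~30 bits.
    print("bits per Sun-year at 3.2nK:", counter_bits(SUN_ERG_PER_YEAR, 3.2e-9))
    print("Sun-years for 256-bit:    %.2e" % years_of_sun_for_bits(256))
    print("Grover-adjusted bound (one supernova):",
          feasible_key_bits(SUPERNOVA_ERG, grover=True))
```

Re-running the quote's numbers gives 220 bits for the supernova rather than the 219 in the text, a one-bit rounding difference that does not affect the conclusion; cooling to nanokelvin gains roughly 30 bits per Sun-year and still leaves a 256-bit search far out of reach.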

~~~
ISL
I've seen this argument quoted a couple of times and blindly accepted it as a
traditional Fermi-style attack on the problem. This is the first time I've
pondered the implementation.

Schneier's argument that 3.2 K is a limit is perhaps not the best one? Dilution
fridges let you into the millikelvin quickly. Optical cooling can readily
reach nanokelvin. Power dissipation remains a significant problem, but the
power requirement is reduced by ~10^9.

From the quantum-computing side of things, it's not that crazy to imagine a
256-bit quantum computer, especially if you have a GDP-caliber budget.
Researchers worldwide are working hard on the relevant technological
precursors.

~~~
peterwaller
I'm under the impression that quantum computers buy you a square root. So
instead of doubling the number of bits in your key to improve the strength of
a key by a ludicrous amount, you should quadruple them.

In addition to this, I don't know how well quantum computers help against
(good) symmetric encryption. They help against certain types of PKI because
they give you the aforementioned speedup in factoring large integers. However,
I think Schneier's argument holds, because brute forcing 2^256 possible keys
is... well, see the argument above about forcing a counter through all those
states.

(Apologies for not citing sources. Hopefully someone more knowledgeable can
weigh in.)

~~~
archgoon
For AES you are correct. The best known quantum attack is Grover's Search
Algorithm (but emphasis on 'known' here), reducing the key space to 2^128.
RSA, however, is based on prime factors, so it can be broken with Shor's
Algorithm, which means it will take on the order of (256)^3 operations.

------
Qantourisc
Let's all generate lots and lots of cat /dev/random over ssh?

~~~
jevinskie
Just use /dev/zero, no need to waste more energy than needed. The NSA is
unable to tell the difference if the cipher is good enough.

~~~
eru
Or, better random without ssh.

~~~
jevinskie
With appropriate handshakes!

------
e3pi
Mobile App Game:

Test the forever-stored future with ten thousand inviting Voynich manuscripts
with buried URL tripwire alert beacons and countdown n-folded damascene crypto
layerings that annunciate when finally cracked and the hunter bot-spider races
along the breadcrumbs, trips the wire, and 'hello'!

------
pvnick
A bit off-topic, but is there a style associated with the image at the top?
Particularly the way that eyeball looks, I've seen that style of artwork a lot
when reading surveillance-related stories.