
German intelligence agencies can decrypt PGP? - rosser
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.golem.de%2Fnews%2Fbundesregierung-deutsche-geheimdienste-koennen-pgp-entschluesseln-1205-92031.html
======
buster
The important sentence here is "Ja, die eingesetzte Technik ist grundsätzlich
hierzu in der Lage, je nach Art und Qualität der Verschlüsselung.".

Means (answering the question if the technology can partially decrypt _or
analyze_ SSH or PGP):

"Yes, the used technology is basically (or _in principle_) capable of doing
that, _depending on the kind and quality of decryption_."

This sentence is so much generalized that the writer almost certainly meant
"yes, we can bruteforce a weak encryption".

Also the question includes the capability of "analyzing" SSH or PGP. That
would (imo) include reading meta-data. So, in fact, if they are capable of
telling the encryption scheme used in a PGP message, they would qualify to
answer "yes, we can" here.

So, that's not surprising and the article is kind of link-bait.

------
ubernostrum
This is a pointless article, and I'm going to be maintaining skepticism until
there's some detail. For example:

Do they have an actual method for breaking PGP, or do they have some sort of
backdoor they've planted? Or some sort of access to the keys through other
means?

If they have an actual method to break PGP, does it work against all the
algorithms, or just one or a few? Does it work against arbitrary key length,
or is there a maximum they can break?

If it's general-purpose enough to be just "PGP" regardless of algorithm/key
length, how quickly can they decrypt? Is this real time? Is it "we can decrypt
in time to find out where next week's attack will be"? Is it "we can decrypt
in time to present evidence at this guy's trial next year"?

Without that sort of information this reads like a scary mistranslation, and
not the sort of thing a government would disclose anyway.

~~~
rubbingalcohol
Correct. PGP mixes symmetric and public key encryption algorithms, letting you
choose your favorite ciphers and key lengths. You can choose RSA, DSA, AES,
CAST5, TripleDES, etc. To say you've "cracked PGP" is akin to saying you've
cracked pretty much all of the widely-accepted ciphers out there. I don't buy
it.

~~~
sounds
I'm looking for any algorithm among those you listed that is considered weak.

[http://en.wikipedia.org/wiki/Triple_DES#Security](http://en.wikipedia.org/wiki/Triple_DES#Security)
\- ok, that has chosen-plaintext weaknesses.

I don't see much information on CAST5 aka CAST128, can someone chime in with
its current status?

I suppose you could encrypt an image using ECB. Would PGP allow this kind of
broken configuration? [http://pthree.org/2012/02/17/ecb-vs-cbc-encryption/](http://pthree.org/2012/02/17/ecb-vs-cbc-encryption/)

~~~
rubbingalcohol
PGP uses CFB mode. To my knowledge there is no implementation that would let
you use ECB.

[http://tools.ietf.org/html/rfc4880](http://tools.ietf.org/html/rfc4880)

------
glurgh
The answer provided by the government does not make a specific claim they can
decrypt PGP or SSH.

The question is quite vague - can the government decrypt, at least partially,
encrypted communications (e.g. PGP or SSH)

The answer is even vaguer, something along the lines of 'The deployed
technology is, in principle, capable of that, depending on the type and
quality of encryption'.

Both the question and the answer are so woolly they can mean anything from
'German intelligence can partially decrypt ROT13' to 'German intelligence can
read 4096 bit PGP encrypted messages like a morning newspaper'.

One can also be reasonably sure that in the extremely unlikely event some
entity somewhere were capable of breaking PGP, they'd go to great lengths not
to tell anyone about it - such a (again, wildly improbable) capability becomes
a lot less valuable if it was common knowledge.

------
rmk2
The most important sentence is this:

"Eine starke Verschlüsselung mit PGP gilt als sicher, wenn es Angreifern nicht
gelingt, den privaten geheimen Schlüssel, den nur der Empfänger besitzt, und
sein Kennwort zu stehlen."

A strong encryption with PGP can be considered as secure, if attackers do not
succeed in stealing the private secret key that only the recipient holds.

Basically, as long as they can't get your secret key and brute-force it
because of a stupid password, you'll be fine.

Edit: fixed numerus

------
weinzierl

      Es würden Anwendungen der deutschen Firmen Utimaco,
      Ipoque oder Trovicor genutzt, um möglichst tief in die
      private Kommunikation einzudringen.

      They use applications of the German companies Utimaco,
      Ipoque or Trovicor to penetrate as deeply as possible
      into the private communications.


The linked PDF doesn't support this claim. It contains a question about the
companies involved, but all it says is that the answer is not public.

If true it might be interesting that former PGP lead developer Gerhard
Eschelbeck is CTO of Sophos (owner of Utimaco).

------
serf
"It's all broken folks, you may as well not use anything at all!"

------
diminoten
I don't understand why some NSA leaks suddenly make people think the state of
crypto is any different than it was two weeks ago. The Snowden leaks thus far
have ZERO relevance to what the collective crypto community considers good
ways of securing data.

Nothing changed, technically speaking. The NSA merely broke _rules_. They
didn't do anything technologically special.

~~~
LoganCale
It doesn't necessarily make people think the state of crypto has changed so
much as suddenly take note of and wonder about the state of crypto. Many such
people ignored it completely prior to this but are now interested in it.

------
weinzierl
Funny thing is that google translates ZKA as CCC in the linked PDF.

ZKA is Zollkriminalamt (customs police) and CCC is Chaos Computer Club - quite
different organisations.

------
yk
The actual document [1] is remarkably vague. ( And the answer states in the
least charitable interpretation that the German intelligence agencies are
capable of partially analyzing ROT13 or detecting traffic on port 443...)

But actually I did only comment to ask, if there is a way to switch from
Google translate to the actual site, not the "original" button which still
goes through Google servers. ( Especially since Google also renders PDF as
HTML, when I click on a PDF link in the page.)

[1] [http://www.andrej-hunko.de/start/download/doc_download/225-s...](http://www.andrej-hunko.de/start/download/doc_download/225-strategische-fernmeldeaufklaerung-durch-geheimdienste-des-bundes) (pdf, German)

------
linhat
Could we please all relax a bit.

If the government tells you they have a technology that can _in principle be
used, depending on type and quality of encryption_, history shows us that
this either means they can decrypt almost everything, or, most likely, not
much. Either way, they are not telling the complete truth at all.

Especially the German government likes to tell us that they have something
that can _in principle_ be used for _something_, like using your issued ID
for online activities, a nationwide health-card system, a _working_ toll
collect system, etc., the list just goes on and on and on...

Anecdote: I remember, a couple of years ago, sitting in the audience of the
yearly Chaos Communication Congress in Berlin in a talk by a pretty popular
lawyer specializing in internet laws and regulation (IIRC the title was
something like _You have the right to stay silent_; if you understand German,
watch it, it's _hilarious_), where in the Q&A session somebody jumps up and
tells the audience (paraphrased):

...the last time the police raided my home (much laughter from the audience)
they took my encrypted disks with them (probably dmcrypt/luks or truecrypt)
and after almost one year they still have not been able to decrypt a single
bit of it...

I'm pretty sure not much has changed with ciphers becoming even stronger these
days. I, at least, sleep well at night, trusting that my PGP2 encrypted mails
are safe.

------
zobzu
The document and translations are all very unclear and imprecise.

Note that they would also claim that they can decode SSH, i.e. SSL.

~~~
dalai
The translation is not too bad in this case and the PDF looks legit. Btw this
is from 2012.

The question was if the technology they have is capable of decoding encrypted
transmissions (e.g. SSH or PGP).

The reply was that in general yes, depending on the type and quality of the
encryption.

What I would note is that neither the question nor the reply are about a
particular encryption technology. I would not take it to mean that they can
decrypt PGP in general.

~~~
fiber
The answer is technically correct, if someone uses a weak enough cipher, they
would be able to decode it. What else could they say? "We spend a lot of money
on eavesdropping software, but really if people are encrypting their
communication, it's all pretty useless."?

------
albertyw
I hope all they've discovered is a technicality allowing for partial decoding.
If they can break PGP/SSL in a way that isn't just brute forcing the hashing
algorithm, then we'll have a lot more trouble than just the government(s)
spying on us.

------
Zarathust
There is an ASIC bitcoin miner which can generate 500GH/s and retails for
$22k. What if you had a billion dollars to crack encryptions?

~~~
pi18n
Let's assume one hash is exactly equivalent to one attempt at brute force and
the keys are 256 bits. 5GH/s * ($5B / $22K) is about 10^17 GH/s. There are
2^256 possibilities, which is about 10^77. So to try them all you need about
10^60 seconds. Granted that is the worst case for the cracker, but the average
case is also going to take quite a while.

~~~
marcosdumay
> Granted that is the worst case for the cracker, but the average case is also
> going to take quite a while.

The average case for finding something equally distributed in a space is half
the time, or about 5 * 10^59 seconds, which is about the same thing, because
with numbers that big "about" usually means anything from *10 to /10.

Of course, RSA keys aren't equally distributed in the key space. That gives a
speedup of some number between 1 and 2 that I can remember (still about the
same thing), and there are search algorithms that reduce the number of tries
by some non-trivial amount. I'm not up-to-date on them.
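The back-of-the-envelope estimate in the two comments above, worked through as an added example (not code from anyone in the thread). It takes the figures the thread gives (500 GH/s per ASIC unit, $22k per unit, a $1B budget) and, like pi18n, assumes one hash trial costs the same as one key trial, which flatters the attacker; the 64- and 128-bit rows are added to show how the picture changes with key length.

```python
# Brute-force time budget for a hypothetical ASIC fleet (constructed example).
# Thread figures: 500 GH/s per unit, $22k per unit, $1B budget, 256-bit key.
# Simplifying assumption (same as pi18n's): one hash == one key trial.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def fleet_rate(budget_usd: float, unit_cost_usd: float,
               unit_trials_per_sec: float) -> float:
    """Aggregate trial rate of as many whole units as the budget buys."""
    units = int(budget_usd // unit_cost_usd)
    return units * unit_trials_per_sec


def worst_case_seconds(key_bits: int, trials_per_sec: float) -> float:
    """Time to exhaust the whole keyspace of 2**key_bits keys."""
    return float(2 ** key_bits) / trials_per_sec


def average_case_seconds(key_bits: int, trials_per_sec: float) -> float:
    """Expected time for a uniformly random key: half the keyspace."""
    return worst_case_seconds(key_bits, trials_per_sec) / 2


def report(key_bits: int, budget_usd: float = 1e9,
           unit_cost_usd: float = 22_000, unit_trials_per_sec: float = 500e9) -> dict:
    """Summarise worst and average case in seconds and years for one key length."""
    rate = fleet_rate(budget_usd, unit_cost_usd, unit_trials_per_sec)
    worst = worst_case_seconds(key_bits, rate)
    return {
        "key_bits": key_bits,
        "trials_per_sec": rate,
        "worst_seconds": worst,
        "worst_years": worst / SECONDS_PER_YEAR,
        "average_years": worst / 2 / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for bits in (64, 128, 256):
        r = report(bits)
        print(f"{r['key_bits']:>3}-bit key @ {r['trials_per_sec']:.3g} trials/s: "
              f"worst {r['worst_years']:.3g} y, average {r['average_years']:.3g} y")
```

With the thread's numbers a 64-bit key falls in minutes, while 256 bits needs on the order of 10^53 years even in the average case, so the "billion dollars of miners" argument only bites against short keys.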

------
aaronpk
I guess pretty good wasn't quite good enough.

------
ohazi
...what!?

edit: So this is from over a year ago. Probably safe to stop panicking.

~~~
patrickg
Why is there a difference if this is old or new?

------
ape4
Special hardware can speed-up brute forcing.

