
I mostly read this thinking "good news". No, seriously, the documents suggest that the NSA hasn't made fundamentally important advances in decryption or uncovered significant weaknesses that academia doesn't know about. Now, that's not too much of a reassurance, because what academia (and the NSA) know is that HTTPS is in a pretty terrible state, end-point security remains a significant problem, IPSec is a terrible protocol and so on.

It does raise the question of what all the mathematicians are doing at the NSA, and why they don't seem to have come up with any meaningful results. Suggests they are a waste of money, but then that's all of the NSA.

I suggest all of you check the original material (powerpoints w/ screenshots). A lot of people here suffer from the action movie mentality where they think the NSA is not like any other government agency, i.e. inefficient, behind the times, filled with horrible middle managers, deadweight, .. you get the idea. Things like the enterprise Java web interface, the CSV mass data export and "genericIPSec_wrapper.pl" can quickly dispel that myth.




Or at the very least they have compartmentalized serious mathematical cryptanalytic capabilities.

For instance:

* We know that the NSA has a novel md5 collision capability since they have used it in their malware. None of the Snowden docs, that I have seen, have talked about this.

* It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.

My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.


That, at least, is the case. Specific operational cryptanalytic capabilities are indeed in separate compartments: PICARESQUE, PIEDMONT; focus on PAWLEYS for backdoors in, say, routers. GCHQ use STRAP3 protection measures for their CRYPTO compartments in CESG.

As a sysadmin, Snowden basically had root, and probably had access to pretty much everything that wasn't thoroughly airgapped. However, very few computing resources would have been cleared for that Exceptionally Compartmented Information. The documents he gathered were focused more on activities like mass surveillance and standard undermining, that he sought to blow the whistle on, rather than their targeted cryptanalytic capabilities in general.

640-bit RSA could be broken essentially in real-time by the computing resources available to GCHQ a couple years ago. Of course, they don't actually have to work in real-time, so I suspect that 1024-bit RSA is entirely within their capabilities currently, given that. Diffie-Hellman is slightly harder, but if they're prepared to throw some in the bin or lag behind, they can probably do it, but that's just guesswork.


It's plausible based on public research that any well-funded adversary can break 1024-bit RSA. You should assume 1024-bit RSA is simply broken.


Yes, and given that, I'm kinda surprised we haven't seen any docs talking about breaking 1024-bit RSA. That should have been their bread and butter, at least as far as DNI is concerned, a few years ago.


What 'yuhong said: it could be expensive, with NSA having the capability to break only one every couple months. They might need to carefully coordinate which keys they break, in which case it would be an important secret which CA keys were broken.


Do you think that the NSA would bother breaking CA keys? We know that they have shadow certificates and have had much success infiltrating CAs to steal their keys, and that they have been able to forge them without having to break the keys (via the previously unknown MD5 collision, as they did for Stuxnet). Seems to me like there are more valuable certs to go after (diplomats' certs, smartcard certs, OS update certs, ...).


So many "diplomats' certs" are used in machines by Crypto AG from Switzerland. And guess what, they had one major incident years ago, and even people working there have simply no clue who owns and controls the company.

I'd say most commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large


I've been interested in Crypto AG for many years and would like to know more. Do you have a source that Crypto AG is still used to store certs that diplomats use?

I guess there is this: http://www.crypto.ch/en/solutions/crypto-secure-diplomatic-m...


It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.

It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.


I don't totally agree. I think that factoring in the risk of exposure leaves a CA root with a worse price / performance ratio versus an individual cert.

While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.

To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.

It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.

Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.

As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.


Yea, if one was signed for www.google.com it would be a serious problem. If it is targeting specific obscure domain names where the customer is willing to accept the risk, that is a different matter.


"Expensive"

With public funding, lots of hardware and expert math/algorithm experts, it's less expensive.

That is, even if the generated key-pair is really 1024-bit strong (and doesn't have any biases known by them)


It is about economics. The attacks on crypto systems have complexities, and still at the end of the day they require things like raw calculation power. Could they break even a single 16384-bit RSA key pair? Probably yes, but they wouldn't be doing anything else that year. It would be simply way too uneconomical.

Presented by Spiegel are internal services that are designed on purpose to be more economical. They exploit more bad implementations. It doesn't really matter as long as the dirty tricks get the work done.

Also, the NSA seems to troll for targets from the vicinity of their targets of interest. It is again more economical, and can be just as revealing. The risk there is that the broken target has nothing of use. The real movie style "let's break the encryption keys" stuff is done for sure targets when they get the extremely rare high value target on a platter.


> Could they break even single 16384-bit RSA key pair? Probably yes

There is no known algorithm that can break a properly generated RSA key of that size - the work required with GNFS is equivalent to brute forcing a symmetric key of something like 280 bits. Anything that could do that should be able to break even 4096 bit RSA keys (~144 bit security) pretty much instantaneously, and their problems with PGP pretty heavily imply they cannot do that.
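As an added illustration (not from the thread), a Python sketch of the GNFS L-notation estimate behind figures like these, anchored to the commonly cited 1024-bit RSA ≈ 80-bit symmetric equivalence (an assumption taken from NIST SP 800-57); the unknown constant factor cancels when comparing two key sizes, which is what the "break 16384 implies break 4096 instantly" argument rests on:

```python
import math

# Heuristic GNFS running time L_n[1/3, c] with c = (64/9)^(1/3). The
# constant factor in front is unknown, so raw values only mean something
# relative to each other; we pin the curve to a published reference point.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)

# Anchor (assumption): NIST SP 800-57 rates 1024-bit RSA at ~80 bits of
# symmetric security. The raw curve is shifted to pass through that point.
ANCHOR_MODULUS_BITS = 1024
ANCHOR_SECURITY_BITS = 80


def gnfs_raw_bits(modulus_bits: int) -> float:
    """log2 of the L_n[1/3, c] estimate for an RSA modulus of the given size.

    Uses n ~ 2^modulus_bits, so ln n = modulus_bits * ln 2.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_ln / math.log(2)


def gnfs_security_bits(modulus_bits: int, calibrated: bool = True) -> float:
    """Approximate symmetric-equivalent security of an RSA modulus.

    With calibrated=True the curve is offset so 1024-bit RSA maps to the
    anchor value; with calibrated=False you get the bare L-notation exponent.
    """
    raw = gnfs_raw_bits(modulus_bits)
    if not calibrated:
        return raw
    offset = ANCHOR_SECURITY_BITS - gnfs_raw_bits(ANCHOR_MODULUS_BITS)
    return raw + offset


def relative_work_log2(bigger_bits: int, smaller_bits: int) -> float:
    """log2 of how much more GNFS work the bigger modulus needs than the smaller.

    The unknown constant factor cancels here, so no calibration is involved.
    """
    return gnfs_raw_bits(bigger_bits) - gnfs_raw_bits(smaller_bits)


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096, 16384):
        print(f"RSA-{bits:5d}: ~{gnfs_security_bits(bits):5.1f}-bit symmetric equivalent")
    print(f"16384 vs 4096: about 2^{relative_work_log2(16384, 4096):.0f} times more work")
```

The calibrated figures land near the commenter's rough numbers (about 150 bits for 4096 and about 270 bits for 16384), and the gap between the two sizes is roughly 2^120, which is why a 16384-bit break would imply 4096-bit keys falling for free.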


Appelbaum also mentioned they have advanced cryptanalytic capabilities against AES, but the evidence right now supports that these advances are not enough to break AES in the general case.


Might be of interest in light of possible AES breakage: I have a small project that encrypts/decrypts the whole message with RSA (of course the message is also signed before encryption and the result is verified on decryption);

runs on as many cores as available; also for this it goes to some length to avoid multithreading locks in openssl (where possible).

http://mosermichael.github.io/cstuff/all/projects/2014/02/24...


I would not see any news organizations publishing any leaked document relating to actual technical capabilities. I don't even think that Snowden shared them with the reporters; the only ones who have probably seen them besides Snowden are the FSB officers who "debriefed" him once he arrived in Russia. That's actually the thing that worries me the most about this incident. Snowden himself said that he kept the truly "nasty" stuff safe to be released in case something happens to him. But while he might not have shared this with the press, anyone who thinks he didn't have to buy his freedom in Russia with the full uncensored documents is fooling himself. This means that if he had any operational documents, Russia and its allies (N. Korea, Iran, China) just got a free upgrade to their own computer and communication intelligence apparatus. While people might not like their privacy being violated, for the most part the NSA uses its capabilities against unquestionably bad people, while in places like Russia and Iran it will be used against anything from reporters to political activists with much more severe consequences.


Here is yet another example of an unprovoked comment pushed to the top of a forum promoting the idea that three letter agencies like the NSA are incompetent and no better than the public sector at what they do, and that we don't need to worry about them. Go back to bed America, everything is OK.

Just like the rest of the government, the NSA is not a monolithic entity with no separation of concerns. There are people who clean the floor and people who are at the extreme cutting edge of research.

Don't let anyone convince you otherwise.


Of course we need to worry about them? Even by what academia knows, it's pretty bad right now for security and encryption in practice.

The belief that the NSA is at the extreme cutting edge and just so far ahead is exactly what stops us from making iterative, simple improvements on the technology we use. It's plain unhelpful, and as the data suggests, probably wrong.

(The separation of concerns part is hilarious. Remember, this is the same agency where Snowden managed to wget -r their wiki and various other databases and then go on an extended vacation unnoticed.)


The only data we have points to the NSA being ahead of the academic community, from differential cryptanalysis onwards.


Yeah -- a competent organization would have rewritten genericIPSec_wrapper.pl to genericIPsec_wrapper.rb ages ago!


SSL was sort of expected. There are tons of bad SSL implementations out there using ciphers with RC4 and SHA1, but I don't think virtually all VPNs being bypassed and decrypted is "good news".


Also, most docs are from 2012. Who knows what happened since then. There is a reason they have an army of mathematicians at hand.

I look forward to the day when they walk away from their jobs.


It doesn't matter how many mathematicians they have, they can't break good encryption. Unless the NSA has a super secret quantum computer that even Snowden didn't know about...


Well, until 2 Israeli guys "rediscovered" differential cryptanalysis against DES in the late '80s no one knew about it either, no one with the exception of the NSA and the DES working group at IBM that is, even though to them that weakness had been known for almost 2 decades.

Additionally something like an effective attack against AES, RSA, or any other major encryption standard will probably be so compartmentalized that it won't even have a code word.

But on the other hand S31176 refers to a program which provides cryptanalysis against VPN (IPSEC, SSL and more) and it claims that they can decrypt (some of) the traffic. http://www.spiegel.de/media/media-35515.pdf



