90 percent of Tor keys can be broken by NSA: what does it mean?


#1

[Permalink]


#2

Bruce Schneier recommended avoiding elliptical encryption because the NSA has been involved in the standards process for it and may have intentionally weakened some of it. His recommendation was longer key lengths. 2048 at least probably time to look at 3072.

"Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily."

https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html


#3

4096 works too.


#4

NSA has spent the necessary sum and sourced these chips (likely from IBM).

Such a fine, upstanding corporation.



#5

The challenge is to get wide adoption of good crypto and use it by default. No one is going to help us but us. It appears that the major institutions have it out for the common people. I shouldn't be surprised.


#6

Call your rep. Do you duty.


#7

That does bring up the likely-hood that no matter how secure your traffic is today that an archive of it will be broken in the future.


#8

We've been told about these sort of things for likely decades now (Clipper chip, Carnivore). The main difference is that instead of it being vague rumors it's documented information from an insider. For that we have people like Snowden and Manning to thank. It's not amazing that the people with power in government want to bury these supporters of true democracy. It is amazing how many who claim to be supporters of democracy and freedom condemn them, and others like them who stand up for truth despite the expected harsh result, as traitors. Traitors to abusive police states. Is it really a surprise that in the world wide oligarchy that we inhabit the mega corporations of our planet are partners (senior partners) in the police state?

I vaguely remember reading something about a government tech operative explaining to a tech guru (I believe it was Ken Thompson) that unless he had the source code to the operating system and compiler he used to compile his system and compiler he could not be certain that it was secure.

[Edit: Corrected "Bradley" to "Manning"]


#9

It's about economics and capability. It is currently very difficult to store most or all internet traffic and archive it long term. Then they have to crack the data. If you encrypted data 30 years ago using DES and they have a record of it, it can be cracked. I don't know how practical it is to crack RSA-1024 with NSAs current budget and technical capabilities. NSA is convincing corporations to make their crypto weaker. It may still be very hard to crack some crypto. It is probable that some strong crypto is computational impractical to crack for the foreseeable future. Stay professionally paranoid.


#10

Schneier on how hard it is to crack RSA-1024. Date 2008.

https://www.schneier.com/blog/archives/2008/06/kaspersky_labs.html


#11

"Reflections on Trusting Trust", Ken Thompson
Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.

PDF here: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf


#12

Here's the fascinating part about all this: it requires the cooperation, on some level, of thousands of people. The moment that those people stop agreeing with the NSA to do what they're doing, the surveillance ceases to work. If the NSA can't do their job without 'tricks', then it becomes kind of pointless to actually do what they're doing. Exposing the real traitors working in US corporations who, through coercion or cooperation, agreed to build in the backdoors, is probably the easiest way to shame them into not doing it (easier than convincing the millions of stupid Americans who silently assent to weakening their own security and civil liberties in order to fight 'terrorists').


#13

If you want to be sure the NSA can't break your crypto, use what they approve for classified data. If the NSA can break an algorithm, the assume someone else might be able to as well. (I assume the NSA has key escrow on all NSA-secured crypto, so they don't need to be able to break it)

Type 1, suite B crypto. ECDH is on that list.


#14

From the link kindly supplied by "getoffmylawn:"

Acknowledgment. I first read of the possibility of such a Trojan horse in an Air Force critique of the security of an early implementation of Multics. I cannot find more specific reference to this document. I would appreciate it if anyone who can supply this reference would let me know.

My vague memory seems more on the level of a direct interaction between the government operative and the tech guru, so maybe there's another KT reference to it. But this covers the problem in detail. Thanks.


#15

I don't get this. Every single time I log into TOR, it reminds me to update, or it would if I ever used TOR, which I never would, because I have nothing to hide. But I just don't get how so many people could be running an outdated version. Ninety percent? And these are people who care about privacy?


#16

Came here to post just that.

As I understnd it, the trick is that the constants in ECC cryto could be random, or they could have been generated out of some source data known to insiders to the process. Looking at the numbers, there's no way to tell. But, if it was the latter, then whoever knows the source data, can easily defeat the crypto.

And guess who it was that pushed for the specific constants in use in the main ECC crypto implementations?

So, you could design a protocol that does ECC crypto, but generates random constants at the beginning of the connection - but most protocol designers wont do that.


#17

Nope! That's the thing about crypto, it's asymmetrical. The difficulty of scrambling data scales linearly with keylengths, while brute-force descrambling scales exponentially. It doesn't take too many bits in the key to encipher a message such that it could not be broken in a universe where every hydrogen atom was made to labor at the speed of the fastest GPU until the heat-death of the universe.

You're vulnerable at that point to things like implementation flaws and fundamental breakthroughs in math, but not to brute-force attacks.


#18

Okay, so I was looking at going secure, using TOR or a VPN. I know nothing about it except what I read here and abouts. Simply put I didn't because I was under the impression that TOR was compramised. Given that many TOR address' are compromised, were I to use the new version, would it be rendered meaningless between the flash compromise and the number of people packing this one? With little practical understanding of a VPN is it meaningless to use it? Given that I don't know of a zero knowledge email service and wouldn't trust them if I did does it even matter? I can't get the people I email to use crypto so again the same question? Lastly I don't encrypt my drives or phone, so again, is privacy worth it, or do I just assume I am being monitored and do all I can to change the legislation and accept that until then I am not secure?


#19

It's "elliptic curves", not "elliptical curves". They have little to do with "ellipses", a common misconception.


#20

The repositories for Tor that are available to Ubuntu users (and several others) by default has an outdated version of TOR. Ubuntu and other projects have rules about which repositories they will include by default, and what software they will include by default.

It seems that what is really necessary is for everyone to update TOR ASAP; cutting older versions that can't update out of the network, undermines the purpose of the network.