Could it simply be disinformation? If we bad guys thought strong crypto was cracked, we might not bother to use it.
Cue MC Frontalot's "Secrets from the Future"
This all makes me want to watch Sneakers again. Setec Astronomy - http://www.youtube.com/watch?v=GutJf9umD9c
The strongest encryption today will be trivial to crack at some point in the future - sooner than you think.
I suspect (not know, not "am able to prove", suspect) that their "breakthrough" involves being a shadow-peer-certificate-authority, getting ahold of (or even having issued) the certs being issued to authenticate and encrypt.
My real paranoia says that they invented BitCoin in order to build a giant, more-or-less free method to do a lot of cracking computation on finding certificates with hash collisions that could be used.
Or it could be as simple as they found a side-channel timing attack in many (most) implementations of TLS, similar to the one described in "Remote Timing Attacks are Still Practical" by Billy Bob Brumley and Nicola Tuveri.
Future breakthroughs in Quantum Computing? If they'd already made them do you think they'd tell us? I knew one serious Crypto-Freak who said he'd followed the career paths of a dozen people who'd published one, usually very interesting, paper on Quantum Computing and they all ended up not publicly publishing anything else and going in some sort of vague "government work".
So what. Double the bits, then you're back out ahead. This is an arms race that can't be won by smarts, but can EASILY be won by brute force of a different kind. Compel big e-bizzes and cert authorities to share their keys, and you're in.
Why hot wire the car when you can just bust a small window in the kitchen with your fist and grab the keys off the keyrack? (And force a gag order on the homeowner, while you're at it.)
I like the theory that they are collecting haystacks, against some theoretical future development that facilitates finding needles
Maybe not. It would take a major breakthrough in either
- quantum computing (which no one seems to be able to make work yet)
- cryptography (possible, but by no means guaranteed that some major flaw lies undiscovered in the algorithms in use)
If we're talking about brute force, it's just not likely to happen. My favourite illustration of that is that the sun will not produce enough energy to advance a 128-bit counter all the way from 0 to 2^128 before it burns out. Never mind doing any calculations with the number - just count that high. A perfectly efficient Dyson sphere powering a perfectly efficient 128-bit silicon-wafer register, and the sun would burn out before it counted that high.
Interestingly, having issued the certs would not get them the ability to decrypt the traffic. A cert request does not include the private key, so not even the CA can decrypt traffic under certs it issued.
What they could do would be to issue additional, apparently valid, certs, to themselves - for which they would control the corresponding private keys. To make use of those, however, they'd have to redirect traffic of interest to their own infrastructure and conduct a man-in-the-middle attack.
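To make the point in the comment above concrete, here is an added example (mine, not the commenter's, built only with Go's standard library): a constructed root CA issues the site's genuine certificate from the site's public key alone, then issues a second certificate for the same name under a key the CA generated itself. Both chain cleanly to the root, so ordinary chain validation cannot tell them apart; a pinned SubjectPublicKeyInfo hash does, which is why key pinning and Certificate Transparency are the defences against mis-issuance. "Toy Root CA" and "mail.example" are placeholder names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must panics on err to keep the toy short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a cert for pub with signerKey; parent == nil makes a self-signed root (the toy CA).
// The CA only ever receives pub: the matching private key stays with whoever generated it.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey, ku x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}
// ChainsTo reports whether cert validates for host against a trust store holding only ca.
func ChainsTo(cert, ca *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// SPKIPin is SHA-256(SubjectPublicKeyInfo), the value a key-pinning client compares (base64-encoded in HPKP).
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Scenario builds a constructed root CA, the site's genuine cert (key generated by the site) and a
// second cert for the same name under a key the CA generated itself, the case the comment describes.
func Scenario(host string) (ca, genuine, rogue *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, siteKey, rogueKey := newKey(), newKey(), newKey()
	ca = issue("Toy Root CA", &caKey.PublicKey, nil, caKey, x509.KeyUsageCertSign)
	genuine = issue(host, &siteKey.PublicKey, ca, caKey, x509.KeyUsageDigitalSignature)
	rogue = issue(host, &rogueKey.PublicKey, ca, caKey, x509.KeyUsageDigitalSignature)
	return ca, genuine, rogue
}
```

The CA never touched siteKey, so issuing the genuine cert gave it nothing that decrypts the site's traffic; the second cert only matters if traffic can be steered to a server holding rogueKey, and a client comparing SPKIPin against the pinned value refuses that server.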
Maybe, maybe not. If and when it happens there will be new crypto to deal with it. Also, everything needs encryption. We need to increase the amount of encrypted traffic so that targeting, storing, and breaking, cryptographic communication becomes VERY impractical.
Cryptography is only one tool in the security toolbox. Everything must be hardened to deny unauthorized and unwelcome access to any and all.
I suspect that the real reason that they are capturing this information and hanging onto it is because, as various agencies image computers collected in investigations and collect public and private keys from there, as well as getting public and private keys from businesses such as Google, Yahoo, Bing err Microsoft, et al., they will be testing the cryptext against each of those keys, and as cryptext is decrypted, they will move that out of the pool of potential evidence into the pool of material to review to determine if it is material that may be evidence of a crime or national security issue, and handle the material accordingly.
It would not surprise me if some of the suggested botnets that the FBI and others are supposedly running are not capturing public/private keypairs for the very same purpose.
Or perhaps a future development that turns hay into needles.
Sure, there will always be an arms (or crypto) race and I'm confident that the crypto will stay ahead of the cracking, at least in the near future. The point I'm making is that whatever you encrypt now that is being stored somewhere - be it a file locker or the NSA, that will be trivially cracked.
As a minor note to this, the NSA doesn't necessarily need to know your private key to decrypt e-mails sent to you; it needs your private key, or the pair to the key that the encryption key for the e-mail was encrypted with, if the sender wants to keep the e-mail in a form that they can access later as well, without retaining a plaintext edition of the e-mail. It may be easier to get that than to get your private key.
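As an added illustration of the point above (my own code, not the commenter's, using Go's standard library as a stand-in for the OpenPGP and S/MIME layouts the comment has in mind): a hybrid-encrypted mail carries one encrypted body and one wrapped copy of the session key per public key it was encrypted to, and a sender who wants to re-read the mail includes their own public key, so whoever obtains either private key can open the whole message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)
// Mail is a hybrid-encrypted message: one AES-256-GCM body plus the session key wrapped with RSA-OAEP once per recipient key.
type Mail struct{ Nonce, Body []byte; WrappedKeys [][]byte }

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal encrypts plain to every key in to; a sender who wants to read the mail later just includes their own public key.
func Seal(plain []byte, to ...*rsa.PublicKey) (*Mail, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, m := buf[:32], &Mail{Nonce: buf[32:]}
	m.Body = gcmFor(key).Seal(nil, m.Nonce, plain, nil)
	for _, pub := range to {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		m.WrappedKeys = append(m.WrappedKeys, w)
	}
	return m, nil
}
// Open tries priv against every wrapped copy of the session key: any one of the private keys the mail was encrypted to recovers the whole body.
func Open(m *Mail, priv *rsa.PrivateKey) ([]byte, bool) {
	for _, w := range m.WrappedKeys {
		key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // this copy was not wrapped to priv
		}
		if plain, err := gcmFor(key).Open(nil, m.Nonce, m.Body, nil); err == nil {
			return plain, true
		}
	}
	return nil, false
}
```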
1) Commercial quantum computers are now available
2) They've not broken strong crypto IMO. They're collecting encrypted data because one day it'll be easily decryptable and there's a good chance that most data they're interested in seeing is gonna be transmitted in an encrypted form
3) Of course they're gonna tell us it's broken to make us more complacent
I believe there was some discussion that this occurred with Lavabit on reddit.com. The certs were coming back from a different CA, and couldn't be traced back directly to Lavabit's CA. For the life of me I can't find that thread now. I noted as well that the CA was not correct when I attempted to sign up right after the Snowden news hit.
But they know we don't trust them. So maybe they said they haven't broken strong crypto because they want us to think that they have broken it, when in fact they actually haven't! Maybe ROT13 is the only code the NSA can't crack, which is why they've been completely silent about it ever since the Snowden leaks dropped.
In crypto, as in any scientific field, there's no room for conspiracy thinking. There is no disinformation, there's only information (substantiated, verifiable observations) and non-information (unsubstantiated claims). Schneier does a great job keeping us focused on the former.
True, but there's ample room in politics.