[cryptography] philosophical question about strengths and attacks at impossible levels
iang at iang.org
Tue Nov 23 17:42:35 EST 2010
On 24/11/10 7:51 AM, travis+ml-rbcryptography at subspacefield.org wrote:
> On what basis do you make the (implicit) assumption that cert privkeys
> were actually stolen?
For me, it would be Preponderance of evidence, or in non-legal terms
"more likely than not."
> Note; I do not claim to have any evidence the pubkeys were factored,
> etc., I'm just wondering on what basis you jump to assuming it was
> a node security failure.
Yeah. We are somewhat hamstrung in our analysis because we have little
or no direct evidence. We aren't viewing the direct facts of what is
occurring, we're having to derive our view from indirect information such
as media reports, narrow anecdotes from our work, our risk analyses of
likelihood of attacks, and our own general experience.
So, for example, we know some things:
CAs aren't rushing to revoke their roots and jump to higher strength,
/and/ user certificates seem to be identified and revoked from time to time.
There is a history of breaches. At some point in the past there was
a company reporting that Linux servers were being breached at around
4000 per month (IIRC); we know that packages of Linux servers are
bought & sold on the attacker markets. Acquiring a stolen cert is
We can calculate the cost of a root key factoring, and we can also
see some data points of root attacks (one MD5-without-nonces sub-root
was crunched about 1-2 years back).
The security UI work suggests that the whole UI link of the security
chain is marginal, and most known attacks are aggregate rather than
targeted, so the use of a stolen cert seems as plausible as using a
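The post says the cost of factoring a root key can be calculated. The block below is an added worked example, not code from the original post or its author: it uses the standard GNFS heuristic L_n[1/3, (64/9)^(1/3)] to compare the work for different RSA modulus sizes, and scales from the published RSA-768 effort (roughly 2000 single-core 2.2 GHz Opteron years, Kleinjung et al., 2010) to get rough core-year figures. Everything else (the 100k-core machine, ignoring the o(1) term in the exponent) is an assumption of this example, so only the ratios between key sizes should be taken seriously.

```python
import math

# Added example, not from the original post. Relative cost of factoring an RSA
# modulus of a given bit length with the General Number Field Sieve, using the
# heuristic L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).
# The o(1) term in the exponent is dropped, so absolute values are meaningless
# and only ratios between key sizes are (roughly) informative.

C_GNFS = (64 / 9) ** (1 / 3)  # ~1.923


def ln_gnfs_work(bits: int) -> float:
    """Natural log of the heuristic GNFS work for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)  # ln(n) for n ~ 2^bits
    return C_GNFS * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_cost(bits: int, baseline_bits: int = 768) -> float:
    """Work factor relative to a baseline size (default RSA-768, factored Dec 2009).

    Computed in the log domain so large sizes do not overflow exp()."""
    return math.exp(ln_gnfs_work(bits) - ln_gnfs_work(baseline_bits))


# Published figure: RSA-768 took about 2000 core-years on 2.2 GHz Opterons
# (Kleinjung et al., 2010). Extrapolating from it is an assumption of this example.
RSA768_CORE_YEARS = 2000.0


def core_years(bits: int) -> float:
    """Heuristic core-years to factor an n-bit RSA modulus, scaled from RSA-768."""
    return RSA768_CORE_YEARS * relative_cost(bits)


def wall_clock_years(bits: int, cores: int) -> float:
    """Calendar time if `cores` cores of the RSA-768 class ran the job in parallel."""
    return core_years(bits) / cores


if __name__ == "__main__":
    # 100k cores is an assumed attacker budget, chosen only to make the scale visible.
    for b in (512, 768, 1024, 2048):
        print(f"RSA-{b}: ~{relative_cost(b):.3g}x RSA-768, "
              f"~{core_years(b):.3g} core-years, "
              f"~{wall_clock_years(b, 100_000):.3g} years on 100k cores")
```

Run stand-alone it prints one line per key size; a 1024-bit modulus comes out on the order of a thousand times RSA-768 and a 2048-bit one on the order of 10^12 times, which is the kind of number the post's cost comparison against buying an already-compromised server rests on. The heuristic says nothing about special-structure attacks or implementation flaws, which are a separate question from raw factoring cost.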