[cryptography] [info] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

Marsh Ray marsh at extendedsubset.com
Thu Mar 22 13:02:57 EDT 2012

On 03/22/2012 09:57 AM, Peter Maxwell wrote:
> From
> http://blogs.computerworld.com/19917/shocker_nsa_chief_denies_total_information_awareness_spying_on_americans?source=CTWNLE_nlt_security_2012-03-22
>>  "Remember," former intelligence official Binney stated, "a lot of
>> foreign government stuff we've never been able to break is 128 or
>> less. Break all that and you'll find out a lot more of what you
>> didn't know-stuff we've already stored-so there's an enormous
>> amount of information still in there."

In other words, they've accumulated a backlog of ciphertext. Encryption
working as designed.

>> Binney added the NSA is "on the verge of breaking a key encryption
>> algorithm."

This sounds like budget boondoggle baloney to me.

How can you be "on the verge" of something like that?

You might have some ideas on how to attack it, but until they're proven
they're just guesses and likely to be dead ends. Not something you
should justify reworking your computing systems around.

But once they're proven, you're not "on the verge".

> That sounds far more plausible than the previous explanations.  I'd
> also suspect the "key encryption algorithm" may be RC4 and not AES
> at the moment.

Or it could just be all the 40- and 56- bit stuff that was captured by
wiretapping Americans and not decrypted way back when the NSA felt
constrained by laws.

Or it could be everything using 512-bit RSA key exchange.

Or it could be everything for which the security of the encryption
ultimately depends on a user-chosen password. E.g., MS-PPTP/MPPE (but
there's nothing really new about this).

Or it could be a common protocol using a cipher weakly. For example, I
noticed this the other day about RDP "standard, non-FIPS" mode:
If the endpoints do actually manage to negotiate the use of 128 bit (as
opposed to 40 or 56 bit) security, it uses the output of RC4 without
discarding any initial bytes. Those initial bytes have some
correlations, some of which can expose the whole key. Just to make sure
the 1684 bit state size of RC4 doesn't get stale, the protocol refreshes
the key every 4096 packets. (Actually better than MPPE which seems to
rekey every 1 or 256 packets depending on negotiated options).

Or it could be complete BS.

- Marsh

More information about the cryptography mailing list