[cryptography] what has the NSA broken?

Patrick Pelletier code at funwithsoftware.org
Thu Sep 5 23:31:40 EDT 2013


On 9/5/13 6:25 PM, Andy Isaacson wrote:

> However, virtually nobody properly keys their ciphers with physical
> entropy.  I suspect that correlated key PRNG attacks are almost
> certainly a significant part of the NSA/GCHQ crypto break.  Many
> deployed systems expose a significant amount of correlated output of
> /dev/urandom or the in-process PRNG.

Isn't the point of a good PRNG that future output can't be predicted, 
even knowing all previous output?  If we assume that AES can't be broken 
even with the NSA's resources, why would a PRNG based on AES be 
breakable by the NSA?  (i.e. breaking AES-CTR used as a PRNG and 
breaking AES-CTR used as a cipher amount to the same thing.)  Back to 
the old random vs urandom debate, and whether it's possible to 
"decrease" entropy.

> Also, retrieving key material from endpoints is a high return activity.
> Nearly nobody uses PFS ciphersuites, many HTTPS private keys are used for
> multiple years, and a single 1 KiB leak of key material is sufficient to
> decrypt all traffic under that key.

Yeah, the long life of private keys was recently a subject on the 
perpass list:

http://www.ietf.org/mail-archive/web/perpass/current/msg00066.html

> RSA-1024 I'd treat as dead, RSA-2048 is
> probably robust enough that if NSA have an attack it would be too
> valuable to risk exposing under anything but an existential threat
> scenario.

It would be fair to say the same thing about 1024-bit Diffie-Hellman, 
too, right?  Most of the charts I've seen seem to indicate that.  So 
even a PFS ciphersuite wouldn't help you that much if you used 1024-bit 
DHE?  And yet a lot of software seems bent against using larger primes:

http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html

and OpenSSL seems to consider it the fault of the people wanting to use 
larger primes, rather than vice-versa:

http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html

> I've met djb and all my checks for NSA minders came up negative.

Speaking of which, would Curve25519 be a wiser choice for ECDHE than the 
NIST-approved curves, given that Bruce Schneier believes the NSA is 
influencing NIST (for the worse)?

http://www.ietf.org/mail-archive/web/perpass/current/msg00087.html

--Patrick
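The AES-CTR generator Patrick asks about, as an added illustration that is not part of this message or of Andy's: a minimal AES-256 counter-mode generator with a key ratchet after every call. It is a constructed toy, not NIST's CTR_DRBG, not /dev/urandom and not Go's crypto/rand, and the names CTRDRBG, Generate and State are this example's own. Run it and it shows the two things the thread is circling: every bit of output is a deterministic function of the seed (so a poorly seeded or shared seed, not AES, is what makes output correlated across systems), and a captured state predicts all future output but, because the key that produced earlier output has been ratcheted away, cannot reproduce the past.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// CTRDRBG is a minimal AES-256-in-counter-mode generator written for this
// thread as an illustration (hypothetical; not NIST CTR_DRBG, not crypto/rand).
type CTRDRBG struct {
	key     [32]byte // current AES-256 key; replaced after every Generate call
	counter uint64   // block counter fed to AES; never reused under one key
}

// NewCTRDRBG seeds the generator. The generator adds no entropy of its own:
// two instances given the same seed emit the same stream.
func NewCTRDRBG(seed [32]byte) *CTRDRBG {
	return &CTRDRBG{key: seed}
}

// nextBlock encrypts the current counter value under the current key.
func (g *CTRDRBG) nextBlock() [16]byte {
	block, err := aes.NewCipher(g.key[:])
	if err != nil {
		panic(err) // cannot happen with a 32-byte key
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[8:], g.counter)
	g.counter++
	block.Encrypt(out[:], in[:])
	return out
}

// Generate returns n pseudorandom bytes and then ratchets: the next two
// keystream blocks become the new key, so the key that produced this output
// no longer exists in the state (backtracking resistance).
func (g *CTRDRBG) Generate(n int) []byte {
	out := make([]byte, 0, n+16)
	for len(out) < n {
		b := g.nextBlock()
		out = append(out, b[:]...)
	}
	out = out[:n]
	k0, k1 := g.nextBlock(), g.nextBlock()
	copy(g.key[:16], k0[:])
	copy(g.key[16:], k1[:])
	g.counter = 0 // fresh key, so the counter may restart
	return out
}

// State exposes the current key, standing in for a leak of process memory.
// Whoever learns it can predict every future output of this instance.
func (g *CTRDRBG) State() [32]byte { return g.key }

func main() {
	var seed [32]byte
	if _, err := rand.Read(seed[:]); err != nil {
		panic(err)
	}
	g := NewCTRDRBG(seed)
	first := g.Generate(32)
	captured := g.State()
	fmt.Printf("first output:       %x\n", first)
	fmt.Printf("replay from state:  %x\n", NewCTRDRBG(captured).Generate(32))
	fmt.Printf("actual next output: %x\n", g.Generate(32))
	fmt.Println("same seed reproduces the stream:",
		bytes.Equal(NewCTRDRBG(seed).Generate(32), first))
}
```

The replay line never matches the first output but always matches the next one: the ratchet protects the past, and only the secrecy of the seed and state protects the future, which is why the seeding question and the AES question are separate.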


