[cryptography] what has the NSA broken?
code at funwithsoftware.org
Thu Sep 5 23:31:40 EDT 2013
On 9/5/13 6:25 PM, Andy Isaacson wrote:
> However, virtually nobody properly keys their ciphers with physical
> entropy. I suspect that correlated key PRNG attacks are almost
> certainly a significant part of the NSA/GCHQ crypto break. Many
> deployed systems expose a significant amount of correlated output of
> /dev/urandom or the in-process PRNG.
Isn't the point of a good PRNG that future output can't be predicted,
even knowing all previous output? If we assume that AES can't be broken
even with the NSA's resources, why would a PRNG based on AES be
breakable by the NSA? (i.e. breaking AES-CTR used as a PRNG and
breaking AES-CTR used as a cipher amount to the same thing.) Back to
the old random vs urandom debate, and whether it's possible to
> Also, retrieving key material from endpoints is a high return activity.
> Nearly nobody uses PFS ciphersuites, many HTTPS privatekeys are used for
> multiple years, and a single 1 KiB leak of key material is sufficient to
> decrypt all traffic under that key.
Yeah, the long life of private keys was recently a subject on the
> RSA-1024 I'd treat as dead, RSA-2048 is
> probably robust enough that if NSA have an attack it would be too
> valuable to risk exposing under anything but an existential threat
It would be fair to say the same thing about 1024-bit Diffie-Hellman,
too, right? Most of the charts I've seen seem to indicate that. So
even a PFS ciphersuite wouldn't help you that much if you used 1024-bit
DHE? And yet a lot of software seems bent against using larger primes:
and OpenSSL seems to consider it the fault of the people wanting to use
larger primes, rather than vice-versa:
> I've met djb and all my checks for NSA minders came up negative.
Speaking of which, would Curve25519 be a wiser choice for ECDHE than the
NIST-approved curves, given that Bruce Schneier believes the NSA is
influencing NIST (for the worse)?
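An added illustration of the two points above (the AES-CTR-as-PRNG question and the correlated-key worry), written for this reply and not code from the list or any poster: a bare AES-CTR generator whose only secret is its seed. When that seed carries 16 bits of entropy, sixteen leaked output bytes are enough to recover it and predict everything the generator emits next, with AES itself never attacked. The type and function names and the 16-bit seed model are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// ctrDRBG is a bare AES-CTR generator: output block i = AES_k(i). Hypothetical
// illustration only, not an SP 800-90A CTR_DRBG (no reseeding, no backtracking resistance).
type ctrDRBG struct{ stream cipher.Stream }

// newCTRDRBG hashes whatever seed it is given into the AES key; all of the
// generator's security lives in the entropy of that seed, none of it in AES.
func newCTRDRBG(seed []byte) *ctrDRBG {
	key := sha256.Sum256(seed)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key never errors
	iv := make([]byte, aes.BlockSize)  // counter starts at zero; the key is the secret
	return &ctrDRBG{stream: cipher.NewCTR(block, iv)}
}

// Read returns the next n keystream bytes (XOR against zeros exposes the raw stream).
func (d *ctrDRBG) Read(n int) []byte {
	out := make([]byte, n)
	d.stream.XORKeyStream(out, out)
	return out
}

// seed16 models a badly keyed generator whose whole seed is one 16-bit value
// (a PID or coarse timestamp, say). Constructed for this example.
func seed16(v uint16) []byte { return []byte{byte(v >> 8), byte(v)} }

// predictNext takes leaked generator output, searches the tiny seed space for the
// seed that reproduces it, and returns the n bytes the generator will emit next.
func predictNext(leaked []byte, n int) ([]byte, bool) {
	for v := 0; v < 1<<16; v++ {
		d := newCTRDRBG(seed16(uint16(v)))
		if bytes.Equal(d.Read(len(leaked)), leaked) {
			return d.Read(n), true
		}
	}
	return nil, false
}

func main() {
	victim := newCTRDRBG(seed16(0xBEEF)) // constructed weak seed
	guess, ok := predictNext(victim.Read(16), 16)
	fmt.Println("seed recovered:", ok, "next block predicted:", bytes.Equal(guess, victim.Read(16)))
}
```

The same generator keyed from 32 bytes of real entropy is untouched by this search, which is the whole of the "AES-CTR PRNG is as strong as AES" claim: it holds only once the key is actually unpredictable.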