Sponsorship

Posted Jan 9, 2014 18:22 UTC (Thu) by BrucePerens (guest, #2510)
Parent article: A new Dual EC DRBG flaw

A very long time ago, I had a minor involvement in a project with John Whethersby's "Open Source Software Institute" to sponsor Ben Laurie to take OpenSSL through FIPS 140 certification. The project took years longer than expected (I think because NIST was reluctant to certify Open Source) and sponsorship did not cover all of the expenses; Ben took the project to completion with a mostly-unpaid investment of personal time. John Whethersby might know who the sponsor is, but due to his continuing involvement in business with U.S. Government regarding Open Source there's probably no point in asking him. I try to stay on the corporate side these days; it's a lot easier to deal with.

NSA has had a lot of time to get up to speed with the issue of encryption and I think it's safe to say that they are 10 years ahead of the state of the art now and that they have a lot of custom silicon in house. People who believe that any form of algorithmic encryption protects them from NSA are self-deceived. Only the most carefully handled one-time pad has a chance of defeating them.

Sponsorship

Posted Jan 9, 2014 18:45 UTC (Thu) by BrucePerens (guest, #2510) [Link]

Oh right. Defense Medical Logistics (part of the US Government) and HP are the sponsors (and I guess I was there part of the time this was being worked upon so HP may mean me). I remember the person from Defense Medical Logistics telling me he was frustrated with his vendors and the incredible budget outlay they required.

This is all public knowledge.

Sponsorship

Posted Jan 9, 2014 18:52 UTC (Thu) by BrucePerens (guest, #2510) [Link]

The OpenSSL FIPS security policy here clearly attributes the sponsors and people involved.

Sponsorship

Posted Jan 9, 2014 19:17 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

>NSA has had a lot of time to get up to speed with the issue of encryption and I think it's safe to say that they are 10 years ahead of the state of the art now and that they have a lot of custom silicon in house. People who believe that any form of algorithmic encryption protects them from NSA are self-deceived.

So NSA has enough silicon to boil oceans and explode supernovae stars? That's what is required to brute-force 128-bit and 256-bit keys.

As for algorithmic breakthroughs - even in the case of DES and differential cryptanalysis (the most well-known NSA breakthrough) the threats were mostly theoretical.

It's highly unlikely that they have a practical attack against widely-used ciphers that allows recovering keys without using 2^80 bytes of chosen plaintext or anything similar.

Of course, NSA might certainly use careful side-channel attacks or they might be able to brute-force keys with insufficient entropy.

Sponsorship

Posted Jan 10, 2014 1:59 UTC (Fri) by BrucePerens (guest, #2510) [Link]

You are assuming that the PRNG has near-perfect entropy and that the search space is thus as large as you think it is. This might be a reasonably safe assumption, but it's less than provable. Also note that the search space for quantum computers would be the square root of the search space size for von Neumann ones.

We can only use NSA's actions to forecast their capabilities. Right now there is an effort to make encryption mandatory for every HTTP connection in the next version of the HTTP standard. The U.S. government does not seem to have the slightest interest in this activity, and it is very likely to go forward. My assumption is that they are not bothered, for some reason, and we can hope to deter corporate eavesdropping, but NSA knows something we don't.

Sponsorship

Posted Jan 10, 2014 2:06 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

>You are assuming that the PRNG has near-perfect entropy and that the search space is thus as large as you think it is.

I think that for most practical PRNGs it's not feasible to find their bias. And it's also ultimately futile because you'd have to re-do the analysis for each new version of PRNG.

Now, if we're talking about keys derived from users' input then it's a whole different story. It's very much feasible to brute-force most passwords that are easily memorable.

>This might be a reasonably safe assumption, but it's less than provable. Also note that the search space for quantum computers would be the square root of the search space size for von Neumann ones.

So just use 256-bit keys. Building a quantum computer capable of iterating through the 128-bit keyspace is very faaaar in the future if even practically possible, and it'll have the same issue with the boiling oceans.

>We can only use NSA's actions to forecast their capabilities. Right now there is an effort to make encryption mandatory for every HTTP connection in the next version of the HTTP standard.

NSA is not omnipotent. Also, it's far easier for them to force most cloud providers to provide direct taps to their internal networks.

NSA capability

Posted Jan 23, 2014 22:16 UTC (Thu) by ballombe (subscriber, #9523) [Link]

Breaking Dual EC DRBG is equivalent to breaking a single instance of ECDSA.
If the NSA had the capability to break ECDSA, then they would have generated the points in a 'nothing up my sleeve' way to avoid the perception they planted a backdoor.

So it is reasonable to assume that the NSA could not break ECDSA in 2005.
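As an added illustration of the relationship ballombe describes (this is constructed for this page and is not code from the thread, from OpenSSL or from any real Dual EC implementation), the Python script below runs an untruncated Dual EC-style generator on a tiny constructed curve, y^2 = x^3 + x + 1 over F_23, with generator G = (0, 1). It first builds Q with a known relation to G (the scalar 9 is an arbitrary constructed trapdoor) and shows that whoever holds that relation turns one output block into every following state, which is the backdoor concern; it then derives Q from a public label by try-and-increment hashing, the 'nothing up my sleeve' approach, and shows that recovering the relation between G and such a Q is a discrete logarithm, brute-forceable only because the toy group has 28 elements. On P-256 that same problem is what protects an ECDSA private key. The curve, seed, label and scalar are all assumptions of the example; real Dual EC additionally drops the top 16 bits of each output, which the toy omits.

```python
"""Toy Dual EC DRBG on y^2 = x^3 + x + 1 over F_23 (28 points, cyclic group).
Constructed illustration; nothing here relates to the NIST P-256 constants."""
import hashlib

P_MOD, A, B = 23, 1, 1   # constructed toy curve
G = (0, 1)               # generator of the whole 28-element group


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


def x_coord(pt):
    if pt is None:
        raise ValueError("toy walk hit the point at infinity; choose another seed")
    return pt[0]


def dual_ec_outputs(seed, P, Q, count):
    """Dual EC core loop: s <- x(s*P); emit x(s*Q). Real Dual EC truncates each output."""
    s, out = seed, []
    for _ in range(count):
        s = x_coord(ec_mul(s, P))
        out.append(x_coord(ec_mul(s, Q)))
    return out


def lift_x(r):
    """A point with x-coordinate r; p = 3 mod 4, so the square root is one exponentiation."""
    rhs = (r ** 3 + A * r + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if (y * y) % P_MOD != rhs:
        raise ValueError("no point with that x-coordinate")
    return (r, y)


def trapdoor_Q(d, P):
    """The backdoor scenario: Q = d*P with d kept secret; returns (Q, e) with P = e*Q."""
    return ec_mul(d, P), pow(d, -1, point_order(P))


def predict_from_output(r, e, P, Q, count):
    """Holder of e: lift one output r = x(s*Q) to +-s*Q, then e*(+-s*Q) = +-s*P,
    whose x-coordinate is the next internal state (the sign does not affect x)."""
    s = x_coord(ec_mul(e, lift_x(r)))
    out = []
    for _ in range(count):
        out.append(x_coord(ec_mul(s, Q)))
        s = x_coord(ec_mul(s, P))
    return out


def nothing_up_my_sleeve_Q(label):
    """Derive Q from a public string by try-and-increment hashing, so that no party
    starts out knowing log_P(Q)."""
    for ctr in range(256):
        h = hashlib.sha256(f"{label}:{ctr}".encode()).digest()
        try:
            return lift_x(int.from_bytes(h, "big") % P_MOD)
        except ValueError:
            continue
    raise RuntimeError("no curve point found")


def brute_force_dlog(P, Q):
    """d with Q = d*P by exhaustive search: feasible on 28 points, infeasible on P-256,
    where this is the ECDLP that also protects an ECDSA private key."""
    acc, d = None, 0
    while acc != Q:
        acc = ec_add(acc, P)
        d += 1
    return d


if __name__ == "__main__":
    Q, e = trapdoor_Q(9, G)                      # 9 is a constructed trapdoor scalar
    outs = dual_ec_outputs(5, G, Q, 4)           # seed 5 is constructed
    print("outputs:", outs, "predicted from outs[0]:", predict_from_output(outs[0], e, G, Q, 3))
    Q2 = nothing_up_my_sleeve_Q("constructed-label")
    print("public Q2:", Q2, "log_G(Q2) by brute force:", brute_force_dlog(G, Q2))
```

Running the script prints four output blocks and, from the first block alone, the three that follow; with the hashed Q2 the only route to the same prediction is the brute-force discrete logarithm, which is why verifiable point generation removes the concern.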


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds