The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
"Because strong encryption can be so effective, classified N.S.A.
documents make clear, the agency’s success depends on working with
Internet companies — by getting their voluntary collaboration, forcing
their cooperation with court orders or surreptitiously stealing their
encryption keys or altering their software or hardware."
"N.S.A. documents show that the agency maintains an internal database of
encryption keys for specific commercial products, called a Key
Provisioning Service, which can automatically decode many messages. If
the necessary key is not in the collection, a request goes to the
separate Key Recovery Service, which tries to obtain it.
How keys are acquired is shrouded in secrecy, but independent
cryptographers say many are probably collected by hacking into
companies’ computer servers, where they are stored"
Also interesting:
"Cryptographers have long suspected that the agency planted
vulnerabilities in a standard adopted in 2006 by the National Institute
of Standards and Technology, the United States’ encryption standards
body, and later by the International Organization for Standardization,
which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness,
discovered by two Microsoft cryptographers in 2007, was engineered by
the agency. The N.S.A. wrote the standard and aggressively pushed it on
the international group, privately calling the effort “a challenge in
finesse.”
“Eventually, N.S.A. became the sole editor,” the memo says."
Anyone recognize the standard?
Eric
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
