On 9/5/13 6:25 PM, Andy Isaacson wrote:

> However, virtually nobody properly keys their ciphers with physical
> entropy.  I suspect that correlated key PRNG attacks are almost
> certainly a significant part of the NSA/GCHQ crypto break.  Many
> deployed systems expose a significant amount of correlated output of
> /dev/urandom or the in-process PRNG.

Isn't the point of a good PRNG that future output can't be predicted, even knowing all previous output? If we assume that AES can't be broken even with the NSA's resources, why would a PRNG based on AES be breakable by the NSA? (i.e. breaking AES-CTR used as a PRNG and breaking AES-CTR used as a cipher amount to the same thing.) Back to the old random vs urandom debate, and whether it's possible to "decrease" entropy.

> Also, retrieving key material from endpoints is a high return activity.
> Nearly nobody uses PFS ciphersuites, many HTTPS private keys are used for
> multiple years, and a single 1 KiB leak of key material is sufficient to
> decrypt all traffic under that key.

Yeah, the long life of private keys was recently a subject on the perpass list:

http://www.ietf.org/mail-archive/web/perpass/current/msg00066.html

> RSA-1024 I'd treat as dead, RSA-2048 is
> probably robust enough that if NSA have an attack it would be too
> valuable to risk exposing under anything but an existential threat
> scenario.

It would be fair to say the same thing about 1024-bit Diffie-Hellman, too, right? Most of the charts I've seen seem to indicate that. So even a PFS ciphersuite wouldn't help you that much if you used 1024-bit DHE? And yet a lot of software seems bent against using larger primes:

http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html

and OpenSSL seems to consider it the fault of the people wanting to use larger primes, rather than vice-versa:

http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html

> I've met djb and all my checks for NSA minders came up negative.

Speaking of which, would Curve25519 be a wiser choice for ECDHE than the NIST-approved curves, given that Bruce Schneier believes the NSA is influencing NIST (for the worse)?

http://www.ietf.org/mail-archive/web/perpass/current/msg00087.html

--Patrick
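An added illustration of the point argued above (not part of the original thread): a counter-mode PRNG is only as unpredictable as the key it was seeded with, regardless of how strong the block function is. SHA-256 in counter mode stands in for AES-CTR here (an assumption, so it runs with the standard library only), and the "weak" seeding that depends on a single 16-bit value is constructed for the demonstration.

```python
import hashlib
import os
import struct


def ctr_prng(key: bytes, nbytes: int) -> bytes:
    """Counter-mode generator: block_i = SHA-256(key || counter_i).

    Stand-in for AES-CTR used as a PRNG (assumption: any PRF in CTR mode
    behaves the same way for this argument). Output is unpredictable
    exactly as far as the key is unpredictable, and no further.
    """
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
    return bytes(out[:nbytes])


def weak_key(pid: int) -> bytes:
    """Constructed mis-seeding: the key depends only on a 16-bit value
    (think PID or coarse timestamp), so there are at most 65536 keys."""
    return hashlib.sha256(struct.pack(">I", pid)).digest()


def recover_weak_key(observed: bytes, max_pid: int = 1 << 16):
    """Audit check: walk the small seed space and see whether any key
    reproduces the observed output. Returns the seed value or None."""
    for pid in range(max_pid):
        if ctr_prng(weak_key(pid), len(observed)) == observed:
            return pid
    return None


if __name__ == "__main__":
    # 32 bytes of output from a badly seeded generator: found by search.
    leaked = ctr_prng(weak_key(4242), 32)
    print("weak seed recovered:", recover_weak_key(leaked))
    # Same construction keyed from the OS entropy pool: the search finds nothing.
    good = ctr_prng(os.urandom(32), 32)
    print("full-entropy key recovered:", recover_weak_key(good))
```

The defender's measurement is the size of the seed space, not the strength of the block cipher: if the key is derived from a few bits of state, the whole output stream is recoverable from one leaked block.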

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
