Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-08 Thread Bill Stewart

At 12:09 PM 9/7/2013, Chris Palmer wrote:

> On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote:
>
>>> Why would they perform the attack only for encryption software? They
>>> could compromise people's laptops by spiking any popular app.
>>
>> Because NSA and GCHQ are much more interested in attacking communications
>> in transit rather than attacking endpoints.
>
> So they spike a popular download (security-related apps are less
> likely to be popular) with a tiny malware add-on that scans every file
> that it can read to see if it's an encryption key, cookie, password


More to the point, spike a popular download with remote-execution malware,
and download spiked patches for important binaries,
so the not-a-collection-target's browser uses known keys
(the opposite of the fortify patch that made 40-bit Mozilla do 128-bit),
and the disk encryption software broadcasts its keys or stashes them 
in plaintext


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-08 Thread James A. Donald

On 2013-09-08 4:36 AM, Ray Dillinger wrote:

> But are the standard ECC curves really secure? Schneier sounds like he's got
> some innovative math in his next paper if he thinks he can show that they
> aren't.

Schneier cannot show that they are trapdoored, because he does not know
where the magic numbers come from.

To know if trapdoored, have to know where those magic numbers come from.


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-08 Thread james hughes


On Sep 7, 2013, at 6:30 PM, James A. Donald jam...@echeque.com wrote:

> On 2013-09-08 4:36 AM, Ray Dillinger wrote:
>
>> But are the standard ECC curves really secure? Schneier sounds like he's got
>> some innovative math in his next paper if he thinks he can show that they
>> aren't.
>
> Schneier cannot show that they are trapdoored, because he does not know where
> the magic numbers come from.
>
> To know if trapdoored, have to know where those magic numbers come from.

That will not work.

When the community questioned the source of the DES S-boxes, Don Coppersmith
and Walt Tuchman of IBM at the time openly discussed how they were
generated and it still did not quell the suspicion. I bet there are many that
still believe DES has a yet-to-be-determined backdoor.

There is no way to prove the absence of a back door, only to prove or argue
that a backdoor exists with (at least) a demonstration or evidence one is being
used. Was there any hint in the purloined material to this point? There seems
to be the opposite. TLS using ECC is not common on the Internet (see "Ron was
wrong, Whit is right"). If there is a vulnerability in ECC it is not the source
of today's consternation. (ECC is common on ssh, see "Mining Your Ps and Qs:
Detection of Widespread Weak Keys in Network Devices".)

I will be looking forward to Bruce's next paper.


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Brian Gladman
On 07/09/2013 01:48, Chris Palmer wrote:
>> Q: Could the NSA be intercepting downloads of open-source encryption
>> software and silently replacing these with their own versions?
>
> Why would they perform the attack only for encryption software? They
> could compromise people's laptops by spiking any popular app.

Because NSA and GCHQ are much more interested in attacking communications
in transit rather than attacking endpoints.

Endpoint attacks cost more to undertake, only give access to a limited
amount of data and involve much greater risks that their attack will
either be discovered or their means of attack will leave evidence of
what they have done and how they have done it.  The internal bureaucratic
costs of gaining approval for (adversarial) endpoint attacks also make
it a more costly process than the use of network based interception.

There is significant use of open source encryption software in end to
end encryption solutions, in file archivers, in wifi and network
routers, and in protecting the communications used to manage and control
such components when at remote locations.  The open source software is
provided in source code form and is compiled from source in a huge
number of applications and this means that the ability to covertly
substitute broken source code could provide access to a huge amount of
traffic without the risks involved in endpoint attacks.

I stress that I am NOT suggesting that this has happened (or is
happening), simply that it has attractions from an NSA/GCHQ viewpoint.
Fortunately, I think it is a difficult attack to mount covertly (that
is, without the acquiescence of the author(s) of the software in question).

On the more general debate here, in my view, 'security for the masses'
through the deployment of encryption is a 'pipe dream' that isn't going
to happen.  Functionality (and the complexity that comes with it) is the
enemy of security and it is very clear that the public places a much
higher value on functionality than it does on security (or privacy).

Every time a new device comes onto the market, it starts with limited
functionality and some hope of decent security but rapidly evolves to be
a high functionality product in which the prospect of decent security
declines rapidly to zero.  Raspberry Pis look interesting _now_ but I
would be willing to bet that they won't buck the trend of increasing
functionality and declining security simply because this is what the
majority in even this limited user community will want.

To buck this trend we need an effort like the Raspberry Pi effort but
one driven by our community with a strong commitment to simplicity and
deliberately limited functionality in both hardware and software.

   Brian Gladman


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Ray Dillinger

On 09/06/2013 01:25 PM, Jerry Leichter wrote:

> A response he wrote as part of a discussion at
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
>
> Q: Could the NSA be intercepting downloads of open-source encryption software and
> silently replacing these with their own versions?
>
> A: (Schneier) Yes, I believe so.
> -- Jerry

Here is another interesting comment, on the same discussion.

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

Schneier states of discrete logs over ECC: "I no longer trust the constants.
I believe the NSA has manipulated them through their relationships with
industry."

Is he referring to the standard set of ECC curves in use?  Is it possible
to select ECC curves specifically so that there's a backdoor in cryptography
based on those curves?

I know that hardly anybody using ECC bothers to find their own curve; they
tend to use the standard ones because finding their own involves counting all
the integral points and would be sort of compute expensive, in addition to
being involved and possibly error prone if there's a flaw in the implementation.

But are the standard ECC curves really secure? Schneier sounds like he's got
some innovative math in his next paper if he thinks he can show that they
aren't.

Bear



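Ray asks whether curves can be picked so that a backdoor exists, and notes that nobody counts points on a curve of their own; James Donald and james hughes (earlier in this archive) answer that it comes down to where the magic numbers came from. The one check that does exist is small enough to run. What follows is an added example, not code from any message in this thread: it reproduces the ANSI X9.62 "verifiably random" derivation for NIST P-256 (p, a, b and SEED are the public FIPS 186-4 values), and then, on a constructed toy prime, shows why passing that check says nothing about the chooser's intent: whoever picks the seed can try seeds until the derived curve has any property they like, and every such seed passes the same verification. The toy prime 1019, the seed sequence 0, 1, 2, ... and the property "group order divisible by 8" are assumptions made for the demonstration only.

```python
"""X9.62 'verifiably random' check for NIST P-256, then a toy showing that the
check does not constrain how the seed was picked.  Added example, not thread code."""
import hashlib

# NIST P-256 parameters: public values from FIPS 186-4 D.1.2.3 / SEC 2.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """SEED -> r per ANSI X9.62 A.3.3.1 / SEC 1 3.1.3.1 (prime-field case)."""
    t = p.bit_length()                  # ceil(log2 p) for a prime p
    s = (t - 1) // 160
    v = t - 160 * s
    g = len(seed) * 8                   # seed length in bits, g >= 160
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    c0 = h & ((1 << v) - 1)             # the v rightmost bits of SHA-1(SEED)
    w = c0 & ~(1 << (v - 1))            # W0 = c0 with its leftmost bit cleared
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):           # W_i = SHA-1((SEED + i) mod 2^g)
        seed_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(seed_i).digest(), "big")
    return w                            # r = int(W0 || W1 || ... || Ws)


def seed_matches_curve(seed: bytes, p: int, a: int, b: int) -> bool:
    """The published check, r * b^2 == a^3 (mod p).  It shows the constants
    were derived from SEED; it says nothing about why SEED was chosen."""
    r = x962_r_from_seed(seed, p)
    return (r * b * b - a * a * a) % p == 0


# Toy setting for seed shopping.  Constructed values, not any standard's:
# p = 1019 is prime and 3 mod 4 (square root is one pow()); a = -3 like NIST.
TOY_P = 1019
TOY_A = TOY_P - 3


def legendre(n: int, p: int) -> int:
    """Legendre symbol (n/p): 0, 1 for a nonzero square, -1 otherwise."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1


def count_points(a: int, b: int, p: int) -> int:
    """#E(F_p) for y^2 = x^3 + a*x + b by brute force, O(p): the 'count all the
    points' cost Ray mentions.  A 256-bit p needs Schoof/SEA instead."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))


def curve_b_from_seed(seed: bytes, p: int, a: int):
    """b from SEED the X9.62 way, or None when the seed is unusable."""
    r = x962_r_from_seed(seed, p) % p
    if r == 0:
        return None
    rhs = a**3 * pow(r, -1, p) % p      # need b^2 == a^3 / r (mod p)
    if legendre(rhs, p) != 1:
        return None                     # not a square: X9.62 says pick another seed
    b = pow(rhs, (p + 1) // 4, p)       # sqrt for p = 3 (mod 4)
    if (4 * a**3 + 27 * b * b) % p == 0:
        return None                     # singular curve
    return b


def shop_for_seed(wanted, p=TOY_P, a=TOY_A, max_tries=5000):
    """Walk SEED = 0, 1, 2, ... until the derived curve's order satisfies
    wanted(order).  Every seed returned passes seed_matches_curve(); a real
    manipulator would use random-looking seeds so the walk leaves no trace."""
    for i in range(max_tries):
        seed = i.to_bytes(20, "big")
        b = curve_b_from_seed(seed, p, a)
        if b is None:
            continue
        n = count_points(a, b, p)
        if wanted(n):
            return seed, b, n
    return None


if __name__ == "__main__":
    print("P-256 SEED reproduces b:",
          seed_matches_curve(P256_SEED, P256_P, P256_A, P256_B))
    # "order divisible by 8" stands in for whatever property the chooser wants.
    found = shop_for_seed(lambda n: n % 8 == 0)
    if found:
        seed, b, n = found
        print("toy: seed", seed.hex(), "b", b, "order", n, "passes check:",
              seed_matches_curve(seed, TOY_P, TOY_A, b))
```

The P-256 half answers hughes's question of what a verifier can do: confirm that b really is the image of the published SEED. The toy half is the reason that confirmation does not settle Donald's point: the seed is the unexplained input, and the check accepts any seed the standardizer cared to search for.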

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Dan McDonald

On Sep 7, 2013, at 2:36 PM, Ray Dillinger wrote:
SNIP!
>
> Schneier states of discrete logs over ECC: "I no longer trust the constants.
> I believe the NSA has manipulated them through their relationships with
> industry."
>
> Is he referring to the standard set of ECC curves in use?  Is it possible
> to select ECC curves specifically so that there's a backdoor in cryptography
> based on those curves?

That very statement prompted me to start the Suite B thread a couple of days
ago.

What concerns me most about ECC is that your choices seem to be the IEEE
Standard curves (which have NSA input, IIRC), or ones that will bring down the
wrath of Certicom (Slogan: We're RSA Inc. for the 21st Century!).

I've said this repeatedly over the past year, but if whoever ends up buying
Certicom-owner Blackberry would set them free, it would help humanity (at the
cost of the patent revenues, alas).

Dan


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 02:53 PM, Ray Dillinger wrote:

> Is he referring to the standard set of ECC curves in use?  Is it possible
> to select ECC curves specifically so that there's a backdoor in cryptography
> based on those curves?
>
> I know that hardly anybody using ECC bothers to find their own curve; they
> tend to use the standard ones because finding their own involves counting all
> the integral points and would be sort of compute expensive, in addition to
> being involved and possibly error prone if there's a flaw in the
> implementation.

Take a trip down memory lane and research the historical roots of the Data
Encryption Standard, especially the pre-DES Lucifer standard with IBM.  Some
hints would be the last minute reduction to 56-bit, as well as the replacement
S-Boxes that were mandated for use by IBM before Lucifer became the DES.

And then if you were in the Beltway region back in '98, you might also remember
the entire federal government freaking out about EFF's Deep Crack, which almost
overnight caused 56-bit DES to be deprecated in favor of 3DES.  But then there
were the complaints about the computational expensiveness of 3DES, so our
superheroes at NIST jumped in with the Advanced Encryption Standard contest and
here we are again.

In the '90s there were a few papers written about optimal DES S-Box
calculation; they disappeared from publication.  There was also a fellow who
released a software application used for alternate DES S-Box generation, that
got yanked as well.  I am not suggesting black helicopters or extrajudicial
renditions, just that once they were on the Internet and then a few weeks later
they were not online anymore, anywhere.

An oldie but goodie in this category of discussion is SANS' "S-Box
Modifications and Their Effect in DES-like Encryption Systems", Joe Gargiulo,
July 25, 2002.


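hughes's remark (earlier in this archive) that IBM did explain the S-boxes and Perry's pointer to S-box modification papers come down to one practical thing: the design criteria Coppersmith published in 1994 ("The Data Encryption Standard (DES) and its strength against attacks", IBM J. Res. Dev.) are mechanically checkable, so any S-box can be tested against them, but passing them only shows the box is not weak in the ways those criteria guard against. The following is an added example, not code from the thread: it checks DES S1 (the FIPS 46 table) against four of the published criteria and tabulates its difference distribution. The function names are descriptive labels rather than Coppersmith's numbering, and the random table used for comparison is an assumption for illustration (fixed RNG seed).

```python
"""Check DES S-box S1 against the published IBM design criteria and tabulate
its difference distribution.  Added example; not code from the thread."""
import random

# DES S1 as printed in FIPS 46: 4 rows x 16 columns of 4-bit outputs.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(table, x):
    """6-bit input b1..b6 (b1 = MSB): row = b1b6, column = b2b3b4b5."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def flatten(table):
    """64-entry lookup indexed directly by the 6-bit input."""
    return [sbox_lookup(table, x) for x in range(64)]


def hamming(v):
    return bin(v).count("1")


def ddt(s):
    """Difference distribution table: t[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    t = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            t[din][s[x] ^ s[x ^ din]] += 1
    return t


def max_nontrivial_ddt(s):
    """Largest DDT entry over nonzero input differences (the trivial 0 -> 0 is 64)."""
    t = ddt(s)
    return max(t[din][dout] for din in range(1, 64) for dout in range(16))


# Criteria from Coppersmith's 1994 paper; names are descriptive, not his numbering.
def rows_are_permutations(table):
    """Fixing b1 and b6 and varying the middle four bits hits every output once."""
    return all(sorted(row) == list(range(16)) for row in table)


def one_bit_in_gives_two_bits_out(s):
    """Inputs differing in exactly one bit give outputs differing in >= 2 bits."""
    return all(hamming(s[x] ^ s[x ^ (1 << i)]) >= 2 for x in range(64) for i in range(6))


def middle_bits_in_give_two_bits_out(s):
    """Inputs differing in exactly the two middle bits (b3, b4) give outputs differing in >= 2 bits."""
    return all(hamming(s[x] ^ s[x ^ 0b001100]) >= 2 for x in range(64))


def first_two_bits_in_never_collide(s):
    """Inputs differing in b1 and b2 and equal in b5, b6 never give the same output."""
    diffs = (0b110000, 0b110100, 0b111000, 0b111100)
    return all(s[x] != s[x ^ d] for x in range(64) for d in diffs)


def no_difference_too_likely(s):
    """For any nonzero input difference, no output difference occurs for more than
    8 of the 32 input pairs, i.e. no DDT entry above 16 of the 64 ordered inputs."""
    return max_nontrivial_ddt(s) <= 16


def report(table):
    s = flatten(table)
    return {
        "rows_are_permutations": rows_are_permutations(table),
        "one_bit_in_gives_two_bits_out": one_bit_in_gives_two_bits_out(s),
        "middle_bits_in_give_two_bits_out": middle_bits_in_give_two_bits_out(s),
        "first_two_bits_in_never_collide": first_two_bits_in_never_collide(s),
        "no_difference_too_likely": no_difference_too_likely(s),
        "max_ddt_entry": max_nontrivial_ddt(s),
    }


def random_sbox_table(seed=1):
    """A random 4x16 table of 4-bit values (fixed RNG seed, comparison only)."""
    rng = random.Random(seed)
    return [[rng.randrange(16) for _ in range(16)] for _ in range(4)]


if __name__ == "__main__":
    print("DES S1:    ", report(DES_S1))
    print("random box:", report(random_sbox_table()))
```

The same `report()` can be pointed at any replacement S-box of the kind Perry's papers describe. A box that passes every line of the report is not thereby proven backdoor-free; that is hughes's point, and it holds for the real S1 too.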

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Chris Palmer
On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote:

>> Why would they perform the attack only for encryption software? They
>> could compromise people's laptops by spiking any popular app.
>
> Because NSA and GCHQ are much more interested in attacking communications
> in transit rather than attacking endpoints.

So they spike a popular download (security-related apps are less
likely to be popular) with a tiny malware add-on that scans every file
that it can read to see if it's an encryption key, cookie, password
db, whatever — any credential-like thing. The malware uploads any hits
to the mothership, then exits (possibly cleaning up after itself).
Trivial to do, golden results.

But really, why not leave a little C&C pinger behind? Might as well;
you never know when it will be useful.

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 07:32 PM, Brian Gladman wrote:
> I don't have experience of how the FBI operates so my comments were
> directed specifically at NSA/GCHQ interests.  I am doubtful that very
> large organisations change their direction of travel very quickly so I
> see the huge investments being made in data centres, in the tapping of
> key communications cables and core network routers and 'above our
> heads', as evidence that this approach still works well for NSA and
> GCHQ.  And I certainly don't think that volume is a problem yet since
> they have been able to invest heavily to develop the techniques that
> they use to see through lightweight protection and to pull out 'needles
> from haystacks'.
>
> Of course, you might well be right about the future direction they will
> have to travel because increasing volume in combination with better end
> to end protection must be a nightmare scenario for them.  But I don't
> see this move happening all that soon because a surprisingly large
> amount of the data in which they have an interest crosses our networks
> with very little protection.  And it seems even that which is protected
> has been kept open to their eyes by one means or another.
>
>    Brian

As a perennial optimist I would hope that global surveillance efforts
were focused solely on core communication peering and network access
points.  Unfortunately, the realist (and technologist) in me says otherwise.

It is not possible to view or intercept local area network
communications from a core network router.  For example, if I wanted to
catch some U.S. senator fornicating with his neighbor's wife for
purposes of blackmail fodder, then access to a core network router
wouldn't do me much good. 

However, if I had access to that senator's premises router by way of a
lawful intercept backdoor, then perhaps I could for example observe
that senator and his mistress' comings and goings by capturing a 720p
video feed from the Xbox camera in his living room.  Or by remotely
enabling the speaker phone microphone on a Cisco VoIP device.  Or maybe
I could enable the microphone and video camera on a LAN-connected laptop
to listen in on ambient conversations and to observe a live video feed
from the room where the laptop is sleeping.

Etc, etc.

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Eugen Leitl
On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
> A response he wrote as part of a discussion at
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
>
> Q: Could the NSA be intercepting downloads of open-source encryption
> software and silently replacing these with their own versions?
>
> A: (Schneier) Yes, I believe so.

This is why I've been verifying Tor downloads using
out of band fingerprints of signing key.

Just because active attacks are more expensive than passive attacks
and are fundamentally detectable, don't assume they're not being
used in highly targeted cases.

If you have ever been under telco surveillance, that's enough
effort already spent to warrant slipping you some custom malware with
no added bill of materials.
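What Eugen describes, and the defence against the source-substitution attack Brian Gladman outlines earlier in this archive, is a two-part check: the signature on the download must verify, and the key that made it must be the one whose fingerprint you obtained out of band. The following is an added example, not Eugen's or Tor's code: the pinned fingerprint, file names and keyring path are placeholders, and the status text is a constructed sample of gpg's `--status-fd` output so the logic can be exercised offline. The reason to parse the VALIDSIG line rather than trust the exit code is that a zero exit only says some key in the keyring made a good signature.

```python
"""Verify a download against a detached OpenPGP signature and pin the signer to
a fingerprint obtained out of band.  Added example, not Eugen's or Tor's code."""
import re
import subprocess
from typing import Optional

# Assumption: obtained through a channel the download path cannot touch
# (printed, in person, a second network).  Placeholder value, not a real key.
PINNED_PRIMARY_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def normalize_fpr(fpr: str) -> str:
    """Strip the grouping spaces people copy from key listings; compare upper-case hex."""
    return re.sub(r"\s+", "", fpr).upper()


def validsig_primary_fingerprint(status_text: str) -> Optional[str]:
    """Fingerprint of the key that actually made a valid signature, or None.

    gpg's exit status only says 'some key in the keyring produced a good
    signature'.  The VALIDSIG status line (gnupg doc/DETAILS) carries, as its
    10th field, the primary-key fingerprint even when a signing subkey was used;
    that is the value to compare with the one you wrote down out of band."""
    for line in status_text.splitlines():
        m = STATUS_LINE.match(line)
        if not m or m.group(1) != "VALIDSIG":
            continue
        fields = (m.group(2) or "").split()
        if len(fields) >= 10:
            return normalize_fpr(fields[9])
        if fields:                     # very old gpg: no primary fpr, field 1 is the signing key
            return normalize_fpr(fields[0])
    return None


def signed_by_pinned_key(status_text: str, pinned: str = PINNED_PRIMARY_FPR) -> bool:
    fpr = validsig_primary_fingerprint(status_text)
    return fpr is not None and fpr == normalize_fpr(pinned)


def verify_download(path: str, sig_path: str, keyring: str,
                    pinned: str = PINNED_PRIMARY_FPR) -> bool:
    """Run gpg against a dedicated keyring and require both a good signature and
    the pinned fingerprint.  Paths are placeholders; the keyring path must be
    absolute or start with ./ for gpg to treat it as a file."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout, pinned)


# Constructed sample of --status-fd output for an offline run: a good signature
# made by subkey 89AB...CDEF whose primary key is the pinned one above.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 4a7Z+ExAmPlE/SiGiD 2013-09-06 1378483200
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-09-06 1378483200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same shape, but the signature came from a different primary key that someone
# slipped into the keyring: gpg would still exit 0 on this.
SAMPLE_STATUS_WRONG_KEY = SAMPLE_STATUS.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567", "FEDCBA9876543210FEDCBA9876543210FEDCBA98")

if __name__ == "__main__":
    print("pinned key signed:", signed_by_pinned_key(SAMPLE_STATUS))
    print("other key signed: ", signed_by_pinned_key(SAMPLE_STATUS_WRONG_KEY))
```

Import the publisher's key into the dedicated keyring first (for example `gpg --no-default-keyring --keyring ./downloads.kbx --import signing-key.asc`, with both file names placeholders), then call `verify_download(...)`. A separate keyring means a key imported for some other purpose cannot satisfy the exit-code check by accident; the fingerprint pin closes the case where the key file itself was swapped on the way to you.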

[Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Jerry Leichter
A response he wrote as part of a discussion at 
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:

Q: Could the NSA be intercepting downloads of open-source encryption software 
and silently replacing these with their own versions?

A: (Schneier) Yes, I believe so.
-- Jerry


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Harald Koch
On 6 September 2013 16:25, Jerry Leichter leich...@lrw.com wrote:

> Q: Could the NSA be intercepting downloads of open-source encryption
> software and silently replacing these with their own versions?


http://c2.com/cgi/wiki?TheKenThompsonHack

(and many other references)

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Chris Palmer
> Q: Could the NSA be intercepting downloads of open-source encryption
> software and silently replacing these with their own versions?

Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any popular app.

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread The Doctor
On 09/06/2013 08:48 PM, Chris Palmer wrote:

> Why would they perform the attack only for encryption software?
> They could compromise people's laptops by spiking any popular app.

What is more important to them: A single system, or all of the comms
going into and coming out of it?

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Too bizarre for real life, too normal to wind up on Art Bell.
