BULLRUN seems to be just an overarching name for several wide programs to obtain plaintext of passively encrypted internet communications by many different methods.

While there seem to be many non-cryptographic attacks included in the BULLRUN program, of particular interest is the cryptographic attack mentioned in the Snowden papers and also hinted at in earlier US congressional manouverings for NSA funding.

The most obvious target of attack is some widespread implementation of SSL/TLS, and while it might just be an attack against a reduced keyspace, eg password-guessing or RNG compromise, I wonder whether NSA have actually made a big cryptographic break against some cipher, and if so, against what?

Candidate ciphers are:


and key establishment mechanisms:


I don't think a break in another cipher or KEM would be widespread enough to matter much. Assuming NSA (or possibly GCHQ) have made a big break:

I don't think it's against 3DES or RC4, though the latter is used a lot more than people imagine.

AES? Maybe, but a break in AES would be a very big deal. I don't know whether hiding that would be politically acceptable.

RSA? Well, maybe indeed. Break even a few dozen RSA keys per month, and you get a goodly proportion of all internet encrypted traffic. It's just another advance on factorisation.

If you can break RSA you can probably break DH as well.

ECDH? Again quite possible, especially against the curves in use - but perhaps a more widespread break against ECDH is possible as well. The math says that it can be done starting with a given curve (though we don't know how to do it), and you only need to do the hard part once per curve.

My money? RSA.

But even so, double encrypting with two different ciphers (and using two different KEMs) seems a lot more respectable now.

-- Peter Fairbrother
The cryptography mailing list

Reply via email to