On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:

> On 11/28/2011 04:56 PM, Steven Bellovin wrote:
>>
>> I'm writing something where part of the advice is "don't buy snake
>> oil crypto, get the good stuff". By "good" I mean well-accepted
>> algorithms (not "proprietary for extra security!"), and protocols
>> that have received serious analysis. I also want to exclude
>> too-short keys.
>
>> But -- honesty requires that I define the threat model. We *know*
>> why NSA wanted short keys in the 1990s, but most folks are not being
>> targeted by <pick your favorite SIGINT agency>, and hence don't have
>> a major worry.
>
> But where's the evidence of that claim?
For which claim? That most folks aren't being targeted by major SIGINT agencies? I suspect that it's the converse that needs proving.

> AFAICT there is evidence of widespread wiretapping in the world. From
> extra equipment closets in AT&T buildings to "Carnivore" AKA "Omnivore"
> NSA programs. That's to say nothing of someone traveling
> internationally. If you are a tech, aerospace, or military company in
> the West, you should expect state-sponsored adversaries to rattle
> your doorknobs on a regular basis.

Right. And if you manufacture paper clips or sell real estate, you're not in that category. I do note that none of the news stories about cyberattacks from China have mentioned crypto. Either it's not part of the attack -- my guess -- or Someone doesn't want attention called to weak crypto.

> Furthermore, some of the largest distributed supercomputers in the world
> are botnets or on-line game systems now. The days of Western
> intelligence agencies having unambiguously greater brute-force
> capabilities than "The Bad Guys^TM" are drawing to a close. The
> purported RSA factorization is a sign of that.
>
>> So -- is there a real threat that people have to worry about? The TI
>> example is a good one, since it's fully verified.
>
> Funny, that one sounds to me like a failed model. This idea of keeping
> secrets locked in a plastic box while simultaneously selling it to
> millions of consumers has failed every time it has been tried.

I don't follow. TI put a public key into their devices, and used the private key to sign updates. That's a perfectly valid way to use digital signatures, even if I think their threat model was preposterous. If they had used 1024-bit keys it wouldn't have been an issue.

>> The claim has been made in the foxit blog, but as noted it's not
>> verified, merely asserted.
>
> If we can't get clarification, perhaps we can obtain some samples of the
> malware and confirm it ourselves.

How?
Private keys are private keys; the fact that they exist somewhere says nothing about how they were obtained.

>> WEP? Again, we all know how bad it is, but has it really been used?
>> Evidence?
>
> Yes, WEP was a confirmed vector in the Gonzalez TJX hack:
> http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx
> http://en.wikipedia.org/wiki/TJX_Companies#Computer_systems_intrusion

Ah --- I'll check. I knew they attacked WiFi; I didn't recall that they'd cracked WEP. Thanks.

>> Did anyone use the TLS renegotiate vulnerability?
>
> I have spoken with pentesters who have used it successfully. Not on your
> typical web site.

Right -- not what I was asking about.

>> Password guessing doesn't count...
>
> How about dictionary attacks and rainbow tables then?
>
> I heard it stated somewhere that an Apple product was using PBKDF2 with
> a work factor of 1. Does that count?

There's a separate section on bad passwords...

Thanks.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
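The "PBKDF2 with a work factor of 1" remark above is worth making concrete. The following is an added illustration, not code from the thread or from any product it mentions; the password, salt and the 10,000-iteration floor are constructed assumptions for the demo. It shows that with c = 1 PBKDF2-HMAC collapses to exactly one HMAC call (RFC 2898 section 5.2: T_1 = U_1 = PRF(P, S || INT(1))), so the "work factor" adds no stretching at all, and it includes a small audit/calibration helper a defender can use to catch such a configuration.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the demo (not from the thread).
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DKLEN = 20  # SHA-1 output length: one PBKDF2 block


def single_hmac_block(password: bytes, salt: bytes) -> bytes:
    """What PBKDF2-HMAC-SHA1 computes for block 1 when c == 1:
    U_1 = PRF(P, S || INT(1)), with no further chaining or XOR."""
    return hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha1).digest()


def pbkdf2_collapses_at_c1(password: bytes, salt: bytes) -> bool:
    """True if the real PBKDF2 with one iteration equals one bare HMAC call,
    i.e. a guess costs the attacker the same as hashing the password once."""
    real = hashlib.pbkdf2_hmac("sha1", password, salt, 1, DKLEN)
    return hmac.compare_digest(real, single_hmac_block(password, salt))


def audit_iterations(iterations: int, minimum: int = 10_000) -> str:
    """Classify a configured PBKDF2 iteration count.  The 10k floor is an
    assumption for illustration; derive your own from your threat model."""
    if iterations < 1:
        return "invalid"
    if iterations == 1:
        return "no-stretching"  # the case the thread describes
    if iterations < minimum:
        return "weak"
    return "ok"


def calibrate_iterations(target_seconds: float = 0.1, probe: int = 20_000) -> int:
    """Pick an iteration count so one derivation costs about target_seconds
    on this machine; never returns less than the probe count."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, probe, 32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    print("c=1 collapses to a single HMAC:", pbkdf2_collapses_at_c1(PASSWORD, SALT))
    for c in (0, 1, 1_000, 100_000):
        print(f"iterations={c}: {audit_iterations(c)}")
    print("calibrated iterations for ~0.1s:", calibrate_iterations())
```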
