Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-11 Thread Chris Palmer
On Tue, Sep 10, 2013 at 2:04 PM, Joe Abley jab...@hopcount.ca wrote: As an aside, I see CAs with Chinese organisation names in my browser list. I wouldn't pick on/fear/call out the Chinese specifically. Also, be aware that browsers must transitively trust all the issuers that the known trust

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Andreas Davour
On Mon, Sep 09, 2013 at 06:41:23AM -0700, Andreas Davour wrote: So there *is* a BTNS implementation, after all. Albeit only for OpenBSD -- but this means FreeBSD is next, and Linux to follow. I might add that as far as I know, this work has not been picked up yet by neither

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Joe Abley
On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote: ➢ then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret ➢ services to perform MITM session decryption on any form of communication that derives its security from the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Perry E. Metzger
On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley jab...@hopcount.ca wrote: On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote: then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret services to perform MITM session

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Ben Laurie
On 10 September 2013 22:04, Joe Abley jab...@hopcount.ca wrote: Suppose Mallory has access to the private keys of CAs which are in the browser list or otherwise widely-trusted. An on-path attack between Alice and Bob would allow Mallory to terminate Alice's TLS connection, presenting an

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-09 Thread ianG
Hi Jeffery, On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote: The IETF was (and probably still is) a bunch of hard working individuals who strive to create useful technology for the Internet. Granted! I do not want to say that the IETF people are in a conspiracy with someone or each other,

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-09 Thread Salz, Rich
➢ then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret ➢ services to perform MITM session decryption on any form of communication that derives its security from the CA PKI. How would this work, in practice? How would knowing a

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-09 Thread Andreas Davour
From: Eugen Leitl eu...@leitl.org Forwarded with permission. [snip] http://hack.org/mc/projects/btns/ So there *is* a BTNS implementation, after all. Albeit only for OpenBSD -- but this means FreeBSD is next, and Linux to follow. I might add that as far as I

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-09 Thread Salz, Rich
* NSA employees participted throughout, and occupied leadership roles in the committee and among the editors of the documents Slam dunk. If the NSA had wanted it, they would have designed it themselves. The only conclusion for their presence that is rational is to sabotage it [3].

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread John Gilmore
First, DNSSEC does not provide confidentiality. Given that, it's not clear to me why the NSA would try to stop or slow its deployment. DNSSEC authenticates keys that can be used to bootstrap confidentiality. And it does so in a globally distributed, high performance, high reliability

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Ray Dillinger
On 09/06/2013 05:58 PM, Jon Callas wrote: We know as a mathematical theorem that a block cipher with a back door *is* a public-key system. It is a very, very, very valuable thing, and suggests other mathematical secrets about hitherto unknown ways to make fast, secure public key systems.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread John Kelsey
Let's suppose I design a block cipher such that, with a randomly generated key and 10,000 known plaintexts, I can recover that key. For this to be useful in a world with relatively sophisticated cryptanalysts, I must have confidence that it is extremely hard to find my trapdoor, even when you

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry gregory.pe...@govirtual.tvwrote: On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote: Security fails on the Internet for three important reasons, that have nothing to do with the IETF or the technology per-se (except for point 3). 1. There is

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry gregory.pe...@govirtual.tvwrote: On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote: Anyone who thinks Jeff was an NSA mole when he was one of the main people behind the MIT version of PGP and the distribution of Kerberos is talking daft.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore g...@toad.com wrote: First, DNSSEC does not provide confidentiality. Given that, it's not clear to me why the NSA would try to stop or slow its deployment. DNSSEC authenticates keys that can be used to bootstrap confidentiality. And it does

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Jerry Leichter
On Sep 7, 2013, at 11:45 PM, John Kelsey wrote: Let's suppose I design a block cipher such that, with a randomly generated key and 10,000 known plaintexts, I can recover that key At this point, what I have is a trapdoor one-way function. You generate a random key K and then compute

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Daniel Cegiełka
Hi, http://www.youtube.com/watch?v=K8EGA834Nok Is DNSSEC is really the right solution? Daniel ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Peter Bowen
On Sat, Sep 7, 2013 at 6:50 PM, John Gilmore g...@toad.com wrote: PS: My long-standing domain registrar (enom.com) STILL doesn't support DNSSEC records -- which is why toad.com doesn't have DNSSEC protection. Can anybody recommend a good, cheap, reliable domain registrar who DOES update their

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Jon Callas
3) Shortly after the token indictment of Zimmerman (thus prompting widespread use and promotion of the RSA public key encryption algorithm), the Clinton administration's FBI then advocated a relaxation of encryption export regulations in addition to dropping all plans for the Clipper chip

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Jeffrey I. Schiller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote: Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Samuel Weiler
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote: * Allowing deployment of DNSSEC to be blocked in 2002(sic) by blocking a technical change that made it possible to deploy in .com. As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the standards process. I do not challenge PHB's theory that the NSA has plants in the IETF to discourage moves to strong crypto, particularly given John Gilmore's recent message on IPSEC, but I

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 01:51 AM, Peter Gutmann wrote: ianG i...@iang.org writes: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? In

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 03:58 AM, Jon Callas wrote: Could an encryption algorithm be explicitly designed to have properties like this? I don't know of any, but it seems possible. I've long suspected that NSA might want this kind of property for some of its own systems: In some cases, it completely

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Eugen Leitl
On Fri, Sep 06, 2013 at 09:19:07PM -0400, Derrell Piper wrote: ...and to add to all that, how about the fact that IPsec was dropped as a 'must implement' from IPv6 sometime after 2002? Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption mode for IPsec) implementations,

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for confidentiality (although that would have been a bonus). If so, then the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Jerry Leichter
On Sep 7, 2013, at 12:31 AM, Jon Callas wrote: I'm sorry, but this is just nonsense. You're starting with informal, rough definitions and claiming a mathematical theorem. Actually, I'm doing the opposite. I'm starting with a theorem and arguing informally from there Actually, if you

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0]. How much more obvious does it get [1] ? The PKI industry

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread David Mercer
On Sat, Sep 7, 2013 at 2:19 AM, ianG i...@iang.org wrote: On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Anne Lynn Wheeler
On 09/07/13 05:19, ianG wrote: If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0]. unfortunately as far as

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote: Before you make silly accusations go read the VeriSign Certificate Practices Statement and then work out how many people it takes to gain access to one of the roots. The Key Ceremonies are all videotaped from start to finish and the auditors

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote: On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote: Good theory only the CA industry tried very hard to deploy and was prevented from doing so because Randy Bush abused his position as DNSEXT chair to prevent modification of the spec to meet the deployment requirements in .com. DNSSEC would

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Jeffrey I. Schiller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote: And this is exactly why there is no real security on the Internet. Because the IETF and standards committees and working groups are all in reality political fiefdoms and technological

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread John Kelsey
I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do something else. But if the problem is bad key generation or bad implementations,

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Eugen Leitl
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote: If a person at Snowden's level in the NSA had any access to information Snowden didn't have clearance for that information. He's being described as 'brilliant' and purportedly was able to access documents far beyond his

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Benjamin Kreuter
On Fri, 6 Sep 2013 01:19:10 -0400 John Kelsey crypto@gmail.com wrote: I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Kristian Gjøsteen
5. sep. 2013 kl. 23:14 skrev Tim Dierks t...@dierks.org: I believe it is Dual_EC_DRBG. The ProPublica story says: Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
Perhaps it's time to move away from public-key entirely! We have a classic paper - Needham and Schroeder, maybe? - showing that private key can do anything public key can; it's just more complicated and less efficient. Not really. The Needham-Schroeder you're thinking of is the essence of

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote: ...Much of what you say later in the message is that the way we are using symmetric-key systems (CA's and such)... Argh! And this is why I dislike using symmetric and asymmetric to describe cryptosystems: In English, the distinction is way

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Tim Dierks
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen kristian.gjost...@math.ntnu.no wrote: Has anyone, anywhere ever seen someone use Dual-EC-DRBG? I mean, who on earth would be daft enough to use the slowest possible DRBG? If this is the best NSA can do, they are over-hyped. It's

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 04:50 AM, Peter Gutmann wrote: Perry E. Metzger pe...@piermont.com writes: At the very least, anyone whining at a standards meeting from now on that they don't want to implement a security fix because it isn't important to the user experience or adds minuscule delays to an initial

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread James A. Donald
On 2013-09-06 12:31 PM, Jerry Leichter wrote: Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS. Elsewhere, enabling access and exploiting systems of interest and inserting

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 11:32 AM, ianG wrote: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html Oops, for those unfamiliar with CAcert's peculiar use of secure browsing, drop the 's' in the above URL. Then it will securely load.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen kristian.gjost...@math.ntnu.no wrote: As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this problem (we only stated that Q had to be chosen at random, Ferguson co were right to emphasize this point), I would like to ask:

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Peter Gutmann
ianG i...@iang.org writes: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? Peter. ___

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
Following up on my own posting: [The NSA] want to buy COTS because it's much cheap, and COTS is based on standards. So they have two contradictory constraints: They want the stuff they buy secure, but they want to be able to break in to exactly the same stuff when anyone else buys it.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 08:04 AM, John Kelsey wrote: It is possible Dual EC DRBG had its P and Q values generated to insert a trapdoor, though I don't think anyone really knows that (except the people who generated it, but they probably can't prove anything to us at this point). It's also immensely

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 6, 2013, at 4:42 AM, Jerry Leichter leich...@lrw.com wrote: Argh! And this is why I dislike using symmetric and asymmetric to describe cryptosystems: In English, the distinction is way too brittle. Just a one-letter difference - and

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread John Gilmore
Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some things: * NSA employees participted throughout, and occupied

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 6, 2013, at 6:23 AM, Jerry Leichter leich...@lrw.com wrote: Is such an attack against AES *plausible*? I'd have to say no. But if you were on the stand as an expert witness and were asked under cross-examination Is this *possible*?, I

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Derrell Piper
...and to add to all that, how about the fact that IPsec was dropped as a 'must implement' from IPv6 sometime after 2002? signature.asc Description: Message signed with OpenPGP using GPGMail ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Kevin W. Wall
On 9/6/2013 1:05 PM, Perry E. Metzger wrote: I have re-read the NY Times article. It appears to only indicate that this was *a* standard that was sabotaged, not that it was the only one. In particular, the Times merely indicates that they can now confirm that this particular standard was

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Derrell Piper
On Sep 6, 2013, at 8:22 PM, John Gilmore g...@toad.com wrote: Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote: I've long suspected that NSA might want this kind of property for some of its own systems: In some cases, it completely controls key generation and distribution, so can make sure the system as fielded only uses good keys. If the algorithm

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
OK how about this: If a person at Snowden's level in the NSA had any access to information that indicated the existence of any program which involved the successful cryptanalysis of any cipher regarded as 'strong' by this community then the Director of National Intelligence, the Director of the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Tim Dierks
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger pe...@piermont.com wrote: On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger pe...@piermont.com wrote: Anyone recognize the standard? Please say it aloud. (I personally don't recognize the standard offhand, but my memory is poor that

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray
On 09/05/2013 01:57 PM, Perry E. Metzger wrote: and am not sure which international group is being mentioned. ISO. Not that narrows it down much. Eric ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Bernie Cosell
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote: I would bet that there is more than enough DES traffic to be worth attack and probably quite a bit on IDEA as well. There is probably even some 40 and 64 bit crypto in use. Indeed -- would you (or any of us) guess that NSA could break TDES

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray
The NYT article is pretty informative: (http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html) Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread John Kelsey
First, I don't think it has anything to do with Dual EC DRGB. Who uses it? My impression is that most of the encryption that fits what's in the article is TLS/SSL. That is what secures most encrypted content going online. The easy way to compromise that in a passive attack is to compromise

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread arxlight
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 What surprises me is that anyone is surprised. If you believed OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various government agencies (in this specific case the FBI- though one wonders if they were the originating agency) have been

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com wrote: First, I don't think it has anything to do with Dual EC DRGB. Who uses it? It did *seem* to match the particular part of the story about a subverted standard that was complained about by Microsoft researchers. I would

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger pe...@piermont.com wrote: Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 05 Sep 2013 13:33:48 -0700 Eric Murray er...@lne.com wrote: The NYT article is pretty informative: (http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html) [...] Also interesting: Cryptographers have long suspected that the agency planted vulnerabilities in a

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Here are a few guesses from me: 1) I would not be surprised if it turned out that some people working for some vendors have made code and

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Informed speculation means intelligent, technical ideas about what has been done. It does not mean wild conspiracy theories and the like. I will

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote: On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Here are a few guesses from me: 1) I would not be surprised if

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 05 Sep 2013 16:43:59 -0400 Bernie Cosell ber...@fantasyfarm.com wrote: On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote: I would bet that there is more than enough DES traffic to be worth attack and probably quite a bit on IDEA as well. There is probably even some 40 and 64

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray
Bruce Schneier explains the Dual_EC_DRBG attack: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Lance James
Hi all, If you read the articles carefully, you'll note that at no point does the NSA appear to have actually broken the *cryptography* in use. It's hard to get concrete details from such vague writing and no access to the the original documents, but it sounds like they've mostly gotten a lot

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
[This drifts from the thread topic; feel free to attach a different subject line to it] On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote: 3) I would not be surprised if random number generator problems in a variety of equipment and software were not a very obvious target, whether those

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote: My broader question is, how the hell did a sysadmin in Hawaii get hold of something that had to be super secret? He must have been stealing files from some very high ranking people. This has bothered me from the beginning. Even the first

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: I would like to open the floor to *informed speculation* about BULLRUN. Not informed since I don't work for them, but a connect-the-dots: 1. ECDSA/ECDH (and DLP

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Fairbrother
BULLRUN seems to be just an overarching name for several wide programs to obtain plaintext of passively encrypted internet communications by many different methods. While there seem to be many non-cryptographic attacks included in the BULLRUN program, of particular interest is the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: I would like to open the floor to *informed speculation* about BULLRUN. Not informed since I don't work for them, but a connect-the-dots: 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless you get everything absolutely

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread David Mercer
On Thursday, September 5, 2013, Jerry Leichter wrote: [This drifts from the thread topic; feel free to attach a different subject line to it] On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote: 3) I would not be surprised if random number generator problems in a variety of equipment and

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: At the very least, anyone whining at a standards meeting from now on that they don't want to implement a security fix because it isn't important to the user experience or adds minuscule delays to an initial connection or whatever should be viewed with

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: Does that make them NSA plants? There's drafts for one or two more fairly basic fixes to significant problems from other people that get stalled forever, while the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH that you're thinking of? It's not just randomness, it's problems with DLP-based crypto in general. For example there's the scary tendency of DLP-based ops to leak the private

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 5, 2013, at 7:01 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH that you're thinking of? It's not just

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
The actual documents - some of which the Times published with few redactions - are worthy of a close look, as they contain information beyond what the reporters decided to put into the main story. For example, at

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 5, 2013, at 7:31 PM, Jerry Leichter leich...@lrw.com wrote: Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
On Sep 5, 2013, at 10:19 PM, Jon Callas wrote: I don't disagree by any means, but I've been through brittleness with both discrete log and RSA, and it seems like only a month ago that people were screeching to get off RSA over to ECC to avert the cryptocalypse. And that the ostensible

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS. ... This makes any NSA recommendation *extremely* suspect. As far as I can see, the bit push NSA is making these

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 5, 2013, at 8:02 PM, Jerry Leichter leich...@lrw.com wrote: Perhaps it's time to move away from public-key entirely! We have a classic paper - Needham and Schroeder, maybe? - showing that private key can do anything public key can; it's

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 5, 2013, at 8:24 PM, Jerry Leichter leich...@lrw.com wrote: Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS. ...

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread John Kelsey
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com wrote: First, I don't think it has anything to do with Dual EC DRGB. Who uses it? It did *seem* to match the particular part of the story about a subverted standard that was complained about by Microsoft researchers. I