On Fri, Sep 6, 2013 at 9:56 PM, <[email protected]> wrote:
> It's not like I blew off my chair in surprise:
>
> "U.S. and British intelligence agencies have cracked the encryption designed
> to provide online privacy and security, documents leaked by former
> intelligence analyst Edward Snowden show."
>
> http://www.usatoday.com/story/news/nation/2013/09/05/nsa-snowden-encryption-cracked/2772721/
I'd seriously recommend the primary sources rather than USA Today. Try
the ProPublica writeup, the Guardian writeup, or the NYTimes writeup --
those are the ones with the original research. I'd also have a close
look at Bruce Schneier's two essays on the topic. All of these are
linked to from the following Bruce Schneier blog post:

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Basically -- I wouldn't suggest USA Today for summarizing information
about cryptography.

> But I do have a question:
>
> Where does this leave Tor and _its_ encryption??

It seriously depends on what the NSA has broken. If they've got a
strong AES break, or a cheap way to break ECDH-P256 or
ECDH-Curve25519, then we're pretty screwed. But none of the good
reporting I'm seeing suggests that. (FWICT, none of the good
reporting is actually being very specific at all, and the stuff that
*is* being specific is speculating or misunderstanding or
free-associating, for the most part.)

The stuff I'm seeing is pretty vague, but if I had to speculate
myself, I'd most suspect:

  * Dubious stuff in NIST standards. Everybody's pointing at that
    Dual_EC RNG, but other stuff will be getting a lot of
    cryptographer scrutiny. What isn't broken may often be found to
    be deliberately

  * The commercial CA world is possibly a house of cards.

  * Operating system RNGs are a black hole of stupidity. On the one
    hand, entropy collection really ought to be an OS function. On the
    other hand,

  * Paranoia time: I suspect deliberate obstruction of progress and
    encouragement of complacency in relevant standards bodies.
    Seriously, it's 2013, and our options for TLS are
    mac-then-encrypt-with-CBC, CTR/GCM
    (which-will-be-usually-implemented-with-table-lookups), and RC4?
I suppose that human frailty alone might explain such a sorry state of
affairs, but everybody knows That One Guy who won't let a simple
standard get approved when a complex protocol already exists, and who
won't stand for fixing the mistakes of yesterday so long as a
half-assed workaround is conceivable. Then again, it's not like
non-cryptographic standards move any faster than cryptographic ones,
so this could be my paranoia acting up.

Also, RSA1024 and DH1024 are *not* what folks ought to be using
nowadays. (See that article where a guy who knows how to use

So please, everybody upgrade to Tor 0.2.4.x once you can so that we
can start getting our forward secrecy with stronger keys. Over the
0.2.5 series, I want to move even more things (including hidden
services) to curve25519 and its allies for public key crypto. I also
want to add more hard-to-implement-wrong protocols to our mix: Salsa20
is looking like a much better choice to me than AES nowadays, for
instance. I also want to support more backup entropy sources.

Then again, I'm not a cryptographer myself, so you might want to check
out what actual cryptographers are saying. These are interesting times
for crypto.

yrs,
-- 
Nick
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
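Added example, not part of the post above and not Tor's own code: the "curve25519 and its allies" key exchange the message wants for forward secrecy, written out as X25519 per RFC 7748 in pure Python, with both sides using fresh per-session keys and the all-zero-output check that rejects low-order points. The test vectors are the ones published in RFC 7748; the `session_key` hashing, the "x25519-session" label, and the function names are this example's own choices. Python big-integer arithmetic is not constant-time, so this is for reading the protocol, not for deployment. Tor's ntor handshake layers authentication on top of an exchange like this; only the forward-secret ECDH step is shown.

```python
import hashlib
import os

P = 2**255 - 19                       # the field prime
A24 = 121665                          # (486662 - 2) / 4 for curve25519
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a u-coordinate: mask the top bit, accept non-canonical values."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def _cswap(swap: int, a: int, b: int):
    """Arithmetic conditional swap as written in the RFC (timing-safe only in C)."""
    dummy = (-swap) & (a ^ b)         # -swap is 0 or all-ones
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication; returns the 32-byte output u."""
    k, x1 = _clamp(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):      # 255 bits, most significant first
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    """Fresh (private, public) pair.  `seed` exists only so the RFC test
    vectors can be replayed; real callers leave it None and get os.urandom."""
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def shared_secret(my_priv: bytes, their_pub: bytes) -> bytes:
    """Raw ECDH output.  An all-zero result means the peer sent a low-order
    point (e.g. u = 0), so refuse it rather than derive a key from it."""
    s = x25519(my_priv, their_pub)
    if s == bytes(32):
        raise ValueError("low-order public key rejected")
    return s


def session_key(raw: bytes) -> bytes:
    """Never use the raw u-coordinate directly; hash it into a key.
    The label is this example's own choice, not a standard one."""
    return hashlib.sha256(b"x25519-session" + raw).digest()


def forward_secret_session(seed_a=None, seed_b=None) -> bytes:
    """One session between A and B with ephemeral keys on both sides.
    Both private scalars are dropped when this returns, so a later theft of
    anything long-lived (identity keys, disks, logs) cannot recover the key."""
    priv_a, pub_a = keypair(seed_a)
    priv_b, pub_b = keypair(seed_b)
    key_a = session_key(shared_secret(priv_a, pub_b))
    key_b = session_key(shared_secret(priv_b, pub_a))
    assert key_a == key_b
    del priv_a, priv_b                # Python cannot promise zeroing, only release
    return key_a
```

Two calls to forward_secret_session() with no seeds give two unrelated keys, which is the whole point: there is no long-term secret that, recorded traffic in hand, would let anyone rederive either one later. Contrast the static RSA1024 key exchange the post complains about, where one factored server key unlocks every past session.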
