I'm glad that Bruce Schneier has now had a chance to view some of the primary source documents from the Snowden leaks, because I trust him to speak frankly and I trust his technical ability.
(I'm referring to http://www.schneier.com/blog/archives/2013/09/the_nsa_is_bre..., not the above link.)
Both he and Snowden have essentially said that we can still trust the math. Modern symmetric crypto has enough safety margin that even extremely surprising breakthroughs wouldn't give the NSA practical decryption capabilities. (Asymmetric crypto is less certain, but even there Schneier still says discrete-log-based methods with sufficiently large keys are likely ok, and I would bet he's right.)
So the bottom line is this:
- using crypto correctly really matters, because they really are out to get you. Most software gets it wrong, not because there are no good cryptosystems, but because people are ignorant of how to do it right.
- build attack-resistant organizations, not just protocols. The more transparent, flat, and distributed an organization, the harder it is to secretly coerce into cooperating with the NSA. It's a lot harder to force a backdoor into Firefox than into Chrome.
- it turns out open source really matters. The tinfoil hat brigade is vindicated. Closed source vendors really are actively working against their customers' security.
If the NSA had really broken asymmetric crypto it would imply that they were sitting on a huge unpublished result in one or more of a) complexity theory b) quantum computing c) number theory d) ?? something even more outlandish. It's difficult to imagine even them keeping a lid on that. Mathematics is not a large field nor is it by nature a secretive one. (Arguably recognition is the thing driving most mathematicians.) The furtive whispers would accumulate.
Oh, in RSA there are also lots of 'weak' numbers that you shouldn't choose. They might have found some attacks against some newly recognized weak numbers.
RSA has plenty of mathematical gotchas that, if you don't know about them, will lead to a weaker implementation.
If the NSA hasn't demolished public key crypto, it still seems reasonable to assume that they've made sure a significant implementation vulnerability (that looks like normal crypto give and take) has been inserted.
To clarify, there are public-key cryptosystems with no known quantum attacks, but it's not known how to build such systems based on problems that are known to be QMA-complete (or NP-complete).
> Currently, our best candidates for such trapdoor OWF's are based on lattice problems, like the Shortest Vector Problem (SVP) that I described earlier. Whereas factoring reduces to the abelian hidden subgroup problem, which is solvable in quantum polynomial time, SVP is only known to reduce to the dihedral hidden subgroup problem, which is not known to be solvable in quantum polynomial time despite a decade of effort.
> Inspired by this observation, and building on earlier work by Ajtai and Dwork, Oded Regev has recently proposed public-key cryptosystems that are provably secure against quantum eavesdroppers, assuming SVP is hard for quantum computers.
What is not being said is "Which if any of the CAs have been compromised?" There is this ongoing conversation of "Use HTTPS" (as one of the defense mechanisms) but there has been very little discussion from what I have seen around the scenario where CAs have been compromised/backdoored.
CAs do not ever see their clients' encryption keys. If a CA was compromised, someone could only create authentication keys for websites. This type of attack could work on a single person. It would not work for a large group of people because this type of attack is very easy to detect (by someone who is looking for it) and very traceable.
Compromise the CA (and possibly the pinned certs) and the keys to the bank are yours. No need to spend all that pesky time crunching numbers, factoring etc.
The most frightening thing to this is there is no good, widespread alternative...
Schneier told people to use Tor to avoid the NSA[0]. Telling people to use Tor when Tor offers almost no anonymity guarantees against a global passive adversary (which the NSA almost certainly is) is not good advice at all. In fact, it's actively harmful since it both gives people a false sense of security and instructs them to wave a giant red flag saying I HAVE SOMETHING TO HIDE.
Agree. The notion that they can break ECC but not RSA
1) means they're suggesting insecure algos for protecting top-secret data and know it
2) doesn't fit with the hints that maybe lots of traffic is being decrypted through some mathematical breakthrough[1], because for that you'd want to break RSA, not ECC
3) just seems odd, since knowing only the public attacks, a) RSA often has the narrowest security margin of any link in the chain in deployed systems (e.g., RSA using a 1024-bit key thought to be worth ~80 bits vs. the symmetric algo using 128/256-bit keys) and b) RSA attacks, and not ECC attacks, have slowly gotten better.
[1] Not sure I believe those hints, but let's roll with the assumption.
Right, but that is the point. If you think that the NSA has some magic machine that might break one of the common encryption schemes, but you don't know which, then pick five different encryption schemes. A layered encryption scheme is only as weak as its strongest layer.
My comment was a bit hard to read. Layered encryption is not guaranteed to be only as weak as its strongest layer. It's possible for layering to enable side-channel attacks.
Politics and civil freedoms aside, I think it's fascinating that there can essentially be this black box, i.e. the NSA, that can make breakthroughs in new mathematics with only its employees and those on the outside sworn to secrecy. They obviously have brilliant mathematicians, but more brilliant than the best ones at the world's best universities or tech companies? Or are their suspected/hypothetical theoretical breakthroughs a product of the efficiency of academic thinking that comes from being under one roof, a la the Manhattan Project (which, like the NSA, obviously had more than just people brilliant in an academic sense)?
When I studied cryptography in college, our professor said matter-of-factly that the NSA is likely at least a decade ahead in terms of known mathematical breakthroughs, but perhaps he was biased toward thinking that because he was in the field during the 1970s breakthrough that Schneier mentions. It seems more feasible that the breakthrough is in engineering and technology, but hey, I guess it's good to know the boundaries of mathematical reasoning can be pushed (hopefully, those gains will be available to the rest of the world for non-spying means).
edit: Case in point, Schneier's 2007 post that's now on the front page
Schneier describes a random number generator, released as the standard by the U.S. government, that he concludes was likely back-doored through NSA intervention. This hypothesis was made by two independent researchers in the previous months, and others had suspicions a year before. My point being: in terms of open encryption standards, it's very amazing that the NSA (or any private entity) can make a purely mathematical breakthrough that's well-ahead of the field.
As Schneier says, the difference is that the NSA guys get all the breakthroughs in the public sphere PLUS all the breakthroughs they have privately, so they will ALWAYS be at least as far as the public, and most likely further.
Also, they might not have the most brilliant mathematicians, but private companies don't have the interest in using their math expertise to break encryption. There are more lucrative ways to exploit great math ability.
Universities may have more of an interest in advancing cryptography research, but they can't match the budget nor focus of the NSA.
Agreed. One advantage the NSA has is it can pay some of the best mathematicians to be full-time pure mathematicians. There are very few mathematicians that have the opportunity to do something like that -- even professors have to teach a few classes. I imagine it's a powerful draw to top talent and gives them the ability to spend more time on a problem than most others.
You would be recognized inside the NSA, a large technical population.
In addition, as with the CIA and other clandestine US government organizations, they appeal to patriotism and helping the national interest. That appeal seems to be fraying somewhat lately for the NSA.
Though I have no first-hand knowledge, I was under the impression that organizations like the NSA have internal peer-reviewed journals that their mathematicians can "publish" in, while remaining classified and unavailable to the public.
I have a friend who interned with the NSA in high school. Although what he did is classified, he was allowed to say that his work got published internally.
This is basically just a small step worse than many professions. Once you hit the pay wall on journal articles you want to read, how many people pay to go through?
Not everyone works for public recognition. There are enough people who are willing to work on neat problems in exchange for plenty of money who are also willing to forgo public recognition.
Never is a long time, in a decade or two you might be. BUT either way, some very brilliant NSA mathematicians know what you came up with and so do you. That's enough for a lot of people.
The most common estimate I've seen is that the NSA has 600 mathematicians. I'd not be at all surprised if, for the areas of mathematics the NSA cares about, that is more than the total for the top 100 universities in the world.
I've also read that the work environment for mathematicians there is very much like a research university. They do their research, write papers for internal publication, give and attend seminars, and so on--and they don't have their research interrupted by someone asking them to teach calculus to freshmen, and without having to worry about impressing a tenure committee to avoid years and years of bouncing between temporary positions.
The combination of a very large number of people, and a pretty nice environment that lets those people throw themselves fully into research makes it plausible that they do make occasional significant breakthroughs.
You can crack into any system with 30 billion dollars at your disposal. People are always the weak link. Most of the revelations of late suggest a "paid backdoor" rather than a mathematical backdoor or a technical backdoor. The old adage of "follow the money" probably leads to many backdoors here that were paid for with cold hard cash.
Yet they let one random contractor steal a ton of their secrets. What are the odds that one person out of those 35,000 who knows these secrets, if they exist, and has a conscience won't come forth and spill the magic beans?
If we stipulate the possibility of a person of conscience in that pool, can we then infer the possibility of people of "evil intent"? By that, I mean people who will attempt (carefully of course) to use NSA knowledge for their own enrichment, apart from the "accepted" goals of the NSA.
Does anyone know of any research surrounding the usage of meshnets (security-wise)? I know they are springing up in places like Chicago (I'm following the forum[0] so I can at least be conscious of the technical aspects and their implementations when I can do something like that where I live), but somehow they remain disconnected from general conversation (on HN) surrounding passive surveillance.
The security model of meshnets always seemed to me to be very similar to the original internet. I.e., to the extent there is any, the endpoints are responsible for providing it for themselves.
Here is an interesting startup idea that may be a step towards a solution.
Set up an organization that gives a tick of approval similar to ISO quality standards but for NSA-free software. It would involve selling your logo to businesses that meet a defined list of processes and practices to harden their software against third-party spying and security flaws.
Then you can perform audits and sell your logo on a yearly basis to businesses around the globe.
I misread your post as saying >iOS quality. I'm not sure what that would mean; however, I was about to post saying good luck getting that onto the App Store.
Wow, I disagree with him about the relative security of RSA vs. ECC. First, ignoring any clues from NSA's behavior entirely, RSA attacks have gradually gotten better, and an RSA/DH-based system with 256-bit security would be very slow (3072-bit RSA keys).
Second, I really doubt NSA's recommendations for Suite B algos are head fakes, because the public justification for them makes sense and head faking doesn't. US and allied governments can't use secret algorithms everywhere, and their systems need to talk securely. And they seem to actually be using Suite B, so it would be an expensive, risky head fake to standardize your whole government around something you know can in principle be cracked (even if you think only you can currently do it). On the other hand, I think it doesn't matter to NSA much if Suite B reveals that NSA thinks 521-bit ECDH is OK; notice how it hasn't led to ubiquitous ECDH usage.
2.5th, if all the latest hints mean they're breaking tons of real traffic with a mathematical breakthrough, it's got to be in implementing RSA cracks, because most real traffic isn't using ECC. (Schneier admitted that might be possible when a "crypto breakthrough" claim came out early last year: http://www.schneier.com/blog/archives/2012/03/can_the_nsa_br...)
But there is at least one way to deal with an unresolvable uncertainty about which of two algos is badly broken. For secure one-to-one communications, you only need to establish a secure session once, then keep a secret key stashed for secrecy and authentication (auth through MACs or authenticated encryption, not signatures). So just frickin' use both: do two key negotiations, hash the results to get your key, and don't worry how slow it is because chips are fast and you only need to do this once.
Anyway, I do echo Schneier that the math is probably not the weakest point; it's consistent with experience in the world outside, where there are far more bugs and so on than algorithm failures (though algo failures happen, e.g., the 2008 MD5 SSL break). And it's consistent with all the other NSA leaks, which are mostly about non-cryptographic ways to data. Regaining some privacy looks like a long and difficult process.
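The "do two key negotiations, hash the results" idea from the comment above, worked through as an added example (my code, not anything from the thread or from Schneier): X25519 (RFC 7748 ladder written out inline) plus a textbook-RSA key transport at a demo-size modulus, with both shared secrets fed through HKDF-SHA256 and the transcript of every public value as context, so recovering the session key requires breaking both mechanisms. All function names are mine; the 512-bit RSA modulus, unpadded RSA and the non-constant-time Python ladder are demo choices, not a recommendation for either primitive.

```python
import hashlib, hmac, math, secrets
P = 2**255 - 19  # Curve25519 field prime

def x25519(scalar: bytes, u: bytes) -> bytes:  # RFC 7748 ladder; NOT constant-time
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") % 2**255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P; aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _prime(bits: int) -> int:  # random probable prime, 24 Miller-Rabin rounds
    while True:
        n = secrets.randbits(bits) | 1 << (bits - 1) | 1
        r = ((n - 1) & (1 - n)).bit_length() - 1; d = (n - 1) >> r   # n-1 = d*2^r
        for _ in range(24):
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1): continue
            for _ in range(r - 1):
                x = x * x % n
                if x == n - 1: break
            else: break            # witness found: n is composite, try another
        else: return n
def rsa_keygen(bits: int = 512):  # textbook RSA (no padding!) at demo size
    while True:
        p, q, e = _prime(bits // 2), _prime(bits // 2), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # ((n, e), d)

def combine(ss_x25519: bytes, ss_rsa: bytes, transcript: bytes) -> bytes:
    # HKDF-SHA256 over BOTH secrets; the transcript as info binds every public value
    prk = hmac.new(b"hybrid-x25519+rsa-v1", ss_x25519 + ss_rsa, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()

def hybrid_session():  # Alice and Bob run both negotiations -> (alice_key, bob_key)
    base = (9).to_bytes(32, "little")
    a_priv, b_priv = secrets.token_bytes(32), secrets.token_bytes(32)
    a_pub, b_pub = x25519(a_priv, base), x25519(b_priv, base)   # exchanged in clear
    (n, e), d = rsa_keygen()                                      # Bob's RSA key
    r = secrets.randbelow(n); c = pow(r, e, n)                    # Alice -> Bob: c
    transcript = a_pub + b_pub + n.to_bytes(64, "big") + c.to_bytes(64, "big")
    k_alice = combine(x25519(a_priv, b_pub), r.to_bytes(64, "big"), transcript)
    k_bob = combine(x25519(b_priv, a_pub), pow(c, d, n).to_bytes(64, "big"), transcript)
    return k_alice, k_bob
```

Because the transcript is part of the derivation, an attacker who swaps in their own public value on either channel ends up with a different key on the two sides, which is then caught by the first MAC check.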
If you're a brilliant mathematician who has made a breakthrough in breaking cryptography, wouldn't you want to make a deal with the NSA? Reveal breakthrough in return for more knowledge.
Well, on those feet, I'd ask for money, not knowledge. That has the advantage that the NSA may actually accept the deal, instead of just blackmailing me (or worse).
That is, if I wanted to make any kind of deal with the NSA.
Why would you expect a lawless organization like this to actually pay you?
It might just be easier for them to say "Thanks, but we already knew that, and by the way that's ultra classified so we'll give you the option of a clean suicide."
The money isn't the issue. The issue is that once you disclose the algorithm, your continued existence can then only represent future nation-state levels of liability.
The NSA is but one of several massive spy operations under the Pentagon. It's not even the best funded. Several of them are ones most people have never even heard of. I'd say that qualifies as 'faceless'.