That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?

Fresh revelations from whistleblower Edward Snowden suggest that the NSA can crack TLS/SSL connections, the widespread technology securing HTTPS websites and virtual private networks (VPNs). Although reports from the New York Times and its allied publications held off on the specifics, it may all mean that US spooks can …

COMMENTS

        1. Charles 9

          Re: OMG, the laziness!

          But then again, how can Alice be certain she's meeting Bob and not Eve posing as Bob (and before you bring it up, Eve's a tomboy and an expert male crossdresser)?

          The most difficult part of a secure conversation is STARTING it, because that requires a level of trust. Thing is, how do you do that in a DTA environment: one where anyone you meet could be the enemy?

      1. Matt Bryant Silver badge

        Re: Don Jefe Re: OMG, the laziness!

        "......So, what is wrong with a book cypher?" The first problem is letting people know which book you are using without telling those you don't want to know. That usually means you have to have some other form of secure comms first, such as a pre-arranged list of books for each date that is handed to you. The second is that your book "ages" - you only have so many options for many words in the average book, so you have to change books after a period to defeat statistical pattern analysis. Another problem is you really have to make sure you have identical books - even different editions from the same publisher could have different page layouts and wording. And the last big problem is if the listeners suspect you are using a book cipher and they capture a suspect with only one book in his possession then it's pretty much game over.

        The availability of digital downloads of books on the Internet gets round most of the problems, especially as you can carry literally hundreds of e-books in one device or not even download the e-book until required, but does not get round the problem of the secure transfer of the initial list of books.

        1. Anonymous Coward

          Re: Don Jefe OMG, the laziness!

          Oh my dear Matty boy.

          Did it ever occur to you that the gubbermints have enormous libraries of digitized books at their disposal? The Americans allegedly built the best Arab dictionary/lexicon. Not the University of Cairo or something similar.

          The entire corpus of human-written text easily fits into a large storage array these days, complete with all sorts of indices on the text.

          So your "idea" is either an evil attempt to trick people into the hands of the waterboarders and little-box-lockers, or you are simply not that smart. Mr Occam points to the last option.

          1. Matt Bryant Silver badge

            Re: Duck Ar5h0le Re: Don Jefe OMG, the laziness!

            ".....Did it ever occur to you that the gubbermints have enormous libraries of digitized books at their disposal?....." You obviously did not understand how a book cipher works. You have to have the exact edition of the book. You can have a library of millions of digitised texts, and even if you run the code by checking all the books, if you have the wrong edition of the book you still get back garbage. If the book is a translation of the original you again get back garbage. The chances of the NSA having every edition of every book on earth in every possible language are simply silly, it would require more storage and computational power than even the PRISM project, many times over. Please try thinking before typing.

            "....Mr Occam points to the last option." I suggest you stop talking to Mr Occam and loosen up the tinfoil.

  1. Sureo

    It's amazing....

    It's amazing what a lot of smart people can do, with a nearly unlimited budget. Now if they were to put their efforts to some of these problems instead:

    - pollution

    - overpopulation

    - cheap clean energy

    - global peace

    - etc

    I despair.

    1. Anonymous Coward

      Re: It's amazing....

      Yes it sure would be nice to prioritize where all that money is actually going.

      Unfortunately, breaking world crypto to prevent some unknown number of dangerous, mysterious hooligans from disrupting world commerce and the American way of life (with little to no proper cost-benefit analysis) is way more exciting and fun. So far, that has been the backdrop of the 21st century, with little or no relief in sight.

      Now it looks like those banking systems we thought were keeping us all safe aren't so safe anymore.

      EPT providers and bankers must be shitting themselves right now.

      What will happen to all those electronic trillions that have been keeping us afloat?

      But going back to cash and barter will fix that soon enough. Then we can just wait for the next Robespierre to show up.

    2. Mr Young

      Re: It's amazing....

      Don't despair - I'll go for cheap clean energy for starters

  2. Anonymous Coward

    Curve25519

    Roll on Curve25519!

    http://cr.yp.to/ecdh.html

  3. ridley

    "it is better to kill 100 innocent people than let one guilty person live" Vladimir Lenin

  4. Anonymous Coward

    Seems self-evident that they would, wouldn't they?

    We might not like it, but no-one should be surprised that the NSA can break commonly encrypted sessions like TLS/SSL should they? I mean, that's their job and to not do so would instantly make this week's Bad Guys immune from electronic eavesdropping.

    The scandal is not, repeat not that the NSA are l33t crypto haxx0rs. Nor is it that they have injected backdoors into some systems. (We've all known for a long time that the only good crypto is open crypto. I trust the mathematics of AES even if I suspect that the NSA know that by wiggling the flux capacitor just so on the dilithium crystals it can be made to reveal information. That is not a problem with AES so much as implementation.)

    The scandal is that the NSA is vacuuming up every piece of communication whether it relates to an investigation or not. Fourth Amendment be damned. Let's not get our panties in a twist about the NSA being good at their job and instead shine a light on what they truly think their job is.

  5. FuzzyTheBear

    Really ..

    To think even for a second that the spooks will let you put your hands on a cypher they cannot break is totally juvenile. The moment they find messages they cannot break you will see black helicopters move. Military grade encryption and civilian grades are two things. If they can't break it, it's a direct threat to the security.

    At the least, someone is mighty interested in keeping the message a secret. Raises eyebrows, don't you think?

    We all know the net is compromised 100%. Thanks Edward for confirming. A true American Hero (Capital H)

    1. Charles 9

      Re: Really ..

      So why haven't they done anything about quantum encryption, which if performed properly is provably secure by science (the flaws in it have come from implementation flaws, not in the fundamental theory)? Unless you're saying the NSA has defied international science (including science outside US control) and created a way to break Quantum Key Distribution undetectably.

  6. Version 1.0 Silver badge

    The sky is falling?

    "That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?"

    Yes - it's been chicken salad for a while.

    1. Anonymous Coward

      Re: The sky is falling?

      Any references?

      1. Charles 9

        Re: The sky is falling?

        Wiki covers the subject pretty well.

        http://en.wikipedia.org/wiki/RC4

        And relax, it's full of citations where you can get further information.

        In a nutshell, RC4 has flaws that reveal key information about the plaintext in the cyphertext. Using that, one could reconstruct the plaintext with some patience (or access to a cloud because RC4 usually doesn't have a lot of bits). Klein's attack, for example, could analyze the cyphertext from a bunch of WEP-encrypted frames and use them to recover the WEP key. Since it could be done over the air and in a short amount of time, WEP was essentially no good anymore.

  7. John Sanders

    So after all this is why the huge push towards SSL vpns.

    Because that way the spooks can get their hands on the data.

    1. Anonymous Coward

      Re: So after all this is why the huge push towards SSL vpns.

      Except that the US military use https, too. They have their own CAs, of course, and will purge all the commercial CAs for their internal use.

      https does not necessarily need RC4. You can run it with RSA+AES, for example. Or DH-3DES.

      You are either a shill or Idiot Chicken Little.

  8. kneedragon

    I should be good and read every comment, but after 15 min... Can't say I told you so, because I didn't, or not so you'd have heard me, but I realised twenty years ago that networks are watched, and that Windows is not secure, and even if you have an open source system, you're only secure as long as nobody really wants in. I started to study computers and networks at a tertiary level in the mid 90s, and we were told, by lecturers, security is relative. If you have something they want, and they have the resources to get it, they can, and sadly, there are a number of things you can do to make it a little more difficult for them, but you can't stop them, and in part, all you do by going to big trouble over security and encryption, is highlight that you have something to hide. The fact that you've employed strong encryption is a red flag. "Be good, be honest, be law abiding, but above all, if you can't do that, then do any and all your mischief AWAY from any computers. You can make computers somewhat secure, but that's all."

    I did get very suspicious about Microsoft, when the entire weight of the US government seemed to be about to come down on them over anti-trust... and then it all just went away, like they'd come to some agreement...

  9. Otto is a bear.

    The Guardian's version

    I read the Grauniad's version of the article, railing against the fact that security agencies have broken standard internet encryption techniques, and how this was an affront to liberty, the end of the internet as we know it, a green light to criminals to do it, on the premiss that once you know something is possible, it's a lot easier to do.

    But hang on, until the internet it was not possible for ordinary citizens to seriously encrypt their communications, and if law enforcement, or the security services wanted to intercept it, they needed a warrant. The security services still monitored random telephone and radio chatter, obtaining a warrant if they needed a close look. This is still what they do, but there is a hell of a lot more chatter to monitor, so methods to monitor it have had to be developed, and as a society we need our security services to do this.

    The Grauniad thinks that the argument of criminal or terrorist use is a smoke screen, but both terrorist and criminal organisations spend money on breaking encryption, and it's recognised by security vendors that there is a war going on to keep encryption secure, thus as soon as one method is broken, a new one must be released. Breaking encryption is hard, it's much much easier to compromise the endpoints.

    Here's the thing: do you want criminals and terrorists to be able to communicate in total secrecy, safe from the prying eyes of governments? Do you want people to be able to organise a riot through BlackBerry? No, I thought not, you can't have it both ways. I live in a safe democracy, sadly, like all things these technologies can be used by totalitarian states as well. In democracies the state apparatus can't and won't afford the kind of surveillance manpower needed to watch everyone, in a dictatorship, they can afford the manpower. Your communications in the UK, USA and in fact all the major democracies are as safe as they ever have been, unless you start talking about pulling off major coke deals, or blowing up bits of the government.

  10. ecofeco Silver badge

    Like a guy once said...

    Green singles out weakening the integrity of SSL as the gravest violation of privacy; the NSA reportedly blows $250m a year working on just that.

    ...did you really think the military was spending $600 on a single toilet seat?

  11. Peter Fairbrother 1

    Some misunderstandings here.

    First, the $280 million budget of the BULLRUN "dirty tricks" program does not include the cost of the "advanced cryptanalytic capabilities" NSA is developing. We don't know exactly how much NSA are spending on that, but the combined NSA and US armed forces cryptanalytic budget is said to be just over $10 beeeelion.

    RC4? well, it ain't that great but - the NSA have lots and lots of encrypted traffic they want to decrypt. It comes in chunks called sessions - roughly, the time you "are connected to" a single website - and each session has a different key.

    If the NSA had a method to break RC4, they would have to break it again and again for each session. That's a huge amount of work. There are some other problems too, about obtaining the needed plaintext - you can't expect to break a RC4 session key from just examining the ciphertext, there isn't enough of it. You need a crib. Not impossible, but again it's a lot of work.

    It would be far more effective to attack the mechanisms by which the session keys are set up - mostly RSA, though people sometimes use ECDHE instead. The big websites only changed their RSA keys every couple of years. Break one of those and you can easily calculate several million, or even several billion, session keys.

    Personally I think they may well have found a method to break RSA - each break might be expensive, but as I said they can get millions of session keys from a single break. They may have a method to break, or partly break, ECDHE instead or as well, but my money is on RSA.

    And it doesn't have to be RSA-2048 either - there are petabytes or more of old ciphertext which NSA would love to decrypt, collected over many years, which was protected by RSA-1024. Heck, until a few weeks ago the vast majority of internet SSL/TLS sessions were only protected by RSA-1024 or equivalent. I think it's still well over 50%.

    1. Anonymous Coward

      Re: Some misunderstandings here.

      How do you know all of this? Extreme Conjecture or what?

  12. Anonymous Coward

    It's all good

    I hope the NSA and other government agencies working to protect the citizens are able to crack all encryption schemes. It's in the public's best interest and security.

  13. Berge

    RE: CIA cracking encryption

    Hate to tell you this, folks, but it is a certainty that any system of encryption that is sold in the US is automatically breakable by some agency (presumably, one that spies on people regularly, and not, say, the Dept. of Transportation) in the US government. That is because it has long been literally a federal crime to sell an encryption system in the US that our feds can't crack.

    I learned of this back in the late 1990's when a small company was put out of business before it was barely off the ground, because the two who started it had come up with an "uncrackable" encryption system. They were about to launch, with a demonstration at a conference on internet security that was being held overseas outside of the US. They were contacted by the CIA/NSA and told they couldn't present, as our/my government couldn't crack their code. And, they couldn't sell it, either, as they were US citizens. Their company went bankrupt. However, the kicker in the story is that they found out about five years later that the US govt. already knew how to crack their encryption system when they were told they couldn't sell it - the Feds didn't want other countries to know that the US already had the capacity to crack that level of encryption.

    By the way, there is really little that Mr Snowden has revealed about the level of surveillance that the US govt. routinely carries out that wasn't established in (an apparently little-read) book on the NSA entitled "The Puzzle Palace." Though it was written several decades ago, it lays out the very broad jurisdiction that the US Congress gave the NSA to monitor any information entering or leaving the US. Those powers started pre-internet (during or just after WWI, actually), with (snail) mail and telegraphy. The book goes on to detail how those powers had been sequentially extended to include any and all electronic communications which crossed the borders of the US. Since satellites are well outside of the boundaries of the US, any data (then, phone and TV/radio broadcasts) that were relayed via satellite were deemed fair game for US govt. interception by the US courts. It doesn't take much imagination to realize that some court or another later included internet traffic.

    As for the collection of internet addresses of individuals that corresponded with reporters for the Washington Post, again, the book mentioned above indicated that agencies like the FBI have long had the right to intercept the mail to or from any US citizen, and record the names, dates, and addresses with whom the person was corresponding. They couldn't open/read that mail without a court order, nor could they substantially delay the delivery of that mail. As above, I can't imagine a court not allowing the extension of the concept of recording snail mail addresses to recording email addresses.

    This is also undoubtedly the reason that the US govt is being allowed to slurp up yottabytes of raw email traffic, with attached email addresses, and then being allowed to run electronic database queries cross-correlating patterns of communication, with the goal of finding patterns that are suspicious. The "key" word or phrases they are cross-correlating aren't known to belong to any specific person or address at the time that they are being searched - the search is for a statistically significant "outlier" in the reams and reams of data - so it could (and probably was) argued that no one person's rights are violated. And, as it's for the goal of national security, in the post-9/11 world, it's all likely fair game at this point, the Constitutional niceties be damned.

    By the way, I didn't glean information on how literally billions of dollars of money appropriated for national security was siphoned off for the construction of several (seven, I believe) massive electronic data-slurping edifices from secret files. See the story in Wired magazine from about a year ago.

    One nice thing about being over 60, and a nerd/geek before it was a compliment to one's intellect, and having taken the time to read over the years, is that there is really not much that is fundamentally new. Details change, technology gets more complicated, but the basic players, and their goals and strategies remain the same.

    "The Puzzle Palace" is still a great read, by the way, for those who want to hone their paranoid instincts. For instance, when the President signed the law that established the NSA, the name of the agency wasn't allowed to be printed in the document that he was signing - its presence was divulged on a need-to-know basis, and he was not considered to have to know. Until the 1970's it was illegal for any publisher in the US to publish anything that named the agency. A head of the CIA (Admiral Stansfield Turner, if I recall correctly) had also been head of the NSA for a time - asked to compare the two agencies (the existence of the NSA had been revealed by then), he reportedly stated that the budget of the NSA "dwarfed" the budgets of the CIA and FBI combined. When IBM was estimating its computing power in hundreds of square yards, the CIA was estimating its computing power for Congress in terms of acres.

    Happy dreams.

  14. Shaha Alam

    I don't get it

    Any other organisation that conducted themselves in this way would be branded as criminal and investigated.

    What's the difference here?

  15. fLaMePrOoF

    "What the NSA appears to have done is circumvent or nobble the software and hardware that underpin widely used encryption systems, rather than all-out breaking the mathematical foundations of modern-day cryptography."

    This puts the US / UK attitude towards Huawei & other Chinese firms in an interesting perspective...

    It may be that western spooks aren't so much concerned with China's ability to compromise Chinese built kit, but rather THEIR INABILITY to compromise it...

  16. Anonymous Coward

    Scared Chickens

    First, where is the proof? This article is full of incoherent, unrelated arguments mixed together into an ugly stew.

    I am still not convinced RC4 has been broken. If I have something which I need to hide from NSA/GCHQ, sure as hell I will not use RC4. I will use something like RC4+MyFeistel. With MyFeistel being a cipher of my own invention, not being published.

    1. Anonymous Coward

      Re: Scared Chickens

      Read

      http://en.wikipedia.org/wiki/Feistel_cipher

      Mr Feistel was a great man, as you can instantly convert any (nonlinear) function into a cryptosystem without much effort. If you know how to make "good" hash functions, you can use the Feistel ladder to quickly build something very secure. E.g. H(x)=RandomTableOfValues.

      Then a quite strong Feistel function would be

      F(32bitsinput) = RandomTableOfValues(32bitsinput & 0xff) ^ RandomTableOfValues( (32bitsinput >> 8 )& 0xff) >> 1 ^ RandomTableOfValues( (32bitsinput >> 16 )& 0xff) >> 2 ^ RandomTableOfValues( (32bitsinput >> 24 )& 0xff) >> 3 ^ SecretKey

      RandomTableOfValues being a list of 256 random 32bit integers. Like the fraction of PI or the Euler Number. Or what your dice says.

      Mr Feistel is probably their biggest Nemesis. Ironically, he was paid by USAF to invent this.
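As an added illustration of the construction this comment sketches (not code posted by the commenter), the following builds a 64-bit Feistel cipher around that exact round function: four table lookups shifted by 0 to 3 bits, XORed with a subkey. The 256-entry table, the 16-round count and the key schedule are constructed assumptions; the point shown is that F itself is not invertible, yet the Feistel structure gives a cipher that decrypts exactly.

```python
"""64-bit Feistel cipher built around the table-lookup round function the
comment above sketches. Added example, not the commenter's code; the table,
key schedule and round count are constructed here."""
import random
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 16

# Stand-in for the comment's RandomTableOfValues: 256 random 32-bit words.
# The comment suggests digits of pi or dice; a seeded PRNG is used here so the
# example is reproducible. In practice the table would be a fixed constant.
_rng = random.Random(2013)
RANDOM_TABLE = [_rng.getrandbits(32) for _ in range(256)]


def round_function(half: int, subkey: int) -> int:
    """The comment's F: one lookup per input byte, shifted 0..3 bits, XOR key.
    F is not invertible and need not be: a Feistel round is undone by
    recomputing F on the half that the round left untouched."""
    t = RANDOM_TABLE
    return (t[half & 0xFF]
            ^ (t[(half >> 8) & 0xFF] >> 1)
            ^ (t[(half >> 16) & 0xFF] >> 2)
            ^ (t[(half >> 24) & 0xFF] >> 3)
            ^ subkey) & MASK32


def key_schedule(key: bytes) -> list:
    """Constructed schedule: expand a 16-byte key into ROUNDS subkeys by
    chaining the key words through the table (the comment leaves this open)."""
    w = list(struct.unpack(">4I", key))
    for i in range(ROUNDS):
        w.append((w[-4] ^ RANDOM_TABLE[(w[-1] + i) & 0xFF] ^ i) & MASK32)
    return w[4:]


def _feistel(block: bytes, subkeys) -> bytes:
    left, right = struct.unpack(">2I", block)
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Swap back so the same loop with reversed subkeys is the exact inverse.
    return struct.pack(">2I", right, left)


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key)[::-1])


def avalanche(block: bytes, key: bytes, bit: int) -> int:
    """Ciphertext bits that change when one plaintext bit is flipped; a sound
    block cipher changes about half of the 64."""
    flipped = (int.from_bytes(block, "big") ^ (1 << bit)).to_bytes(8, "big")
    c1 = int.from_bytes(encrypt_block(block, key), "big")
    c2 = int.from_bytes(encrypt_block(flipped, key), "big")
    return bin(c1 ^ c2).count("1")


if __name__ == "__main__":
    key = bytes(range(16))          # constructed demo key
    plain = b"Feistel!"             # one 8-byte block
    cipher = encrypt_block(plain, key)
    print(cipher.hex(), decrypt_block(cipher, key))
    print("bits changed by flipping plaintext bit 0:", avalanche(plain, key, 0))
```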

    2. Daniel B.

      Re: Scared Chickens

      RC4 has enough attacks against it that it is no longer considered "really secure" by cryptanalysts. It is probably why FIPS 140-2 doesn't have it within its approved ciphers anymore. The best bet would be to use SSL with AES/GCM but the GCM part isn't quite supported by everyone yet ... still, AES is still a much better bet than RC4 anything or 3DES anything.

      1. Anonymous Coward

        @Daniel B: 3DES, Really?

        I know that the first few thousand bytes from RC4 can be used to infer the RC4 internal state, which is somewhat serious. You could still discard the first couple of thousand bytes, though.

        Your claim that AES is "better" (in which ways?) than AES is highly dubious, though. Afaik, there are no real break-ins to DES known, except for exhaustive keyspace iteration. That one is lame, as 3DES has a keyspace of 112 bits. Too much for anyone on the globe, as the sum of all global electricity generated would not be enough to compute in hundreds of years. DES was purposefully weakened to 56-bit keyspace, but the general design is still excellent.

        1. Anonymous Coward

          Re: @Daniel B: And

          There are rumours the German gubmint uses a DES-like cipher for their diplomatic cipher activities.
