Re: [LUG] OT: NSA: Do they or don't they?

 

On 06/09/13 13:55, Martijn Grooten wrote:
> On Fri, 6 Sep 2013, Philip Hudson wrote:
>> Dancing around saying clearly whether PGP has been cracked or not.
>> What do you think? Non-tech journo so hard to tell and harder to know
>> whether to rely on his analysis.
>>
>> https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all
>>
>
> The article doesn't mention PGP, but here is Phil Zimmermann quoted
> saying that he doesn't believe PGP to have been cracked:
>
> http://wapo.st/1aaRi6r
>
> Obviously, he has a vested interest in saying this. And I don't find
> his argument that the US government still uses PGP so it can't have
> been cracked very strong: the NSA and GCHQ are pretty secretive about
> what they have cracked and I can see why it would be in the former's
> interest to be able to decrypt government documents.
>
> But Bruce Schneier, who has seen the original documents, has been
> quoted saying "math is good, code has been subverted".
>
> In other words, (most) algorithms haven't been cracked.
> Implementations have. That's the more boring version of the story, but
> even without Schneier's quote would have been the most likely one.
>
> Martijn.
>

This is completely correct - I've been reading all the latest "leaks"
and commentary and it's exactly what anyone sensible would expect, i.e.,
formally proved maths remains invulnerable, logically so. It's *always*
the implementations, the users, or another form of side-channel attack
that are being utilised for the NSA's near-omnipresent abilities. You
can't break a *correctly* generated AES-256 key. Similarly, good luck
fighting the second law of thermodynamics as you factor a 4096 RSA key.
I'll come back after the eventual heat death of the universe and see how
you're getting on (hint: you'll still not have cracked it). All the
acres of specially built ASICs manned by the world's biggest team of
elite mathematicians and cryptographers can't do the impossible. Broken
PRNGs (see the Debian ssh keygen fiasco), bad code (see the CRIME/BEAST
ssl attacks), stupid users (reused passwords, weak phrases, poor general
security), insiders (see Manning and Snowden) and massive sweeping
governmental powers (CA coercion, legal bullying, forced record
disclosure, SSL MITM, fibre taps, etc) are how the NSA/GCHQ do their work.

They are *not* magicians! There is an awful lot of *nudge nudge wink
wink* going on as a painfully transparent attempt by the spooks to imply
they have truly omnipotent code-breaking skillz, and you'd have to be a
moron to fall for it. Propaganda as per usual.

Proper crypto still works, bad crypto is broken: inviolable laws of
maths and physics still apply even to government agencies. News at 11!

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
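
Added example, not part of the original message: a constructed toy model of the "broken PRNG" failure the post mentions, showing that a 256-bit key is only as strong as the seed behind it and how a defender can enumerate the weak set to audit deployed keys. The function names, the 15-bit process-ID seed and the SHA-256 derivation are assumptions made for illustration, not code from any real key generator.

```python
import hashlib
import secrets

SEED_SPACE = 2 ** 15  # assumption: the only seed entropy is a 15-bit process ID


def weak_keygen(pid: int) -> bytes:
    """Toy model of a broken generator: the 256-bit key depends only on the PID."""
    return hashlib.sha256(b"toy-keygen:" + pid.to_bytes(2, "big")).digest()


def sound_keygen() -> bytes:
    """256-bit key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def build_blacklist() -> dict:
    """Enumerate every key the weak generator can emit, as a defender's denylist."""
    return {weak_keygen(pid): pid for pid in range(SEED_SPACE)}


def audit(key: bytes, blacklist: dict) -> str:
    """Report whether a deployed key falls inside the enumerable weak set."""
    pid = blacklist.get(key)
    if pid is None:
        return "ok: not in the weak-generator set"
    return f"REPLACE: key reproducible from seed {pid}"


if __name__ == "__main__":
    blacklist = build_blacklist()
    # The key is 256 bits long, but only 2**15 distinct values can ever occur.
    print(len(blacklist), "possible keys from the weak generator")
    # Constructed sample: a key produced on a host with the flawed generator.
    print(audit(weak_keygen(4242), blacklist))
    # A key from a sound CSPRNG is not in the enumerable set.
    print(audit(sound_keygen(), blacklist))
```

The cipher and key length are identical in both cases; only the generator differs, which is why the audit checks the key's origin rather than the algorithm.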