On 06/09/13 13:55, Martijn Grooten wrote:
> On Fri, 6 Sep 2013, Philip Hudson wrote:
>> Dancing around saying clearly whether PGP has been cracked or not.
>> What do you think? Non-tech journo so hard to tell and harder to know
>> whether to rely on his analysis.
>>
>> https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all
>>
>
> The article doesn't mention PGP, but here is Phil Zimmermann quoted
> saying that he doesn't believe PGP to have been cracked:
>
> http://wapo.st/1aaRi6r
>
> Obviously, he has a vested interest in saying this. And I don't find
> his argument that the US government still uses PGP so it can't have
> been cracked very strong: the NSA and GCHQ are pretty secretive about
> what they have cracked and I can see why it would be in the former's
> interest to be able to decrypt government documents.
>
> But Bruce Schneier, who has seen the original documents, has been
> quoted saying "math is good, code has been subverted".
>
> In other words, (most) algorithms haven't been cracked.
> Implementations have. That's the more boring version of the story, but
> even without Schneier's quote would have been the most likely one.
>
> Martijn.
>

This is completely correct - I've been reading all the latest "leaks" and commentary and it's exactly what anyone sensible would expect, i.e., formally proved maths remains invulnerable, logically so. It's *always* the implementations, the users, or another form of side-channel attack that are being utilised for the NSA's near-omnipresent abilities.

You can't break a *correctly* generated AES-256 key. Similarly, good luck fighting the second law of thermodynamics as you factor a 4096 RSA key. I'll come back after the eventual heat death of the universe and see how you're getting on (hint: you'll still not have cracked it). All the acres of specially built ASICs manned by the world's biggest team of elite mathematicians and cryptographers can't do the impossible.

Broken PRNGs (see the Debian ssh keygen fiasco), bad code (see the CRIME/BEAST ssl attacks), stupid users (reused passwords, weak phrases, poor general security), insiders (see Manning and Snowden) and massive sweeping governmental powers (CA coercion, legal bullying, forced record disclosure, SSL MITM, fibre taps, etc) are how the NSA/GCHQ do their work. They are *not* magicians!

There is an awful lot of *nudge nudge wink wink* going on as a painfully transparent attempt by the spooks to imply they have truly omnipotent code-breaking skillz, and you'd have to be a moron to fall for it. Propaganda as per usual. Proper crypto still works, bad crypto is broken: inviolable laws of maths and physics still apply even to government agencies. News at 11!

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq