Majority of Tor crypto keys could be broken by NSA, researcher says

Discussion in 'privacy technology' started by lotuseclat79, Sep 7, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Majority of Tor crypto keys could be broken by NSA, researcher says.

    Note: EC (Elliptic Curve) encryption patents are held by Blackberry, Ltd, formerly known as Research in Motion (RIM). The value of those patents has probably skyrocketed since the NSA revelations by whistleblower Edward Snowden.

    -- Tom
     
  2. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    ...

    "Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily."
    -Bruce Schneier
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    The question is can (if they have reason to) vs. may be able to (ref. Schneier's use of the term - more easily). Sure the NSA has massive resources, but mostly targeted toward finding the terrorist needle in the haystack that fits that profile, and collecting humongous amounts of data with their dragnet the majority of which will sit in that big warehouse in Utah for generations under cold storage.

    Given that the common computer user on the Internet barely uses anything like encryption, and that most tools are neither implemented nor hardened for end-to-end encryption, the common user is likely to never be targeted by the NSA unless their profile starts to match the characteristics shared by suspicious activities likely to be terrorist related.

    I agree with Schneier's assessment, but EC is not widely used, and Blackberry has brought many a lawsuit against commercial concerns attempting to use EC without paying the fees to license its use to Blackberry. I can just see the big $$$ in Microsoft's eyes to own those patents.

    Also, there is a technical issue regarding ECs - which EC is least amenable to being cracked, not susceptible to side-channel attacks, and the fact that EC cryptography is vulnerable to quantum computing attacks via re: solving the discrete log problem on ECs. My $$ is on the NSA getting the first real general purpose quantum computer - and then like crypto products once having been banned from export, keeping them from all users except the enterprise level corporations that cooperate with it.

    -- Tom
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    See recent posts by Nick Mathewson in tor-talk at -https://lists.torproject.org/pipermail/tor-talk/2013-September/author.html
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    ...which ultimately means everybody and everything, when you take into account how the word terrorism has been totally hijacked to mean any dissent whatsoever to big brother's purposes. All this really points to a total dictatorship.
     
  6. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    599
    If they design most security and cryptography systems, what makes you think they can't crack them?
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It is possible to design crypto that one can't crack. Indeed, anything that one can crack is inadequate. That's NSA's major sin. And it (or its precursors) have been sinning in that way for over a century.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know if it's ever possible to design crypto that can't ever be cracked. That implies a system where infinite inputs equals infinite outputs with an inability to determine the output or input from either side.

    Just not sure if that will ever exist, or if it even can exist.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It seems to me that encryption could be made much harder to crack. With most conventional encryption, if you try to use a wrong password or key, the decryption process fails completely. What if instead of producing no decrypted output, it produced gibberish or something that still looked like encryption when a wrong key was used. Think in terms of a letter or character substitution cipher for the outer layer of encryption.

    I'm thinking of 2 layers of encryption. The first encryption is conventional strong encryption. Then take the encrypted output and apply a letter/character substitution cipher, or shift each character by a specific amount. There'd be no way to determine if you'd successfully cracked the first decryption when the output still looks encrypted whether you got it right or not.
     
    Last edited: Sep 8, 2013
  10. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    599
    whatever...who cares if AES is going to get cracked by 2018? We will start using stronger encryption before 2018 which by 2018 will not be cracked.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Well, it'll take more than a few years for new encryption algorithms to be accepted and widely supported. Maybe switching to an existing alternative will work, but nothing's fool-proof, especially after crackers already know them.
     
  12. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I am going to continue using Blowfish... you know, the encryption that's still not broken. Ignoring the fact that reverse psychology captures a lot of silly people.
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    90 percent of Tor keys can be broken by NSA: what does it mean?

    Related article: Tor is still DHE 1024 (NSA crackable).

    -- Tom
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've just read a post by Gregory Maxwell in tor-talk that supports Bruce Schneier's assessment that ECC may be backdoored by the NSA. It's at -https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html Rather than attempting a summary, the bulk of the post follows.

     
  15. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    As far as everyone in academia knows, Twofish, Serpent, and Rijndael haven't been broken either.

    Also...

    "There weren't enough alternatives to DES out there. I wrote Blowfish as such an alternative, but I didn't even know if it would survive a year of cryptanalysis. Writing encryption algorithms is hard, and it's always amazing if one you write actually turns out to be secure. At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead."
    -Bruce Schneier, 2007
     
  16. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I only say Blowfish because it's been out a long time. It's also being ignored by a lot of government entities because why break something so old when most people are moving onto the new stuff; more important to target those.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    Speculation. Anybody know for sure? :)
     
  18. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    I actually think your second sentence gives more of a reason to use Twofish. Blowfish is arguably more popular and has seen wider usage. I don't think being around just 5 years longer makes up for the fact that if you're just going on "most people are using something else", then Twofish may actually have the "less widely used" edge.

    Then you've got the lead designer of both of them specifically recommending the one over the other.

    Either way, if you still insist on what Schneier considers his inferior cipher, at least use a truly random number generator and avoid the known weak keys. :doubt:
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Rilla927 said in this (closed) thread (emphasis mine) ... "NSA Can Crack TOR Encryption"

    The heading from the link given was then titled " Snowden files : NSA can crack almost any Encryption including Tor anonymity network"

    What a difference one word makes. It doesn't help when one is trying to separate the facts from speculation.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Nothing in that statement describes Blowfish as inferior. IMO it describes Blowfish as proving to be far better than he ever expected. Surviving 20 years unbroken speaks for itself. Twofish may be newer but that doesn't prove it to be better. That said, I'll take either one over AES. After the last round of revelations, there's no way I'd use anything that was ever recommended by the NSA. There's no way they'd recommend something that they can't defeat.
     
  21. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    So Bruce is just surprised people still use Blowfish because he thinks it's a dumb name? And he recommends something else not because it's theoretically more secure, but because it's exactly the same?

    Yes that makes a lot of sense.

    That's not an opinion. He admitted that. Simply doing better than he expected says nothing about it being better than his later cipher.

    And surviving 15 years (under arguably more scrutiny, including an AES competition) doesn't?


    No one said it did. That is what we who practice logic call a "straw man". No one said Twofish simply being newer is what makes it more secure.

    a) The AES competition was an open, public affair. All the candidates were vetted by the cryptographic community, and the final selection was proposed by NIST before going through a three-month public review prior to being formalized as AES. The NSA basically recommends AES by default. That's the whole point of an "Advanced Encryption Standard." You make it sound like the agency created some cipher in secret and then just put it out there and said "everyone use this."

    b) The NSA recommends AES for its own government's secrets. The entire government is using the standard to encrypt their data...128 bit for up to the SECRET level, and 192 or 256 for TOP SECRET. Continuing to endorse the standard if they could break it would mean the government was knowingly putting all of its secrets at risk. I doubt that would be the case. As Schneier said, they would essentially have to be willing to sacrifice their own secrets to perpetuate such a false belief (that AES couldn't be broken when it actually could). That's a pretty big gamble.

    c) As I linked the last time you were making claims about AES and Blowfish and Twofish, Schneier himself recommends AES.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, he does:

    -https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
     
  23. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Have I ever said anything wrong here? ;)

    But that is a good catch, as it's likely the latest reiteration of his confidence in the cipher (and one which I hadn't seen yet). (It's also nice to see he's back responding to comments again.)


    On a related note, getting back to the OP and elliptical curve:

    Hanno: "I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that."

    Schneier: "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right, like P-256r's seed being "c49d360886e704936a6678e1139d26b7819f7e90", as Gregory Maxwell noted in the tor-talk post that I quoted.
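    As an added illustration (editor's example, not code from the thread or from any of the projects mentioned), the following Python re-runs the ANSI X9.62 / FIPS 186-4 "verifiably random" derivation for NIST P-256 using only hashlib and the standard's published p, b and the seed quoted above. It shows what the seed does prove (b was derived from SEED through SHA-1, so b was not chosen freely) and what it cannot prove (how the 160-bit SEED itself was chosen), which is exactly the gap behind the "I no longer trust the constants" concern.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186-4 (D.1.2.3).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# The seed quoted in the thread (FIPS 186-4 lists the same value for P-256).
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """X9.62 A.3.3.1: expand a g-bit SEED into the integer c using SHA-1.

    c is built from the rightmost h bits of SHA-1(SEED) (with its top bit
    cleared so that c < 2^(t-1) <= p) followed by s further SHA-1 blocks of
    SEED+1, SEED+2, ... taken modulo 2^g.
    """
    g = len(seed) * 8                 # seed length in bits (160 for P-256)
    t = p.bit_length()                # 256 for P-256
    s = (t - 1) // 160                # number of extra SHA-1 blocks (1 here)
    h = t - 160 * s                   # bits kept from the first hash (96 here)
    c0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << h) - 1)
    c0 &= (1 << (h - 1)) - 1          # W0: clear the leftmost of the h bits
    w = c0
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return w


def seed_explains_b(seed: bytes, p: int, b: int) -> bool:
    """Verification step of X9.62: with a = -3, b must satisfy b^2 * c == -27 (mod p).

    True means b is the value the seed determines; False means b (or the seed)
    was tampered with. Passing says nothing about why this seed was picked.
    """
    c = derive_c(seed, p)
    return c % p != 0 and (b * b * c + 27) % p == 0


if __name__ == "__main__":
    # Constructed tamper case: flip one bit of the seed and re-check.
    tampered = bytearray(P256_SEED)
    tampered[0] ^= 0x01
    print("published seed explains b:", seed_explains_b(P256_SEED, P256_P, P256_B))
    print("tampered seed explains b: ", seed_explains_b(bytes(tampered), P256_P, P256_B))
```

    The check only ties b to the seed; the seed is an unexplained 160-bit string, so the derivation rules out tampering with b after the fact but not a search over seeds before publication.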
     
  25. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Blowfish for me is like a Windows 2000 ME edition computer that has never been broken. Why in the world would you try to go back and break Windows 2000 ME when nobody uses it anymore? Sure it may be older, but nobody expects it and if you use large keys it's a sneaky gem. :thumb:
     