Pages:
Author

Topic: New Snowden Leak Reports ‘Groundbreaking’ NSA Crypto-Cracking (Read 2527 times)

legendary
Activity: 1176
Merit: 1001
minds.com/Wilikon
NIST: "we are not deliberately... working to undermine or weaken encryption."

http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/

Following revelations about the National Security Agency's (NSA) covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week it is revisiting some of its encryption standards. But in a little-noticed footnote, NIST went a step further, saying it is "strongly" recommending against even using one of the standards.

The institute sets standards for everything from the time to weights to computer security that are used by the government and widely adopted by industry.

As ProPublica, The New York Times, and The Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world. In its statement Tuesday, the NIST acknowledged that the NSA participates in creating cryptography standards "because of its recognized expertise" and because the NIST is required by law to consult with the spy agency. "We are not deliberately, knowingly, working to undermine or weaken encryption," NIST chief Patrick Gallagher said at a public conference Tuesday.

Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn't enabled by default. Developers creating applications for the platform must choose to enable it.

The New York Times noted earlier this week that documents provided by Snowden show the spy agency played a crucial role in writing the standard that the NIST is now cautioning against using, which was first published in 2006. The NIST standard describes what is known as an "elliptic curve-based deterministic random bit generator." This bit of computer code is one way to produce random numbers that are the cornerstone of encryption technology used on the Internet. If the numbers generated are not random but in fact predictable, the encryption can be more easily cracked.

The Times reported that the Snowden documents suggest the NSA was involved in creating the number generator. Researchers say the evidence of NSA influence raises questions about whether any of the standards developed by the NIST can be trusted. "NIST's decisions used to be opaque and frustrating," said Matthew Green, a professor at Johns Hopkins University. "Now they're opaque and potentially malicious. Which is too bad because NIST performs such a useful service."

Cryptographers have long suspected the standard in question was faulty. Seven years ago, a pair of researchers in the Netherlands authored a paper that said the random number generator was insecure and that attacks against it could "be run on an ordinary PC." A year after that, in 2007, two Microsoft engineers flagged the standard as potentially containing a backdoor.

Following the criticism, the standard was revised in 2007 to include an optional workaround. The NSA has long been involved in encryption matters at the standards institute. "NIST follows NSA's lead in developing certain cryptographic standards," a 1993 Government Accountability Office report noted. A 2002 law mandates that the NIST set information security standards and lists the NSA merely as one of several other agencies that must be consulted.

Asked how often standards are reopened, NIST spokesperson Gail Porter said, "It's not frequent, but it does happen." She added that it would be "difficult to give you an exact number of times." Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST's recent recommendations and as always, will take the appropriate action to protect our customers." The NSA declined to comment.
hero member
Activity: 793
Merit: 1026
self issued SSL certificates, some sites are already doing this

ya any privacy conscious site should just have a self signed cert, with the cert fingerprint pgp clear-signed by the site admin or something.
sr. member
Activity: 322
Merit: 250
They injected their own modifications into many protocols 10 years ago as major security protocols were being " revamped ".

Its obvious in the SSL layer, see the development history Smiley
hero member
Activity: 980
Merit: 500
FREE $50 BONUS - STAKE - [click signature]
"The Post said it withheld the rest, and kept some information out of its reporting, in consultation with the Obama administration to protect U.S. intelligence sources and methods."

Censorship at its finest.

Not quite. Whole article may be total bullshit, or they have no meaningful info, so they at least pretend they have.
legendary
Activity: 1680
Merit: 1035
I was going to update my thread but I see people keeping track. That is good.

Obviously the bitcoin ecosystem is not surprised by all those revelations. It simply means there is not enough tinfoil hats for everyone on this planet now as it is all factual.

We need tinfoil computer cases...  Undecided
b!z
legendary
Activity: 1582
Merit: 1010
Im not too savvy on all the crypto shit, but does this mean that Pretty Good Privacy isn't so good and private anymore?

its now going to be called kinda-ok privacy w. the acronym (KOP)

lol.

I'd say they won't touch pgp for the next 10ish years. hopefully.

What they're capable of is https, SSL and VoIP, but that's obvious IMO

I think PGP is itself still sound. But there is a big trust issues...

Maybe it's time to find a new root authority and not involve it with USA in anyway...

self issued SSL certificates, some sites are already doing this
hero member
Activity: 728
Merit: 500
Im not too savvy on all the crypto shit, but does this mean that Pretty Good Privacy isn't so good and private anymore?

its now going to be called kinda-ok privacy w. the acronym (KOP)

lol.

I'd say they won't touch pgp for the next 10ish years. hopefully.

What they're capable of is https, SSL and VoIP, but that's obvious IMO

I think PGP is itself still sound. But there is a big trust issues...

Maybe it's time to find a new root authority and not involve it with USA in anyway...
full member
Activity: 238
Merit: 100
Im not too savvy on all the crypto shit, but does this mean that Pretty Good Privacy isn't so good and private anymore?

its now going to be called kinda-ok privacy w. the acronym (KOP)

lol.

I'd say they won't touch pgp for the next 10ish years. hopefully.

What they're capable of is https, SSL and VoIP, but that's obvious IMO
legendary
Activity: 1176
Merit: 1001
minds.com/Wilikon
I was going to update my thread but I see people keeping track. That is good.

Obviously the bitcoin ecosystem is not surprised by all those revelations. It simply means there is not enough tinfoil hats for everyone on this planet now as it is all factual.
legendary
Activity: 2926
Merit: 1386
Breaking: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Quote
US and UK spy agencies defeat privacy and security on the internet

• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'

...The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

Quote
The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.

It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".
Of course, since it's existence has now been revealed, the utility of these efforts has been compromised.

If the US ever fell apart like Russia did in 1990-1992 timeframe, and all those NSA creeps were out of jobs with the knowledge of these backdoors....
hero member
Activity: 680
Merit: 500
Breaking: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Quote
US and UK spy agencies defeat privacy and security on the internet

• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'

...The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

Quote
The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.

It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".
full member
Activity: 134
Merit: 100
Im not too savvy on all the crypto shit, but does this mean that Pretty Good Privacy isn't so good and private anymore?

its now going to be called kinda-ok privacy w. the acronym (KOP)
legendary
Activity: 1148
Merit: 1048
Im not too savvy on all the crypto shit, but does this mean that Pretty Good Privacy isn't so good and private anymore?
full member
Activity: 336
Merit: 140
Hmmm what could it be? Large MITM attack against SSL encrypted web traffic using certificates signed by root authorities? Pay millions $ to everyone involved to both keep enthusiastic and keep mouth shut. Thank You America!


Time-Memory-Data (TMD) trade-off, most-likely. Further considerations ULTRA.
newbie
Activity: 17
Merit: 0
"The Post said it withheld the rest, and kept some information out of its reporting, in consultation with the Obama administration to protect U.S. intelligence sources and methods."

Censorship at its finest.
It is, after all, very important to allow the ministry of truth to have the final say in what can be published.
b!z
legendary
Activity: 1582
Merit: 1010
"The Post said it withheld the rest, and kept some information out of its reporting, in consultation with the Obama administration to protect U.S. intelligence sources and methods."

Censorship at its finest.
sr. member
Activity: 364
Merit: 253
Maybe this is the reason why primecoin is so difficult to mine now. They are selling 20k XPM a day to cover costs of the equipments!!! Grin
newbie
Activity: 56
Merit: 0
Some of this is not even suprising me anymore  Wink
legendary
Activity: 1680
Merit: 1035
Among the surprises reported by Post writers Barton Gellman and Greg Miller is that the CIA receives more money than the NSA: $14.7 billion for the CIA, versus $10.8 billion for the NSA.

Actually not too surprising, considering CIA's toys include U2 Spy Planes, SR-71 Blackbird, and currently drones.
full member
Activity: 238
Merit: 100
Love the Bitcoin.
That'd be a very awesome rig to mine bitcoins!!!!!!! Shocked

 Wink
Pages:
Jump to: