On 03/22/2012 09:57 AM, Peter Maxwell wrote:

From http://blogs.computerworld.com/19917/shocker_nsa_chief_denies_total_informat...

...

"Remember," former intelligence official Binney stated, "a lot of foreign government stuff we've never been able to break is 128 or less. Break all that and you'll find out a lot more of what you didn't know-stuff we've already stored-so there's an enormous amount of information still in there."

In other words, they've accumulated a backlog of ciphertext. Encryption working as designed.

...

Binney added the NSA is "on the verge of breaking a key encryption algorithm."

This sounds like budget boondoggle baloney to me. How can you be "on the verge" of something like that? You might have some ideas on how to attack it, but until they're proven they're just guesses and likely to be dead ends. Not something you should justify reworking your computing systems around. But once they're proven, you're not "on the verge".

That sounds far more plausible than the previous explanations. I'd also suspect the "key encryption algorithm" may be RC4 and not AES at the moment.

Or it could just be all the 40- and 56- bit stuff that was captured by wiretapping Americans and not decrypted way back when the NSA felt constrained by laws. Or it could be everything using 512-bit RSA key exchange. Or it could be everything for which the security of the encryption ultimately depends on a user-chosen password. E.g., MS-PPTP/MPPE (but there's nothing really new about this). Or it could be a common protocol using a cipher weakly. For example, I noticed this the other day about RDP "standard, non-FIPS" mode: http://msdn.microsoft.com/en-us/library/cc240771%28v=prot.10%29.aspx If the endpoints do actually manage to negotiate the use of 128 bit (as opposed to 40 or 56 bit) security, it uses the output of RC4 without discarding any initial bytes. Those initial bytes have some correlations, some of which can expose the whole key. Just to make sure the 1684 bit state size of RC4 doesn't get stale, the protocol refreshes the key every 4096 packets. (Actually better than MPPE which seems to rekey every 1 or 256 packets depending on negotiated options). Or it could be complete BS. - Marsh _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE