On Thu, Sep 5, 2013 at 11:38 AM, grarpamp <grarpamp@gmail.com> wrote:
> > ...
> > however, the crypto breakthrough discussed is more mundane:
>
> Source? Sure, non-PFS can be exploited.

i asked Snowden for an authoritative copy... ;P

> But extending that as underlying explanation of the Bamford quote is dangerous. It's Bamford's quote, ask him.

there's lots of disinformation around this topic, comparisons and analogies that indicate this has been filtered through less technical intermediaries. he can't say much about specifics, remember?

> > deployment of deep packet inspection with SSL/TLS capabilities.[0]
>
> I'd call it 'applied decrypting' not some breakthrough in 'cryptanalyze'ing or 'break'ing any crypto. Words are important.
see above regarding technical vs. non-technical. for the high ups, getting access to encrypted communication is "breaking encryption". whether that is breaking by cooperative agreement and new hardware, or breaking by new attacks on crypto primitives themselves, it is indistinguishable to them but makes all the difference to us.

to walk through with rough ballpark but by no means representative numbers, consider:
- modern CPU - 1,500 to 9,000 sessions per second
- "typical web 2.0 service provider"
- SSL ops: 800k/min, 13,333/sec (no keep-alive)
- Bandwidth: 24kB/s or 200kbps (no CDN)

verdict: medium to large internet sites can offload SSL/TLS to their front-end load balancers or servers without much effort. crypto accelerators no longer required (unless used for HSM protection of server keys). Google proved this.

now do the math for OC48 passive drops feeding the DPI collectors:
- for sake of argument, consider just 5% of channel capacity using SSL/TLS: 2.5Gb / 20 == 125Mb/sec
- for sake of argument, consider 5k/sec sessions per 200kbps (gloss over specific algo. overhead)
- 125Mb/200kb = 625 times more load than our provider example above with 3.1mm sessions/sec.

verdict: you need a rack of servers at each collection point just to extract keys for the DPI sniffer.

summary: NSA "breakthrough" at the Multiprogram Research Facility, or Building 5300, is a system for the real-time recovery of session keys from public key exchanges, which do not implement forward secrecy, the session keys then used for DPI of SSL/TLS traffic. (AES faster and easier to do in hardware, solved already.)

conveniently enough the real-time support can be applied retroactively against all stored encrypted communications (c.f. NSA Utah) which are now vulnerable to recovery as server public keys for the period in question are handed over, taken, or cracked.
what would be even more interesting is if Building 5300 also built a TWIRL[0] or SHARK[1] device to get the 1028 bit secret keys used by servers all over the world for their traffic, thus achieving DPI-SSL visibility for non-cooperative entities.

to the critics: sorry, i have nothing to prove. the hints are out there, but sadly, you'll just have to take me at face value or dig along with others until you've got your own compelling picture of what this entails. like a good spy or journo, i don't burn intelligence sources; least of all just to prove i'm right on the internets ;P

to everyone else: start using 2k or 4k keys immediately! burn your 1k keys with fire!!!

0. "The TWIRL integer factorization device" http://cs.tau.ac.il/~tromer/twirl/
1. "SHARK - a realizable special hardware sieving device for factoring 1024-bit integers" http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/texte/publications/c...
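The thread's two defensive points are that a non-forward-secret key exchange lets recorded sessions be unwrapped once the server's long-term key is obtained, and that 1024-bit RSA keys should be retired. The following is an added example, written for this page and not code from any participant in the thread: a small audit that classifies TLS cipher suites by whether their key exchange is ephemeral, and flags undersized RSA certificate keys. It assumes OpenSSL-style suite names for TLS 1.2 and older (ECDHE-/DHE-/EDH- prefixes mean ephemeral; everything else is RSA key transport or static (EC)DH) and IANA-style TLS_ names for TLS 1.3; the sample server configurations are constructed, not real hosts.

```python
import re
import ssl

# Added example, not from the thread. Minimum RSA modulus size, following the
# thread's advice to retire 1024-bit server keys (assumption: 2048 as the floor).
MIN_RSA_BITS = 2048

# OpenSSL-style cipher names whose key exchange is ephemeral (EC)DHE. With these,
# a recorded session stays unreadable even if the server's long-term private key
# is obtained later, which is the property the thread calls PFS.
_EPHEMERAL_KX = re.compile(r"^(ECDHE|DHE|EDH)-")


def has_forward_secrecy(cipher_name: str) -> bool:
    """Return True if the named suite uses an ephemeral key exchange.

    TLS 1.3 suites (IANA names such as TLS_AES_256_GCM_SHA384) always use
    (EC)DHE. For TLS 1.2 and older, OpenSSL names starting with ECDHE-, DHE-
    or EDH- are ephemeral; everything else (RSA key transport such as
    AES128-SHA, static ECDH such as ECDH-RSA-...) lets a later key compromise
    unwrap recorded sessions.
    """
    if cipher_name.startswith("TLS_"):
        return True
    return bool(_EPHEMERAL_KX.match(cipher_name))


def audit_tls_config(cipher_names, key_type: str, key_bits: int):
    """Return a list of findings (empty list means no issues) for one server.

    cipher_names: suites the server will negotiate (OpenSSL or IANA names)
    key_type/key_bits: the certificate's public key algorithm and size
    """
    findings = []
    non_pfs = [n for n in cipher_names if not has_forward_secrecy(n)]
    if non_pfs:
        findings.append(
            "non-forward-secret suites enabled: " + ", ".join(non_pfs)
            + " (recorded sessions become readable if the server key is later obtained)"
        )
    if key_type.upper() == "RSA" and key_bits < MIN_RSA_BITS:
        findings.append(
            f"RSA certificate key is {key_bits} bits; {MIN_RSA_BITS} or more required"
        )
    return findings


def local_openssl_cipher_report():
    """Classify the suites the local OpenSSL default context would offer.

    Runs offline: ssl.SSLContext.get_ciphers() lists each available suite with
    its name and key-exchange method (the 'kea' field, e.g. 'kx-ecdhe', 'kx-rsa').
    """
    ctx = ssl.create_default_context()
    return {c["name"]: has_forward_secrecy(c["name"]) for c in ctx.get_ciphers()}


# Constructed sample configurations (not real hosts).
SAMPLE_LEGACY = {
    "cipher_names": ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "key_type": "RSA",
    "key_bits": 1024,
}
SAMPLE_MODERN = {
    "cipher_names": ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"],
    "key_type": "EC",
    "key_bits": 256,
}

if __name__ == "__main__":
    for label, cfg in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        findings = audit_tls_config(**cfg)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
    print("suites offered by the local OpenSSL default context:")
    for name, fs in sorted(local_openssl_cipher_report().items()):
        print(f"  {'PFS  ' if fs else 'NOPFS'} {name}")
```

The legacy sample produces two findings (two RSA-key-transport suites and a 1024-bit key); the modern sample produces none. The name-based classification deliberately treats anonymous (ADH-/AECDH-) and static (EC)DH suites as failures too, since none of them gives an authenticated, forward-secret exchange.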