[Cryptography] Defenses against pervasive versus targeted intercept
----- Forwarded message from Phillip Hallam-Baker <hallam@gmail.com> -----

Date: Wed, 11 Sep 2013 12:11:52 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Subject: [Cryptography] Defenses against pervasive versus targeted intercept

I have spent most of yesterday writing up much of the traffic on the list so far in the form of an Internet Draft. I am now at the section on controls and it occurs to me that the controls relevant to preventing PRISM-like pervasive intercept capabilities are not necessarily restricted to controls that protect against targeted intercept.

The problem I have with PRISM is that it is a group of people whose politics I probably find repellent performing a dragnet search that may later be used for McCarthyite/Hooverite inquisitions. So I am much more concerned about the pervasive part than the ability to perform targeted attacks on a few individuals who have come to notice. If the NSA wanted my help intercepting Al Zawahiri's private emails then sign me up. My problem is that they are intercepting far too much and lying about what they are doing.

Let us imagine for the sake of argument that the NSA has cracked 1024 bit RSA using some behemoth computer at a cost of roughly $1 million per key and taking a day to do so. Given such a capability it would be logical for them to attack high traffic/high priority 1024 bit keys. I have not looked into the dates when the 2048 bit roll out began (seems to me we have been talking about it ten years) but that might be consistent with that 2010 date.

If people are using plain TLS without perfect forward secrecy, that crack gives the NSA access to potentially millions of messages an hour. If the web browsers are all using PFS then the best they can do is one message a day. PFS provides security even when the public keys used in the conversation are compromised before the conversation takes place. It does not prevent attack but it reduces the capacity of the attacker.

Similar arguments can be made for other less-than-perfect key exchange schemes. It is not necessary for a key exchange scheme to be absolutely secure against all possible attack for it to be considered PRISM-Proof. So the key distribution scheme I am looking at does have potential points of compromise because I want it to be something millions could use rather than just a few thousand geeks who will install but never use. But the objective is to make those points of compromise uneconomic to exploit on the scale of PRISM.

The NSA should have accepted court oversight of their activities. If they had strictly limited their use of the cryptanalytic capabilities then the existence would not have been known to low level grunts like Snowden and we probably would not have found out. Use of techniques like PFS restores balance.

--
Website: http://hallambaker.com/

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
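As an added illustration of the capacity argument in the forwarded message (this code is not part of the original post): a toy model in which a passive interceptor records sessions and later obtains the server's long-term secret. With a static key exchange every recorded session opens; with an ephemeral (PFS) exchange the long-term secret yields nothing, so each further session costs the attacker a separate break. The 127-bit group, the XOR stream cipher and the tag are constructed for the demo, not real parameters, and the signature of the ephemeral value by the long-term key is assumed rather than modelled.

```python
import hashlib
import secrets

# Constructed toy group (assumption): a 127-bit Mersenne prime, far too small
# for real use; real deployments use 2048-bit or larger groups.
P = 2**127 - 1
G = 3

def kdf(shared: int) -> bytes:
    # Shared secret < P < 2^127, so it fits in 16 bytes.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, msg: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))
    tag = hashlib.sha256(key + ct).digest()[:16]   # lets a decryptor detect a wrong key
    return ct + tag

def decrypt(key: bytes, blob: bytes):
    ct, tag = blob[:-16], blob[-16:]
    if hashlib.sha256(key + ct).digest()[:16] != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def run_sessions(messages, pfs: bool):
    """Simulate sessions and return (server long-term secret, what the interceptor records)."""
    s = secrets.randbelow(P - 2) + 2            # server's long-term secret
    S = pow(G, s, P)
    records = []
    for msg in messages:
        c = secrets.randbelow(P - 2) + 2        # client ephemeral exponent
        C = pow(G, c, P)
        if pfs:
            e = secrets.randbelow(P - 2) + 2    # server ephemeral, discarded after use
            E = pow(G, e, P)                    # in TLS this value would be signed with s
            key = kdf(pow(C, e, P))
        else:
            E = S                               # server reuses its long-term key
            key = kdf(pow(C, s, P))
        records.append((C, E, encrypt(key, msg)))
    return s, records

def recovered_after_key_compromise(records, s: int) -> int:
    """Sessions an interceptor can read once it later obtains the long-term secret s."""
    return sum(decrypt(kdf(pow(C, s, P)), blob) is not None for C, _E, blob in records)
```

Run with a handful of messages: the static variant reports every session recovered, the PFS variant reports zero, which is the "one session per break" limit the message describes.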