[cryptography] regarding the NSA crypto "breakthrough"

Thu Sep 5 13:17:03 PDT 2013

On Thu, Sep 5, 2013 at 11:38 AM, grarpamp <grarpamp at gmail.com> wrote:
> ...
>> however, the crypto breakthrough discussed is more mundane:
>
> Source? Sure, non-PFS can be exploited.

i asked Snowden for an authoritative copy... ;P

> But extending that
> as underlying explanation of the Bamford quote is dangerous.
> It's Bamford's quote, ask him.

there's lots of disinformation around this topic, comparisons and
analogies that indicate this has been filtered through less technical
intermediaries.

he can't say much about specifics, remember?

>>  deployment of deep packet inspection with SSL/TLS capabilities.[0]
>
> I'd call it 'applied decrypting' not some breakthrough in 'cryptanalyze'ing
> or 'break'ing any crypto. Words are important.

see above regarding technical vs. non-technical.  for the high ups,
getting access to encrypted communication is "breaking encryption".
whether that is breaking by cooperative agreement and new hardware, or
breaking by new attacks on crypto primitives themselves, it is
indistinguishable to them but makes all the difference to us.

to walk through with rough ballpark but by no means representative numbers,

consider:
- modern CPU - 1,500 to 9,000 sessions per second
- "typical web 2.0 service provider"
  - SSL ops: 800k/min, 13,333/sec (no keep-alive)
  - Bandwidth: 24kB/s or 200kbps (no CDN)

verdict: medium to large internet sites can offload SSL/TLS to their
front-end load balancers or servers without much effort. crypto
accelerators no longer required (unless used for HSM protection of
server keys). Google proved this.

now do the math for OC48 passive drops feeding the DPI collectors:
- for sake of argument, consider just 5% of channel capacity using
SSL/TLS: 2.5Gb / 20 == 125Mb/sec
- for sake of argument, consider 5k/sec sessions per 200kbps (gloss
over specific algo. overhead)
- 125Mb/200kb= 625 times more load than our provider example above
with 3.1mm sessions/sec.

verdict: you need a rack of servers at each collection point just to
extract keys for the DPI sniffer.

summary: NSA "breakthrough" at the Multiprogram Research Facility, or
Building 5300, is a system for the real-time recovery of session keys
from public key exchanges, which do not implement forward secrecy, the
session keys then used for DPI of SSL/TLS traffic. (AES faster and
easier to do in hardware, solved already.)

conveniently enough the real-time support can be applied retroactively
against all stored encrypted communications (c.f. NSA Utah) which are
now vulnerable to recovery as server public keys for the period in
question are handed over, taken, or cracked.

what would be even more interesting is if Building 5300 also built a
TWIRL[0] or SHARK[1] device to get the 1028 bit secret keys used by
servers all over the world for their traffic, thus achieving DPI-SSL
visibility for non-cooperative entities.

to the critics:
sorry, i have nothing to prove. there hints are out there, but sadly,
you'll just have to take me at face value or dig along with others
until you've got your own compelling picture of what this entails.

like a good spy or journo, i don't burn intelligence sources; least of
all just to prove i'm right on the internets ;P

to everyone else:
start using 2k or 4k keys immediately!
burn your 1k keys with fire!!!

0. "The TWIRL integer factorization device"
  http://cs.tau.ac.il/~tromer/twirl/

1. "SHARK - a realizable special hardware sieving device for factoring
1024-bit integers"
  http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/texte/publications/conferences/shark.pdf