[147010] in cryptography@c2.net mail archive

[Cryptography] Defenses against pervasive versus targeted intercept

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Wed Sep 11 13:04:37 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Sep 2013 12:11:52 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

I have spent most of yesterday writing up much of the traffic on the list
so far in the form of an Internet Draft.

I am now at the section on controls and it occurs to me that the controls
relevant to preventing PRISM-like pervasive intercept capabilities are not
necessarily restricted to controls that protect against targeted intercept.

The problem I have with PRISM is that it is a group of people whose
politics I probably find repellent performing a dragnet search that may
later be used for McCarthyite/Hooverite inquisitions. So I am much more
concerned about the pervasive part than the ability to perform targeted
attacks on a few individuals who have come to notice. If the NSA wanted my
help intercepting Al Zawahiri's private emails then sign me up. My problem
is that they are intercepting far too much and lying about what they are
doing.


Let us imagine for the sake of argument that the NSA has cracked 1024 bit
RSA using some behemoth computer at a cost of roughly $1 million per key
and taking a day to do so. Given such a capability it would be logical for
them to attack high traffic/high priority 1024 bit keys. I have not looked
into the dates when the 2048 bit roll out began (seems to me we have been
talking about it ten years) but that might be consistent with that 2010
date.

If people are using plain TLS without perfect forward secrecy, that crack
gives the NSA access to potentially millions of messages an hour. If the
web browsers are all using PFS then the best they can do is one message a
day.

PFS provides security even when the public keys used in the conversation
are compromised before the conversation takes place. It does not prevent
attack but it reduces the capacity of the attacker.


Similar arguments can be made for other less-than-perfect key exchange
schemes. It is not necessary for a key exchange scheme to be absolutely
secure against all possible attack for it to be considered PRISM-Proof.

So the key distribution scheme I am looking at does have potential points
of compromise because I want it to be something millions could use rather
than just a few thousand geeks who will install but never use. But the
objective is to make those points of compromise uneconomic to exploit on
the scale of PRISM.


The NSA should have accepted court oversight of their activities. If they
had strictly limited their use of the cryptanalytic capabilities then the
existence would not have been known to low level grunts like Snowden and we
probably would not have found out.

Use of techniques like PFS restores balance.


-- 
Website: http://hallambaker.com/
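The capacity argument above (one cracked long-term key exposes every recorded session under RSA key transport, but none of the sessions under ephemeral DH) in a toy model. This is an added illustration, not code from the post or from the author; the DH group and RSA key below are constructed and far too small for real use, and the "crack" is simulated by handing the attacker the private key.

```python
import secrets

# Toy parameters (constructed for this example): a tiny DH group and a
# tiny server RSA key pair. Insecure by design; only the structure matters.
P, G = 2**61 - 1, 3                          # Mersenne prime, small generator
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def rsa_transport_session():
    """Plain TLS-style RSA key transport: the session key (premaster secret)
    travels encrypted under the server's long-term public key."""
    premaster = secrets.randbelow(RSA_N)
    recorded = pow(premaster, RSA_E, RSA_N)  # what a passive recorder keeps
    return recorded, premaster

def dhe_session():
    """Ephemeral DH (PFS): only g^a and g^b are on the wire; the long-term
    key merely signs them (signature omitted here)."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    recorded = (pow(G, a, P), pow(G, b, P))
    return recorded, pow(G, a * b, P)

def decrypt_with_cracked_key(kind, recorded):
    """What the attacker learns from a recording once the server's long-term
    private key is known (the hypothetical 1024-bit RSA crack in the post)."""
    if kind == "rsa":
        return pow(recorded, RSA_D, RSA_N)   # every recorded session opens
    return None  # DHE: no session key in the transcript; a per-session DLP is needed

def count_exposed(kind, n_sessions):
    """Recorded sessions readable after a single long-term-key compromise."""
    exposed = 0
    for _ in range(n_sessions):
        if kind == "rsa":
            recorded, session_key = rsa_transport_session()
        else:
            recorded, session_key = dhe_session()
        if decrypt_with_cracked_key(kind, recorded) == session_key:
            exposed += 1
    return exposed

if __name__ == "__main__":
    print("RSA transport:", count_exposed("rsa", 1000), "of 1000 sessions readable")
    print("DHE (PFS):    ", count_exposed("dhe", 1000), "of 1000 sessions readable")
```

With key transport the attacker's cost is one key crack per server; with PFS it is one discrete-log per session, which is the capacity reduction the post describes.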

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography