Posted on 09/05/2013 12:14:05 PM PDT by Alter Kaker
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume or have been assured by Internet companies that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
(Excerpt) Read more at nytimes.com ...
That is incorrect advice. It is MUCH more important that passwords are long, than it is to use random characters.
For example the password “Cat1-Dog2” is ~100 times harder to crack than “dF*$j)J4” just because it has one more character.
Each character you add makes the password 10-100 times harder to crack depending on what characters you use.
See here: https://www.grc.com/haystack.htm
I thought SSL used Diffie-Hellman key exchange, which is susceptible to a man-in-the-middle attack unless at least one party to the communication can send the other a “signed” copy of a hash of its random key, but would not allow for retrospective analysis—even by someone who had access to all of the information that parties to the communication would typically retain afterward (the parameters necessary to generate the per-session key are typically generated randomly at the start of a conversation and, along with the key, discarded afterward).
The problem is a dictionary attack will find something like cat1-dog2-texas or whatever combination of those in seconds. They can search trillions of combinations instantly. A shorter random one will have more entropy and often be harder to guess.
IMO for online stuff using KeePass is the best and just have 1 file that they’d have to get and remember one password for it. Use a separate keyfile for it if you want as well. It still might not help much against the NSA, but at least if someone hacks into say your PSN account they won’t have any leads to go after your Yahoo ones.
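Added example, not part of any poster's comment: the length-versus-randomness comments above and the dictionary-attack reply rest on different attack models, and this sketch computes the guess space for “Cat1-Dog2” and “dF*$j)J4” under each. The word-list size of 10,000, the two case variants per word and all function names are assumptions of this example.

```python
import re
import string

# The 95 printable ASCII characters, split into the four usual classes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SYMBOLS = len(CLASSES[3])  # 33

def alphabet_size(password):
    """Alphabet a blind brute-force search must cover for this password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def brute_force_space(password):
    """Candidates of every length up to len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def pattern_space(password, wordlist_size, case_variants=2):
    """Candidates for a guesser that models the password as dictionary words,
    single digits and single symbols. Only meaningful when the letter runs
    really are dictionary words. wordlist_size and case_variants are
    assumptions of this example, not measurements."""
    space = 1
    for token in re.findall(r"[A-Za-z]+|\d|[^A-Za-z\d]", password):
        if token.isalpha():
            space *= wordlist_size * case_variants
        elif token.isdigit():
            space *= 10
        else:
            space *= SYMBOLS
    return space

def compare(long_pw="Cat1-Dog2", random_pw="dF*$j)J4", wordlist_size=10_000):
    """Return (brute-force ratio long/random, pattern space, random space)."""
    long_bf, rand_bf = brute_force_space(long_pw), brute_force_space(random_pw)
    return long_bf // rand_bf, pattern_space(long_pw, wordlist_size), rand_bf

if __name__ == "__main__":
    ratio, pattern, rand_bf = compare()
    print(f"blind brute force: long password is {ratio}x the work")
    print(f"pattern-aware guesses for the long password: {pattern:.2e}")
    print(f"blind brute force for the 8-char random one: {rand_bf:.2e}")
```

Against blind brute force the nine-character password costs 95 times the work of the eight-character one; against the assumed word-pattern guesser its space is roughly 5,000 times smaller than the random password's brute-force space.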
Even one time codes?
A major problem with one-time pads is that it's necessary to share an amount of key data equal to the amount of real data that is going to be exchanged, and unless both parties destroy their key data as they use it, capture of the key data held by either party will allow retrospective decoding of previously-captured transmissions. That having been said, improved flash densities would seem to make such an encryption approach (including the destruction of used key data) more practical than in years past.
I suspect the biggest weakness with many encryption protocols stems from a desire to have them be usable for establishing initial contact between strangers who have not previously exchanged other secret information. That requires both parties have a third party whom they can trust, and who is worthy of that trust.
Is the Navajo language still available?
This is a key part of this document, Null. I know we had our discussions earlier, but having just read this article, I believe this is game, set, match for anyone trying to secure their privacy online.
Short of going completely "dark," folks, you cannot conduct any private business electronically anymore.
It's over. Pack it up and hit the trail.
In the comments to the article at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html, Bruce Schneier, the creator of Blowfish and codesigner of Twofish, said in response to a comment:
Commenter: “On the crypto bits in your guardian piece, I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that.”
Bruce: I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
In other words, ECC is probably compromised.
You could just use an ARM chip to make a secure crypto box...ez-pz
Raspberry Pi and an Altoids tin.....
it is pfwhhy ekdy to wfjre a mdsdwge tgwt a cuhkydwr hws a hewd tjee rwafikg bit pkjefe chn fujefe ogt.
Yup, the Pi might work.
You could write a small secure OS for the Pi and use it as the link to the web. It would be mighty hard to compromise a Pi with a secure OS :-)
Broadcom made the SOC for the Pi, it’s not an open SOC and you have to sign a non-disclosure to get the nitty-gritty on it.
Perhaps a small and cheap secure computer built with the guts all inside an FPGA would be better still.
No, just build a dedicated encryption/decryption box, not connected to the net. Sneakernet the messages between the 2 for encryption / decryption. The net never touches the encryption box so keys can’t be discovered, short of physical access to the box.
There is the point that it is better known now than previously.
The Japanese were of two minds about their intercepts of the Navajo: Some thought it was a language, others thought it wasn’t and was just random gibberish designed to mislead.
I agree. NSA and others will generally not know your dog’s name, cousin’s name, or reading habits in order to exploit those in an attack. Their computers will just keep grinding away, dumb but hard working.
Feynman told a story of how he cracked a coworker’s safe because the coworker used the first digits of “e” backwards as his combo. He had tried pi, pi backwards, e and e backwards while waiting in the guy’s office. Left him a note in his safe that those were not good combos to choose.
Feynman doesn’t work at the NSA breaking your codes.
Ever heard of Google®?