Free Republic
News/Activism

Prime Diffie-Hellman Weakness May Be Key to Breaking Crypto
Threatpost | October 16, 2015 | Michael Mimoso

Posted on 10/18/2015 12:19:56 PM PDT by Mycroft Holmes

The great mystery since the NSA and other intelligence agencies’ cyber-spying capabilities became watercooler fodder has not been the why of their actions, but the how. For example, how are they breaking crypto to decode secure Internet communication?

A team of cryptographers and computer scientists from a handful of academic powerhouses is pretty confident they have the answer after having pieced together a number of clues from the Snowden documents that have been published so far, and giving the math around the Diffie-Hellman protocol a hard look.

The answer is an implementation weakness in Diffie-Hellman key exchanges, specifically in the massive and publicly available prime numbers used as input to compute the encryption key. The team of 14 cryptographers presented their paper, “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” this week at the ACM Conference on Computer and Communications Security, which explains that given the budgets at the disposal of the NSA, for example, such an agency could build enough custom hardware and invest the time required to derive an output that would give the attacker “intermediate” information that would eventually lead to the breaking of individual encrypted connections.

“It’s not arriving at the key, instead it’s telling you something about the mathematical structure about that particular choice of the prime number when used in Diffie-Hellman,” said J. Alex Halderman, associate professor of computer science and engineering at the University of Michigan and one of the authors of the paper. “The analogy is sort of cracking the prime. After you crack the prime, breaking individual Diffie-Hellman connections that use that prime is easy.”

(Excerpt) Read more at threatpost.com ...


TOPICS: Culture/Society; Government; News/Current Events; Russia
KEYWORDS: bigprims; computers; computing; cryptograph; cryptography; diffiehellman; internet; primenumbers; primes
Oh happy day...
1 posted on 10/18/2015 12:19:56 PM PDT by Mycroft Holmes
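The attack the article describes in prose, as an added toy-scale illustration (this is not code from the Threatpost article or from the "Imperfect Forward Secrecy" paper): the expensive part of the work depends only on the prime, is done once, and is then reused against every session that uses that prime. The paper's precomputation is the number field sieve against 512- and 1024-bit primes; here a baby-step giant-step table stands in for it, over a small prime so it runs in under a second. The group (p, g), the private-exponent range, and the SHA-256 key derivation are assumptions made for the example, not what TLS actually uses.

```python
"""Crack the prime once, then break every Diffie-Hellman session that uses it."""
from __future__ import annotations

import hashlib
import math
import secrets


def make_giant_step_table(g: int, p: int) -> tuple[int, dict[int, int]]:
    """One-off precomputation that depends only on the group (g, p).

    Baby-step giant-step: with m = ceil(sqrt(p - 1)) store g^(m*j) -> j for j < m.
    This plays the role of the sieve's precomputation: costly once, reusable forever.
    """
    m = math.isqrt(p - 1) + 1
    step = pow(g, m, p)                 # g^m
    table: dict[int, int] = {}
    cur = 1                             # g^(m*0)
    for j in range(m):
        table.setdefault(cur, j)        # keep the smallest j for a repeated value
        cur = cur * step % p
    return m, table


def discrete_log(h: int, g: int, p: int, m: int, table: dict[int, int]) -> int:
    """Per-target step (the paper's 'descent'): x with g^x == h mod p, using the table.

    Walk h, h*g^-1, h*g^-2, ... until the value is some g^(m*j); then x = m*j + i.
    """
    g_inv = pow(g, -1, p)
    cur = h % p
    for i in range(m):
        j = table.get(cur)
        if j is not None:
            return j * m + i
        cur = cur * g_inv % p
    raise ValueError("h is not in the subgroup generated by g")


def dh_keypair(g: int, p: int) -> tuple[int, int]:
    """Private exponent x in [1, p-2] and public value g^x mod p (toy parameters)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def session_key(shared_secret: int) -> bytes:
    """Stand-in KDF (assumption): hash the DH shared secret into a symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def run_session(g: int, p: int) -> tuple[tuple[int, int], bytes]:
    """Honest client and server; returns what crosses the wire and the key both derive."""
    a, A = dh_keypair(g, p)
    b, B = dh_keypair(g, p)
    k_client = session_key(pow(B, a, p))
    k_server = session_key(pow(A, b, p))
    assert k_client == k_server
    return (A, B), k_client


def eavesdrop(A: int, B: int, g: int, p: int, m: int, table: dict[int, int]) -> bytes:
    """Passive attacker who saw only A = g^a and B = g^b, plus the per-prime table."""
    a = discrete_log(A, g, p, m, table)
    return session_key(pow(B, a, p))


if __name__ == "__main__":
    P, G = 2**31 - 1, 7                      # toy group; the real targets are 512/1024-bit
    m, table = make_giant_step_table(G, P)   # paid once per prime
    for _ in range(3):                       # every later session is cheap
        (A, B), k = run_session(G, P)
        assert eavesdrop(A, B, G, P, m, table) == k
    print("one precomputation, three sessions broken")
```

The point to carry over to the real attack: nothing the client or server does per connection changes the cost of the precomputation, because the precomputation never looks at the connection. Only the choice of group does, which is why the paper's remedies are larger primes, groups that are not shared by millions of servers, or elliptic-curve Diffie-Hellman.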

To: Mycroft Holmes
> “After you crack the prime, breaking individual Diffie-Hellman connections that use that prime is easy.”

Easy for you.

2 posted on 10/18/2015 12:23:10 PM PDT by MUDDOG

To: Mycroft Holmes

I would ask a simple question. While an SSL connection does initially use a key pair, the first thing it does is switch to an asynchronous cipher. Naturally, you could catch the cipher key at the beginning of the handshake, but if you don’t catch it you can’t read the traffic.


3 posted on 10/18/2015 12:29:47 PM PDT by proxy_user

To: Mycroft Holmes
Coincidence?

The patent for D-H encryption awarded in 1977, the same year Star Wars is released.

In 2015, researchers claim D-H can be compromised, the same year a new Star Wars movie is scheduled for release.

4 posted on 10/18/2015 12:30:24 PM PDT by HonkyTonkMan

To: proxy_user

When you spend all those millions building special hardware you don’t miss the cipher key.


5 posted on 10/18/2015 12:35:16 PM PDT by Mycroft Holmes (The fool is always greater than the proof.)

To: MUDDOG

Actually, easy for anyone. Cracking the prime gives a look-up table that lets you look up the key the parties are using from the data in the key agreement session, and then using whatever private-key encryption program they are using lets you read the communication the same way as the recipient.


6 posted on 10/18/2015 12:35:23 PM PDT by The_Reader_David (And when they behead your own people in the wars which are to come, then you will know...)

To: proxy_user

Not quite the right term, but right idea.

The key exchange is to establish a symmetric cipher like 3DES or AES.

https://en.m.wikipedia.org/wiki/Symmetric-key_algorithm


7 posted on 10/18/2015 12:43:57 PM PDT by justlurking

To: ShadowAce; Swordmaker; martin_fierro; AdmSmith; AnonymousConservative; Berosus; bigheadfred; ...
Thanks Mycroft.

8 posted on 10/18/2015 1:25:35 PM PDT by SunkenCiv (Here's to the day the forensics people scrape what's left of Putin off the ceiling of his limo.)

To: SunkenCiv
This will allow listening in on conversations and normal text messaging. It will not, however, help with decrypting the 256 bit AES encryption used by Apple in sending the user data from iOS and OS X devices to the cloud or to other devices. Nor will it help with the iMessaging which uses another system of synchronous encrypted communications.

After 38 years, it is time to up the game on communications encryption.

9 posted on 10/18/2015 1:35:21 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: MUDDOG

The enemy just needs to find traitors and there are plenty of democrats who are selling our secrets to whoever for a price.
All the secret stuff on Hillary Clinton’s computer and the State Dept computers was hacked into and I do not think it was an accident.


10 posted on 10/18/2015 1:36:06 PM PDT by minnesota_bound

To: justlurking

Hmmm. Have to think about this but my initial reaction is that the best target for such an attack would be Verisign. If they can crack Verisign’s private key then a man-in-the-middle attack becomes simply a matter of rerouting packets.


11 posted on 10/18/2015 1:37:43 PM PDT by SeeSharp

To: Swordmaker
> Nor will it help with the iMessaging which uses another system of synchronous encrypted communications.

It's the asynchronous side of SSL that this attack targets. How does iMessage exchange session keys for synchronous ciphers?

12 posted on 10/18/2015 1:41:53 PM PDT by SeeSharp

To: HonkyTonkMan

So THAT’S how the Rebels were able to get the Death Star plans!


13 posted on 10/18/2015 1:53:12 PM PDT by Rodamala

To: Mycroft Holmes

That’s why I use Optimus Prime.


14 posted on 10/18/2015 2:54:50 PM PDT by P.O.E. (Pray for America)

To: Mycroft Holmes

Public key encryption was a solution for the key exchange problem.

In times past the encryption in use was excellent but the problem was having to exchange the keys. Sending a courier or transmitting the key via phone or radio has obvious problems.

With Public Key crypto you have a private key and a public key. Anyone can encrypt a message using your public key but only you can decrypt it using your private key.

Public key crypto is not as secure as many symmetric key methods. Symmetric means the same key is used to encrypt and decrypt. Public key is also much slower than symmetric key crypto, this is why on the internet generally only the symmetric key is sent using this method and not the actual data. The data is encrypted using a much faster cipher like AES.

One symmetric method is mathematically proven to be secure against any attack... only the key can decrypt... no quantum computer could ever have a chance. This method is called a one-time pad; it’s the system that the old German Enigma was based on. Its security requires a source of true random numbers to function. Generating random numbers is easy now but the Enigma used a flawed mechanical random number generator and was broken. One-time-pad encryption can be totally secure but it has the key exchange problem in spades because the key is the same length as the message and can be quite large. The key must be stored as it cannot be remembered due to its huge size... of course this means it can be discovered by an adversary.

Public Key cryptography was a great breakthrough. If implemented very carefully it is still secure and will be for a long time. If there are flaws in the implementation of Diffie-Hellman key exchange I’m sure a secure work-around will be created.


15 posted on 10/18/2015 3:55:46 PM PDT by Bobalu (Russians.... not ashamed of being white!)
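The two one-time-pad properties the post above leans on, as an added worked example (not the poster's code): the pad must be exactly as long as the message, and it must never be used twice. The first function pair shows why the ciphertext alone proves nothing (any same-length plaintext is consistent with it under some pad); the last two show what goes wrong when the pad is reused, which is the failure mode that makes the key-distribution problem so painful in practice. The messages and the crib are constructed for the example.

```python
"""One-time pad: perfect secrecy when used once, a leak when the pad is reused."""
import secrets


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    """XOR the message with a pad of exactly its own length."""
    if len(key) != len(message):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(k ^ m for k, m in zip(key, message))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY same-length candidate plaintext there is a
    pad that maps this ciphertext to it, so the ciphertext rules no message out."""
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reuse cancels the pad: (m1 ^ k) ^ (m2 ^ k) == m1 ^ m2, no key needed."""
    return bytes(x ^ y for x, y in zip(c1, c2))


def crib_drag(m1_xor_m2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess a fragment (crib) of one plaintext at offset; read the other's bytes there."""
    window = m1_xor_m2[offset:offset + len(crib)]
    return bytes(x ^ c for x, c in zip(window, crib))


if __name__ == "__main__":
    m1 = b"attack at dawn"            # constructed sample messages, same length
    m2 = b"retreat at six"
    pad = secrets.token_bytes(len(m1))   # fresh, uniformly random, as long as m1

    c1 = otp_encrypt(pad, m1)
    assert otp_decrypt(pad, c1) == m1

    innocent = b"picnic at noon"      # an eavesdropper cannot exclude this reading
    assert otp_encrypt(key_explaining(c1, innocent), innocent) == c1

    c2 = otp_encrypt(pad, m2)         # the mistake: same pad used twice
    leak = two_time_pad_leak(c1, c2)  # equals m1 ^ m2
    assert crib_drag(leak, b" at ", 6) == b"t at"   # guessing m1[6:10] exposes m2[6:10]
    print("round trip ok; reuse leaks plaintext to crib-dragging")
```

The `key_explaining` function is the whole perfect-secrecy argument: because every pad is equally likely, every plaintext of the right length is equally consistent with the ciphertext. That guarantee evaporates the moment two messages share a pad, which is exactly why the pad has to be as long as all the traffic it will ever protect.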

To: SunkenCiv
Hi SunkenCiv,

Not sure what list you pinged here with comment #8 but I'd like to be on the list.

Thanks, dayglored

16 posted on 10/18/2015 6:15:43 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Hey, no problem, it’s not a specific list, really, just a very, very high volume mostly politics list, but other stuff (like this topic) creeps in from time to time.

George Boole topic:
http://www.freerepublic.com/focus/chat/3350083/posts


17 posted on 10/18/2015 8:22:28 PM PDT by SunkenCiv (Here's to the day the forensics people scrape what's left of Putin off the ceiling of his limo.)

To: HonkyTonkMan

Probably George Lucas is behind it, or C3PO, he’s a hacker, plus he’s easy to ignore as a threat.


18 posted on 10/18/2015 8:26:42 PM PDT by SunkenCiv (Here's to the day the forensics people scrape what's left of Putin off the ceiling of his limo.)

To: SunkenCiv
> ...very, very high volume mostly politics list...

Ah, then I'm afraid I have to pass, as I'm verging on ping overload as it is. I was thinking it was topics like encryption and such (like the Boolean), but with the election season looming, political pings will send me over the edge! :-)

I note you've kindly put me on already, so I apologize for the trouble to take me off again. I do greatly enjoy being on your APOD list; don't take me off that one! Thanks, dayglored

19 posted on 10/18/2015 9:17:37 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Thanks, I’ll take you back off.


20 posted on 10/18/2015 10:18:57 PM PDT by SunkenCiv (Here's to the day the forensics people scrape what's left of Putin off the ceiling of his limo.)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.