
September 05, 2013

Comments

Interesting comments here from Bruce Schneier.

They couldn't do the math so they cheated.

They're like every asshole in college.

Schneier is smart, but some of his recommendations are nutty. Here's Thomas Ptacek critiquing his suggestions. The bits on preferring symmetric over asymmetric crypto and preferring IFP/DLP based crypto over ECC seem especially nuts. Very very few use cases involve a shared secret sufficient to kick off symmetric crypto right off the bat, so realistically, we're almost always going to need some sort of asymmetric crypto.

I don't know how helpful articles like that really are. Most people can't make informed decisions about this stuff and a lot of crypto/security products, especially those hyped by Wired and friends, are snake oil that actively endanger people (why hello there Haystack and Cryptocat!). I wish he would have talked more about threat models and practical things that people can do. Virtually no one reading the Guardian is in a position to decide between IFP/DLP versus ECC crypto.

Thanks Turb, and I bet I would agree. But I am high and have no clue what you are talking about. Could you bring it down to the level us dumb folk can understand?

Symmetric crypto allows me to communicate with you without any eavesdroppers understanding us. But it only works if we have a shared secret, some bit of knowledge that we both know but that no one else does. Asymmetric crypto allows me to communicate with you even if we don't have a shared secret, as long as one of us can publish some information (a public key) into a public directory. Symmetric crypto is fast and asymmetric crypto is much slower.

In practice, if I want to securely communicate with gmail.com or any other website, I can't just use symmetric crypto: I don't have a shared secret with every website I want to communicate securely with. So modern protocols, like TLS (which is the basis of HTTPS, the secure web browser to web server protocol), use a combination: they use asymmetric crypto to start the conversation and exchange a random shared secret, then they switch to using symmetric crypto using that random shared secret. That's the best of both worlds: we get the flexibility of being able to communicate with anyone without having to exchange secrets ahead of time and we only have to take the performance hit of asymmetric crypto for a very small amount of data while the rest of the transaction can use fast symmetric crypto.

This isn't the whole story (I'm glossing over large important issues) but that should give you the gist.

IFP stands for Integer Factorization Problem. A lot of asymmetric crypto relies on operations that are easy to perform, but hard to invert. IFP is one such problem. You take two large prime numbers and multiply them together. Multiplying them is easy. The inverse problem, factoring the product, is hard. You have to try dividing the product by every prime less than the square root of the product; there are many many many primes, and division is very slow, so this takes forever. We're talking about numbers that are a few hundred to a few thousand digits long. DLP is the Discrete Logarithm Problem; it is a similar problem (easy to do, hard to invert). IFP/DLP based asymmetric crypto is quite old: these were the first asymmetric crypto systems ever invented. ECC, elliptic curve crypto, is a newer technique for doing asymmetric crypto. ECC systems are faster than IFP/DLP and appear to be somewhat more resistant to some classes of theoretical attacks.

These are very important issues if you're a programmer designing crypto for a new piece of software or even if you're a system administrator. They're not relevant at all for the average computer user.

And none of the math stuff you are talking about has anything to do with anything. That's not how the NSA operates.

They just say, give it all up or we are going to make it hard on you.

They're not mathematicians, they're mafia.

They're not mathematicians, they're mafia.

They're both. The NSA has one of the largest groups of mathematicians in the country. They heavily recruit from top math and computer science programs. I've known some very sharp folks who have been heavily recruited by them.

They also have a dual mandate that makes them a bit schizophrenic: comsec and infosec. They want to both have access to everything and at the same time ensure that US government and commercial operations are secure from traditional and industrial espionage.

The ability of the NSA to access the communications of every American wasn't done through the efforts of large groups of mathematicians.

The NSA, at the behest of whoever, told the phone and internet companies that if they did not cooperate they would be destroyed.

Most of them cooperated.

It's mafia tactics, it isn't math.

It's mafia tactics, it isn't math.

It is weird how you don't acknowledge that one organization can do both of these things. I mean, when the NSA hardened DES against differential cryptanalysis, they were protecting everyone from attacks that weren't discovered until years later. Their work on SELinux seems solid too. They do most of the heavy lifting for NIST which has an enormous and mostly beneficial effect on crypto development.

Snowden has written about how strong crypto properly used was a huge problem for the NSA.

It's weird how you stand up for an organization that is anti-american, that is against all the principles our forefathers fought for all these years.

Whose side are you on?


One of the few heartening things in this affair is seeing Bruce Schneier really go to war. For a decade and more, he's been trying to reason publicly about security in a wide sense. Despite the great respect he enjoys in cryptography circles, it's mostly fallen on deaf ears.

Turbulence: "I mean, when the NSA hardened DES against differential cryptanalysis, they were protecting everyone from attacks that weren't discovered until years later."

They also reduced the key length from 128 to 56 bits. This weakened Lucifer (Horst Feistel's algorithm which became the basis for DES) a lot more than differential cryptanalysis would - remember, differential cryptanalysis requires millions of chosen plaintexts. In most use-cases you can't get that.

Thomas Ptacek agrees with Schneier on symmetric vs. asymmetric. Obviously there are times you don't have a choice, but there are useful protocols which can achieve their goals without public key cryptography.

On EC vs. DL & IF, I wouldn't worry too much about which expert to listen to. Even if NSA has made a dramatic breakthrough in integer factorization (and I actually think that's unlikely) that isn't going to make factorization free, so with a big key your data is probably still too expensive to attack. If NSA attacks my 1024 bit RSA key, I'm just happy that I'm wasting their time and resources. The important thing is defending against mass interception.

Is the deliberate and clandestine engineering of loopholes in this manner even legal?

Whether something is legal or not doesn't seem to be a limiting factor.

Indeed, but it could be a question of some significance.

It's weird how you stand up for an organization that is anti-american, that is against all the principles our forefathers fought for all these years.

Whose side are you on?

Explaining how things are doesn't equal standing up for what the organization is doing. It just doesn't.

Turbulence is being rather matter-of-fact, here, but I don't see any defense of NSA intrusion into personal privacy. He's just telling you that in addition to doing things we don't like, NSA actually has some very smart and capable crypto people working for them. Which should surprise exactly no one that's ever considered NSA's role.

Turb - thanks for your comments. I was more of Schneier's general comments, rather than how to try to protect yourself from NSA snooping (which he notes is beyond most people anyway, even given his advice).

I would ask the programmers here this question: is it easier to break into a system if you know there is a back door or the encryption is not perfect or the random number is not quite random, as opposed to assuming it or suspecting it?

What Slarti says. And thanks for the defense Slarti. Also, I'm trying to point out that the NSA has smart crypto people inside it. Those people are a resource that can be used for good or evil. But pretending that they're only mafia thugs whose skills are limited to shattering kneecaps isn't helpful.


They also reduced the key length from 128 to 56 bits.

That's the point though: they're doing contradictory things that both advance and retard our security at the same time. And you can't just compare DES to Lucifer straight up: DES was a standard that was primarily intended for hardware implementation. Plus, there were multiple variants of Lucifer with key sizes ranging from 48 to 128 bits.

Thomas Ptacek agrees with Schneier on symmetric vs. asymmetric. Obviously there are times you don't have a choice, but there are useful protocols which can achieve their goals without public key cryptography.

Can you give me a use case of a regular person (non-developer and non-cryptographer) communicating on the internet using only symmetric crypto? I'm honestly stuck coming up with examples....

On EC vs. DL & IF, I wouldn't worry too much about which expert to listen to.

All good advice.

thanks for your comments. I was more of Schneier's general comments

Oh. Sorry to threadjack then.

I would ask the programmers here this question: is it easier to break into a system if you know there is a back door or the encryption is not perfect or the random number is not quite random, as opposed to assuming it or suspecting it?

Yes, the first case is much easier.

Oh. Sorry to threadjack then.

Well, I'm just mathy enough not to run out of stupid questions to ask on encryption. So who's up for that?!

Is the deliberate and clandestine engineering of loopholes in this manner even legal?

Not really. I mean, I suppose if the NSA threatens you or intimidates you, that part would be illegal, but if they merely "encourage" you, then I'm not sure what law they'd be breaking: it is not illegal to ask an engineer to change their design. Most hardware or software products are distributed with disclaimers of warranties, so the customer can't even complain by saying "hey, this encryption thing doesn't really work".

On the other hand, I think the efforts that the NSA makes to attack servers and steal keys are clearly illegal. The Computer Fraud and Abuse Act makes that sort of thing a crime, but if the NSA can get away with it, then the victims are too clueless to even realize that it has happened. Also, in order to launch those attacks, I assume that they're buying exploits on the black market (that's usually how people find fresh, un-patched vulnerabilities to exploit). Participating in those black markets may in itself be illegal: wiring large sums of money to, say, a Russian mob that you know to be involved in drug running seems legally sketchy to me, but IANAL. On the other hand, merely possessing an exploit is not illegal at all.

This article from way back seems relevant:

One major telecommunications company declined to participate in the program: Qwest.

According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.

Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial.

The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information — known as "product" in intelligence circles — with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said.

The NSA, which needed Qwest's participation to completely cover the country, pushed back hard.

Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.

In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.

Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.

The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events.

In June 2002, Nacchio resigned amid allegations that he had misled investors about Qwest's financial health. But Qwest's legal questions about the NSA request remained.

Unable to reach agreement, Nacchio's successor, Richard Notebaert, finally pulled the plug on the NSA talks in late 2004, the sources said.

What strikes me most about all of the NSA revelations is that the most damaging hack committed against them required exactly no crypto wizardry at all. Or, at least, only the most minimal amount.

Snowden thought, rightly or wrongly, that what they were up to was wrong, so he copied a great big pile of stuff and made it public.

Same deal in the Manning case.

As far as obtaining useful intelligence, we probably have our antenna in every financial transaction that goes over a wire. None of that touches informal financial networks like hawala.

We almost killed Bin Laden many years ago when we traced his location via his cell phone usage. So, he stopped using a cell phone.

The NSA are no doubt extraordinarily good at what they do, but I wonder if their technical expertise, their astounding gear, their pots of money to spend, and the oceans of data they have to massage, creates a false sense of confidence that they're actually accomplishing the necessary and useful task of understanding the who, what, when, where, and why of the folks who are hostile toward the US.

Human beings are hugely complex, hugely resourceful, and can communicate and interact in ways that aren't really all that vulnerable to electronic snooping.

They also are expert at lying, obfuscating, misdirecting, and otherwise concealing their intentions and actions.

Other humans, who have a good understanding of the social context in which people operate, may be able to sort out what's going on.

Machines and algorithms, not so much. Or, only within fairly narrow boundaries.

It doesn't really bother me if the NSA knows everything there is to know about me, personally, because there just isn't that much of interest to know.

What I find most disturbing about all of the NSA news is how much we have invested in, and rely upon, technical solutions that are fairly easily defeated by a single clever person.

And, in another example of the random (or not so random?) wit of the machine mind, the captcha for my last comment was:

'technobs 8'

This article from way back seems relevant:

Who do you think you are? Hilzoy?

Oh, first comment:

Posted by: Ugh | May 11, 2006 at 12:08 PM

(The walls are closing in.)

What I find most disturbing about all of the NSA news is how much we have invested in, and rely upon, technical solutions that are fairly easily defeated by a single clever person.

it just shows that the worries about the NSA's mathematical and protocol-manipulating prowess are probably overblown. computer systems, even those designed by the people with the most to lose, are completely vulnerable to malicious insiders. a networked PC with the best security in the world will be irrelevant to someone with access and a thumb drive.

if the govt wants your data, they don't have to break AES and RSA, they just have to get access to your computer. and if you've encrypted everything, then it becomes a battle between your reluctance to give up your keys and your ability to withstand whatever pressure they can put on you.

It's not the walls, it's the NSA.

Also, I recall one of Joe Nacchio's (attempted) defenses at his insider trading trial was that when he refused to cooperate with the NSA, the government threatened retaliation, and that charging him with insider trading was part of that retaliation (among other things). IIRC the judge didn't let him put on that defense.

Explaining how things are doesn't equal standing up for what the organization is doing. It just doesn't.

He wasn't just explaining how things are. He was portraying the NSA as a beneficent organization who acted in the interests of the public.

In addition he was playing up the geeky technological side of the NSA's spying. His idea of what the NSA does vs. mine is, like most things in life, best summed up by an xkcd comic,


Several comments, more pet peeves than anything:

Turb's technical explanations are impressive and much appreciated, but I guess when I hear something along the lines of Integer Factorization Problem, I plead for someone to just shoot me. ;)

If I was being tortured, I'd prefer to just get on with it rather than listening to a detailed acronymed explanation of what's coming. Same with surgery .... spare me the "we'll irrigate the surrounding tissue before inserting the BHS Big Honking Sawzall through the incision and removing the necrotic blah blah"

Whatever happened to spies and the paranoid citizenry just memorizing passages from Catcher In The Rye and sitting in the dark corners of midtown bars awaiting an assignation?

Also, this fairy tale that we tell ourselves over and over again about the Founders fighting for years for our freedoms and their assumed outrage at contemporary violations of their very, very general principles ..... Abraham Lincoln ordered the interception of domestic telegraph traffic during the Civil War ..... FDR put American citizens in concentration camps ..... I'm convinced Washington, Jefferson, Madison, Jay, Franklin, and the lot of them would have been fully on board with these NSA actions, with Jefferson probably pontificating against initially and then reversing his position the first chance he got, and Samuel Adams raging for a bit and then employing the full arsenal of NSA capabilities against any American citizen who threatened revocation of the Second Amendment and watering his beer.

Not defending anything here, in fact, I find the entire edifice of the national security state as it is being presented to us to be monstrous.

Last but not least, may we finally put to bed the idiotic meme, which has existed since The Founders, that Federal Government employees to a man and woman are incompetent, middling boobs who take long lunches and do little more than check out porn at their desks and couldn't survive in the vaunted private sector. Turns out they are highly recruited, smart, capable geniuses who can hack every detail of our lives as well as anyone, as well as carrying out all of the other innocuous tasks of government.

Americans fear competence in government, while telling themselves all is gross incompetence, until of course they go to work for the government.

"Whose side are you on?"

Leaving aside the fact that Turbulence has displayed his bona fides regarding his opposition to the extent of NSA intrusions here numerous times, this question cracks me up.

We're on the Internet, very few of us use our real names, no one knows who the &uck I am and I don't know who anyone really is, we load up our computers with virus scans, encryption, anti-spam protection, etc because WHO can you trust?

Maybe I'm from the government. We should ask the NSA whose side Turb is on because they must be reading this.

He's on Duff Clarity's side. But who is Duff Clarity, besides a very cool blogging handle. You see, I kid

I remember reading a couple of decades ago how we would all live to regret the vast commercialization of the Internet and the inevitable follow up by government.

So here we are. It all happened without anyone asking each and every one of us permission to proceed.

Like every other effing thing.

It gives me no comfort that Snowden, regardless of the public service he has provided, seems to be in a position of trusting Vladimir Putin, who came up with the prototype for the NSA before the letters N, S, and A were invented.

How come each and every one of us didn't offer Snowden safe houses and underground railroads in this country?

And why didn't he think to ask?


If the NSA had stuck to monitoring Joe Nacchio's insider trading, Qwest's pensioners and I would be good to go.

He wasn't just explaining how things are. He was portraying the NSA as a beneficent organization who acted in the interests of the public.

So what you're saying is that if I steal my grandmother's social security check, I didn't really mow her lawn.

So what you're saying is that if I steal my grandmother's social security check, I didn't really mow her lawn.

x2

The way I see things, Duff, the problem that you are having lies on your end of the conversation. Yes, indeedy, people and even large organizations can be both feckless and competent, perform evil deeds and good, and all sorts of seemingly contradictory things. Sometimes even simultaneously.

NSA can be a beneficent organization in some respects and roles, and be a pushy, nameless-faceless abuse of government-granted power in others. There's no contradiction, here. Individuals (and corporations and agencies and...) actually are a mixed bag of behaviors.

I think there are endless examples of individuals having this bewildering combination of good and bad aspects, but there are probably at least two cups of coffee (for me) between now and a few examples of that kind of thing. My head keeps coming up with William Shockley for some reason. Probably a bad example.

As I said: more caffeine is needed today.

then I'm not sure what law they'd be breaking: it is not illegal to ask an engineer to change their design.

Thanks for the reply.

I was thinking along the lines of 4th Amendment.

To try a rough analogy, would it be legal to ask lock manufacturers to provide law enforcement with a spare key to every lock they install?
And can an organisation with the power of government ever just 'ask'?

Law enforcement already has snap guns.

Another thing that bothers me about this is that there was the whole blow up about the "Clipper Chip" back in the 1990s (as discussed in the article) and the answer was that the American People did not want the government to have the power to access all encrypted communications, but the NSA apparently decided otherwise anyway.

"He wasn't just explaining how things are. He was portraying the NSA as a beneficent organization who acted in the interests of the public."

What slarti just explained. Also, Duff, if you want to argue with someone who is steadfastly in favor of government spying, you should probably just stick around a bit and there's a fair to middling chance one will pop up, but Turb isn't your logical debate opponent. You're reading things into his comments that aren't there.

Now what bugs me about the NSA is not whether or not the government can track my movements or read my email and so forth. I imagine they could dig up some embarrassing fact somewhere if I were important, but there's the catch--I'm not. What bugs me is how closely the government might be able to monitor people who are important. They will go after investigative journalists, whistleblowers, and people we might not all agree are whistleblowers (but I do), people like MLK, etc.... This is what drives me nuts when I hear friends or relatives dismiss the NSA because they've got nothing to hide. Well, yeah, and who gives a crap about them anyway? They're about as likely to expose a major government scandal or lead a civil rights struggle as I am.

Ugh, it's always easier to break a system if you know it can be done. And if you know there is a flaw, you usually know at least a little about what kind of a flaw it is, which means that you know where to concentrate your efforts. It doesn't matter whether it's a backdoor, or a flaw in the encryption algorithm, or a flaw in the implementation -- just knowing which of those is present is a huge step forward to breaking in.

What strikes me most about all of the NSA revelations is that the most damaging hack committed against them required exactly no crypto wizardry at all. Or, at least, only the most minimal amount.

This is a good point but I'd phrase it a bit differently. Encrypting communications is relatively easy. The details are tricky, but doable. On the other hand, designing a usable access control system for a large organization is really really hard, especially if you don't want to cripple the organization by limiting information flows. I have no idea how one might do it.


I was thinking along the lines of 4th Amendment.

In general, I don't think this necessarily limits a provider. If I'm making cell phones and the NSA asks me to introduce bugs in the crypto, that primarily affects the security of customers who buy my cell phones: it doesn't really affect me. In any event, the 4A deals with actual seizures of data: I don't think it covers things that might facilitate data seizures later. I could be wrong about that, but the Communications Assistance for Law Enforcement (CALEA) law suggests that the 4A doesn't really apply.

Then again, Snowden's disclosures suggest that the NSA is just completely ignoring the 4A (IMO), so even if it did apply, I'm not sure that would matter much.

To try a rough analogy, would it be legal to ask lock manufacturers to provide law enforcement with a spare key to every lock they install?
And can an organisation with the power of government ever just 'ask'?

I don't see why not....


the American People did not want the government to have the power to access all encrypted communications

I'm not sure that's the lesson I'd take away from that. Part of the key escrow controversy revolved around the question of how difficult would making your own encryption actually be. If your vision of technology trends was that encryption would only be feasible if big technical companies manufactured special hardware devoted to encryption, that's very different than a world where general purpose computers get dirt cheap and open source hackers from around the world collaborate so that anyone can run military grade crypto on their cheap computer.

There was also a big question of whether unaffiliated cryptographers and companies could put together crypto systems that were really secure and then manage to standardize them without the standardization process being totally compromised by the government.

Those are two big empirical questions and although the answers are obvious now, and maybe were obvious to some people in the mid 1990s, I'm not sure the government was completely nuts in getting those questions wrong at the time. I think they were just slow. Part of the reason that crypto wars ended was because the government realized that their empirical understanding of those questions was just wrong. Also, it helped that every time they pushed a new draft of a key escrow protocol, Matt Blaze and friends would publish devastating attacks against it the next week. After that happened a few times, the government's credibility was really shot.

His idea of what the NSA does vs. mine is, like most things in life, best summed up by an xkcd comic,

The comic is funny. But it misses the point. Crypto isn't supposed to be an insurmountable barrier, it is supposed to raise your adversary's costs.

That's just like any security system. The lock on my front door is not an impenetrable barrier. A locksmith can easily bypass it, someone who knows how to pick can pick it, the police can knock the whole damn door down with a battering ram and a dedicated thief can cut glass and enter through the window. The point is to raise the costs and make intrusion obvious: if I come home and the door has been knocked off its hinges, I know something serious went down.

So sure, the NSA could totally grab me off the street, lock me in a basement and beat me until I tell them whatever they want to know. How many people can they do that to in a day? Not many. Can they do that to me without me knowing that I'm being beaten to death? No. So the purpose of encrypting traffic isn't to guarantee perfect security, but rather to force adversaries into dramatically more costly moves.

So the purpose of encrypting traffic isn't to guarantee perfect security, but rather to force adversaries into dramatically more costly moves.

That's kind of what I don't understand about asymmetric encryption. What does the hacker have to do to break it that the intended receiver doesn't?

Count-me-in: "I'm convinced Washington, Jefferson, Madison, Jay, Franklin, and the lot of them would have been fully on board with these NSA actions, with Jefferson probably pontificating against initially and then reversing his position the first chance he got, and Samuel Adams raging for a bit and then employing the full arsenal of NSA capabilities against any American citizen who threatened revocation of the Second Amendment and watering his beer."

The Founders actually fought against the superpower of the world, with some rather bad odds against them.

Is it simply a matter of having to be lucky enough to pick up the one crucial exchange that has, say, the integer to be factored in it?

"So what you're saying is that if I steal my grandmother's social security check, I didn't really mow her lawn."

Posted by: hairshirthedonist

IMHO, he's saying that you can't be trusted, and probably stole other things as well (and you probably didn't mow her lawn, but lied to her).

"Law enforcement already has snap guns."

Posted by: Slartibartfast

Please have a friend explain the analogy.

IMHO, he's saying that you can't be trusted, and probably stole other things as well (and you probably didn't mow her lawn, but lied to her).

He may well be, and I wouldn't take issue with any of that but the parenthetical. (It's my hypothetical, and I did mow her lawn.) He also doesn't deliver much in the way of specifics as Turb does in support of his position on the technical capabilities (or lack thereof) of some of the people in the NSA.

Besides that, the math stuff was in response to an article linked and then to a question about the response. It wasn't some "But the NSA is all mathy and stuff, so they must be cool. Stop saying they're bad." argument out of the blue from a guy who just loves him some NSA. The point was that the average Joe isn't going to understand the stuff and is in no position to do much about it.

That's kind of what I don't understand about asymmetric encryption. What does the hacker have to do to break it that the intended receiver doesn't?

the hacker would have to figure out the sender's private key, which is never published.

but you don't choose them directly, the way you pick a password for a symmetric cipher. for RSA, the private and public keys are numbers, which are related mathematically - they are derived together from two prime numbers, which you provide (or let something pick for you), and a bit of math.

you can encrypt with the public key (which you can share), but you need the private key to decrypt. it's a one-way conversation.

the encryption/decryption itself is just the application of some rather simple arithmetic. well, the math is simple, but the concept behind it is just a bit too subtle for me to be able to explain it well.

Thanks, cleek.

the hacker would have to figure out the sender's private key,

arrrgh!

the hacker would have to figure out the receiver's private key.

it works like this:
1. you create a public/private key pair. (these are a pair of big numbers)
2. you publish your public key.
3. anyone can use your public key to send you a message.
4. but only your private key can decrypt a message encrypted with your public key.

the mathematical relationship between the public and private keys is such that the encryption/decryption works, but that you can't guess (or easily derive) one from the other.

the big problem is that ever-increasing computer performance changes what "easily" means. keys need to keep getting bigger to outrun the hardware.
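The four steps above, as an added example that is not part of cleek's comment: a toy RSA key pair in Python with numbers small enough to see. The primes are deliberately tiny; real keys use primes of about 1024 bits each so that the factoring step at the bottom is out of reach, which is exactly the "keys need to keep getting bigger" point.

```python
# Added example, not code from the original thread: a toy RSA key pair that
# walks through the four steps with visible numbers.  The primes are
# deliberately tiny; real RSA uses ~1024-bit primes so that the factoring
# step in recover_private_key() is infeasible.
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Step 1: derive a (public, private) pair from two primes p and q.

    You never pick d directly: it falls out of p, q and e.  Publishing
    (n, e) is safe only because recovering d requires knowing p and q.
    """
    n = p * q                    # the modulus, shared by both keys
    phi = (p - 1) * (q - 1)      # must stay secret; known only via p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Step 3: anyone holding the public key can encrypt m, 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a number smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Step 4: only the private exponent d turns the ciphertext back into m."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """What an eavesdropper has to do: factor n to get p and q, then redo
    step 1.  Trial division works here only because n is tiny; for a real
    2048-bit modulus this loop would never finish, which is why key sizes
    keep growing as hardware gets faster.
    """
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no small factor; not a toy modulus")


if __name__ == "__main__":
    public, private = make_keypair(61, 53)   # textbook-sized primes
    c = encrypt(public, 65)
    print("public key", public, "private key", private)
    print("ciphertext", c, "-> decrypts to", decrypt(private, c))
    print("recovered from the public key alone:", recover_private_key(public))
```

Note that the same modulus n appears in both keys; the secret is the exponent d, and d is only computable from (p - 1)(q - 1), which is why factoring n is the attacker's problem.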

Please have a friend explain the analogy.

I have no idea what point it is you're trying to make here. My point, if less than clear, was that law enforcement doesn't need a key to your door locks, because they already have snap guns. They're not permitted (by law) to just open your doors without a warrant, and (I gather) neither is the NSA permitted by law to access your personal data without a warrant.

If these words don't work for you, I have other ones.

IMHO, he's saying that you can't be trusted, and probably stole other things as well (and you probably didn't mow her lawn, but lied to her).

Which is all well and good, but what Turbulence has stated as a given is that you did in fact mow the lawn. Whether you stole anything else from grandma is relevant, but doesn't negate the lawn getting mowed.

So what you're saying is that if I steal my grandmother's social security check, I didn't really mow her lawn.

I'm saying that in the case you describe, if someone shows up at the sentencing for the theft and testifies to your solid gardening skills, how beneficial your lawn care was to her, and how well you protected her finances, then I would not describe what the person was doing as explaining how things are. I would describe what the person was doing as taking your side.

people and even large organizations can be both feckless and competent, perform evil deeds and good, and all sorts of seemingly contradictory things. Sometimes even simultaneously.

If the mafia ran a bake sale to get money for sick kittens, I wouldn't then describe the mafia as both evil and good. I would describe them as evil criminals who probably have some sick kitten scam going on.

Turbulence described the contributions of the NSA as "beneficial" when in the past those contributions have turned out to weaken encryption in subtle ways that the NSA knew about and used to intrude even further on our liberty. I see two possibilities with the "beneficial" contributions he mentions - they are scams or they are contributed only to build up a reputation that can be exploited in future scams.

You don't usually strike me as a naive person (that word isn't actually in the English dictionary), but when it comes to the NSA it seems as though if there was a huge wooden horse outside your fort when you woke up, with a note marked "from your friends at the NSA", you would say, "Holy moly! A perfectly good wooden horse! Roll that sucker on in here!"

Turbulence, the CALEA only covers telecommunications services (ie those digital services which replicate the functions of the old telephone network).

It specifically excludes "information services", which is what we're discussing here.

I think there is a difference in expectation of privacy between the two things.


but there are probably at least two cups of coffee (for me) between now and a few examples of that kind of thing. My head keeps coming up with William Shockley for some reason. Probably a bad example.

As I said: more caffeine is needed today.

Posted by: Slartibartfast | September 06, 2013 at 12:05 PM


Looks like a real problem, two cups of Joe away at noon. Wouldn't a beer work better at that point?

Turbulence, the CALEA only covers telecommunications services (ie those digital services which replicate the functions of the old telephone network).

Sorry, my last comment was unclear. CALEA doesn't apply to information services of course. But its existence does suggest that the 4A can't be used to stop the government from asking companies to break their own crypto. If the 4A really prevented such requests, CALEA would have violated it.

This particular issue of the NSA asking companies to weaken crypto has been well known in the industry for many years now. I know people who have seen it firsthand. Schneier has written about it over the years. If there was a legal leg to stand on, I expect the EFF would have made a case by now.

"But its existence does suggest that the 4A can't be used to stop the government from asking companies to break their own crypto."

Maybe not, but what about this analogy:

You make copies of your house keys at the hardware store. Let's assume you leave one copy behind at the hardware store (or the hardware store owner forgets to give you one, I don't think it matters). Then the FBI comes and asks the hardware store owner to give them that extra copy of your house key so that the FBI can go in your house, the store owner consents, FBI goes in your house. 4A violation?

I know that SCOTUS thinks the house is very special, but I still think it's a decent analogy.

@Julian: The FBI can have copies of ALL your keys, could have the master key to all your locks. You could be living in those (increasingly smaller) areas of the country where people don't bother to lock their doors.

It's not the locks that the 4A is concerned with. It's the entry & search. If the FBI doesn't break down the door, that should be counted as a benefit: good front doors are EXPENSIVE!

CALEA doesn't apply to information services of course. But its existence does suggest that the 4A can't be used to stop the government from asking companies to break their own crypto. If the 4A really prevented such requests, CALEA would have violated it.

This particular issue of the NSA asking companies to weaken crypto has been well known in the industry for many years now. I know people who have seen it firsthand. Schneier has written about it over the years. If there was a legal leg to stand on, I expect the EFF would have made a case by now.

The court decisions on CALEA do suggest that courts recognise an essential difference between 'information services' and telecommunications, and the justification for upholding CALEA are all by reference to the old fashioned means of physically tapping lines.

The NSA asking companies to weaken crypto might well have been 'well known in the industry for many years', but in legal terms it has been plausibly deniable.
Now that it is out in the open, I would be surprised if there is not a case (or cases) to be brought by the EFF in due course.

As for analogies, a better one might be that a means has been discovered to make all house walls transparent to the right equipment, and the government asserts not only the right to use that equipment, but also the right to prevent homeowners from fitting modifications to those walls which might defeat that equipment.
Even that analogy is inadequate (though it might appeal to technologically challenged Supreme Court Justices), as it fails to grasp the power of mass search with respect to the data of millions of citizens.

The hard fact is that electronic rights - and their potential denial - are of a different order to those developed constitutionally over the last couple of centuries. Analogies fail to grasp that the only way rights are real in the datasphere is if they are coded into the system.

This article is interesting, and on point:

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

...Which means there's a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys** or else actively stealing keys from US providers, possibly (or probably) without executives' knowledge. This only requires a small number of people with physical or electronic access to servers, so it's quite feasible.*** The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users' data via programs such as PRISM.

To me, the existence of this program is probably the least unexpected piece of all the news today. Somehow it's also the most upsetting.

Curiously, his university requested that he take it down:
http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/

Would any of the academics posting here like to comment on the JHU dean's (less than unreserved) apology:
http://www.theguardian.com/world/2013/sep/10/johns-hopkins-dean-apologises-for-blog#start-of-comments

And just what might have been these "legal consequences" to which he referred (other than entirely imaginary) ?

Which means there's a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys**

The problem with this assertion is that it doesn't make any sense. If you compromise a certificate authority (CA), you don't gain access to a website's encryption keys. When a website gets its key signed by a CA, it doesn't turn over its keys. So the CA doesn't have their keys, and so compromising the CA doesn't get you the keys.

Compromising a CA does allow you to forge keys for a website though, which then allows you to launch an active man in the middle (MITM) attack against that site. This is a very expensive attack: it requires that the attacker intercept all traffic between the target and website. You can't actually run this attack on the population at large: you can only run it against a few selected people. If you try and run it against a large group of people, that will be very obvious to major service providers. It is feasible to run the attack if you're a small country where all internet access has to go through a single government run choke point; this doesn't apply to the US though.

Vulnerability to this MITM attack is a well known problem with the CA system. It is one of the big reasons why Google decided to spend a ton of money writing a web browser. When you use Google's Chrome browser, it knows how to externally verify certificates for Google sites; if they're altered by an attacker, the browser will notice. There's a proposal to extend this certificate pinning more generally, so that all users will be protected on all sites that care, rather than just Chrome users connecting to Google sites. I think this certificate pinning proposal will probably be adopted, but it will take a few years to see widespread adoption.

I don't think the NSA is doing this much. For passive surveillance, this attack doesn't work (MITM is very very active). And for targeted active surveillance, this attack is more expensive than just using a random flash/windows/java-plugin exploit to compromise the target's computer or just paying someone to break into their house and install a keylogger.


or else actively stealing keys from US providers, possibly (or probably) without executives' knowledge. This only requires a small number of people with physical or electronic access to servers, so it's quite feasible.***

That makes a lot more sense. There's been a consolidation of companies offering hardware security modules and a lot of web companies use those devices for all their key management. If the NSA compromised one or both of the big players in that industry, they'd have a huge win. And since those boxes are sealed, it is very difficult to verify what they're doing.


it seems so obviously immoral if not illegal

I know, right?! I mean, after the US government started a war for no apparent reason that ended up killing a million people, who could have imagined that they might do something immoral? I for one am shocked, shocked I say.
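The two points in Turbulence's comment, as an added example that is not part of the original thread: a compromised CA yields a certificate that the ordinary CA check accepts (enabling a man-in-the-middle) but does not yield the site's own key, and a pinned public key rejects that forged certificate. Certificate signatures are stood in for by an HMAC over the certificate fields under the CA's secret key (real CAs use RSA or ECDSA signatures), and the hostnames, CA names and key material are invented for the demo.

```python
# Added example, not code from the original thread.  Simplifications: a
# certificate "signature" is an HMAC over the certificate fields under the
# CA's secret key (real CAs use RSA/ECDSA), and the hostnames, CA names and
# keys are invented.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    hostname: str
    spki: bytes      # the site's public key; this is what a pin hashes
    issuer: str
    signature: bytes


def ca_sign(signing_key, issuer, hostname, spki):
    """The CA's signing operation, separated out because an attacker who
    steals signing_key runs exactly the same function."""
    message = issuer.encode() + b"|" + hostname.encode() + b"|" + spki
    sig = hmac.new(signing_key, message, "sha256").digest()
    return Certificate(hostname, spki, issuer, sig)


class CertificateAuthority:
    def __init__(self, name):
        self.name = name
        self.signing_key = os.urandom(32)   # the secret an attacker would steal

    def issue(self, hostname, spki):
        return ca_sign(self.signing_key, self.name, hostname, spki)

    def verify(self, cert):
        expected = ca_sign(self.signing_key, self.name, cert.hostname, cert.spki)
        return cert.issuer == self.name and hmac.compare_digest(
            expected.signature, cert.signature)


def spki_pin(spki):
    """A pin is a hash of the public key, the same idea Chrome's pins use."""
    return hashlib.sha256(spki).digest()


class Browser:
    def __init__(self, trusted_cas, pins):
        self.trusted_cas = {ca.name: ca for ca in trusted_cas}
        self.pins = pins   # hostname -> set of acceptable SPKI hashes

    def check(self, hostname, cert):
        # Classic CA validation: any trusted CA may vouch for any hostname.
        ca = self.trusted_cas.get(cert.issuer)
        if ca is None or cert.hostname != hostname or not ca.verify(cert):
            return "rejected: untrusted or invalid certificate"
        # Pinning: for pinned hosts the key itself must be one we expect,
        # no matter which CA signed the certificate.
        pinned = self.pins.get(hostname)
        if pinned is not None and spki_pin(cert.spki) not in pinned:
            return "rejected: public key does not match pin"
        return "accepted"


def scenario():
    honest_ca = CertificateAuthority("Honest CA")
    weak_ca = CertificateAuthority("Weak CA")
    site_key = os.urandom(64)          # the site's real key; never leaves the site
    real_cert = honest_ca.issue("gmail.com", site_key)

    # The attacker compromises Weak CA: they get its signing key, not site_key,
    # so the forged certificate has to carry a key of the attacker's own.
    stolen_key = weak_ca.signing_key
    forged_cert = ca_sign(stolen_key, "Weak CA", "gmail.com", os.urandom(64))

    plain = Browser([honest_ca, weak_ca], pins={})
    pinned = Browser([honest_ca, weak_ca],
                     pins={"gmail.com": {spki_pin(site_key)}})
    return {
        "real cert, plain browser": plain.check("gmail.com", real_cert),
        "forged cert, plain browser": plain.check("gmail.com", forged_cert),
        "real cert, pinned browser": pinned.check("gmail.com", real_cert),
        "forged cert, pinned browser": pinned.check("gmail.com", forged_cert),
        "forged cert carries the site's key": forged_cert.spki == site_key,
    }


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(f"{label}: {outcome}")
```

The forged certificate passes the plain browser because the CA model trusts every CA for every name; it fails the pinned browser because the attacker had to substitute their own key, and that substitution is precisely what makes the attack an active man-in-the-middle rather than passive eavesdropping.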

The comments to this entry are closed.