
All your base are belong to us - NSA and crypto

wes allen Member Posts: 540 ■■■■■□□□□□

Comments

  • 010101 Member Posts: 68 ■■□□□□□□□□
    RIP cloud.
    You would have to be a fool to put your data in the cloud now.
    How long until China hacks the NSA and has every ounce of data in existence?
  • Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
    If they have cracked or placed a backdoor in AES, which is what they are suggesting, then why do they need to get companies to hand over the keys to encrypted services? Also, $250 million for putting backdoors into software & hardware doesn't seem like a lot of money.

    Thanks for sharing!
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    Come on, this has been going on since the dawn of time (or shortly after). It's all about numbers and time. I am sure the NSA and the like can crack encryption such as AES; given enough time, we know they can simply with brute force.

    But it's still time-consuming and requires a lot of focus, so while high-profile targets are at risk, the likes of the consumer will never be targeted. No government is going to divert millions of pounds of hardware and days of staff time to check what I ordered down the shops for my dinner.

    It's a double-edged sword. Do you push for tougher encryption and then are unable to monitor anything, good or bad? Or do you control things to a level where you try to keep the bad guys out but allow the good guys to keep an eye on things?

    I sit here monitoring the network each day. My aim is not to spy on the company workers, but to keep an eye on the network and make sure nothing bad is happening. To achieve this I need ways to bypass the users' security settings, and the most basic of these is having access to an account with "domain admin" privileges. Because I have access to this account does not mean the network is insecure because possibly an attacker could also get hold of it.

    Same with the NSA: it's not like they will have all their eggs in one basket. For the last 30+ years governments have been hacking each other, and just like physical war they understand the need to keep multiple layers of defence and to outmanoeuvre the enemy. I would much rather they are there than leaving us alone to face the likes of China!
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    My guess is that although they have a backdoor, it would be noticed if they used it... why break a window, when you can get the key to the front door.
    Working on: staying alive and staying employed
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    There are plenty of mathematical solutions to cracking AES; one, for example, can crack AES-128 in 80000000000000000000000000000000000000 steps.

    This might sound like a lot, but it shows that it's not a process of brute force; it's a quite straightforward formula that has been known about in forms ever since AES was created. With asymmetric encryption, which is what we are talking about, it is wrong to think about it being irreversible. This is completely incorrect. It's just that it takes a very, very long time with today's computers. If we do see someone manage to create a quantum computer that has 128 bits, then expect AES to fall apart very quickly.
  • Claymoore Member Posts: 1,637
    010101 wrote: »
    You would have to be a fool to put your data in the cloud now.

    I have seen so many on-premise installations that could be completely pwned by a 12-year-old script kiddie. The servers may have hidden back doors, but at least the known vulnerabilities are patched. The backups may be shared with the spooks, but at least the server was backed up. I can't say the same thing about some of the on-prem environments.
  • 010101 Member Posts: 68 ■■□□□□□□□□
    ^^^ True, but it's up to a company to hire good people or cheap people. You can choose to have a good environment or not.
    If you put your data in the cloud, you're guaranteed to have the US and British governments snooping through it.
    It would be funny if Google/Microsoft/etc got kickbacks in the form of IP for helping the NSA.
    Here Google, here's the blueprint for the next X device. Here Ford, here's the plans for the new BMW M3.

    Where it gets sketchy is when you figure China hacks everything.
    They've hacked Amazon, Google, Microsoft, RSA, US Government, etc, etc.
    Only a matter of time before they hack the NSA.
    When they do, goodbye secrets for Coke, Pepsi, etc etc.
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    When your business relies on protecting people's data, then you put a lot of effort into it. So the likes of Google and Amazon put huge resources into security, and you get the benefit of this if you use the cloud. If you send a file via email to a third party it leaves your control, so in this case you could argue that having it in the cloud is no more of a security risk.

    On the other hand, financial and IP property you probably should not use cloud for. The role of a good security analyst is not to find one solution that fits all, but to classify the data your company holds, define the policies and then choose the solution that meets them.
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    010101 wrote: »
    ^^^ True, but it's up to a company to hire good people or cheap people. You can choose to have a good environment or not.
    If you put your data in the cloud, you're guaranteed to have the US and British governments snooping through it.
    It would be funny if Google/Microsoft/etc got kickbacks in the form of IP for helping the NSA.
    Here Google, here's the blueprint for the next X device. Here Ford, here's the plans for the new BMW M3.

    Where it gets sketchy is when you figure China hacks everything.
    They've hacked Amazon, Google, Microsoft, RSA, US Government, etc, etc.
    Only a matter of time before they hack the NSA.
    When they do, goodbye secrets for Coke, Pepsi, etc etc.

    I'm not sure of your experience with the government, but all the highly classified stuff cannot be accessed via the internet. There are multiple classified networks, of which none are connected to the internet.
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    DevilWAH wrote: »
    With asymmetric encryption, which is what we are talking about, it is wrong to think about it being irreversible. This is completely incorrect. It's just that it takes a very, very long time with today's computers. If we do see someone manage to create a quantum computer that has 128 bits, then expect AES to fall apart very quickly.
    For starters, AES (or the Rijndael cipher) is symmetric. It's true that it's reversible given enough computational power, but right now even a higher-than-known-to-exist-qubit quantum computer would struggle with strong AES-256 keys, even with AES-128 keys.

    You're thinking of RSA. One of the allegations is that the NSA has developed a mathematical breakthrough that breaks RSA. Another is, again, that they have a stronger quantum computer than expected, which will pretty much break asymmetric encryption altogether. The third, and more likely explanation in my opinion, is a combination of backdoors and bad implementations that make a wide variety of systems vulnerable. It's already known (and it was linked elsewhere here) that NSA is breaking into routers, switches, and firewalls all over the world using published vulnerabilities, but almost certainly using unpublished ones as well.

    While the privacy implications are serious, the thing to realize is that these capabilities aren't limited to the NSA. The NSA just happens to be the best-equipped entity for circumventing and breaking digital security measures. Even if you're just trying to protect IP, business plans, financial data, credit card numbers, whatever it may be, the breadth and scope of vulnerabilities is astounding. Organizations across the world don't manage their technology well, and the technology is often insecure to the point that makes even really good management all but pointless.

    But whether it's cloud or not, as Claymoore points out, is largely beside the point. It is probably much, much easier to break into your typical on-prem implementation than any public cloud. You think your processes and technology are better than Amazon's and Microsoft's and Google's? Perhaps, perhaps not, but for most non-government, non-military organizations, I highly doubt it. For most organizations, even if your external network is rock-solid (which is somewhat unlikely but not wholly unfeasible), chances are a simple Java payload could circumvent or penetrate every single defensive measure in the environment.

    No, for most circumstances I think using a public cloud is probably just fine, even preferable from a security standpoint. I certainly don't think the NSA's capabilities really change it one way or the other. If they have backdoors in the major public cloud providers, they probably have backdoors or exploits for what you're using anyway.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    ptilsen wrote: »
    For starters, AES (or the Rijndael cipher) is symmetric. It's true that it's reversible given enough computational power, but right now even a higher-than-known-to-exist-qubit quantum computer would struggle with strong AES-256 keys, even with AES-128 keys.

    You're thinking of RSA.

    I swear that's what my mind said but my fingers typed something else :) But yes, of course AES is symmetric and not asymmetric. I was talking about asymmetric encryption, though, when I talked about the simple formula to crack it and the fact that quantum computers will make this very easy. The formula lends itself perfectly to the kind of algorithms that quantum computers do very well at. However, things like RSA are normally only used to exchange symmetric keys, and unless someone captures this exchange and the data itself it will not help much. Cracking symmetric encryption with quantum methods is not as easy; you need to know the number of steps and rounds used for it to work, otherwise you could end up with thousands of possible solutions but have no idea which one is correct.

    The other question people have to ask themselves is: would they like the NSA to leave it to China and other countries to work on cracking the internet encryption standards? Personally, I would feel much happier if my own government was the first to get the upper hand than some other countries.

    The NSA and GHQ have a vested interest in ensuring the economy of their respective countries prospers. This means not destroying the reputation of some of their largest companies (Google / Amazon / Microsoft for starters), which means not exposing them as weak and insecure. As much as the NSA might have back doors into some of these companies, they are also working to help improve their protection against others.

    Why do people always assume big brother only has a negative effect?
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I saw Amazon is hiring 100 engineers who can attain Top Secret Clearances lol.

    What I do find funny is how other countries are using this as a reason why people should look for local hosting solutions and services. That is fine and dandy but it's not like the US government is not working WITH other countries in surveillance activities.

    The big thing I tell people I know who are not technically competent is to just recognize that somebody somehow can see stuff you put out "there" not just the government. It is good business to ensure you protect the privacy and security of your customers but if you are not comfortable with anybody seeing your stuff then keep it local to your home network.