How Advanced Is the NSA's Cryptanalysis, and Can We Resist It?

209 points, by moonboots, over 11 years ago

11 comments

ef4 (over 11 years ago)

We can and we must.

I'm glad that Bruce Schneier has now had a chance to view some of the primary source documents from the Snowden leaks, because I trust him to speak frankly and I trust his technical ability.

(I'm referring to http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html, not the above link.)

Both he and Snowden have essentially said that we can still trust the math. Modern symmetric crypto has enough safety margin that even extremely surprising breakthroughs wouldn't give the NSA practical decryption capabilities. (Asymmetric crypto is less certain, but even there Schneier still says discrete-log-based methods with sufficiently large keys are likely OK, and I would bet he's right.)

So the bottom line is this:

- Using crypto correctly really matters, because they really *are* out to get you. Most software gets it wrong, not because there are no good cryptosystems, but because people are ignorant of how to do it right.

- Build attack-resistant organizations, not just protocols. The more transparent, flat, and distributed an organization, the harder it is to secretly coerce into cooperating with the NSA. It's a lot harder to force a backdoor into Firefox than into Chrome.

- It turns out open source really matters. The tinfoil hat brigade is vindicated. Closed source vendors really are actively working against their customers' security.
newman314 (over 11 years ago)

What is not being said is "Which, if any, of the CAs have been compromised?" There is this ongoing conversation of "Use HTTPS" (as one of the defense mechanisms), but there has been very little discussion, from what I have seen, around the scenario where CAs have been compromised/backdoored.
bascule (over 11 years ago)

Schneier has been giving some pretty weird advice lately. This is probably the weirdest thing I've seen from him:

"Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can."

There are plenty of ECC systems that have virtually no chance of NSA influence. Curve25519/Ed25519 come to mind.
danso (over 11 years ago)

Politics and civil freedoms aside, I think it's fascinating that there can essentially be this black box, i.e. the NSA, that can make breakthroughs in *new mathematics* with only its employees and those on the outside sworn to secrecy. They obviously have brilliant mathematicians, but more brilliant than the best ones at the world's best universities or tech companies? Or are their suspected/hypothetical theoretical breakthroughs a product of the *efficiency* of academic thinking that comes from being under one roof, à la the Manhattan Project (which, like the NSA, obviously had more than just people brilliant in an academic sense)?

When I studied cryptography in college, our professor said matter-of-factly that the NSA is likely at least a decade ahead in terms of known mathematical breakthroughs, but perhaps he was biased toward thinking that because he was in the field during the 1970s breakthrough that Schneier mentions. It seems more feasible that the breakthrough is in engineering and technology, but hey, I guess it's good to know the boundaries of mathematical reasoning can be pushed (hopefully, those gains will be available to the rest of the world for non-spying means).

edit: Case in point, Schneier's 2007 post that's now on the front page:

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

Schneier describes a random number generator, released as the standard by the U.S. government, that he concludes was likely back-doored through NSA intervention. This hypothesis was made by two independent researchers in the previous months, and others had suspicions a year before. My point being: in terms of open encryption standards, it's very amazing that the NSA (or any private entity) can make a purely mathematical breakthrough that's well ahead of the field.
coldcode (over 11 years ago)

Yet they let one random contractor steal a ton of their secrets. What are the odds that one person out of those 35,000 who know these secrets, if they exist, and who has a conscience won't come forth and spill the magic beans?
cinquemb (over 11 years ago)

Does anyone know of any research surrounding the usage of meshnets (security-wise)? I know they are springing up in places like Chicago (I'm following the forum[0] so I can at least be conscious of the technical aspects and their implementations when I can do something like that where I live), but somehow they remain disconnected from the general conversation (on HN) surrounding passive surveillance.

[0] http://cmn-forum.karmanebula.com/
Debugreality (over 11 years ago)

Here is an interesting startup idea that may be a step towards a solution.

Set up an organization that gives a tick of approval similar to ISO quality standards, but for NSA-free software. It would involve selling your logo to businesses that meet a defined list of processes and practices to harden their software against third-party spying and security flaws.

Then you can perform audits and sell your logo on a yearly basis to businesses around the globe.
lignuist (over 11 years ago)

OK Snowden, now release the secure algorithms. :)

If they can break the known algorithms, they probably have better stuff for their own communication.
twotwotwo (over 11 years ago)

Wow, I disagree with him about the relative security of RSA vs. ECC. First, ignoring any clues from NSA's behavior entirely, RSA attacks have gradually gotten better, and an RSA/DH-based system with 256-bit security would be very slow (3072-bit RSA keys).

Second, I really doubt NSA's recommendations for Suite B algos are head fakes, because the public justification for them makes sense and head faking doesn't. US and allied governments can't use secret algorithms everywhere, and their systems need to talk securely. And they seem to actually be using Suite B, so it would be an expensive, risky head fake to standardize your whole government around something you know can in principle be cracked (even if you think only you can currently do it). On the other hand, I think it doesn't matter to NSA much if Suite B reveals that NSA thinks 521-bit ECDH is OK; notice how it hasn't led to ubiquitous ECDH usage.

2.5th, if all the latest hints mean they're breaking tons of real traffic with a mathematical breakthrough, it's got to be in implementing RSA cracks, because most real traffic isn't using ECC. (Schneier admitted that might be possible when a "crypto breakthrough" claim came out early last year: http://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html)

But there is at least one way to deal with an unresolvable uncertainty about which of two algos is badly broken. For secure one-to-one communications, you only need to establish a secure session once, then keep a secret key stashed for secrecy and authentication (auth through MACs or authenticated encryption, not signatures). So just frickin' use both: do two key negotiations, hash the results to get your key, and don't worry how slow it is because chips are fast and you only need to do this once.

Anyway, I do echo Schneier that the math is probably not the weakest point; it's consistent with experience in the world outside, where there are far more bugs and so on than algorithm failures (though algo failures happen, e.g., the 2008 MD5 SSL break). And it's consistent with all the other NSA leaks, which are mostly about non-cryptographic ways to data. Regaining some privacy looks like a long and difficult process.
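The "just use both" approach in the comment above, written out as an added example. This is not code from the thread or from the commenter; it assumes finite-field Diffie-Hellman in the RFC 3526 2048-bit group (id 14) and X25519 (RFC 7748) as the two negotiations, HKDF-SHA256 as the combining hash, and HMAC-SHA256 for authentication. All function names, the `hybrid-kex-v1` label and the sample message are invented for the example. It goes a little beyond the comment: it rejects degenerate public values on both sides and binds the derived keys to the transcript of public values, which is what a practitioner would want before trusting the result. Everything is standard library; the X25519 ladder is a readable reference that branches on secret bits and is not constant-time, so it is there to make the combination concrete, not to ship.

```python
# Added example (not from the HN thread): hybrid key agreement, finite-field DH plus
# X25519, both secrets hashed into one session key. Stdlib only; X25519 is NOT constant-time.
import hashlib
import hmac
import secrets

# --- Classical side: finite-field DH in the RFC 3526 2048-bit MODP group (id 14) ---
# Prime transcribed from RFC 3526; looks_prime() below guards against a typo in it.
P_FFDH = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G_FFDH = 2

def looks_prime(n, bases=(2, 3, 5, 7, 11)):
    """Fermat check with a few bases: enough to catch a transcription error above."""
    return all(pow(a, n - 1, n) == 1 for a in bases)

def ffdh_keypair():
    priv = secrets.randbits(320) | (1 << 319)        # 320-bit exponent, RFC 3526 sizing
    return priv, pow(G_FFDH, priv, P_FFDH)

def ffdh_shared(priv, peer_pub):
    if not 1 < peer_pub < P_FFDH - 1:                # 0, 1, p-1: the trivial subgroup elements
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P_FFDH).to_bytes(256, "big")

# --- ECC side: X25519 (RFC 7748) via the Montgomery ladder ---
P25519 = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar, u):
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64           # clamp the scalar, RFC 7748 section 5
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                     # branch on a secret bit: reference only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        da = (x3 - z3) * a % P25519
        cb = (x3 + z3) * b % P25519
        x3 = (da + cb) ** 2 % P25519
        z3 = x1 * (da - cb) ** 2 % P25519
        x2, z2 = aa * bb % P25519, e * (aa + 121665 * e) % P25519
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

# --- Combine: HKDF-SHA256 over both secrets, so breaking one primitive is not enough ---
def hkdf(ikm, salt, info, length):
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def hybrid_session_keys(ss_classical, ss_ecc, transcript):
    """(k_enc, k_mac) from DH || X25519 secrets, bound to both parties' public values."""
    if ss_ecc == bytes(32):                          # RFC 7748: all-zero means a low-order input
        raise ValueError("low-order X25519 point")
    okm = hkdf(ss_classical + ss_ecc, hashlib.sha256(transcript).digest(), b"hybrid-kex-v1", 64)
    return okm[:32], okm[32:]

def mac(k_mac, msg):                                 # authentication by MAC, not signature
    return hmac.new(k_mac, msg, hashlib.sha256).digest()

def mac_verify(k_mac, msg, tag):
    return hmac.compare_digest(mac(k_mac, msg), tag)

def run_exchange():
    """Both parties run both negotiations; returns (alice_keys, bob_keys)."""
    a_dh, A_dh = ffdh_keypair()
    b_dh, B_dh = ffdh_keypair()
    a_ec, b_ec = secrets.token_bytes(32), secrets.token_bytes(32)
    A_ec, B_ec = x25519(a_ec, BASEPOINT), x25519(b_ec, BASEPOINT)
    transcript = A_dh.to_bytes(256, "big") + A_ec + B_dh.to_bytes(256, "big") + B_ec
    alice = hybrid_session_keys(ffdh_shared(a_dh, B_dh), x25519(a_ec, B_ec), transcript)
    bob = hybrid_session_keys(ffdh_shared(b_dh, A_dh), x25519(b_ec, A_ec), transcript)
    return alice, bob

if __name__ == "__main__":
    (k_enc, k_mac), bob_keys = run_exchange()
    print("keys agree:", (k_enc, k_mac) == bob_keys, mac_verify(bob_keys[1], b"hi", mac(k_mac, b"hi")))
```

The design point is in `hybrid_session_keys`: an attacker has to recover both the finite-field secret and the X25519 secret to get the HKDF input, so a break of either discrete-log setting alone yields nothing. Feeding the transcript in as the HKDF salt makes the keys depend on exactly the public values that were exchanged, which is what lets a later MAC over messages double as confirmation that both sides saw the same handshake.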
jaekwon (over 11 years ago)

If you're a brilliant mathematician who has made a breakthrough in breaking cryptography, wouldn't you want to make a deal with the NSA? Reveal the breakthrough in return for more knowledge.
kefka (over 11 years ago)

The NSA, I'm sure, is able to break *encryption schemes. That is, indeed, their job.

For my friend, the pig is about to roost in the henhouse.