Jeremy Bentham
2015-10-21 21:39:07 UTC
Via SlashDot.org
There have been rumors for years that the NSA can decrypt a
significant fraction of encrypted Internet traffic. In 2012, James
Bamford published an article quoting anonymous former NSA officials
stating that the agency had achieved a "computing breakthrough" that
gave them "the ability to crack current public encryption." The
Snowden documents also hint at some extraordinary capabilities: they
show that NSA has built extensive infrastructure to intercept and
decrypt VPN traffic and suggest that the agency can decrypt at least
some HTTPS and SSH connections on demand.
However, the documents do not explain how these breakthroughs work,
and speculation about possible backdoors or broken algorithms has been
rampant in the technical community. Yesterday at ACM CCS, one of the
leading security research venues, we and twelve coauthors presented a
paper that we think solves this technical mystery.
If a client and server are speaking Diffie-Hellman, they first need to
agree on a large prime number with a particular form. There seemed to
be no reason why everyone couldn't just use the same prime, and, in
fact, many applications tend to use standardized or hard-coded primes.
But there was a very important detail that got lost in translation
between the mathematicians and the practitioners: an adversary can
perform a single enormous computation to "crack" a particular prime,
then easily break any individual connection that uses that prime.
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
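The per-prime precomputation the excerpt describes, as an added toy-scale illustration (not code from the post, the paper or weakdh.org): a baby-step giant-step table is built once for a constructed 31-bit prime P with generator G (both assumed values), and every session that reuses (P, G) then costs only a cheap lookup. Real deployments are protected only because primes of 2048 bits or more make that one-time step infeasible.

```python
import math
import secrets

# Constructed toy parameters: a 31-bit Mersenne prime and a primitive root.
# Real Diffie-Hellman uses primes of 2048 bits or more so that precompute()
# below is infeasible; at 31 bits it takes a fraction of a second.
P = 2147483647   # 2**31 - 1
G = 7            # primitive root modulo P, so its order is P - 1

def precompute(p, g):
    """One-time work that depends only on (p, g): a baby-step table of g^j
    for j < m. For a real 1024-bit prime the analogous step is the
    months-long index-calculus precomputation; here it is ~sqrt(p) steps."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    acc = 1
    for j in range(m):
        baby.setdefault(acc, j)
        acc = acc * g % p
    giant = pow(g, p - 1 - m, p)   # g^(-m) mod p, because g^(p-1) = 1
    return {"p": p, "m": m, "baby": baby, "giant": giant}

def discrete_log(pre, h):
    """Per-session work: at most m giant steps over the shared table.
    Solves g^x = h and returns x modulo p - 1."""
    p, m, baby, giant = pre["p"], pre["m"], pre["baby"], pre["giant"]
    gamma = h % p
    for i in range(m):            # h * g^(-i*m) == g^j  =>  x = i*m + j
        if gamma in baby:
            return (i * m + baby[gamma]) % (p - 1)
        gamma = gamma * giant % p
    raise ValueError("h is not in the subgroup generated by g")

def dh_session(p, g):
    """Honest client and server over the shared parameters: returns the
    public values A, B that an observer sees and the secret they agree on."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)
    return A, B, shared

def recover_shared_secret(pre, A, B):
    """Passive observer who saw only A and B but holds the (p, g) table:
    one discrete log per session, no new heavy computation."""
    return pow(B, discrete_log(pre, A), pre["p"])
```

Fresh per-session secrets do not help here; only a prime large enough that precompute() is infeasible, or parameters that are not shared with everyone else, force the observer back to the one-time step.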
This is not a new problem.
http://instantlogic.net/publications/DiffieHellman.pdf
4 x 8-node 6600-based VAXClusters combined with a Cray were
routinely cracking this years ago.
To be fair, most of the exploits were the result of lazy, stupid
or incompetent programmers.