I wonder if the NSA can crack open-source public-key encryption

Saavik: [back at Enterprise] I don't understand. We were immobilized. Captain Spock said it would be two days.
Kirk: Come, come, Lieutenant. You of all people go by the book: "If communications are being monitored during battle..."
Saavik: "...no uncoded messages on an open channel." [astonished and looking at Spock] You lied.
Spock: I exaggerated.
 
I see they have a program that can break or compromise web security.

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Assuming I use GPG to generate a 2048-bit key with a good pass phrase, and do all my encryption/decryption offline to produce email attachments, I wonder if they can crack that, too.

Yes. All they need is your pass phrase.

It will take them just a wee bit longer than you can hold out under torture. Or they can install something that watches as you type in your pass phrase. This 'something' might be on your computer, in your apartment, or even 'listening' to the vibrations on your window as you type.
 
Hmm. Sounds pretty grim.

But they wouldn't really torture me, do you think?

Or would they?

If I buy cyanide pills, how can I be sure it's the good stuff?

I guess I could nail plywood over my windows...
 
I see they have a program that can break or compromise web security.

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Assuming I use GPG to generate a 2048-bit key with a good pass phrase, and do all my encryption/decryption offline to produce email attachments, I wonder if they can crack that, too.

They don't need/care to. They prefer to simply track the unencrypted (and unencryptable) header information. They can figure out who you're talking to, where you are, where your contacts are, who those contacts are talking to, and how much time lapses between your communication and their replies. They build up a web of information about you and everyone around you: who's influencing who, how important people are, who is a hub, who is a node, who is trivial. A simple 'not-a-warrant' to your ISP gives them your personal info, and all your friends' info is easy to figure out from there. Once they know who you are, and determine you are of interest, they send over a couple of guys with a middle name of "the" to get your passwords using lead-pipe cryptography. They never need the actual contents of the letters.

There are two ways to beat this.

First is to minimize the signal by constantly using throw-away addresses through proxies for both sending and receiving. If all your contacts do the same, trying to track responses and create a network map becomes far more time consuming. However, you have to get these addresses to the contacts, and have a way to synchronize their use, making communication much more cumbersome.

Second is to generate so much noise that any signal is unnoticeable. If every address is sending mail to every other address, there is no pattern to discern. That's right: the best way to fight the NSA is to turn every computer on the internet into a spam server.
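
Added example, not part of the original posts: a Python sketch of the header-only analysis described in the post above, run over constructed messages whose bodies are opaque ciphertext placeholders, to show what an encrypted mailbox still exposes. The addresses, the `SAMPLE` data and the function names are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample mail (example.org addresses are made up for this example).
# Bodies stand in for PGP ciphertext; the analysis below never reads them.
def _msg(sender, rcpts, date):
    return (f"From: {sender}\nTo: {rcpts}\nDate: {date}\nSubject: (none)\n\n"
            "-----BEGIN PGP MESSAGE-----\n[ciphertext placeholder]\n")

D = "Thu, 05 Sep 2013 "
SAMPLE = [
    _msg("alice@example.org", "bob@example.org", D + "10:00:00 +0000"),
    _msg("bob@example.org", "alice@example.org", D + "10:07:00 +0000"),
    _msg("carol@example.org", "bob@example.org", D + "11:00:00 +0000"),
    _msg("bob@example.org", "carol@example.org, dave@example.org", D + "11:30:00 +0000"),
    _msg("dave@example.org", "bob@example.org", D + "12:00:00 +0000"),
]

def parse_edges(raw_messages):
    """Return (sender, recipient, datetime) tuples taken from headers only."""
    edges = []
    for raw in raw_messages:
        m = message_from_string(raw)
        sender = parseaddr(m["From"])[1].lower()
        when = parsedate_to_datetime(m["Date"])
        for _, rcpt in getaddresses(m.get_all("To", []) + m.get_all("Cc", [])):
            edges.append((sender, rcpt.lower(), when))
    return edges

def contact_degree(edges):
    """Count distinct correspondents per address; the highest count is the hub."""
    peers = {}
    for s, r, _ in edges:
        peers.setdefault(s, set()).add(r)
        peers.setdefault(r, set()).add(s)
    return Counter({addr: len(p) for addr, p in peers.items()})

def reply_latencies(edges):
    """Seconds between a message A->B and the next later message B->A."""
    out = {}
    ordered = sorted(edges, key=lambda e: e[2])
    for i, (s, r, t) in enumerate(ordered):
        for s2, r2, t2 in ordered[i + 1:]:
            if s2 == r and r2 == s:
                out[(s, r)] = (t2 - t).total_seconds()
                break
    return out
```

On the sample data `contact_degree(parse_edges(SAMPLE)).most_common(1)` names bob@example.org as the hub with three correspondents, without any body being decrypted.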
 
Second is to generate so much noise that any signal is unnoticeable. If every address is sending mail to every other address, there is no pattern to discern. That's right: the best way to fight the NSA is to turn every computer on the internet into a spam server.

That would produce two other results:
One, it would also destroy the usefulness of e-mail quite completely and
two, it would get you killed by a lynch mob.

I'm not entirely certain fighting the NSA is worth it. For you, maybe, but expect me in the lynch mob :)

McHrozni
 
They don't need/care to. They prefer to simply track the unencrypted (and unencryptable) header information. They can figure out who you're talking to, where you are, where your contacts are, who those contacts are talking to, and how much time lapses between your communication and their replies. They build up a web of information about you and everyone around you: who's influencing who, how important people are, who is a hub, who is a node, who is trivial. A simple 'not-a-warrant' to your ISP gives them your personal info, and all your friends' info is easy to figure out from there. Once they know who you are, and determine you are of interest, they send over a couple of guys with a middle name of "the" to get your passwords using lead-pipe cryptography. They never need the actual contents of the letters.

There are two ways to beat this.

First is to minimize the signal by constantly using throw-away addresses through proxies for both sending and receiving. If all your contacts do the same, trying to track responses and create a network map becomes far more time consuming. However, you have to get these addresses to the contacts, and have a way to synchronize their use, making communication much more cumbersome.

Second is to generate so much noise that any signal is unnoticeable. If every address is sending mail to every other address, there is no pattern to discern. That's right: the best way to fight the NSA is to turn every computer on the internet into a spam server.

I could use a stripped-down browser with TOR or a VPN, and it might be pretty hard to track my activity.

But my question is theoretical more than practical. Sure, they can use a range of tools ranging from keyloggers to physical violence to get whatever they want. They are the US gov't after all. What I am wondering is whether they can secretly break open source, public-key encryption even if it is used correctly.
 
Weren't there some reports of government agencies being able to crack or otherwise render the anonymity of TOR useless?
 
Just so you know, the NSA is reading this thread and is already taking proper action.
 
But my question is theoretical more than practical. Sure, they can use a range of tools ranging from keyloggers to physical violence to get whatever they want. They are the US gov't after all. What I am wondering is whether they can secretly break open source, public-key encryption even if it is used correctly.

My guess, probably not.

#1, NSA aren't the only ones trying. They have a big budget, but there are lots of math folks that would enjoy finding flaws as well.
#2 They're doing a lot of work to get around it. That work would not need to be done if they could just exploit the encryption directly.

http://www.newscientist.com/article...RSS|NSNS|2012-GLOBAL|online-news#.Uio9Zxush8E
The Snowden files say the NSA spends $250 million a year on covertly influencing the product designs of technology companies, suggesting inserting such vulnerabilities is a high priority for the agency.
 
Yes. All they need is your pass phrase.

It will take them just a wee bit longer than you can hold out under torture. Or they can install something that watches as you type in your pass phrase. This 'something' might be on your computer, in your apartment, or even 'listening' to the vibrations on your window as you type.

Usually they just call people up and ask for their password. Many are stupid enough to give it to them.
 
Apparently some bad news out of this all for encrypting businesses/programs was that sending encrypted messages gets you more government attention. Makes sense.
 
I suggest that anyone who wants to send encrypted messages write the code themselves. There are several ways to encode messages that do not involve prime numbers, though not many use a one-way function.
 
I suggest that anyone who wants to send encrypted messages write the code themselves.

That method will probably be obscure, but it will almost certainly not be (mathematically) secure unless the person has done this before and has already walked into the myriad pitfalls in this area.

I cannot imagine that "write your own code" is the correct choice for more than 1 in 1000, and that's probably generous. Writing good cryptographic code has been repeatedly shown to be difficult, and unlike a game, it's almost impossible for the author to test how good it is.
 
Weren't there some reports of government agencies being able to crack or otherwise render the anonymity of TOR useless?

Someone came up with a javascript exploit that could record a MAC address and host name for users who visited infected websites, but it only worked for a specific browser running under Windows. They were able to use this to track down some people who were distributing CP.

The need for such a convoluted, indirect approach suggests TOR must actually be quite effective in protecting the anonymity of users. A number of security-oriented browsers and Internet clients are available that strip out all but essential services and don't run scripts of any kind without user permission. It might be possible to thwart the NSA. But I don't know.
 
That method will probably be obscure, but it will almost certainly not be (mathematically) secure unless the person has done this before and has already walked into the myriad pitfalls in this area.

I cannot imagine that "write your own code" is the correct choice for more than 1 in 1000, and that's probably generous. Writing good cryptographic code has been repeatedly shown to be difficult, and unlike a game, it's almost impossible for the author to test how good it is.

I am not so sure about that. To be able to decode the German Enigma codes, the British had to obtain a working machine, then exploit its weaknesses. Now update the machine, including removing its weaknesses, and I am sure it would be very hard to break. That would not be too hard.
 
Use a Code, don't encrypt. A Coded message will read like boring bland text but have the real message hidden in it.

'Aunt Irma is coming to stay this weekend'
 
