NSA "telephone monitoring" program

Discussion in 'Computer Security' started by ~David~, Feb 7, 2006.

  1. ~David~

    ~David~ Guest

    I know this is a general security newsgroup but here are my thoughts
    on this issue: the government will probably let this pass without
    much more than a wrist-slap for those involved because when it comes
    down to it, they wouldn't care about spying on a few people (and
    possibly violating a few civil rights...) when they are trying to
    stop things like global terrorism.

    So rather than rant endlessly about the legality or politics of the
    situation, the thing to do is support efforts like GnuPG, OpenSSL,
    OpenSSH, Enigmail/OpenPGP and other things that make our computing
    lives more secure.

    And get STRONG algorithms/primitives that we know are SECURE. This
    means from the government and NSA if possible (though unlikely), and
    because most of us do not know what the NSA's decryption
    capabilities really are, the algorithms need to be as strong as
    reasonably possible.

    Hashing: SHA-1 is broken, and SHA-2(256, 384, 512) is really just a
    TEMPORARY drop-in replacement for a hash. What we need is a strong
    hash with at least a 1024 bit output, meaning 512 bits of security
    against the birthday attack, possibly based on techniques other than

    Symmetric cipher: AES is the current champ, but with AES built-in
    on everything from USB-thumb drives to consumer wireless encryption
    like WPA2, with its huge popularity it seems like a nice target for
    an NSA back-door. While it seems secure, I have read on a possible
    attack on it that essentially represents the cipher text as a system
    of equations to be solved, and if solved one can derive the key.
    While this is only theoretical and I am not advocating for
    security-through-obscurity, a backdoor or weakness in AES would
    probably not be unwelcome at the NSA. Blowfish seems good; open
    source, up to 448-bit (so brute-force is out of the question,
    probably even for the NSA), tested and analyzed, and based on good
    mathematical techniques.

    Asymmetric cipher: both RSA and DSA seem like they are holding up
    well; assuming we can not solve the factor problem or log problem
    soon, they will probably be safe. I would recommend 4096-bit
    for anyone making new keys these days. Now they just need to
    extend hashes > 160-bits with DSA...

    Encrypting modes: for hard-disk encryption CBC seems to be the
    current standard, with LRW mode a likely successor (used in
    TrueCrypt). I know almost nothing on how these work so I can't

    Of course the best algorithms in the world do nothing if not
    securely and correctly implemented, but gnupg, commercial pgp,
    OpenSSH, and many others seem mature and well-tested. This seems to
    be the best realistic defense against eavesdropping (until quantum
    computing becomes reality...)


    ~David~, Feb 7, 2006

  2. lgr_joly

    lgr_joly Guest

    Some would add here an old friend: the one time pad. For simple
    communication systems there's nothing like some random bits, an xor
    function and careful users. The NSA won't break it.
    lgr_joly, Feb 7, 2006
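The "random bits, an xor function and careful users" recipe above, as an added Python example (not code from the post or any project it names). It assumes os.urandom as a stand-in for the pad source, and the final function shows why the "careful users" part matters: if one pad is used for two messages, XOR-ing the two ciphertexts cancels the pad and leaves the XOR of the plaintexts.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    # Assumption: os.urandom (a CSPRNG) stands in for the truly random
    # source a real one-time pad requires.
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt by XOR with a pad at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short: a one-time pad must cover the whole message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both c1 and c2, then c1 XOR c2 == p1 XOR p2:
    the pad cancels and the two plaintexts' relationship is exposed."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def demo() -> bool:
    """Round-trip a message, then show the two-time-pad failure mode."""
    p1 = b"meet at noon"          # constructed sample plaintexts
    p2 = b"meet at dusk"
    pad = generate_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)     # misuse: same pad twice
    roundtrip_ok = otp_decrypt(c1, pad) == p1
    leak_ok = pad_reuse_leak(c1, c2) == xor_bytes(p1, p2)
    return roundtrip_ok and leak_ok


if __name__ == "__main__":
    print("demo ok:", demo())
```

The pad must be as long as the message, used exactly once, and destroyed afterwards; the security argument rests entirely on those operational rules, not on the XOR.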

  3. nemo_outis

    nemo_outis Guest

    I have only minor quibbles regarding most of your points. For instance:

    While it is (nearly) correct to say that MD5 is broken, SHA-1 is, for the
    present, only damaged. If possible one should use SHA-256 or SHA-512 if
    available in whatever encryption suite your programs use, pending the
    general availability (in working programs, not just crypto literature) of
    stronger alternates (e.g., Whirlpool). However, there is every indication
    that SHA-1 still has enough "residual strength" for an orderly transition
    to a successor rather than panic flight (i.e., a timeframe of several

    And I have other minor quibbles as well.

    But, really, my objection to your post is not that it is "wrong" (it is
    not) but that it is incomplete and misdirected.

    Even that assessment is overly harsh - your post focuses on one aspect and
    it is unfair to demand that it encapsulate an entire "privacy management
    through encryption" strategy.

    But the point I would like to make is that while selection of algorithms
    has some importance (a castle should have a strong foundation) the real
    efforts must be made elsewhere, in developing whole systems (e.g., crypto
    voip), in campaigns to get people to adopt them broadly, in rolling back
    oppressive and intrusive legislation, and so forth. Privacy is
    fundamentally a social issue, not a techy issue.

    nemo_outis, Feb 7, 2006
  4. ~David~

    ~David~ Guest

    I appreciate constructive critique - it helps me learn - I am NOT an
    expert on encryption.
    MD5 is broken - someone posted exploit code on Slashdot, and on my
    P4 3.0 ghz compiled in gentoo linux with gcc 3.3 it took around 45
    mins to "break" the hash. SHA-1 is still "good enough" for now but
    when designing new programs or setting up new implementations, SHA-2
    is a must.
    I'm sorry if my post sounded that way - it was not meant to and I do
    not advocate the "let's just encrypt everything" strategy. I've
    heard the arguments about algorithm selection akin to putting a mile
    high post or a two mile high post in an area that needs a wall.
    I totally agree with you. I have posted similar discussions to the
    alt.security.pgp group and have recently signed up on the gnupg
    mailing list. I take an interest in this from a technical
    perspective, although the media seems to want the general public to
    think we are all being spied on. Amazing how the government doesn't
    encourage widespread use of e-mail encryption, and promote products
    that provide phone-line securing ;-)
    ~David~, Feb 8, 2006
  5. nemo_outis

    nemo_outis Guest

    It is a bit too strong to say that MD5 is completely broken (although it is
    fatally wounded and is breathing its last). Yes, *arbitrary* collisions
    can now be found pretty quickly (per Wang, Feng, Lai, and Yu and subsequent
    papers). But it is still somewhere between difficult and intractable to
    find a *different* intelligible plaintext that hashes to the same MD5 as a
    *given* plaintext.

    And that is why I added my parenthetical "nearly."

    nemo_outis, Feb 8, 2006
  6. lgr_joly

    lgr_joly Guest

    Because collisions can be found, MD5 as a cryptographic hash function
    is dead. Now, since MD5 is actually supposed to be a cryptographic hash
    function, we might simply consider that it's dead and gone.

    Kind regards
    Ludovic Joly
    lgr_joly, Feb 8, 2006
  7. cypher

    cypher Guest


    Yes, and it's dead in a natural way. It was obvious for a long
    time that MD5 is not secure enough and it's not used in good
    security software. So no reason to panic. Flaws found in SHA1
    were much more surprising, but it is still secure enough for
    most purposes and we have good alternatives.

    cypher, Feb 8, 2006
  8. nemo_outis

    nemo_outis Guest

    What a lot of fuss about a lousy parenthetical "nearly."

    To clarify once again:

    It is now computationally tractable to create *two* plaintext messages
    which hash to the same MD5 value. That, however, is not a common situation
    - although it is ominous regarding the underlying strength of the hash

    What still is NOT computationally tractable is to find a different
    meaningful plaintext which hashes to the same MD5 value as a *given*
    plaintext. That means it is still not possible to pass off counterfeits as
    genuine, etc. - which, while not the sole use for a hash, is surely a main

    So, yes, MD5's day is over and we should leave it behind as soon as
    possible. But we should not do so without understanding where the weakness
    lies, what exploits are now possible, and which ones ***still aren't!***

    Yours for clear thinking and careful distinctions,
    nemo_outis, Feb 8, 2006
  9. nemo_outis

    nemo_outis Guest

    Those who wish to further examine the question of whether MD5 is broken or
    not should scan the current thread on sci.crypt called:

    HMAC-MD5 shown not compromized by MD5 collisions

    nemo_outis, Feb 10, 2006
  10. cypher

    cypher Guest

    Yes, you are right. The problem is that not all utilities are
    using HMAC algorithms for e.g. key derivation, and HMAC can't be
    used everywhere.

    We have good alternatives, so why should we not use them? We have
    *no* benefit from using MD5, so why stick to it? It doesn't matter
    if it is completely broken or not. SHA1 is much stronger than MD5,
    and we will still move to better hash functions.

    cypher, Feb 11, 2006
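The two posts above draw the line between a bare hash and a keyed HMAC, and between "HMAC-MD5 survives the collisions" and "many tools do not use HMAC for key derivation at all". The following Python is an added example, not code from either poster, that makes the distinction concrete: an unkeyed digest stored next to a message is re-computable by whoever rewrites the message, with or without collisions in the hash, while an HMAC tag is not; and PBKDF2-HMAC-SHA-256 is shown as the keyed, salted, iterated way to turn a password into a key. The sample message, key sizes and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a configuration record whose integrity a tool checks.
SAMPLE_MESSAGE = b"host=backup.example; mode=encrypt; cipher=aes-256-cbc"


def unkeyed_digest(message: bytes, algorithm: str = "md5") -> str:
    """A bare digest detects accidental corruption only."""
    return hashlib.new(algorithm, message).hexdigest()


def verify_unkeyed(message: bytes, stored_hex: str, algorithm: str = "md5") -> bool:
    """Integrity check that relies on an unkeyed hash stored beside the data."""
    return hmac.compare_digest(unkeyed_digest(message, algorithm), stored_hex)


def hmac_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """Keyed tag: producing a valid tag for a new message requires the key."""
    return hmac.new(key, message, algorithm).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, algorithm: str = "sha256") -> bool:
    # compare_digest runs in constant time, so the check does not leak
    # how many tag bytes matched.
    return hmac.compare_digest(hmac_tag(key, message, algorithm), tag)


def derive_key(password: bytes, salt: bytes, iterations: int = 200_000, length: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA-256: salted and iterated, instead of a single
    unkeyed MD5 or SHA-1 over the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def tamper_check() -> dict:
    """Compare how the two integrity mechanisms react to a rewritten record."""
    key = os.urandom(32)
    genuine_tag = hmac_tag(key, SAMPLE_MESSAGE)
    tampered = SAMPLE_MESSAGE.replace(b"mode=encrypt", b"mode=plain")

    # Whoever rewrites the record can also rewrite the unkeyed digest
    # stored beside it; no hash collision is needed for this.
    rewritten_digest = unkeyed_digest(tampered)

    # Without the key, the best a forger can do is tag the record with some
    # other key; the verifier's key will not reproduce that tag.
    forged_tag = hmac_tag(os.urandom(32), tampered)

    return {
        "unkeyed_accepts_rewrite": verify_unkeyed(tampered, rewritten_digest),
        "hmac_accepts_rewrite": verify_tag(key, tampered, forged_tag),
        "hmac_accepts_genuine": verify_tag(key, SAMPLE_MESSAGE, genuine_tag),
    }


if __name__ == "__main__":
    for name, outcome in tamper_check().items():
        print(f"{name}: {outcome}")
    k = derive_key(b"correct horse", b"constructed-salt", iterations=1000)
    print("derived key bytes:", len(k))
```

The point the thread is circling: a keyed construction and a fresh salt are what make the integrity and key-derivation uses hold up, and those properties are independent of whether collisions in the underlying hash have been published.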
  11. nemo_outis

    nemo_outis Guest

    Yep, as I've said here before, MD5 should be abandoned. But we can afford
    to walk, not run, to the exits :)

    nemo_outis, Feb 11, 2006