Interesting People mailing list archives

NSA could put undetectable "trapdoors" in millions of crypto keys


From: "Dave Farber" <farber () gmail com>
Date: Tue, 11 Oct 2016 11:20:23 -0400




Begin forwarded message:

From: Hendricks Dewayne <dewayne () warpspeed com>
Date: October 11, 2016 at 10:19:57 AM EDT
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] NSA could put undetectable "trapdoors" in millions of crypto keys
Reply-To: dewayne-net () warpspeed com

NSA could put undetectable “trapdoors” in millions of crypto keys
Technique allows attackers to passively decrypt Diffie-Hellman protected data.
By DAN GOODIN
Oct 11 2016
<http://arstechnica.com/security/2016/10/how-the-nsa-could-put-undetectable-trapdoors-in-millions-of-crypto-keys/>

Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, 
virtual private networks, and Internet servers. The feat allows hackers to passively decrypt hundreds of millions of 
encrypted communications as well as cryptographically impersonate key owners.

The technique is notable because it puts a backdoor—or in the parlance of cryptographers, a "trapdoor"—in 1,024-bit 
keys used in the Diffie-Hellman key exchange. Diffie-Hellman significantly raises the burden on eavesdroppers because 
it regularly changes the encryption key protecting an ongoing communication. Attackers who are aware of the trapdoor 
have everything they need to decrypt Diffie-Hellman-protected communications over extended periods of time, often 
measured in years. Knowledgeable attackers can also forge cryptographic signatures that are based on the widely used 
digital signature algorithm.

As with all public key encryption, the security of the Diffie-Hellman protocol is based on number-theoretic 
computations involving prime numbers so large that the problems are prohibitively hard for attackers to solve. The 
parties are able to conceal secrets within the results of these computations. A special prime devised by the 
researchers, however, contains certain invisible properties that make the secret parameters unusually susceptible to 
discovery. The researchers were able to break one of these weakened 1,024-bit primes in slightly more than two months 
using an academic computing cluster of 2,000 to 3,000 CPUs.

Backdooring crypto standards—"completely feasible"

To the holder, a key with a trapdoored prime looks like any other 1,024-bit key. To attackers with knowledge of the 
weakness, however, the discrete logarithm problem that underpins its security is about 10,000 times easier to solve. 
This efficiency makes keys with a trapdoored prime ideal for the type of campaign former National Security Agency 
contractor Edward Snowden exposed in 2013, which aims to decode vast swaths of the encrypted Internet.

"The Snowden documents have raised some serious questions about backdoors in public key cryptography standards," 
Nadia Heninger, one of the University of Pennsylvania researchers who participated in the project, told Ars. "We are 
showing that trapdoored primes that would allow an adversary to efficiently break 1,024-bit keys are completely 
feasible."

While NIST—short for the National Institute for Standards and Technology—has recommended minimum key sizes of 2,048 
bits since 2010, keys of half that size remain abundant on the Internet. As of last month, a survey performed by the 
SSL Pulse service found that 22 percent of the top 200,000 HTTPS-protected websites performed key exchanges with 
1,024-bit keys. A belief that 1,024-bit keys can only be broken at great cost by nation-sponsored adversaries is one 
reason for the wide use. Other reasons include implementation and compatibility difficulties. Java version 8 released 
in 2014, for instance, didn't support Diffie-Hellman or DSA keys larger than 1,024 bits. And, to this day, the DNSSEC 
specification for securing the Internet's domain name system limits keys to a maximum of 1,024 bits.

Poisoning the well

Solving a key's discrete logarithm problem is significant in the Diffie-Hellman arena. Why? Because a handful of 
primes are frequently standardized and used by a large number of applications.

If the NSA or another adversary succeeded in getting one or more trapdoored primes adopted as a mainstream 
specification, the agency would have a way to eavesdrop on the encrypted communications of millions, possibly 
hundreds of millions or billions, of end users over the life of the primes. So far, the researchers have found no 
evidence of trapdoored primes in widely used applications. But that doesn't mean such primes haven't managed to slip 
by unnoticed.

[snip]
