21 comments

[ 2.7 ms ] story [ 53.7 ms ] thread
> We've known how to send cryptographically secure e-mail since the early 1990s.

Can we even trust encryption? How can we know that the NSA haven’t found weaknesses in common encryption algorithms? They have some of this field’s best people in the world on this.

I think it was mentioned somewhere that Snowden used GPG in his communication with Greenwald. At least some people inside the NSA seem to regard it as secure.
Snowden said "Encryption works. Unfortunately, endpoint security is still weak."
You can't know that. You can even worry about the fact that James Bamford wrote in Wired in 2012 [1]:

"According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US."

What do many average computer users use? TLS is my guess. So, perhaps they've found a way to get into RC4, or made an advance in factoring. And the history of cryptanalysis says that they are likely years and years ahead of what's known outside. So, what can you do?

Well, you can read the ECRYPT II report [2] and see for yourself what Europe's cryptographers think about the security of various algorithms and what key lengths they recommend.

For example, the report recommends that an asymmetric key of 3,248 bits should be secure to 2040 (they recommend a symmetric key of 128 bits for the same period). So, the subtext is that an 2,048 bit RSA key is going to be breakable soon by a powerful adversary.

The report says, for example of RSA OAEP: "If used, we recommend at least |N|>1024 for legacy systems and |N|>2432 for new systems."

My brief summary is that I'm happiest with RSA keys of 4,096 bits or above and with symmetric keys of 256 bits.

[1] http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/

[2] http://www.ecrypt.eu.org/

PS I'd be curious to know what key length Snowden used for the GPG key he apparently used when communicating with Greenwald.

Anonymous sources might be supplying real information but they could also be trying to manage beliefs.

Undoubtedly the NSA is ahead of everyone else in cryptanalysis but I think it is also advantageous for the NSA to have foreign governments think the NSA has a bigger lead than they actually do. This belief would cause foreign governments to use larger key sizes, and so drive up their costs, or switch to less well tested encryption methods that the NSA might be able to break.

> ... but I think it is also advantageous for the NSA to have foreign governments think the NSA has a bigger lead than they actually do.

I would think it is more advantageous for the NSA to have others believe that it has less capabilities than they actually do.

The NSA is well known for its disinformation campaigns. Why wouldn't they try to make others (governments, end users, etc.) believe that they don't have the ability to break various key sizes.

This could provide a false sense of security to others and cause them to believe that, for example, a 2048-bit PGP key is more than sufficient when, in fact, it isn't.

I'm not arguing that there aren't situations where then spreading the belief that their capabilities are less than actual would be a good thing. If the goal is to break a specific subset of all encrypted messages then this is exactly what they would want.

But there are also situations where they would want the opposite. For example, suppose the NSA has no advantage in breaking RSA over public knowledge, but can easily break NTRU and their goal is to read as many encrypted messages as possible. Then if they can get everyone to believe they can break RSA but not any cryptosystem based on lattices then some people will switch to NTRU. Now its much cheaper for the NSA to achieve their goal of breaking lots of encrypted messages since they have a very efficient algorithm for reading NTRU encryptions.

(This belief could be spread simply by having an "anonymous but very senior" official talk to Wired about how the US government has made a major step towards building the first scalable quantum computer)

In short, what they should want the world to believe depends on their capabilities and goals. Without knowing those anything is possible.

The NSA has a history of using those best people in the world to improve security of encryption, even when the general public does not understand their improvements at the time.

Now, maybe something has changed since then, but I am fairly confident that is not the case.

Encryption is worthwhile because even if the NSA has decryption capabilities that they have kept secret, the very secrecy of this ability is valuable enough to strongly discourage its use.

It is extremely unlikely that your email is important enough to the NSA for them to risk disclosing their ability and pushing everyone to different or stronger algorithms.

Mmmm, though that depends how effectively can credibly you can publish them attacking you that way.
Well, to a degree. It also depends on the extent to which the NSA believes they can trust their low/mid-level analysts: after the recent incident with Snowden, I'd argue "not much".

The more widely they allow such attacks to be used, the more people need know of its existence, and the greater their risk of exposure (even if the victims of these attacks are themselves oblivious).

Depending on who we're imagining as the victim, you also don't necessarily have to publish at all.

If the NSA can break encryption, they're probably only doing it for specific individuals they're interested in. And if the NSA is interested in spending resources on you, specifically, you have a world of problems besides encryption:

- Are you managing TEMPEST? Do you know what's on the other side of your walls?

- Who else has an access card/PIN/key to get near your computer? Cleaning service? Custodians? Other tenants?

- Are you running Windows?

- Do you read and fully understand every line of code of every security patch all of the time? Do you compile them yourself? Because no matter how much you may believe in Linux, package maintainers and repository owners are still people who are subject the laws of a sovereign nation.

- Do you trust your BIOS? Does your motherboard have Intel vPro or similar?

- Is your Java out of date?

- Where else have you used your password?

- If you're doing anything other than Gmail via Chrome, do you check to make sure the SSL certificate is from the correct CA? Do you check it every time?

- Do you know that everyone you ever communicate with is always perfectly on top of all of these (and other) potential vulnerabilities all of the time with no exceptions ever?

If not, then it doesn't matter whether we can still trust encryption. Because we certainly can't (by default) trust endpoints.

If you also want to have your meta data encrypted (which you have not with Email):

Just use http://retroshare.sourceforge.net/ for your entire communication needs (it's not only file sharing!).

EDIT: Ok, maybe I was too naive thinking NSA & Co do not have their people on HN...

You know, when you spam HN with an endless stream of advertisements for something and get downvoted, there are simpler explanations available than that HN is under the thumb of government goons who are out to get you.
Disinformation campaigns, for example.
Or we just get tired of the same spam on every article.
Talking about encrypting metadata doesn't really make a whole bunch of sense - at least not by itself. The metadata is, more or less, who you're sending the thing to. It's like saying you encrypted the address on an envelope - you know? The postman's not going to take that anywhere if it's got gibberish printed on the front of the envelope. If I'm your ISP, then I can read who you're sending it too right off of your packets, and if that information's not there, then I can't send the packets on - the message doesn't go anywhere.

You can, perhaps, obfuscate it with onion routing - provided a significant percentage of the network hasn't been compromised - but .... Well, I don't think Onion routing is really secure in the long-term because:

A ) ISPs taken as a group will have a look-down/shoot-down sort of perspective on the whole thing. If I know who you talk to and all the people who you talk to talk to (and so on) then I can follow you through the system fairly easily. You can insert dummy packets to try to obfuscate the message but -

1. I don't think Tor or any of the other mainstream progs currently do that. It's a bandwidth-expensive move.

2. Anything that contacts a person of interest can be prioritised for and even with some low level obfuscation in place, you'll appear on a list of a few tens or hundreds of people who might have sent something to them, which can then be combined with other data, (i.e. you still give up a great many bits of information even if you attempt to obfuscate at a low level.)

B ) I think that it probably makes sense as a cost exercise for nation states to become significant parts of the network which will give them a decent chance of having the entire message chain through to your endpoint.

I think you really need the system to pass on messages through the endpoint with a semi-random number of jumps to make things worthwhile and for the person you're sending to to be part of that network and pass on regular coms for a significant time before anyone tries to contact them with something non-regular.

Someone asked me on here, a while back, how many terrorists I wanted to talk to. And it really is that sort of problem, I think.

(comment deleted)
Question: is it worth using a service like Hushmail or Cryptoheaven? It seems like the best way to ease my friends and family into using encryption. Any thoughts?
This is probably quite obvious, but I do not yet see it stated here:

Another response I take from what Mr. Schneier didn't say is that the more of our normal data we encrypt, the sooner we again have the "drinking from the fire hose" situation he referred to.

If we can make more and more of our apps use encryption by default without any steps needed by the end-user, we can work towards overwhelming the "save all encrypted data streams" scenario described.

Is there anyway to make email metadata, such as headers, more secure against eavesdropping?