posted by n1 on Wednesday October 21 2015, @07:46PM
from the what-are-you,-hourly? dept.

Just recently, I moved my personal website to HTTPS, making sure to use a secure 2048-bit RSA key and TLS 1.2, and guarding against vulnerabilities such as POODLE and Logjam. It took some work, but not that much work, even for doing the research. Yet there are some people who just don't care.

Due to a new technique, 512-bit keys are now completely vulnerable for as little as $75.

The technique, which uses Amazon's EC2 cloud computing service, is described in a paper published last week titled Factoring as a Service.

[...] The researchers concluded that despite widespread awareness that 512-bit keys are highly susceptible to breaking, the message still hasn't adequately sunk in with many administrators. The researchers wrote:

512-bit RSA has been known to be insecure for at least fifteen years, but common knowledge of precisely how insecure has perhaps not kept pace with modern technology. We build a system capable of factoring a 512-bit RSA key reliably in under four hours. We then measure the impact of such a system by surveying the incidence of 512-bit RSA in our modern cryptographic infrastructure, and find a long tail of too-short public keys and export-grade cipher suites still in use in the wild. These numbers illustrate the challenges of keeping an aging Internet infrastructure up to date with even decades-old advances in cryptanalysis.

The article reports finding a significant number of sites that are still using 512-bit RSA keys to protect HTTPS, DNSSEC, SSH, e-mail (SMTP, POP3, and IMAP), and other services.
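The survey result above is easy to reproduce for keys you already hold: read the modulus length straight out of the public key's DER encoding and compare it with a policy floor. The following is an added example, not code from the story or from the paper's authors. It assumes a minimum of 2048 bits (MIN_RSA_BITS, an assumed policy value), parses only the two layouts a practitioner actually meets (an X.509 SubjectPublicKeyInfo, as in a certificate, and a bare PKCS#1 RSAPublicKey), and builds its own constructed test vectors with dummy moduli that are not real keys. All function names are the example's own.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as DER content octets
RSA_OID = bytes.fromhex("2a864886f70d010101")
MIN_RSA_BITS = 2048   # assumed policy floor for this example


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der_children(seq_body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (as carried in
    X.509 certificates) or in a bare PKCS#1 RSAPublicKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    children = _der_children(body)
    if children[0][0] == 0x30:
        # SPKI: SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
        alg = _der_children(children[0][1])
        if alg[0] != (0x06, RSA_OID):
            raise ValueError("not an rsaEncryption key")
        bit_string = children[1][1]
        # first octet of a BIT STRING is the unused-bit count (0 here); the rest is PKCS#1
        return rsa_modulus_bits(bit_string[1:])
    # PKCS#1 RSAPublicKey: SEQUENCE { INTEGER modulus, INTEGER publicExponent }
    n_tag, n_bytes = children[0]
    if n_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def to_pem(der, label="PUBLIC KEY"):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


def audit_key(der, min_bits=MIN_RSA_BITS):
    """Return (modulus_bits, passes_policy) for one DER public key."""
    bits = rsa_modulus_bits(der)
    return bits, bits >= min_bits


# --- constructed test vectors: NOT real keys, the modulus is just 2^(k-1)+1 ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b            # DER INTEGER is two's complement; keep it positive
    return _tlv(0x02, b)


def constructed_spki(modulus_bits):
    """Build an SPKI carrying a dummy modulus of exactly modulus_bits bits."""
    n = (1 << (modulus_bits - 1)) | 1
    pkcs1 = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pkcs1))


if __name__ == "__main__":
    for k in (512, 1024, 2048):
        bits, ok = audit_key(pem_to_der(to_pem(constructed_spki(k))))
        print(f"{k}-bit test key: modulus {bits} bits, policy {'OK' if ok else 'FAIL'}")
```

To run it against a live service, feed audit_key the SubjectPublicKeyInfo of the leaf certificate (for example the PEM that `openssl x509 -pubkey -noout` prints), and remember that the check covers the long-lived key only; export-grade cipher suites, which the paper also found, are negotiated per connection and need a separate handshake-level check.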


  • (Score: 3, Insightful) by Hyperturtle on Wednesday October 21 2015, @08:01PM

    by Hyperturtle (2824) on Wednesday October 21 2015, @08:01PM (#252889)

    You should be using 2048 at least, and should have been for a year or two now.

    128-bit, 256-bit and 512-bit were all feasibly hacked on the cheap a long time ago. 1024 is also hackable and 2048 is not feasible with this strategy, but as new GPUs and CPUs come out, it too will fall. I don't know how high they let you create them, but I think 4096 was the highest some local CA root servers allowed for self-signed creations.

    RSA keys on lots of network hardware are also limited to 2048, but I may be thinking of SSH certs.

    And really, for some of the connections, 512 is fine. How many bits of encryption do you need to get a map and print it out or check webmail for something you believe is disposable? The right tool for the right job.

    Just because my hammer is big doesn't mean it is good for a job requiring small nails.

    Likewise, many things don't even really require encryption and the whole "ENCRYPT EVERYTHING" draws attention away from the fact that many things are sending data, encrypted so you can't look at it, to places you didn't ask it to go. Consider all of those apps that steal your info. They are doing it safely, via encryption! And anyone without a MiTM (man in the middle) server would have no concept what is being stolen, because it's for the best that you are not able to see what your device is doing.

    Security can mean you are made secure, or you are being secured.

  • (Score: 2) by maxwell demon on Wednesday October 21 2015, @08:13PM

    by maxwell demon (1608) on Wednesday October 21 2015, @08:13PM (#252895) Journal

    Since there is no HTTP protocol variant that just signs the sent data, full encryption is the only way to make sure that the data was not tampered with during transport. Note that such tampering might include adding hidden malicious payload that ultimately targets not the page it was included into, but for example your online banking account.

    Probably not all data needs to be hidden, but definitely all data sent over an untrusted network needs to be secured against tampering.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Interesting) by Hyperturtle on Wednesday October 21 2015, @10:44PM

      by Hyperturtle (2824) on Wednesday October 21 2015, @10:44PM (#252963)

      I would never suggest to not encrypt when the option is available.

      And to your credit, the tampering is different than forever in archive for posterity. There are differences and convenience trade-offs I'd make to allow an older, less CPU-capable device to still have a private connection while doing mundane things online, and while I otherwise may be willing to wait for a higher encryption type of connection to do its thing, because real-time encrypted traffic can take a while on older stuff. But I should not have my older things be made obsolete because someone else decided it wasn't secure enough for me to look at a lunch menu before walking in to make an order...

      I would encrypt my stuff just because I don't want anyone else to monetize it or see what I am doing, and I shouldn't need a reason for it. But many in marketing are spinning it as having something to hide, or violating their contract because ads make the internet what it is, etc.

      When the ads become encrypted by Google because they succeed in making everything encrypted, it will be much more difficult for the common person to block. As such... I endorse security but I also endorse choice. People that choose to have no security, well, I don't endorse that, but being able to turn it off also is a great boon for troubleshooting something. We should have the option for our own stuff, but I think it won't be long before only criminals will be able to both maintain a sense of privacy and also be able to block ads. Google has made it known they want to make the decisions for us, and I do not see that trend ending any time soon.

      • (Score: 2) by maxwell demon on Thursday October 22 2015, @06:55PM

        by maxwell demon (1608) on Thursday October 22 2015, @06:55PM (#253331) Journal

        When the ads become encrypted by Google because they succeed in making everything encrypted, it will be much more difficult for the common person to block.

        I don't see that. After all, not loading content from a specific URL is not dependent on whether that URL is HTTP or HTTPS. Moreover, the browser definitely has to decrypt and thus will be able to access any information, as will any extensions running in the browser. As long as the browser doesn't get locked down, there's no way anyone can prevent you from blocking ads.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Hyperturtle on Friday October 23 2015, @06:39PM

          by Hyperturtle (2824) on Friday October 23 2015, @06:39PM (#253698)

          That is assuming that the ads are coming from outside of the original domain.

          If ad delivery starts to take place from common content delivery networks that also share the same resources as movie and music delivery (or more generically, use Google servers for motion video content delivery since that network also already exists), then it could become quite challenging to determine which server is which. The same domain may play YouTube videos and ads. The server might not be the same, but we may not get to see that name if this happens behind a load balancer and we get a single IP for what could be a farm of servers.

          That requires effort, community contributed effort, for identification. It may be time consuming but possible... and so, the day may come when it takes more than blocking doubleclick.net and others like it. The enemy may decide to wear sheep's clothing instead of simply turning its evil bit on so we know to drop it. You have to admit, they are being very obvious about it for the most part. There are even domains with advertising related words in them! Not too hard to identify which ones are problematic.

          Consider all of that JavaScript that can be blocked and the domains don't even get looked up -- that JavaScript is often coming from the source domain to call other resources.

          If the resources are then all held in the same "cloud" and not spread out, it will be difficult to filter because they will all have a commonality in their names; DNS names may be more or less aliases to consumers, with the servers serving the ads and the content from the same domain on the back end. How the browser chooses to display this may be different than what you could find in a packet capture -- the browser is an application that interprets commands, and you have seen how Google and others want to remove http or https because protocols are hard for people to understand.

          Anyway, my fear, and I am not claiming it will happen... is that companies work to block ad blocking by presenting the data as coming from a single source, and primarily choosing to do so in response to people blocking third party everything.

          My experience is that many good things get ruined when they get a review by Kim Komando. I see the value in what she provides to her audience, but when you start to share our dirty ad blocking secret with the masses, then the people leading the masses (or at least, showing them ads) start to take note.

          My last comment is: consider Microsoft.

          Lots of their problem servers are in the microsoft.com domain. And many of their good ones are. Which ones do you block? You can't just block the microsoft domain entirely... and they have many many servers, some of them are dynamically created. It'd be very hard to map that out!

          If Google took that approach for the ad delivery, ad blocking would have a challenge. Otherwise, if blocking from the same domain is easy, then I'd just block that annoying Windows 10 update server and never get it. But that update is mixed with other stuff I want to get! From the same servers! I can't block those and still get updates. It is not a punch the monkey type of obvious to block scenario -- it's where Windows as a service makes it hard to disable various services because they do more than one thing.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 21 2015, @08:16PM

    by Anonymous Coward on Wednesday October 21 2015, @08:16PM (#252899)

    Just because my hammer is big doesn't mean it is good for a job requiring small nails. Likewise, many things don't even really require encryption[snip]

    That is a valid point, however, regardless of whether or not what I am looking at is disposable, regardless of whether I 'care' that anyone is looking at my traffic or even whether or not it requires encryption, it is still my traffic and you have no business looking at it in the first place. Me employing encryption on it should be none of your damn business.

    Likewise, many things don't even really require encryption and the whole "ENCRYPT EVERYTHING" draws attention away from the fact that many things are sending data, encrypted so you can't look at it, to places you didn't ask it to go.

    This is a valid point, I have nothing to add :) Except for: open up the source

    Security can mean you are made secure, or you are being secured.

    Very eloquently put!

    • (Score: 4, Insightful) by VLM on Wednesday October 21 2015, @09:10PM

      by VLM (445) Subscriber Badge on Wednesday October 21 2015, @09:10PM (#252919)

      Me employing encryption on it should be none of your damn business.

      There is an obvious herd immunity effect where the NSA or KGB or WTF spending hours trying to decode your 4096 bit encrypted supermarket shopping list does benefit the herd who are trying to overthrow the government of Germany (like, who doesn't?) or do online banking or just download lots of pr0n or whatever floats your boat.

      And there's the "brotherhood of admins" where in private and politely it's a good idea to help each other do it right for the time when you really need to do it the right way.

      • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @09:39PM

        by Anonymous Coward on Wednesday October 21 2015, @09:39PM (#252931)

        Moooo?

        • (Score: 2) by Hyperturtle on Wednesday October 21 2015, @10:21PM

          by Hyperturtle (2824) on Wednesday October 21 2015, @10:21PM (#252955)

          My distributed.net client mooed every time it completed a workload... I think that was back when the md5 contest or rc4 contest was going on. Didn't a 386 SX 20 win the prize? It was a long time ago...

          I used to participate in the project and was so pleased that my overclocked Pentium 2 made the top 100 list... now, JavaScript locking up takes more CPU cycles. And CPUs...

  • (Score: 2) by VLM on Wednesday October 21 2015, @08:34PM

    by VLM (445) Subscriber Badge on Wednesday October 21 2015, @08:34PM (#252911)

    but as new GPUs and CPUs come out, it too will fall

    No, cracking a 512 in four hours doesn't mathematically mean you can crack a 1024 in eight hours.

    It's more like you can crack a 513 bit number in eight hours.

    So if you run the math, going from 512 to 4096 is a factor of 2 to the power of 3584. If you assume the old engineering estimate of about 3 bits per decimal digit, that's a thousand digit number. No, not a factor of a thousand, a factor of a thousand digit number like 10e1000.

    Even going from 512 to 1024 that factor is a roughly 150 digit number. That's going to take awhile to scale.

    Moore's law etc. had a real easy time of it the past couple decades going from transistor masks you could see with a magnifying glass down to a couple nm. And endless cheap available energy. Those days are done, technological advancement is over.

    • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @10:13PM

      by Anonymous Coward on Wednesday October 21 2015, @10:13PM (#252947)

      Those days are done, technological advancement is over.

      That's quite the claim, there. Just because Moore's law isn't really true anymore for our specific technology, that doesn't mean all technological advancement is over.

    • (Score: 2) by Hyperturtle on Wednesday October 21 2015, @10:18PM

      by Hyperturtle (2824) on Wednesday October 21 2015, @10:18PM (#252952)

      Oh, I know that, you add 1 bit and exponentially increase the space. I tell lay people it is like calculating the amount of Heinz varieties.

      No, there are not really 57 different types of ketchup, but if we pretended, there are really 57 to the 57th power, because you can have 1/57th of this flavor and that flavor, or 3/57ths of that flavor and 5 of this one, or 57 of the same to make one solid flavor and... this is something people understand. That is like binary for laypeople; saying that I have to add more bits doesn't always make sense to people.

      So, I fully agree that taking 512 to 1024 isn't doubling it; if we looked at just 512 and added one bit, we have 513 bits, and that adds 513 permutations for possible combinations possible for brute forcing, since that new bit can then match all values of 0 to 512 and add one to it, leading to 513 new values just from adding a single bit. That's more than doubling it, and we only just considered a single bit! There are 511 more to add permutations of. Much much harder to do than simply having twice the PCs going at it, but that'd sure help. Strong passwords are still useful in any event...

      My point is that it too will fall--not in a linear fashion, but because projects like distributed.net, motivated players, etc all exist to defeat this all via brute force.

      It may not be a concern now, but it too will fall is just my saying that the pope denounces violence, water is wet... some type of encryption was found to be crackable via brute force.

      I do not have a chart handy, but if you look at the presumed crack rates for various encryption types, they show things in so many seconds, minutes, hours, days, years, centuries, etc, and who can be reasonably expected to do it.

      Up until recently, no one ever thought to pretend CPU power got better, they just presumed it was the same hardware going at it.

      So, not only can we not assume that it will take 4x as long to crack 64 bit instead of 32 bit, but we can't even use a constant value for the strength/speed of the hardware doing this attack. It will change, just like those people that mine bitcoins. New hardware will come out and do it all faster.

      But please don't think I had some timeline in mind. I wanted to make clear that it is silly to say 512 is broken and the solution is to upgrade to the next lowest value generally available. I really thought no one was actually using 512 and if they were, that certificate is probably due to expire. And that the upgrade drum will always get beaten for this, because the dominos will always manage to eventually fall, either via a sweeping gesture, or through the crumbling via the resources of time. If you are going to upgrade, please upgrade to something greater than the next rung up. That's the most I can ask for!

      • (Score: 2) by fnj on Thursday October 22 2015, @12:29AM

        by fnj (1654) on Thursday October 22 2015, @12:29AM (#253009)

        There is a point where brute-forcing becomes impossible for all time. That occurs when the smallest-power theoretically possible operation (per quantum physics), times the number of operations necessary to brute-force within time t, exceeds the energy content of the universe.

        Time t? It doesn't matter much what you choose. One human lifetime would satisfy a lot of us. Ten lifetimes, a lot more. A thousand lifetimes, anyone with any sense (if technological-level humanity lasts more than 100-1000 more years, I will eat my hat from the grave - just put a little thought into what geometric growth means).

        Whatever value of t you settle on determines how many bits you need.

        • (Score: 2) by Kromagv0 on Thursday October 22 2015, @11:59AM

          by Kromagv0 (1825) on Thursday October 22 2015, @11:59AM (#253177) Homepage

          For symmetric key encryption that point is somewhere around 270 bits using classical computers or about 540 bits using quantum computers. Beyond that it requires more energy than would be available if the entire visible universe was converted to energy. Also that is just the energy to cycle a counter of the appropriate size through all states with no energy used for doing actual decryption. For asymmetric key encryption that uses prime factorization for its keys quantum computing breaks it, but Lattice based [wikipedia.org] cryptography so far seems to be immune to quantum attacks.

          --
          T-Shirts and bumper stickers [zazzle.com] to offend someone
      • (Score: 2) by SecurityGuy on Thursday October 22 2015, @06:57PM

        by SecurityGuy (1453) on Thursday October 22 2015, @06:57PM (#253332)

        So, I fully agree that taking 512 to 1024 isn't doubling it; if we looked at just 512 and added one bit, we have 513 bits, and that adds 513 permutations for possible combinations possible for brute forcing, since that new bit can then match all values of 0 to 512 and add one to it, leading to 513 new values just from adding a single bit. That's more than doubling it, and we only just considered a single bit! There are 511 more to add permutations of. Much much harder to do than simply having twice the PCs going at it, but that'd sure help.

        Adding a bit precisely doubles the number of possible values. A 1 bit key can be 0 or 1 (2 values), a 2 bit key can be 00, 01, 10, or 11 (4), and so on. 2 to the n possible values for an n bit key. A 512 bit key space has exactly half as many keys as a 513 bit key space IF all possible values are valid keys.

        That's an important IF, by the way, as most n-bit values are not valid RSA keys. If they were, then you couldn't brute force even a 400 bit key in the length of time the universe has existed even if every atom in the universe could test a trillion a second.
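The exchange above (VLM's post that the 512 to 1024 step is a huge factor rather than a doubling, and SecurityGuy's reply that one extra bit exactly doubles a brute-force key space) can be put into numbers. This is an added example, not from the story, the paper or any commenter. It assumes the attacker factors with the general number field sieve, as practical attacks at these sizes do, and uses that algorithm's standard heuristic running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, so the absolute figures are only orders of magnitude; the function names and the 4-hour baseline (the paper's figure for a 512-bit key) are the example's inputs.

```python
import math


def gnfs_log2_work(bits):
    """Heuristic log2 of the work to factor a `bits`-bit RSA modulus with the
    general number field sieve: L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped.
    Absolute values are rough; ratios between key sizes are what this is for."""
    ln_n = bits * math.log(2)                  # ln of a modulus of that size
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def factoring_scale(from_bits, to_bits):
    """How many times more work factoring a to_bits modulus takes than from_bits
    (subexponential: far more than 1x per extra bit, far less than 2x)."""
    return 2.0 ** (gnfs_log2_work(to_bits) - gnfs_log2_work(from_bits))


def brute_force_scale(from_bits, to_bits):
    """Key-space growth for a cipher where every n-bit string is a valid key:
    one extra bit exactly doubles the space. RSA moduli are not like that,
    which is why factoring, not key enumeration, is the relevant attack."""
    return 2 ** (to_bits - from_bits)


def extrapolate_hours(base_bits, base_hours, target_bits):
    """Scale a measured factoring time (e.g. the paper's 4 hours for 512 bits)
    to another modulus size under the GNFS heuristic, same hardware assumed."""
    return base_hours * factoring_scale(base_bits, target_bits)


if __name__ == "__main__":
    for k in (512, 513, 768, 1024, 2048):
        print(f"{k:5d} bits: ~2^{gnfs_log2_work(k):.1f} work, "
              f"{factoring_scale(512, k):.3g}x a 512-bit job, "
              f"~{extrapolate_hours(512, 4, k) / 8766:.3g} years at 4 h per 512-bit key")
```

The output makes both commenters' points at once: 513 bits costs only a few percent more than 512 (VLM's "eight hours" is an overestimate), while 1024 bits is millions of times more work, not a factor of 2^512 and not a doubling either. The heuristic also lands near the usual strength figures (roughly 2^64 for 512, 2^87 for 1024, 2^117 for 2048), which is why 2048 is the floor the story's author chose.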

  • (Score: 2) by stormwyrm on Wednesday October 21 2015, @09:46PM

    by stormwyrm (717) on Wednesday October 21 2015, @09:46PM (#252935) Journal

    And really, for some of the connections, 512 is fine. How many bits of encryption do you need to get a map and print it out or check webmail for something you believe is disposable? The right tool for the right job.

    To get a map and print it out and make sure that it's the real map? Check webmail for something you believe is disposable? You might believe something is disposable but do remember that miscreants can always find creative uses for such things that you haven't thought of. I'd say 2048 at least, or 4096 even better. I'd say a bit of paranoia is better given that in this day and age, when Moore's Law has given us so much computing power, it doesn't really cost that much more to be using 4096-bit keys rather than 512. Can you really notice the difference when connecting to such sites? And if someone out there is still using a weak key like that how do you know they aren't using it to encrypt other data that you do care about? Better to use something stronger when possible. There is no reason and no excuse to be using a 512-bit key in this day and age!

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 2) by deimtee on Thursday October 22 2015, @02:00AM

      by deimtee (3272) on Thursday October 22 2015, @02:00AM (#253040) Journal

      And really, for some of the connections, 512 is fine. How many bits of encryption do you need to get a map and print it out or check webmail for something you believe is disposable? The right tool for the right job.

      To get a map and print it out and make sure that it's the real map?

      If I ask for a map, I expect it within a few seconds. Even if someone wants to spend $75 and crack the encryption, I am not going to wait four hours for them to fudge around with it. For certifying that content is not tampered with, 512 bits is fine.
      If you have something that needs to remain secret then sure, you need more bits.

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.
      • (Score: 2) by stormwyrm on Thursday October 22 2015, @02:08AM

        by stormwyrm (717) on Thursday October 22 2015, @02:08AM (#253047) Journal

        Will it cost you less to use weaker encryption where you think it might not matter? I'd say it will cost you more to bother to even make that kind of decision in the first place than the relatively minuscule extra amount of computing power it would cost to use strong(er) encryption. And if you make the mistake of using a weak key where you should have used a strong one that would be a disaster. Better to use strong keys everywhere no matter if the data they're protecting isn't that important. There is no point to using 512-bit keys in this day and age.
        --
        Numquam ponenda est pluralitas sine necessitate.