SoylentNews is people
SoylentNews
Crypto Needs More Transparency, Researchers Warn
Researchers with at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.
The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using "special number field sieve" (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn't.
Since the research is bound to get conspiracists over-excited, it's worth noting: their paper doesn't claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.
"There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified", the paper states.
Joshua Fried and Nadia Heninger (University of Pennsylvania) worked with Pierrick Gaudry and Emmanuel Thomé (INRIA at the University of Lorraine) on the paper, here.
They call for 2,048-bit keys to be based on "standardised primes" using published seeds, because too many crypto schemes don't provide any way to verify that the seeds aren't somehow back-doored.
NSA Could Put Undetectable "Trapdoors" in Millions of Crypto Keys
Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, virtual private networks, and Internet servers. The feat allows hackers to passively decrypt hundreds of millions of encrypted communications as well as cryptographically impersonate key owners.
The technique is notable because it puts a backdoor—or in the parlance of cryptographers, a "trapdoor"—in 1,024-bit keys used in the Diffie-Hellman key exchange. Diffie-Hellman significantly raises the burden on eavesdroppers because it regularly changes the encryption key protecting an ongoing communication. Attackers who are aware of the trapdoor have everything they need to decrypt Diffie-Hellman-protected communications over extended periods of time, often measured in years. Knowledgeable attackers can also forge cryptographic signatures that are based on the widely used digital signature algorithm.
As with all public key encryption, the security of the Diffie-Hellman protocol is based on number-theoretic computations involving prime numbers so large that the problems are prohibitively hard for attackers to solve. The parties are able to conceal secrets within the results of these computations. A special prime devised by the researchers, however, contains certain invisible properties that make the secret parameters unusually susceptible to discovery. The researchers were able to break one of these weakened 1,024-bit primes in slightly more than two months using an academic computing cluster of 2,000 to 3,000 CPUs.
(Score: 3, Interesting) by tangomargarine on Tuesday October 11 2016, @10:41PM
I'll admit I'm terrible at advanced math...but I *think* I have a vague understanding of what's going on.
So due to mathematical properties, it's easier to "crack" some 1024/2048-bit numbers, and some encryption suites just come with a pregenerated list of said numbers, which could be pre-cracked by the NSA or whoever. Cf. elliptic curve.
So instead of just trusting the software's authors to have picked good numbers, we should...publish the numbers?* Not sure whether that really gets the NSA anywhere, since in theory it shouldn't be possible to work backwards from the end result to figure out the key, which is the whole concept the crypto is based on in the first place. But wouldn't openly saying which algorithms you used to find the keys still make it easier for them to know where to start trying to crack them?
*may already be published for open-source crypto?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Interesting) by frojack on Tuesday October 11 2016, @11:19PM
I read it as your latter asterisked interpretation. I didn't see it as a call for publishing MORE numbers, simply pointing out that some implementations simply use standard numbers embedded in the code because its computationally cheaper.
I would think publishing a known list of easy to trap primes would make more sense.
Personally, I've just moved to larger keys of 4097 or 3072 bits, even if they are marginally slower.
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by NCommander on Wednesday October 12 2016, @12:38AM
Essentially, the issue is a variation of the LOGJAM attack; crypto isn't my specialty but let me see if I can try and put this more in layman terms. TLS is underpinned by a Diffie–Hellman key exchange which requires creation of a set of 'known primes' on both ends of the connection. A set of DH parameters basically consists of a prime number and set of generators that are used. They're by definition public as they're transmitted between the client and the server at connection time. These known primes are used to calculate differential equations to exchange season keys for establishing the initial round of crypto. The problem is these primes are very slow to generate (45 minutes for a 2048 bit prime), so most vendors ship pre-calculated ones which have been copied over and over again.
However, by having a common set of known parameters, if you can factor them once, you can drastically reduce the complexity of breaking any other DH exchanges using the same set of primes. Thus if you identify that a given DH set is used by 70% of internet traffic, if you can break it (which may take thousands of compute years; well within the realm of the NSA), you could decrypt any TLS traffic relatively easily that was established using those same primes.
I changed out the primes used by SN, but I won't be surprised if most client browsers used a pre-generated set, as well as embedded devices that haven't been updated in X years.
Still always moving