[Ach] recent spiegel docs

Aaron Zauner azet at azet.org
Mon Dec 29 04:21:48 CET 2014

christian mock wrote:
> So I've gone through most of them and tried to summarize what they mean in
> the context of ACH (as the accompanying article is rather light on the
> technical details).

Have done the same, although not very thoroughly. I've read the documents
relevant to our current draft.

> IPSEC: they seem to have the capability to decrypt based on pre-shared
> keys that they've got via some other means (pwning routers &
> extracting config, or snooping on admins). Can we still safely
> recommend using PFS as a safe thing (in phase 1 and phase 2)? (I think
> recommending certificates instead of PSKs is moot, they'd just extract
> the private keys instead of the PSKs).

Yes. Totally agree. They made some off-record references to ESP attacks
though. Mostly it seems to be brute-force on PSKs or failure in OPSEC on
PSKs/certificates etc. (XKEYSCORE, ...).

The included pictures of traces are pretty obvious (look at the src
port), these are previous captures of plaintext telnet traffic from
cisco routers. No idea how they've collected this data though, as I'd
guess these management interfaces are (at least by trained people) only
accessed through routers with special ACLs and VLANs.

> TLS: they seem to decrypt non-FS connections by using RSA private keys
> extracted by other means (and weak debian keys). FS ciphers still seem
> safe, so shall we drop all non-FS ciphers (at least in config A)? No
> hint at whether they fool with the NIST EC curves...

These documents are from 2010 to 2012. I've not seen a single mention of a
vulnerability discussed in them not known to the security community in
general (and public) at the time. Although they had, even back then,
established better TLS analysis methods (down to handshake details, DH
params on each handshake of an interesting target, etc.) than most
researchers do nowadays. I'm sure this'll get mentioned in future (open)
security research publications ;)

> SSH: AFAICT, they only mention it in passing, no indications to the
> kind of techniques used, but they seem to have some capabilities.
> What's the buzz about that at the congress?

I've only seen references to OPSEC failures. Did I miss anything?

> My summary: the only thing they seem to attack cryptoanalytically is
> PPTP, and that's already public knowledge.

Also: they have better cryptanalytic power than estimated at the time;
some of these attacks are only feasible on /large/ clusters of special
hardware - if they do not exploit an unknown new vulnerability in a
protocol or cipher, which they do not refer to, not even in passing as
far as I can tell.

This might be very conservative and my opinion might change when I look
into the documents in more detail, but from the ~8 I've read mentioning
technologies related to this draft - that's my take on it.

