[Ach] ECDHE and DHE

Aaron Zauner azet at azet.org
Thu Jan 9 13:25:31 CET 2014


Hi Ian,

ianG wrote:
> True, absence of evidence is not evidence of absence.
> 
> But how do you disambiguate the absence of evidence from blind luck?
> 
> From myth and fantasy?  From FUD & Marketing?  From government policy to
> weaken you and employ techies and corporates on charity programmes for
> dying industries like PKI?
> 
> This is why I ask for rain, so as to separate the science of weather
> from the dance of the rainman.

Let's do a rain dance then and hope security researchers will pick up on
the vibes! *dances* :)

> 
> 
>> People might just not have been putting enough effort into
>> exploiting weaknesses of NIST/SECG curves. I'm really worried about
>> that.
> 
> 
> Well, I guess we'll see some more attention on this.  I saw a proof of
> concept on the DUAL_EC backdoor recently (didn't read it tho).
I read it (well, at least the Python part). It's well done. BTW the same
guy also supplied DJB curves as a patch to the OpenSSH project recently.
They'll be incorporated into the next release.

> It can only be exploited on a wide scale by those that can map and
> attack your traffic.  For the session stuff, this is pretty much the
> telcos (immoral), national governments (quasi-legal if kept secret) and
> foreign spooks (illegal, espionage).  So even if it were to happen,
> there isn't a scenario where everyone is suddenly at risk of everything.
>  And we know that those who will do these MITMs will also think
> carefully about the costs of being caught.  So even a found-weakness in
> EC is not going to cause the house of cards to come tumbling down.
Uhm. Yea. But what we've seen since this summer is that people do in
fact MITM, sniff and exploit on a wide scale (often without clear legal
arguments). With "people" I mean our US overlords of course. (Well. The
Chinese, Israelis and Russians are also reportedly engaging in those
tactics)


> 
> Yep.  Me neither.  What is surprising is that we've been using the stuff
> for 10 years, and now, only now, is someone poking holes in it.
Yup. That confuses me as well. Feedback I got from a lot of people
working in Crypto for Clients and Server is (paraphrased): "We trust the
ECC recommendation since we do not fully understand how ECC works and
need to rely on experts" - Well, those experts are a scarce resource.


> However, still no prize.  If Dan & Tanja found an exploit, I'm pretty
> sure they would shout it from the rooftops.
I guess so.

> Ya know, there is huge value in having a body of 768 bit keys out there
> in use, because then we get to find out when it breaches.  The attacker
> envelope is critical information.  We only found attacks on 512b in the
> last 3 years or so.  While the sun shines, make hay...
RSA? 512-bit is factorable in AWS EC2 within 42 hours. 768-bit RSA was
factored a few years ago in a university setup(!). I operate a larger
cluster than they do. So that does not make me feel any safer.

Besides, have you seen the factorable.net project? What they basically
did was to use zmap(.io) to mass scan the public internet and compare
keys. Turns out a lot of them are the same due to entropy problems in
virtualization environments, embedded devices or simply the copying of
keys. (https://factorable.net/weakkeys12.conference.pdf)

Aaron
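
Added example, not part of the original message or of the factorable.net code: a key-inventory audit for the weak-key problem mentioned above, flagging hosts to re-key. It goes beyond the "same keys" case to distinct moduli that share a prime factor; host names and the toy moduli are constructed for illustration.

```python
from collections import defaultdict
from math import gcd, prod


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli)."""
    # Product tree: level 0 holds the moduli, the top level their product P.
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([prod(lvl[i:i + 2]) for i in range(0, len(lvl), 2)])
    # Remainder tree: push P back down, reducing modulo node^2 at each level,
    # so each leaf ends up holding P mod N_i^2.
    rems = tree.pop()
    while tree:
        lvl = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(lvl)]
    # (P mod N_i^2) // N_i equals (P / N_i) mod N_i.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]


def audit(keys):
    """keys maps host -> RSA modulus. Returns (duplicate groups, shared-factor hosts)."""
    by_mod = defaultdict(list)
    for host, n in keys.items():
        by_mod[n].append(host)
    # Identical moduli: cloned images or copied key files.
    duplicates = sorted(sorted(h) for h in by_mod.values() if len(h) > 1)
    # De-duplicate first, otherwise a repeated modulus reports itself as its gcd.
    distinct = sorted(by_mod)
    shared = sorted(
        host
        for n, g in zip(distinct, batch_gcd(distinct))
        if g > 1                      # g > 1: a prime is shared with another key
        for host in by_mod[n]
    )
    return duplicates, shared


# Constructed inventory: toy moduli built from small primes, not real keys.
SAMPLE = {
    "web-a": 1009 * 1013,
    "web-b": 1009 * 1013,     # same key as web-a
    "router-1": 1019 * 1021,
    "router-2": 1019 * 1031,  # shares the prime 1019 with router-1
    "mail": 1033 * 1039,
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every host in either result should get a fresh key generated after the entropy pool is properly seeded.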
