Silk Road forums

Discussion => Security => Topic started by: SelfSovereignty on August 07, 2013, 01:18 am

Title: RSA encryption may be useless in less than a decade...
Post by: SelfSovereignty on August 07, 2013, 01:18 am
Just in case you aren't uncomfortable enough yet after the past week -- http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/

From the article: "Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years..."  Lovely.  Juuuuust lovely.  I don't know about anyone else, but I've always used RSA.  I think I'll look into changing that...


... so, I looked into changing it, and to save everyone else the trouble: the main branch of gpg and gpg2 that everyone else uses doesn't support elliptic curve algorithms.  There's gpg2ecc which does, and the development (beta) release of gpg does... but the problem is that nobody else is going to be using these things.  So in other words, nobody except those who went out of their way to get these programs will be able to decrypt your messages, which makes sending them to begin with pretty pointless.  I guess we're stuck with RSA for the time being.
Title: Re: RSA encryption may be useless in less than a decade...
Post by: astor on August 07, 2013, 03:56 am
Five fucking years? I quit!

Just kidding, but we can't get any good news this week, can we? :)
Title: Re: RSA encryption may be useless in less than a decade...
Post by: kmfkewm on August 07, 2013, 08:22 am
Most popular EC algorithms are based on the Elliptic Curve Discrete Logarithm; I wonder if a solution for the non-elliptic discrete logarithm would work for them as well.
Title: Re: RSA encryption may be useless in less than a decade...
Post by: Baraka on August 07, 2013, 09:25 am
Bitmessage is the only email-like messaging app that uses 256-bit ECC, but no one here except me seems to like it or use it. Too bad I guess.  :(
Title: Re: RSA encryption may be useless in less than a decade...
Post by: kmfkewm on August 07, 2013, 09:58 am
Bitmessage is the only email-like messaging app that uses 256-bit ECC, but no one here except me seems to like it or use it. Too bad I guess.  :(

BitMessage has a lot of problems with it
Title: Re: RSA encryption may be useless in less than a decade...
Post by: Nightcrawler on August 07, 2013, 02:45 pm
Just in case you aren't uncomfortable enough yet after the past week -- http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/

From the article: "Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years..."  Lovely.  Juuuuust lovely.  I don't know about anyone else, but I've always used RSA.  I think I'll look into changing that...


... so, I looked into changing it, and to save everyone else the trouble: the main branch of gpg and gpg2 that everyone else uses doesn't support elliptic curve algorithms.  There's gpg2ecc which does, and the development (beta) release of gpg does... but the problem is that nobody else is going to be using these things.  So in other words, nobody except those who went out of their way to get these programs will be able to decrypt your messages, which makes sending them to begin with pretty pointless.  I guess we're stuck with RSA for the time being.

They say bad things happen in threes, so I guess what I am going to report will be the third item.

2013 IEEE Symposium on Security and Privacy

Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization
Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann - University of Luxembourg
{alex.biryukov,ivan.pustogarov,ralf-philipp.weinmann}@uni.lu

Abstract -- Tor is the most popular volunteer-based anonymity network consisting of over 3000 volunteer-operated
relays. Apart from making connections to servers hard to trace to their origin it can also provide receiver privacy for
Internet services through a feature called "hidden services". In this paper we expose flaws both in the design and
implementation of Tor's hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take
down hidden services and deanonymize hidden services. We give a practical evaluation of our techniques by studying:

(1) a recent case of a botnet using Tor hidden services for command
and control channels;

(2) Silk Road, a hidden service used to sell drugs and other contraband;

(3) the hidden service of the DuckDuckGo search engine.

Keywords -- Tor; anonymity network; privacy; hidden services


IX. CONCLUSION

We have analyzed the security properties of Tor hidden services and shown that attacks to deanonymize hidden
services at a large scale are practically possible with only a moderate amount of resources. We have demonstrated
that collecting the descriptors of all Tor hidden services is possible in approximately 2 days by spending less than USD
100 in Amazon EC2 resources. Running one or more guard nodes then allows an attacker to correlate hidden services
to IP addresses using a primitive traffic analysis attack.

Furthermore, we have shown that attackers can impact the availability and sample the popularity of arbitrary hidden
services not under their control by selectively becoming their hidden service directories.

To address these vulnerabilities we have proposed countermeasures. These prevent hidden service directories from
learning the content of any of the descriptors unless they also know their corresponding onion address and significantly
increase the resources required to selectively become a hidden service directory for a targeted hidden service.
However, note that the above suggestions are nothing more than stop-gap measures. We believe that the problems
we have shown are grave enough to warrant a careful redesign of Tor's hidden services.

Source: http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf (clearnet)

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: RSA encryption may be useless in less than a decade...
Post by: DanDanTheIceCreamMan on August 07, 2013, 02:56 pm
fuck..... :(