Silk Road forums
Discussion => Security => Topic started by: jackthetripper on March 01, 2012, 06:28 pm
-
Hey guys, just something I have been wondering as I have been learning more about it: I wonder if it is possible to break PGP messages. You would sure think that our spooky 3-letter government agencies (NSA) could do it, but how? I mean, your public key is related to your secret key by complex mathematics; I don't think a brute force technique could uncover that link between the public and the private key. They would have to covertly search you to find your secret key saved on your computer. Or disk. But if this was the case, then why wouldn't the terrorists (real bad guys) just encrypt everything PGP and not have to worry about any government? Anybody else wonder about this? I mean I'm not worried about it, and I sure feel safer using PGP; at least you know it would take someone higher than local to figure out what you were doing.
Oh, and let's just say that the FBI gets a warrant for your electronic communications, like I saw in the movie The Town last night. If they encounter an encrypted PGP message, can they shoot it to the NSA to decrypt it? They probably have their own cryptologists anyway.
-
No, PGP is based on 3DES (I think) which to crack would take an enormous amount of time (years) with a very expensive system and it wouldn't be worth it.
A more recent incident in December 2006 (see United States v. Boucher) involving US customs agents and a seized laptop PC which allegedly contained child pornography indicates that US Government agencies find it "nearly impossible" to access PGP-encrypted files. Additionally, a judge ruling on the same case in November 2007 has stated that forcing the suspect to reveal his PGP passphrase would violate his Fifth Amendment rights i.e. a suspect's constitutional right not to incriminate himself.[6][7] The Fifth Amendment issue has been opened again as the case was appealed and the federal judge again ordered the defendant to provide the key.[8]
Evidence suggests that as of 2007, British police investigators are unable to break PGP,[9] so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for 9 months for refusing to provide police investigators with encryption keys to PGP-encrypted files.[10]
*EDIT* It is possible to break, just very, very, very unlikely.
-
Ahhh. Fascinating. Thank you.
-
keylength.com is a fun toy to play with when you're wondering this
-
Wow QTC, that's awesome, so I wonder what my key length is? Whatever the default was; I noticed some people on SR have these super long keys relative to mine, so I guess that's why. That is very interesting: down at the bottom, at the highest level of encryption, it said it would protect against quantum computers (which, who knows, maybe the NSA has) unless Shor's algorithm applies. I would love to know what that is, from a math/physics viewpoint. Thanks for the link, that is really mind bending to think about levels of encryption like that... maybe something I'll do on my acid journey tomorrow.
-
Possible? Yes. But given current knowledge, the only attack would be to brute force it.
(Imagine you and I are playing a game - guess the number. I give you a range the number falls in - it's somewhere between 0 and 500 quintillion. You have to guess each number individually - I won't give you any clues if you get closer. This is brute force decryption in a nutshell).
It would take an extremely long amount of time (millions of years), with significant computing resources (electricity adds up) to crack a single key.
Key length is the important part here - we use 4096 bit keys for a reason. As the key length increases, the difficulty in breaking it increases exponentially.
As for potential govt backdoors into PGP - very unlikely, considering it's open source. Nowhere to hide the backdoor.
A quantum computer would be the best bet for hardcore brute force cryptography of this type - but those are a long, long way off, and research funding for them is low. I put them up there with fusion reactors and a moon colony as things that we know could be viable, but are pricey and the return on investment, while potentially very high, will take a long time to achieve.
-
Shor's algorithm requires a quantum computer with a certain number of stable qubits. If anyone has such a comp it would be the NSA, but most security people I talk with think that they do not.
If NSA runs into someone using GPG they will just remotely hack them and steal their key if they are not using airgaps (encryption operations on a computer that never has access to the internet at all, hand typing ciphertexts back and forth). If they are using airgaps NSA will remotely hack them to trace them and then get the key via some other method, maybe transient electromagnetic signal analysis unless the target is in a secure compartmentalized information facility. In short NSA doesn't really need to break encryption to get to the plaintext.
I have a friend who is a professional cryptographer. He says that the vast majority of implemented cryptosystems are improperly implemented and vulnerable to side channel data leaks, which can be used to compromise them (even from over the internet in many cases): https://en.wikipedia.org/wiki/Side_channel_attack
-
Hell, didn't the feds use some kind of "freeze-spray" and only RAM to bypass the encryption on the seized server of that one carder in SF? It still remains that you'd hafta be "pretty important" for them to break out those big guns though. Ya know?
-
Freezing RAM to get at encryption keys has gone from "in the realm of elite law enforcement operations" to "standard procedure for many law enforcement units". Particularly in organized CP distribution cases, they have come to recognize the importance of getting the RAM while it is still on (and freezing it as soon as possible after gaining access to it). Although plenty of LE will still power down machines during raids, you really shouldn't count on them doing this these days, particularly if you are raided by the feds and they have any experience with people using encryption.
Forensic methodologies generally fall into two broad camps.
The first is the "pure" pull-the-plug traditional forensic methodology advocated for many years by most of the law enforcement community. This method is great for preserving data on disk, but you lose a lot of volatile data which may be useful. A skillful attacker may never even write their files to disk. A real world example of this is the Code Red worm.
The second methodology, live forensics, recognizes the value of the volatile data that may be lost by a power down and seeks to collect it from a running system. As any such action will in some minor ways alter the system, it is not pure in forensic terms. Many people, including the author of this presentation, feel this is an acceptable tradeoff given the value of the data that can be collected from a running system (with minimal impacts).
-
Also noteworthy:
Others may remember this also. When PGP was still under ownership of MIT, I believe there was something in the news about a contest where they would award someone a huge cash prize for cracking a PGP encrypted message. No one ever won.
Basically, it would take hundreds of computers coordinating efforts and even then would take years if not decades. Here's a watered down version of understanding public key cryptography. Say I have two numbers, which are both prime numbers and both enormous, like 300-digits-long each. When multiplied together, you get a monstrously huge product number. To crack encryption would be similar to if I gave you that huge product and you had to have a computer try to figure out what those original 2 prime numbers were. It's possible, but computationally infeasible, and would take years/decades.
I also recall a news story about a criminal kingpin in the 90s or 00s, where police got access to his laptop, but found his data was PGP encrypted. They ended up not being able to access it at all until they used a keystroke logger on him to get his passphrase.
PGP = good shit!
-
Thanks kmf. I've been really curious about that. So I guess it remains to say, if you're up to no good, it's important to remember to power down your laptop as often as possible then..
peace
-
Install TrueCrypt, use cascading protection on a memory stick with a 64-digit password that you know in your head, or write it and store it somewhere safe; in your TrueCrypt volume add a .txt file with a 512-digit password, symbols + alphanumeric, and numbers. This should be adequate. Also 1024-bit minimum for the PGP key.
-
If the password is generated with a PRNG and a random seed, anything over 37 chars is overkill since the encryption key could be brute forced first. If the password is not random, having more will be helpful though.
-
Even IF the government had a way of breaking it, they would never reveal it, not ever. Not even to get at serial killers or worse.
The reason is that it would immediately become the highest grade of military secret, only usable in a world war or similar.
You know how they say war increases technological advancement? Well, that's not quite true. There's some truth in it, but not much. What really is happening is that the governments of the world deliberately hide certain technologies, e.g. there are computer viruses in research labs that make STUXNET look like a toy. Often when you hear about some innovation in the private sector, it actually turns out some government scientist discovered it decades ago, but wasn't able to talk about it. Then they suddenly bring this box of toys out in wartime to gain the upper hand. Technology hoarding makes perfect strategic sense. There's a limit to this logic of course; if you applied it to every possibility you'd throttle the economy. I'm sure the RAND Corporation would have something to say about all this.