Silk Road forums

Discussion => Security => Topic started by: UKMJ on May 24, 2012, 01:38 pm

Title: German government can crack PGP encryption - if they can then do can the NSA
Post by: UKMJ on May 24, 2012, 01:38 pm
German article ran through google translate:

http://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.golem.de%2Fnews%2Fbundesregierung-deutsche-geheimdienste-koennen-pgp-entschluesseln-1205-92031.html

Not sure how much of an issue this is given that SR users tend to only send addresses for delivery encrypted by PGP, it could lead to customs love letters or interceptions, potentially controlled deliveries for larger orders.

Of course it may not be worth the processing power to crack every PGP message just to get a delivery address for a gram of cocaine or 3.5g of hash but the risk is there.

Just a heads up for my fellow travellers on the road.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: vlad1m1r on May 24, 2012, 03:03 pm
Hi UKMJ,

I have just read the original German article* - the important word here is "teilweise" - i.e. partly!

The question was framed by a German Politician in general terms and a generic answer was given that it is indeed possible to monitor encrypted communications depending on the type of encryption and encryption strength.

The article makes for an interesting read but I don't see any reason to pack up and go home just yet.

Firstly, this is hardly big news. We've known for some time that older ciphers like 3DES and 1024 Bit Public Keys have been vulnerable to brute force attacks.

Secondly, you'll see the BND have declined to comment on the exact methods used to intercept communications for fear of malicious people being able to defend against it. If a consistently viable way to crack PGP had been invented, using the evidence in a public trial would be tantamount to an admission of the same.

As such even if the NSA have managed to find a way to break open our e-mails, do you really think they'll show their entire hand for the sake of a few kilos of drugs?

V.

*Deutsch ist geil!

Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: Banjo on May 24, 2012, 04:31 pm
Quote
As such even if the NSA have managed to find a way to break open our e-mails, do you really think they'll show their entire hand for the sake of a few kilos of drugs?

Exactly. Truly cracking RSA is one of the holy grails of cryptography. If the NSA (or anyone else) has developed a way to do it, they're absolutely not going to share it, not even with the LEA of their own governments, because it would be one of the most powerful intelligence gathering methods available. Cryptographic agencies are some of the most, if not THE most, secretive branches of government. By using their ability to catch a few low-level drug buyers/dealers, they'd effectively be giving up their ability to read other governments' and terrorists' communication at will.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: vlad1m1r on May 24, 2012, 04:43 pm
Quote
As such even if the NSA have managed to find a way to break open our e-mails, do you really think they'll show their entire hand for the sake of a few kilos of drugs?

Exactly. Truly cracking RSA is one of the holy grails of cryptography. If the NSA (or anyone else) has developed a way to do it, they're absolutely not going to share it, not even with the LEA of their own governments, because it would be one of the most powerful intelligence gathering methods available. Cryptographic agencies are some of the most, if not THE most, secretive branches of government. By using their ability to catch a few low-level drug buyers/dealers, they'd effectively be giving up their ability to read other governments' and terrorists' communication at will.

I've posted in a separate thread a link to Simon Singh's Code Book which actually provides the RSA algorithm and explains in layman's terms that it works by using modular arithmetic on large prime numbers.

In order to beat RSA we'd need a faster way to factor Prime numbers - this as you say is something of a Holy Grail of Cryptography and Singh postulates a "quantum" computer would be able to do just that but the technology is apparently still in its infancy.

Certainly keeping the methods used close to their chest would be in keeping with governments in ages past. The government in my country asked Charles Babbage not to publish his solution to the Vigenère Cipher (the so-called "unbreakable" cipher!). Similarly after the war we supplied our former colonies with captured German Enigma machines, the encryption for which we'd been cheerfully breaking throughout the war.*

As we said though, if you were in the German government's position would you risk revealing that information in an open trial for the sake of a few drug dealers or keep it a secret and spy on your country's enemies?

V.
*For the purists out there, yes there was more than one type of machine and no we didn't break Nazi naval encryption.
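
Added example, not part of any post in this thread: a textbook RSA round trip in Python showing why the private key falls out as soon as the modulus is factored, and how the factoring work grows with key size. The primes, the message and all function names are constructed for illustration; real keys use padding and primes hundreds of digits long.

```python
import math

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (no padding, demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)        # public key (n, e), private exponent d

def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)                   # c = m^e mod n

def decrypt(c, d, n):
    return pow(c, d, n)                   # m = c^d mod n

def factor(n):
    """Trial division over odd candidates; returns (p, q, steps).
    Work grows with sqrt(n), i.e. it doubles for every 2 bits added to n.
    Real attacks use far better algorithms, but they still scale badly."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps, f = 0, 3
    while f * f <= n:
        steps += 1
        if n % f == 0:
            return f, n // f, steps
        f += 2
    raise ValueError("n is prime")

def private_from_public(pub):
    """Knowing the factors of n is equivalent to knowing the private key."""
    n, e = pub
    p, q, steps = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), steps

def demo():
    # Constructed toy primes: a ~27-bit and a ~40-bit modulus.
    results = []
    for p, q in [(10007, 10009), (1000003, 1000033)]:
        pub, d = make_key(p, q)
        c = encrypt(424242, pub)
        d_found, steps = private_from_public(pub)
        results.append((pub[0].bit_length(), steps,
                        d_found == d, decrypt(c, d_found, pub[0])))
    return results

if __name__ == "__main__":
    for bits, steps, same_key, plain in demo():
        print(f"{bits}-bit n: {steps} divisions, key recovered={same_key}, m={plain}")
```
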



Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: tedka on May 24, 2012, 06:31 pm
oh boy. dont really know where to start here :D

first: german law enforcement is extremely incompetent in all internet/computer regards. they had a personal malware program to spy on computers of people they were investigating, which opened up backdoors any 12yo russian scriptkiddie could abuse for even worse stuff they used the program for. mostly because there was no proper encryption between the CC server and clients and you could easily attach worse payloads and code to any infected machine. when it went public, they became the laughing stock of the whole german speaking internet. not just because their terribly written malware was violating pretty much every legal basis they got for using it in the first place, but mostly because of the circumstance what a giant piece of shit software it was.

second: golem.de is a tabloid newspaper for nerds. very bad source for information regarding computer stuff.

conclusion: hold your phones. especially if the german government boasts with such circumstances in public and nobody else is really reporting it besides a nerd tabloid, its probably even mostly made up on behalf of the germans.

if i have more time ill sum up the whole deal with their really bad malware for all you non-german-speakers, it was/is really funny :D
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: Banjo on May 24, 2012, 07:13 pm
Quote
Singh postulates a "quantum" computer would be able to do just that but the technology is apparently still in its infancy.

You kind of have to wonder sometimes though... your GCHQ developed public key cryptography secretly three years before Diffie and Hellman did. And they didn't bother saying so until 1997.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: UKMJ on May 24, 2012, 07:36 pm
Thanks everyone for your comments, I really should not have sensationalised that title by adding in the bit about the NSA by the way.

Thanks vladimir for the translation, the google one is average at best.

I didn't think anyone would use it against SR specifically because there is little value in buyers addresses, but security is security so I'm glad I posted it.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: marsvolta12 on May 25, 2012, 06:52 am
If you can please post the full article in this thread.

As far as I know, NSA doesn't share information with any other agency. So you have to be classified as a national security risk. I'm sure this applies to some, but not most of SR users.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: kmfkewm on May 25, 2012, 07:43 am
The German gov probably thinks they have found some big cryptographic secret, but really their police just still have not figured out that everyone else knows not to use ECB mode ;)
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: Limetless on May 25, 2012, 07:56 am
Quote
oh boy. dont really know where to start here :D

first: german law enforcement is extremely incompetent in all internet/computer regards. they had a personal malware program to spy on computers of people they were investigating, which opened up backdoors any 12yo russian scriptkiddie could abuse for even worse stuff they used the program for. mostly because there was no proper encryption between the CC server and clients and you could easily attach worse payloads and code to any infected machine. when it went public, they became the laughing stock of the whole german speaking internet. not just because their terribly written malware was violating pretty much every legal basis they got for using it in the first place, but mostly because of the circumstance what a giant piece of shit software it was.

second: golem.de is a tabloid newspaper for nerds. very bad source for information regarding computer stuff.

conclusion: hold your phones. especially if the german government boasts with such circumstances in public and nobody else is really reporting it besides a nerd tabloid, its probably even mostly made up on behalf of the germans.

if i have more time ill sum up the whole deal with their really bad malware for all you non-german-speakers, it was/is really funny :D

"IF VE CANNOT KAPUT ZE DRUGGIES ENCRYPTION, VE SHALL CHATTEN ZE SHITZER AND PRETEND VE HAVE KAPUT ZE ENCRYPTION! HAHAHAHA!" <<< Said in a Nazi uniform....
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: kmfkewm on May 25, 2012, 08:02 am
Quantum computers can pwn RSA with Shor's algorithm. Quantum computers have already been used for prime factorization just against really small numbers. A quantum computer's ability to pwn RSA is dependent on the size of the key versus the number of qubits the quantum computer has. Real cryptographers are worried about quantum computers though, and the number of stabilized qubits is indeed growing at a steady rate. I have heard that RSA with realistic key size is probably going to be dead within a decade or so. Bit for bit ECC is significantly stronger than RSA, although it is still weak to quantum computing attacks, it requires significantly more qubits to pwn ECC based algorithms than RSA, bit to bit. There are public key encryption algorithms that are so far immune to quantum computing, traditionally they have had very large key sizes and very large ciphertexts (measured in megabytes instead of bits) but I believe there are some other quantum resistant techniques that have more practical parameters. Merkle hash tree signatures are quantum resistant, and there are quantum resistant multi-variable quadratic PK crypto schemes for signatures and session key encryption, also Goppa code PK schemes that are quantum resistant. NSA currently suggests using elliptic curve PK crypto, they don't even include RSA on their list of suggested algorithms, but it is still thought to be secure against all but quantum computer attacks once you get to ~2,048 bit keys.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: jpinkman on May 25, 2012, 09:53 am
Quote
Quantum computers can pwn RSA with Shor's algorithm.

True, it can. But same aforementioned issues apply. I have no doubt quantum computers are being deployed to pwn with Shor's via brute force, but the last thing they're going to want to do is tip their hand.

Because if they do decide to announce to the world they have reasonably powerful quantum computers doing their dirty work, it's going to be over much bigger fish they can fry than a few drug dealers.

Like pwning bitcoin. If they start by pwning ECDSA and SHA2 algorithms used in bitcoin, they could modify the transaction protocol of bitcoins in their possession (they could monopolize ownership of bitcoin majority just by using quantum computing to mine most of the 11+ million left to be mined) then the immediate mass distribution of their malicious bitcoins would force a fork in the blockchain creating two currencies in its wake with autonomous independent transaction histories. Such instability and widespread loss of public trust would drive the price through the floor. They could cock and reload wave after wave of malicious bitcoins, each with varying transaction protocols, until it forked itself into disuse.

Yes the modularity of bitcoin means a future update can upgrade to a post quantum crypto algorithm. But theoretically, this is the type of attack worthy of tipping their hand over. SR and other markets that predominantly thrived on btc underground currency destroyed. Non fiat currency that could threaten dollar supremacy destroyed.

Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: vlad1m1r on May 25, 2012, 10:36 am
Quote
oh boy. dont really know where to start here :D

first: german law enforcement is extremely incompetent in all internet/computer regards. they had a personal malware program to spy on computers of people they were investigating, which opened up backdoors any 12yo russian scriptkiddie could abuse for even worse stuff they used the program for. mostly because there was no proper encryption between the CC server and clients and you could easily attach worse payloads and code to any infected machine. when it went public, they became the laughing stock of the whole german speaking internet. not just because their terribly written malware was violating pretty much every legal basis they got for using it in the first place, but mostly because of the circumstance what a giant piece of shit software it was.

second: golem.de is a tabloid newspaper for nerds. very bad source for information regarding computer stuff.

conclusion: hold your phones. especially if the german government boasts with such circumstances in public and nobody else is really reporting it besides a nerd tabloid, its probably even mostly made up on behalf of the germans.

if i have more time ill sum up the whole deal with their really bad malware for all you non-german-speakers, it was/is really funny :D

"IF VE CANNOT KAPUT ZE DRUGGIES ENCRYPTION, VE SHALL CHATTEN ZE SHITZER AND PRETEND VE HAVE KAPUT ZE ENCRYPTION! HAHAHAHA!" <<< Said in a Nazi uniform....

I spent some time living in Deutschland and I couldn't get over how kind and friendly everyone was - of course I regularly mentioned the war, that's a given.

"You started it!" :-)

V.
Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: UKMJ on May 25, 2012, 10:48 am
Quote
"You started it!" :-)

"We did not start it."

"Yes you did - you invaded Poland."

Awesome - John Cleese is a very funny fucker

Title: Re: German government can crack PGP encryption - if they can then do can the NSA
Post by: vlad1m1r on May 25, 2012, 12:43 pm
Quote
Singh postulates a "quantum" computer would be able to do just that but the technology is apparently still in its infancy.

You kind of have to wonder sometimes though... your GCHQ developed public key cryptography secretly three years before Diffie and Hellman did. And they didn't bother saying so until 1997.

Yes indeed Clifford Cocks and James Ellis - worked out both concept and proof of Public Key Cryptography. Unfortunately computers in the UK weren't up to scratch to implement - also it was far from clear that patenting mathematical algorithms was possible in my country (this would be possible now). As you can imagine GCHQ also had a vested interest in keeping such revelations to themselves, given the nature of their work!

It makes you wonder what they've come up with in the past ten years!

V.