Is this the smoking gun?

There are suggestions that the NSA may have had in a hand in weakening SHA-3. Judging by revelations that they have cracked AES (used in encrypting the private key for transactions using SSL, HTTPS in essence), I find this quite likely. Worryingly for SSL, the only other option to protect keys is 3-DES, so you may as well leave your keys plain text, oh, and have a file called “passwords.asc” on your web server.

Oh, to make matters really dire, RSA have suggested not trusting their random number generator, integral for encryption. Really, what they are saying is “don’t use our software at all it is compromised”, and it doesn’t take two guesses as to who did that. What worries me is that leaves pretty much GNU Privacy Guard as the only kid on the block. Is RSA safe for Public/Private key encryption. To be honest, no one is really sure. If the NSA has figured out a mathematical back door, then key size won’t help (and judging by their enormous budget, this may be possible). Matters are made worse by peoples tardy security practices, making the theft of the key easy, exacerbated by key passwords. No need to crack the key then (snowden had warned frequently on this). Elliptic Curve Cryptography is the new kid on the block, but there is mounting evidence that the NSA has screwed with the specification on this too, making it a dead horse at the gate (I wouldn’t use it, put it that way). and if RSA is secure beyond a second key length, it will only be secure for a few years, so if they can’t crack it now, they will a few years down the road. Just pray you didn’t steal the Presidents favourite recipe for strawberry cake, because it could be used against you. And if quantum computers take off (last I checked, they were building 512 qubit machines commercially. I think they are viable, and are the future), you are totally screwed.

So be careful out there, and don’t say it unless it needs to be said. and get smart on using crypto, your life may one day depend on it.

https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s