North American Network Operators Group


RE: 1024-bit RSA keys in danger of compromise (fwd)

  • From: Deepak Jain
  • Date: Mon Mar 25 20:33:51 2002

Exactly. Why think $2B is some insurmountable barrier when there are far
cheaper ways of getting what you want? Most computer people think of
security only in terms of computers. Bribing a few night security guards is
far cheaper than even cryptanalysis and will give any sufficiently
interested party access to the machines signing the keys.

At present, if you have the sophistication to break an "interesting" key,
you could have the sophistication to not be detected MITM. The difference
between inserting/replacing a valid flow, and simply listening [unless the
attacker is stupid] isn't that big a difference from a detection [of the
attack] point of view.

Again, I am assuming things about the attacker that makes them scary. If the
attacker is a little kiddie using his home broadband connection, he is not
necessarily going to be able to use that information for anything
particularly harmful.

Yes, but the trust architectures out there today are far more vulnerable
[IMO] than the underlying key encryption. Again, while key negotiation is
interesting and important, RSA/DSA/etc. are only used in that stage, and
generally the underlying connection [for performance reasons] moves to a
significantly less bulky encryption algorithm. Blowfish, IDEA and a few
others come to mind.

It is far more trivial to capture and compromise an in-stream algorithm than
worrying about the key at the get-go is [unless you are trying to
permanently compromise a victim, at which point the CA is an easier target
anyway]. This is especially the case when you allow for dedicated hardware.

I have always been of the opinion that all of this internet-widely-available
encryption is primarily to make customers feel safe and save credit card
companies some liability. There wasn't enough thought put into it at all
levels to make it more safe/secure than that.

No one is going to spend millions of dollars to get at most the same
millions of dollars back in credit card fraud [good money after bad].
Anyone who is relying on these commercial architectures to secure gov't
secrets or secrets worthy of an intelligence outfit's attention is a moron
[for numerous reasons]. If all you are doing is trying to secure machines
against script kiddies, starting huge public debates and initiatives and the
like seems like overkill to me. [investment is greater than reward]. YMMV.

Deepak Jain

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of
Len Sassaman
Sent: Monday, March 25, 2002 8:14 PM
To: Deepak Jain
Cc: nano[email protected]
Subject: RE: 1024-bit RSA keys in danger of compromise (fwd)

On Mon, 25 Mar 2002, Deepak Jain wrote:

> Since you are mentioning Verisign here, and CA authorities in general, has
> anyone considered that factoring the CA authority's key is far simpler than
> breaking the underlying key [no matter how large?]. Based on the

Well, that's not really the case. Breaking a 384 bit key is trivial.
Breaking a 1024 bit key is probably not possible without a multi-billion
dollar budget. 2048 bit keys are still in no danger of being broken any
time soon unless further advances are made in factoring.

But I see the point you are making, which is that targeting the CA lets
you attack all of the browsers that trust keys signed by that CA, rather
than specifically targeting that one site. However, MITM attacks are
active attacks, and run the risk of being detected by the victim. If
you break the key a site is using for encryption, you can read the traffic
without fear of detection.

Other comments on this issue, which I covered in my DEFCON 9 presentation:
it would probably be a lot easier to compromise a CA's root key by means
of network or physical attack, rather than through cryptanalysis. It also
doesn't have to be Verisign you target -- there are over a hundred trusted
root certification authorities in IE, some of them issued to companies
that have gone bankrupt, or sold their root as part of their assets.

Remember, if you're attempting a MITM attack in TLS, you're really
exploiting poor design of the trust-management features of the client,
which is a whole can-o-worms in and of itself.