[tor-talk] NSA has cracked web encryption!

Nick Mathewson nickm at alum.mit.edu
Sat Sep 7 02:26:55 UTC 2013

On Fri, Sep 6, 2013 at 9:56 PM,  <hikki at safe-mail.net> wrote:
> It's not like I blew off my chair in surprise:
> "U.S. and British intelligence agencies have cracked the encryption designed to provide online privacy and security, documents leaked by former intelligence analyst Edward Snowden show."
> http://www.usatoday.com/story/news/nation/2013/09/05/nsa-snowden-encryption-cracked/2772721/

I'd seriously recommend the primary sources rather than USA today.
Try the Propublica writeup, the Guardian writeup, or the Nytimes
writeup -- those are the ones with the original research.  I'd also
have a close look at Bruce Schneier's two essays on the topic.

All of these are linked to from the following Bruce Schneier blog post:


Basically -- I wouldn't suggest USA Today for summarizing information
about cryptography.

> But I do have a question:
> Where does this leave Tor and _its_ encryption??

It seriously depends on what the NSA has broken.  If they've got a
strong AES break, or a cheap way to break ECDH-P256 or
ECDH-Curve25519, then we're pretty screwed.  But none of the good
reporting I'm seeing suggests that.  (FWICT, none of the good
reporting is actually being very specific at all, and the stuff that
*is* being specific is speculating or misunderstanding or
free-associating, for the most part.)  The stuff I'm seeing is pretty
vague, but if I had to speculate myself, I'd most suspect:

   * Dubious stuff in NIST standards. Everybody's pointing at that
Dual_EC RNG, but other stuff will be getting a lot of cryptographer
scrutiny.  What isn't broken may often be found to be deliberately
   * The commercial CA world is possibly a house of cards.
   * Operating system RNGs are a black hole of stupidity. On the one
hand, entropy collection really ought to be an OS function.  On the
other hand,
   * Paranoia time: I suspect deliberate obstruction of progress and
encouragement of complacency in relevant standards bodies.  Seriously,
it's 2013, and our options for TLS are mac-then-encrypt-with-CBC, CTR
CGM (which-will-be-usually-implemented-with-table-lookups), and RC4? I
suppose that human frailty alone might explain such a sorry state of
affairs, but everybody knows That One Guy who won't let a simple
standard get approved when a complex protocol already exists, and who
won't stand for fixing the mistakes of yesterday so long as a
half-assed workaround is conceivable.
    Then again, it's not like non-cryptograhpic standard move any
faster than cryptographic ones, so this could be my paranoia acting

Also, RSA1024 and DH1024 are *not* what folks ought to be using
nowadays.  (See that article where a guy who knows how to use   So
please, everybody upgrade to Tor 0.2.4.x once you can so that we can
start getting our forward secrecy with stronger keys.

Over the 0.2.5 series, I want to move even more things (including
hidden services) to curve25519 and its allies for public key crypto.
I also want to add more hard-to-implement-wrong protocols to our mix:
Salsa20 is looking like a much better choice to me than AES nowadays,
for instance.  I also want to support more backup entropy sources.

Then again, I'm not a cryptographer myself, so you might want to check
out what actual cryptographers are saying.

These are interesting times for crypto.


More information about the tor-talk mailing list