From all the news, one thing seems clear: no one is certain of the exact capabilities of the NSA other than the NSA itself. However, once limited information was released, we began to conduct research and were able to draw some conclusions. As of now, Bruce Schneier seems to be our best source of information on this issue because he is a specialist in security and cryptography and often speaks in defense of civil liberties. He was given direct access to Snowden's NSA source material. As such, at this stage, he is the only one on our side who is able to make conclusive guesses about the NSA.
Dead or Alive
First, encryption in general is not dead or useless. Both Schneier and Snowden have made strong statements indicating as much. "Encryption works. Correctly implemented strong cryptographic systems are one of the few things you can count on," said Snowden. In addition, Schneier said, "I think it's true." He went on to say: "Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. Here's how you can stay safe even in the face of the NSA." However, the media seems to be reporting things as though encryption is broken in its entirety. If it is not, the question remains: what is broken?
Long live the king
It is our understanding that 1024-bit RSA must be retired. It is likely that it can be cracked in much less time than was previously thought possible. There are several facts we have observed that led us to this conclusion, with the following quote apparently confirming our suspicions: "Another program, codenamed Cheesy Name, was to single out the encryption keys, known as 'certificates', which could be likely to be cracked by GCHQ supercomputers." This indicates that only certain types of certificates are crackable, and the most likely culprit is the weak 1024-bit RSA certificate that is still commonly used by many websites. If this is true, it has huge implications for HTTPS traffic but minimal impact on OpenVPN traffic. Because most web servers do not use an ephemeral key exchange, the vast majority of HTTPS traffic becomes readable by obtaining or cracking the certificate's RSA private key.
3 ghosts monitoring
Ephemeral key exchanges differ greatly from non-ephemeral key exchanges in that they do not rely, in any way, on the certificate to exchange their secret keys. In other words, if a criminal is spying on your encrypted connection, then even if the criminal were to somehow get the certificate's private key, he or she would not be able to decrypt the transmission. A non-ephemeral key exchange, however, relies only on the secrecy of the certificate's private key to keep the exchange secret. As such, in this case, when a private key is compromised, all past, current and future non-ephemeral exchanges are compromised, simply by observing them.
The silver lining is that if all web traffic simply upgraded to ephemeral key exchange, then whether 1024-bit RSA is broken would have no effect on whether dragnet decryption of HTTPS traffic can or will happen. Unfortunately, this is not the case on today's Internet, and as such, we must assume the NSA is performing dragnet decryption of 1024-bit RSA non-ephemeral HTTPS connections, which make up most of the web/HTTPS traffic on the Internet.
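The difference described above can be shown with a small model of both handshakes. This is an added example, not code from the original post; the key sizes and group are toy values constructed for illustration, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1            # "certificate" RSA primes (Mersenne primes)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # certificate private key
DH_P, DH_G = 2**127 - 1, 3             # Diffie-Hellman group

def digest(*values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def static_rsa_handshake():
    """Non-ephemeral: client encrypts the session secret to the certificate key."""
    secret = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_secret": pow(secret, E, N)}   # all an eavesdropper records
    return wire, secret

def ephemeral_dh_handshake(signing_key=D):
    """Ephemeral: the certificate key only signs the server's one-time DH share."""
    a = secrets.randbelow(DH_P - 3) + 2              # client one-time exponent
    b = secrets.randbelow(DH_P - 3) + 2              # server one-time exponent
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"client_pub": client_pub, "server_pub": server_pub,
            "signature": pow(digest(server_pub), signing_key, N)}
    secret = pow(server_pub, a, DH_P)                # a and b are discarded on return
    return wire, secret

def signature_valid(wire):
    """Client-side check that the DH share was signed by the certificate key."""
    return pow(wire["signature"], E, N) == digest(wire["server_pub"])

def recover_from_recording(wire, private_key):
    """What a holder of the certificate private key gets from a passive recording."""
    if "encrypted_secret" in wire:
        return pow(wire["encrypted_secret"], private_key, N)
    return None   # only public DH shares were sent; the key decrypts nothing here
```

In the ephemeral case the certificate key authenticates the exchange but never encrypts the session secret, so a recording yields nothing to decrypt once the one-time exponents are gone.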
OpenVPN
Fortunately, the open source OpenVPN is designed to use ephemeral key exchange, which avoids any kind of dragnet mass decryption. That still leaves OpenVPN connections open to targeted man-in-the-middle attacks, assuming the private key has been cracked. We have set in motion a number of changes that harden our service and therefore prevent these powerful new attacks from occurring.
Kryptonite is not the only weakness
There is still another, less likely, thing that could be broken. It is possible that the 1024-bit Diffie-Hellman key exchange protocol can be cracked within a reasonable period of time. No one has mentioned anything about it, and therefore we believe it is unlikely to be the case. However, this could allow the NSA to decrypt any past or future OpenVPN or HTTPS sessions (with a 1024-bit key exchange) that they are able to passively record. Although this is probably not the case, we at Private Internet Access have already upgraded all our Diffie-Hellman key exchanges to 2048-bit to ensure that this is not even a realistic possibility.
National Security Agency
According to The Guardian, "the documents show that the initial target of Edgehill was to decode the encrypted traffic certified by three major Internet companies (unnamed) and 30 kinds of virtual private network (VPN), used by enterprises to provide secure remote access to their systems. In 2015, GCHQ hoped to have cracked the codes used by 15 major Internet companies, and 300 VPNs."
This statement was, at first, alarming. However, after we analyzed all the reports in depth and consulted experts both internally and externally, we believe that they are referring to different types or implementations of PPTP VPN solutions, including hardware, software, or even open source PPTP implementations. After all, PPTP has always used many cryptographic algorithms that were later proven to be broken or weakened to the point of uselessness. In addition, it is an extremely old, legacy protocol, so there are probably many variants included in commercial offerings. We believe that the NSA is simply referring to attempts to set up their systems to automatically detect and decipher all the different variants of PPTP. This would, of course, allow them to get traffic from many large organizations, institutions, and even some governments still using these expensive legacy commercial systems.
A second, less likely (update: this appears to be far more likely than we originally estimated) possibility is that they are referring to cracking commercial IPsec VPN offerings. This is probably not the case, because IPsec is a more secure protocol that uses the same building blocks as TLS. That said, there are still many ways in which the NSA could have either found or forced weaknesses in commercial IPsec offerings. For example, this could include something similar to the HTTPS issue, where a non-ephemeral key exchange is used; the use of weak or broken cryptographic primitives; random number generator weaknesses that let the NSA predict random numbers; or defects in the IPsec implementation that might leak secret information.
A third possibility is that they are referring to network routing technologies that are sometimes called VPNs and may or may not even be encrypted, such as MPLS.
We do not believe that they are referring to OpenVPN in any way, shape or form at this time, on the basis of the statements that were made. OpenVPN is based on the same cryptographic building blocks as TLS, is built as an open source project, uses ephemeral key exchanges, and finally has to be interoperable with all other OpenVPN versions and protocols. Given these four facts, it is extremely unlikely that there is a fatal flaw in OpenVPN that makes it subject to dragnet decryption by the NSA. Even Schneier agrees when he says: "Try to use the public domain encryption that must be compatible with other implementations."
Private Internet Access has got your back
As noted above, we have already increased our key exchange security to 2048-bit to guard against any kind of unknown NSA cracking capability. In addition, in a few weeks, we will release a new client that will let people choose how much security they want for the certificate, the key exchange and the symmetric encryption. Our default certificate will be 2048-bit, but we'll let users select 3072-bit or 4096-bit if they want to be especially careful. We will also add support for something that no other vendor currently offers: Elliptic Curve cryptography, with both 256-bit and 521-bit curves. This is the advanced cryptography we want to provide to our users who choose to use it.