Again, All Together Now: You can not have an agency responsible for the safety of citizens and the security of the government at the same time

12:55:00 PM
Again, All Together Now: You can not have an agency responsible for the safety of citizens and the security of the government at the same time -

again, an electronic listening skills NSA was discovered - or made credible, anyway - which highlights two completely incompatible faces the National Security Agency in the United States. It turns out that the NSA has (probably) been able to wiretap many encrypted traffic on the net, due to poor cryptographic implementations combined with hundreds-de-million-dollars-worth of cracking the pre NSA -calculs. Again, this shows that the NSA can not protect citizens against the government and protect the government against the citizens simultaneously.

What was crypto strong this morning, may be weak crypto tomorrow. It just happened again, with many implementations 1024-bit Diffie-Hellman key exchange is apparently wiretappable NSA, due to the implementation of shortcuts that seemed inconsequential at the time - in particular, first hardcoded number seeds in some SSH, HTTPS and VPN software. Accordingly, if the NSA cracked a special 1024-bit prime number (a hardcoded seed), it would be able to wiretap two thirds of previously encrypted VPN traffic and a quarter of SSH traffic. Another, and he would be able to decipher about 20% of HTTPS traffic. This seems to have been the case.

Now, to their credit, the NSA a was gently pushing people may not be used key exchange Diffie-Hellman, but use Elliptic key exchange of curve instead. Considering that the NSA has actively sabotaged the specification and implementations of Elliptic Curve Cryptography, though, to make the deliberately low and crackable, people have rightly been skeptical - even downright dismissive - to nudge the NSA to a standard or family of standards, they were found to have deliberately weakened. It was seen as an attempt to get people to use weak crypto - .. Another word for non-crypto

This highlights the absurdity of the NSA's value proposition in the first place

what (wrongly!) since government security is the ability to wiretap anyone and everyone at will, to get the information coveted advantage . Citizen safety however depends on having a so-called sphere of private life, defined by the seven intimacies (body, correspondence, data, finance, identity, location and territory) where the Government can not encroach, or as it has evolved, at least not intrude without special treatment and a good reason. When a single organization's mission is to protect both, it will sell. We know that one gave way.

(In the long run, however, it is a complete mistake to government security depends on the wiretap its citizens. Citizens are hiring a government, well, govern the nation. Wiretapping your boss is bad management, real long term safety results from the safety of individual citizens decentralized components of a nation, not the temporary safety of a centralized power base fortified)

You can not have the same agency. responsible wiretapping everyone the same and to protect everyone in the same wiretap at the same time. Who thought that was a good or even any reasonable sound idea?

Oh, and as a final note, as is the blog of private Internet access VPN and it was estimated that two-thirds VPNs are vulnerable to this attack and therefore wiretappable, our technical team jumped to investigate and found that PIA not vulnerable - PIA uses a key 2048-bit Diffie-Hellman normally, and a key 1536 bits for its special iOS. In no event uses the now low-key of 1024 bits.

Previous
Next Post »
0 Komentar