| General > General Technical Chat |
| Crypto bombshell |
| << < (7/14) > >> |
| Mr. Scram:
--- Quote from: borjam on February 13, 2020, 12:13:15 pm ---Remember that getting a cryptosystem right is much harder than it seems. It doesn't matter how strong your algorithms are if your application of them has some weakness. Remember OpenSSL severely compromised because of two apparently harmless lines of code were removed, which resulted in a dramatic drop of the entropy of the random generated keys. Now, good luck making such kind of software or even auditing it. Some weaknesses can be extremely subtle! --- End quote --- Extremely subtle especially when intentionally introduced. Even with the bare code chances are well hidden weaknesses won't be easily spotted especially if measures are taken to prevent that. Another example is the attempted backdooring of Linux in 2003. https://lwn.net/Articles/57135/ |
| madsbarnkob:
--- Quote from: ebastler on February 13, 2020, 02:29:34 pm --- --- Quote from: edy on February 13, 2020, 02:04:57 pm ---I "discovered" spy transmissions of data and numbers over the shortwaves from Cuba and other countries. I am puzzled to understand why they broadcast this stuff over the public airwaves... in plain radio (not SSB) and regularly on a schedule and on frequencies that are known for that matter... so that anyone can hear it. --- End quote --- I thought that the whole point is that this is indeed "broadcasting" of information to agents in the field. Anyone (well, any agent) is supposed to be able to hear it, without the need for any specialized equipment -- which they might not have, or which might compromise their mission if it were discovered. --- End quote --- It is because there is only one key, known only to transmitter and one receiver. From: https://www.thedailybeast.com/the-stupidly-simple-spy-messages-no-computer-could-decode --- Quote ---That’s because the message was encrypted using a simple but enormously effective key known only to two parties—the sender and the recipient. Whomever the numbers were meant for would have been listening to the Numbers Man at the same time as me. “7…6…7…4…3.” He might write the numbers down in a row on a piece of paper. But underneath that, he’d write another row of the same length, using random numbers given to him earlier by the CIA or whatever intelligence agency was running him. These numbers were the key. Going number by number, he’d subtract row two from row one and come up with a third row. And those numbers corresponded to letters, which spelled out a message. This is just one example of how a listener might decrypt a numbers broadcast. But in all cases, the immutable characteristic of the system is that it’s easy to use. Decoding requires no special skills. No facility with cryptography. Anyone who can listen to a series of numbers, write them down, and perform basic math can do the job. Had I known the key, at age 10, I could have spelled out the spy’s message. But the numbers are just gibberish without that key, known in spycraft as a one-time pad. As its name suggests, it’s used only once. And that’s what makes it so secure. A former career U.S. intelligence officer told me that the pads were distributed to agents in tiny booklets composed of dozens of pages filled with numbers. Each day, the agent would rip out one page from the booklet and discard it. The intelligence officer told me that some of the pages were designed to dissolve in water. The agent could flush it down a toilet or even drop it in a glass of water at a café. The CIA reportedly made other pad pages that turned into gum on contact with saliva. I don’t know if they were mint flavored. Every day, a new key. Even if another spy found that day’s key, it’d be useless come midnight. And if the entire book were compromised, well, just make a new one. It is the beautiful paradox of the numbers stations that secret messages were literally sent into the air, for anyone to hear, but could only be understood by one person. So long as the pad wasn’t compromised, the numbers station codes were unbreakable. Perfect secrecy. All out in the open. --- End quote --- |
| SiliconWizard:
--- Quote from: imo on February 13, 2020, 11:05:20 am ---When you get a chance to talk with experts from that crypto community (especially those veterans from cold war time) you will get the basic rule - what is not home-made is always considered unsafe. Even home-made systems were always handled with pretty paranoia (the another basic rule - all the designers of your home made crypto systems are infiltrated agents of Dr. No). --- End quote --- Of course. And that was my point too. |
| SiliconWizard:
--- Quote from: ebastler on February 12, 2020, 07:09:43 pm ---Who would you turn to if you need encrypted communications for your embassies and don't have the technology capabilities yourself? A company based in Switzerland, run by Swiss and Swedes, with their reputation and their whole business existence on the line if they mess with their customers' cryptography, is not the most absurd choice in my mind. --- End quote --- You build it. As imo also noted, yes it is "absurd" per se, however good and apparently trustworthy said company looks. --- Quote from: ebastler on February 12, 2020, 07:09:43 pm ---Anyway, the point was not whether or not it was a smart decision by those dozens of governments. The point is that it indeed qualifies as a big deal that the meddling of the US and German secret service at Crypto AG has now been confirmed. --- End quote --- Of course it's a big deal, but how surprising is it? Past history for several decades has shown constant similar meddling from the CIA and NSA. Big deal yes, surprising, absolutely not, and will it have any consequence? Absolutely none IMO, just as with all the other "awful" past stories of meddling. And yes this is fully the point to me. It's all about responsibilty and how to reasonably deal with national security concerns. Yes this was dumb to trust a third-party for this, and I think it still is. And IMO it's the only lesson to learn here. Again, the fact the CIA has meddled, meddles and will meddle is a sure thing, we all look shocked when we learn about a new one, we get busy talking about it for a couple weeks, and it's done. We move on, you get irritated but nothing else, the US still does whatever they want and we just shut up usually. Point is, from this there's absolutely nothing new to learn, so big deal or not, this is just pointless. This is like playing the victim game, while the CIA will just keep doing it forever. Whining gets us nowhere. Taking a lesson or two about it for how to deal with national security is more interesting IMO. Just a thought though. |
| iMo:
And perhaps the final point after this CAG exercise - here is a great web page for all fans of James Bond movies :) CAG in the Breaking news: https://www.cryptomuseum.com/index.htm https://www.cryptomuseum.com/intel/cia/rubicon.htm daqq's One Time Pad: https://www.cryptomuseum.com/crypto/otp/index.htm Crypto AG machines: https://www.cryptomuseum.com/crypto/hagelin/index.htm |
| Navigation |
| Message Index |
| Next page |
| Previous page |