MQSeries.net Forum Index » IBM MQ Security » What if CAs give our digital certs to the NSA?

bruce2359
PostPosted: Thu Jul 18, 2013 12:53 pm    Post subject: What if CAs give our digital certs to the NSA?

As more details surface about the NSA snooping on phone calls, email, and data communications, we need to ponder if and where our organizations are exposed.

The foundation of our WMQ security environment is digital certificates. Theory has it that my private key is private as long as I don't share it. What if, under a(nother) secret court order, our trusted CAs deliver our certs to the government? Are our secrets safe now? Will they be in the future?

Is NSA snooping a subject of discussion at your shop? Have you brought this subject to management?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
fjb_saper
PostPosted: Thu Jul 18, 2013 7:41 pm

Did not know you had so much to hide...
Anyways your communications are only as secure as the keys you have.
If the CA gives your public key to the NSA, and the NSA has the public key of your counterpart, a number of things can be looked at...

However
If you use the public key to encrypt the data exchange key, only the private key is supposed to be able to decrypt this.

AFAIK the SSL key exchange goes....
Send encrypted by private key and flow public key => anybody with public key can decrypt
On response get public key of counterpart
Use public key of counterpart to encrypt data key => only counterpart is supposed to be able to decrypt data key

counterpart will use your public key to encrypt datakey => only you can decrypt.

Think about "man in the middle attack".

Have fun.
_________________
MQ & Broker admin
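The exchange fjb_saper sketches above, reduced to a runnable illustration. This is an added example, not code from the thread, from IBM or from MQ itself; it uses RSA key transport (the mechanism behind the RSA TLS cipher suites) in place of a real TLS handshake, and the CA names, the queue manager name QM1, the one-day validity and the random serial numbers are assumptions made for the demonstration. It builds a CA, has it issue a certificate for QM1, and then checks what the certificate alone buys anyone (the CA included), and what a second CA that signs a certificate in QM1's name can do:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario records what each party can do with the certificate and with a recorded session.
type Scenario struct {
	OwnerRecoversDataKey        bool // the private-key holder (QM1) unwraps the session data key
	CARecoversDataKey           bool // the CA, holding only the certificate, unwraps it
	RogueCertTrustedByLegitRoot bool // an impostor "QM1" cert validates against the genuine root alone
	RogueCertTrustedByRogueRoot bool // the same cert validates once the rogue root is trusted as well
}

// must turns setup failures (key generation, certificate encoding) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate body valid for one day: CAs get cert-signing usage, leaves key transport.
func template(cn string, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if isCA {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62))) // random serial, as real CAs use
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA}
}

// newCA makes a self-signed root (constructed for this example): its signing key and certificate.
func newCA(name string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := template(name, true)
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// issue has a CA sign a certificate for pub. All the CA ever receives is the subject's PUBLIC key
// (as in a CSR); the subject's private key never leaves its owner.
func issue(caKey *rsa.PrivateKey, ca *x509.Certificate, cn string, pub *rsa.PublicKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template(cn, false), ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// wrapDataKey encrypts a symmetric data key under the public key in the peer's certificate
// (RSA key transport, as in the RSA TLS cipher suites). The certificate alone suffices here.
func wrapDataKey(peer *x509.Certificate, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer.PublicKey.(*rsa.PublicKey), dataKey, nil)
}

// unwrapDataKey recovers the data key; only the matching private key can.
func unwrapDataKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// verifyPeer validates leaf against a trust store holding exactly the given roots (the peer's key repository).
func verifyPeer(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RunScenario plays out both questions: what a CA can do with our certificate, and what a CA
// that signs for someone else can do.
func RunScenario() (s Scenario) {
	caKey, ca := newCA("Legit CA")
	qmKey := must(rsa.GenerateKey(rand.Reader, 2048)) // QM1's private key, generated and kept on QM1
	qmCert := issue(caKey, ca, "QM1", &qmKey.PublicKey)
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	wrapped := must(wrapDataKey(qmCert, dataKey)) // what a recorded session would contain
	got, err := unwrapDataKey(qmKey, wrapped)
	s.OwnerRecoversDataKey = err == nil && string(got) == string(dataKey)
	_, err = unwrapDataKey(caKey, wrapped) // the CA's own key plus our certificate: not enough
	s.CARecoversDataKey = err == nil
	// A second CA issues a certificate naming "QM1" to a key the impostor controls. Whether peers
	// accept it depends only on whose roots sit in their trust store.
	rogueKey, rogue := newCA("Rogue CA")
	impKey := must(rsa.GenerateKey(rand.Reader, 2048))
	impostor := issue(rogueKey, rogue, "QM1", &impKey.PublicKey)
	s.RogueCertTrustedByLegitRoot = verifyPeer(impostor, ca) == nil
	s.RogueCertTrustedByRogueRoot = verifyPeer(impostor, ca, rogue) == nil
	return s
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints four results: the holder of the private key unwraps the data key; the CA, holding the certificate and its own signing key, does not; the impostor certificate fails validation against a trust store containing only the genuine root; and it passes as soon as the rogue root is trusted too. That is the whole answer to "what if the CA hands over our certs": the certificate is public and was always meant to be handed out, and the CSR the CA saw never contained the private key. What a complicit or compromised CA can do is sign a certificate for an impostor, and whether that works is decided entirely by which signer certificates sit in the peer's key repository, which is why an MQ key repository should hold as few CA certificates as possible. One caveat worth keeping in mind for the court-order scenario raised later in the thread: with RSA key transport, a private key handed over later does decrypt previously recorded sessions, whereas cipher suites using ephemeral Diffie-Hellman key agreement do not have that property.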
Michael Dag
PostPosted: Thu Jul 18, 2013 11:41 pm

Seen Sneakers?

It seems the NSA is able to snoop and tap wherever they want, which leads me to believe (hopefully NOT true) that they have some SSL master key...

in the meantime we think we are safe using encryption and CA's make a lot of money every year...
_________________
Michael
MQSystems Facebook page

Last edited by Michael Dag on Fri Jul 19, 2013 12:51 am; edited 1 time in total
mqjeff
PostPosted: Fri Jul 19, 2013 12:08 am

What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ?

What if the NSA has actually hired your CEO's secretary on the sly to use his login to give them wide open access to any data they want to get?

What if your CEO simply thinks it's a great joke to share his password with all his golf buddies?

What if your front desk receptionist posts the CEO's password on a sticky note on her desk, because he's always asking her to print out his email so he can read it?

Never attribute to government conspiracy that which can be attributed to management incompetence.
Michael Dag
PostPosted: Fri Jul 19, 2013 12:21 am

http://blog.ted.com/2013/07/17/security-experts-on-the-nsas-real-problems/

it's not me... experts say they can see and hear all...
_________________
Michael
MQSystems Facebook page
Michael Dag
PostPosted: Fri Jul 19, 2013 12:29 am

mqjeff wrote:
What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ?

Suppose this is true: where did they get them from? It would make a joke of these public supercomputer lists, to begin with... Secondly, the technology must have come from some big vendor; this you don't build in a garage...

The only viable option for cracking everything on the fly is a master key. I am open to other suggestions, but I don't believe the bigger, better technology story... as it would make fools or collaborators of all big technology vendors.
_________________
Michael
MQSystems Facebook page
mqjeff
PostPosted: Fri Jul 19, 2013 12:33 am

Michael Dag wrote:
mqjeff wrote:
What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ?

Suppose this is true: where did they get them from? It would make a joke of these public supercomputer lists, to begin with... Secondly, the technology must have come from some big vendor; this you don't build in a garage...


You seem to underestimate the NSA's garage. Remember, these are people who build satellites.

This is not at all an unreasonable hypothesis. If you remember all of the US policies on security export restrictions, where no software that could use keys bigger than X was legal....
Michael Dag
PostPosted: Fri Jul 19, 2013 12:47 am

mqjeff wrote:
Michael Dag wrote:
mqjeff wrote:
What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ?

Suppose this is true: where did they get them from? It would make a joke of these public supercomputer lists, to begin with... Secondly, the technology must have come from some big vendor; this you don't build in a garage...


You seem to underestimate the NSA's garage. Remember, these are people who build satellites.

This is not at all an unreasonable hypothesis. If you remember all of the US policies on security export restrictions, where no software that could use keys bigger than X was legal....


So I guess that brings us back to the Sneakers scenario: they have some piece of hardware so smart that it can crack everything on the fly...

corrected Secrets to Sneakers
_________________
Michael
MQSystems Facebook page
mqjeff
PostPosted: Fri Jul 19, 2013 1:05 am

Too Many Sneakers.
exerk
PostPosted: Fri Jul 19, 2013 1:44 am

It's all moot anyway - 'they' (the government) can serve a court order that requires you to relinquish the key, and they can do it in camera so that no publicity ensues.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
PostPosted: Fri Jul 19, 2013 5:12 am

Michael Dag wrote:
collaborators of all big technology vendors.


Of course no technology vendor would participate in a project to build super-size computer hardware just because the NSA offered them a multi-billion dollar contract due to the ethical questions of what they'd use the hardware for.

I also wonder what all the 50 Shades Of Blue IBM chess-playing supercomputers that the US government bought are doing. Officially they were purchased to "model underground nuclear testing in real time" and save the expense of actually detonating bombs; how many computer-generated explosions does the US government need? They must have some down time, and there's no real difference between cracking SSL and cracking a Sudoku.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
PostPosted: Fri Jul 19, 2013 5:15 am

Vitor wrote:
...there's no real difference between cracking SSL and cracking a Sudoku.

Except that sometimes Sudoku can be harder
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
PostPosted: Fri Jul 19, 2013 5:21 am

mqjeff wrote:
What if the NSA has actually hired your CEO's secretary on the sly to use his login to give them wide open access to any data they want to get?

What if your CEO simply thinks it's a great joke to share his password with all his golf buddies?

What if your front desk receptionist posts the CEO's password on a sticky note on her desk, because he's always asking her to print out his email so he can read it?


I feel all 3 of these scenarios are perfectly plausible. In any security scenario it's the people who are the weak link.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
PostPosted: Mon Jul 22, 2013 5:22 am

I gather from responses here that there is little interest in bringing this subject to the attention of management. Your organization will take no action to improve security?

Your organization will not even contemplate the risk of data capture and disclosure?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
PostPosted: Mon Jul 22, 2013 5:44 am

bruce2359 wrote:
I gather from responses here that there is little interest in bringing this subject to the attention of management. Your organization will take no action to improve security?

Bruce, please define what you mean by '...improve security...'. At my current organisation they're pretty much as secure as they can be in terms of business data etc., but if a government body serves up a legally binding request for that data just what is 'secure'?

bruce2359 wrote:
Your organization will not even contemplate the risk of data capture and disclosure?

I have an encrypted password vault, to which (as far as I am aware) I am the only person to possess the master password and private key necessary to access the vault. Should my duly-elected government think I am up to something nefarious it is a criminal offence for me to not provide the master password and private key should it be requested of me - provided of course that request is contained within a duly authorised court document.

However, I store nothing in the cloud as I don't know where (geographically) it's stored, and some countries have a more 'relaxed' relationship with their governments when it comes to handing over data etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Page 1 of 2