| Author |
Message
|
| bruce2359 |
 Posted: Thu Jul 18, 2013 12:53 pm Post subject: What if CAs give our digital certs to the NSA? |
 |
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
As more details surface about the NSA snooping on phone calls, email, and data communications, we need to ponder if and where our organizations are exposed.
The foundation of our WMQ security environment is digital certificates. Theory has it that my private key is private as long as I don't share it. What if, under a(nother) secret court order, our trusted CAs deliver our certs to the government? Are our secrets safe now? Will they be in the future?
Is NSA snooping a subject of discussion at your shop? Have you brought this subject to management?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Jul 18, 2013 7:41 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Did not know you had so much to hide...
Anyways your communications are only as secure as the keys you have.
If the CA give your public key to the NSA, and the NSA has the public key of your counterpart, a number of things can be looked at...
However
If you use the public key to encrypt the data exchange key, only the private key is supposed to be able to decrypt this.
AFAIK the SSL key exchange goes....
Send encrypted by private key and flow public key => anybody with public key can decrypt
On response get public key of counterpart
Use public key of counterpart to encrypt data key => only counterpart is supposed to be able to decrypt data key
counterpart will use your public key to encrypt datakey => only you can decrypt.
Think about "man in the middle attack".
Have fun. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Michael Dag |
| Posted: Thu Jul 18, 2013 11:41 pm Post subject: |
|
|
Jedi Knight
Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)
|
Seen Sneakers?
it seems the NSA is able to snoop and tap wherever they want and leads me to believe sometimes and hopefully NOT true is that they have some SSL master key...
in the meantime we think we are safe using encryption and CA's make a lot of money every year...
_________________
Michael
MQSystems Facebook page
Last edited by Michael Dag on Fri Jul 19, 2013 12:51 am; edited 1 time in total |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jul 19, 2013 12:08 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ?
What if the NSA has actually hired your CEO's secretary on the sly to use his login to give them wide open access to any data they want to get?
What if your CEO simply thinks it's a great joke to share his password with all his golf buddies?
What if your front desk receptionist posts the CEO's password on a sticky note on her desk, because he's always asking her to print out his email so he can read it?
Never attribute to government conspiracy that which can be attributed to management incompetence. |
|
| Back to top |
|
|
| Michael Dag |
| Posted: Fri Jul 19, 2013 12:21 am Post subject: |
|
|
Jedi Knight
Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)
|
|
| Back to top |
|
|
| Michael Dag |
| Posted: Fri Jul 19, 2013 12:29 am Post subject: |
|
|
Jedi Knight
Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)
|
| mqjeff wrote: |
| What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ? |
suppose this is true, where did they get them from? would make a joke of these public super computer lists... to begin with... secondly the technology must have come from some big vendor, this you don't build in a garage...
only viable option for cracking everything on the fly is a master key, i am open to other suggestions, but don't belief the bigger better technology... as it would make fools or collaborators of all big technology vendors.
_________________
Michael
MQSystems Facebook page |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jul 19, 2013 12:33 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Michael Dag wrote: |
| mqjeff wrote: |
| What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ? |
suppose this is true, where did they get them from? would make a joke of these public super computer lists... to begin with... secondly the technology must have come from some big vendor, this you don't build in a garage.. |
You seem to underestimate the NSA's garage. Remember, these are people who build satellites.
This not at all an unreasonable hypothesis. If you remember all of the US policies on security export restrictions, where no software that could use keys bigger than X were legal.... |
|
| Back to top |
|
|
| Michael Dag |
| Posted: Fri Jul 19, 2013 12:47 am Post subject: |
|
|
Jedi Knight
Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)
|
| mqjeff wrote: |
| Michael Dag wrote: |
| mqjeff wrote: |
| What if the NSA simply has bigger computers running better algorithms that can decrypt anything by brute force with keys less than 32768 kb ? |
suppose this is true, where did they get them from? would make a joke of these public super computer lists... to begin with... secondly the technology must have come from some big vendor, this you don't build in a garage.. |
You seem to underestimate the NSA's garage. Remember, these are people who build satellites.
This not at all an unreasonable hypothesis. If you remember all of the US policies on security export restrictions, where no software that could use keys bigger than X were legal.... |
so i guess that brings us back to the Sneakers scenario, they have some piece of hardware so smart that can crack all on the fly...
corrected Secrets to Sneakers 
_________________
Michael
MQSystems Facebook page |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jul 19, 2013 1:05 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jul 19, 2013 1:44 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
It's all moot anyway - 'they' (the government) can serve a court order that requires you to relinquish the key, and they can do it in camera so that no publicity ensues.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jul 19, 2013 5:12 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Michael Dag wrote: |
| collaborators of all big technology vendors. |
Of course no technology vendor would participate in a project to build super-size computer hardware just because the NSA offered them a multi-billion dollar contract due to the ethical questions of what they'd use the hardware for.
I also wonder what all the 50 Shades Of Blue IBM chess playing super computers that the US government bought are doing. Offically they were purchased to "model underground nuclear testing in real time" and save the expense of actually detonating bombs; how many computer generated expolosions does the US govenerment need? They must have some down time & there's no real difference between cracking SSL & cracking a Suduko.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jul 19, 2013 5:15 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Vitor wrote: |
| ...there's no real difference between cracking SSL & cracking a Suduko. |
Except that sometimes Sudoku can be harder 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jul 19, 2013 5:21 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
What if the NSA has actually hired your CEO's secretary on the sly to use his login to give them wide open access to any data they want to get?
What if your CEO simply thinks it's a great joke to share his password with all his golf buddies?
What if your front desk receptionist posts the CEO's password on a sticky note on her desk, because he's always asking her to print out his email so he can read it? |
I feel all 3 of these scenarios are perfectly plausible. In any security scenario it's the people who are the weak link.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Jul 22, 2013 5:22 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
I gather from responses here that there is little interest in bringing this subject to the attention of management. Your organization will take no action to improve security?
Your organization will not even contemplate the risk of data capture and disclosure?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jul 22, 2013 5:44 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| bruce2359 wrote: |
| I gather from responses here that there is little interest in bringing this subject to the attention of management. Your organization will take no action to improve security? |
Bruce, please define what you mean by '...improve security...'. At my current organisation they're pretty much as secure as they can be in terms of business data etc., but if a government body serves up a legally binding request for that data just what is 'secure'?
| bruce2359 wrote: |
| Your organization will not even contemplate the risk of data capture and disclosure? |
I have an encrypted password vault, to which (as far as I am aware) I am the only person to possess the master password and private key necessary to access the vault. Should my duly-elected government think I am up to something nefarious it is a criminal offence for me to not provide the master password and private key should it be requested of me - provided of course that request is contained within a duly authorised court document.
However, I store nothing in the cloud as I don't know where (geographically) it's stored, and some countries have a more 'relaxed' relationship with their governments' when it comes to handing over data etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
