[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH

Fabian Keil freebsd-listen at fabiankeil.de
Mon Jun 17 06:26:44 EDT 2013


George Rosamond <george at ceetonetechnology.com> wrote:

> Isaac (.ike) Levy:

> > A google translation says: "The federal government declared that its
> > secret services were basically able to decrypt PGP and Secure Shell,
> > at least partially."
> > 
> > http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http://www.golem.de/news/bundesregierung-deutsche-geheimdienste-koennen-pgp-entschluesseln-1205-92031.html
> >
> >  -- Apparently, GnuPG list and others merely have links to this
> > article, I haven't found anything more except links to this vague
> > original article.
> > 
> > Thoughts?  Is tomorrow morning's commute to work going to look like
> > that new Brad Pitt movie, *or*, are we looking at a dopey expose of
> > well-known widespread worst-practices in cryptographic
> > misunderstandings?
> 
> I don't know if there's more to this, but this may be the important part:
> 
> <quote>
> The response of the federal government is: "Yes, the technology used is
> generally in a position, depending on the type and quality of the
> encryption."
> </quote>
> 
> What?  Key length?  Encryption type?  Password strength?

Note that the question roughly translates to:

"Is the technology used also capable of, at least partly, decrypting
and/or analysing communication that is encrypted (e.g. by SSH or PGP)."

Obviously traffic analysis allows one to figure out the destination
of a vanilla ssh connection or OpenPGP-encrypted mail. Due to
the "or", the question can be truthfully answered with "yes",
even if nothing can be decrypted.

The "type and quality of the encryption" part could refer to
the use of Tor or remailers which would complicate things.

> My feeling has always been that an adversary with sufficient resources
> and high enough stakes can break anything.
> 
> If you're Jane Q Nobody crossing a border, and they image your drive and
> there's cipher text that's hard to crack, I doubt they devote the
> resources.  But if you're a priority target, I'm sure they would and
> ultimately could.

Germany has no "the constitution doesn't matter at the border" case law.
If your drive gets accessed at the German side of the border you already
are a priority target (and it's unlikely that the "accessing" would be
done by the BND).

> Passwd strength is usually the weak link though, not the encryption
> itself.

Sometimes it's the master key generation:
http://www.fabiankeil.de/gehacktes/geli-key-monitor/

Fabian