[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH
Isaac (.ike) Levy
ike at blackskyresearch.net
Sun Jun 16 22:20:18 EDT 2013
On Jun 16, 2013, at 8:09 PM, George Rosamond <george at ceetonetechnology.com> wrote:
> I don't know if there's more to this, but this may be the important part:
> The response of the federal government is: "Yes, the technology used is
> generally in a position, depending on the type and quality of the
> What? Key length? Encryption type? Password strength?
> My feeling has always been that an adversary with sufficient resources
> and high enough stakes can break anything.
I believe you forgot 1 element, enough time, (time offset by greater resources, of course).
I mean, theoretically, how fast do folks think Google could brute-force a 4096 bit RSA ssh key? or a 1024 bit DSA key? (or an 8 bit ECDSA key haha?)
Even if it's faster, with ma$$ive resources thrown at "high value targets", it's still got to take a quantifiable amount of time- which could mean something in the context of the reason to throw the resources at it...
> If you're Jane Q Nobody crossing a border, and they image your drive and
> there's cipher text that's hard to crack, I doubt they devote the
> resources. But if you're a priority target, I'm sure they would and
> ultimately could.
> Passwd strength is usually the weak link though, not the encryption itself.
Agreed, and frustrating.
(It's always a last-mile problem- perhaps the true nature of understanding scale are found in the last mile problems.)
More information about the talk