[nycbug-talk] Hot Story: German Gov. intelligence agencies decrypt PGP, SSH

Isaac (.ike) Levy ike at blackskyresearch.net
Sun Jun 16 22:20:18 EDT 2013

On Jun 16, 2013, at 8:09 PM, George Rosamond <george at ceetonetechnology.com> wrote:

> I don't know if there's more to this, but this may be the important part:
> <quote>
> The response of the federal government is: "Yes, the technology used is
> generally in a position, depending on the type and quality of the
> encryption."
> </quote>
> What?  Key length?  Encryption type?  Password strength?
> My feeling has always been that an adversary with sufficient resources
> and high enough stakes can break anything.

I believe you forgot 1 element: enough time (time offset by greater resources, of course).

I mean, theoretically, how fast do folks think Google could brute-force a 4096-bit RSA SSH key?  Or a 1024-bit DSA key?  (Or an 8-bit ECDSA key, haha?)

Even if it's faster, with ma$$ive resources thrown at "high value targets", it's still got to take a quantifiable amount of time, which could mean something in the context of the reason to throw the resources at it...

> If you're Jane Q Nobody crossing a border, and they image your drive and
> there's cipher text that's hard to crack, I doubt they devote the
> resources.  But if you're a priority target, I'm sure they would and
> ultimately could.
> Passwd strength is usually the weak link though, not the encryption itself.

Agreed, and frustrating.
(It's always a last-mile problem; perhaps the true nature of understanding scale is found in the last-mile problems.)

