Читать книгу Security Engineering - Ross Anderson - Страница 33

Bulk key theft and supply-chain tampering are not the only ways to defeat cryptography. The Xkeyscore training deck gives an example: “Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users”. VPNs appear to be easily defeated; a decryption service called Longhaul ingests ciphertext and returns plaintext. The detailed description of cryptanalytic techniques is held as Extremely Compartmented Information (ECI) and is not found in the Snowden papers, but some of them talk of recent breakthroughs in cryptanalysis. What might these be?

The leaks do show diligent collection of the protocol messages used to set up VPN encryption, so some cryptographers suggested in 2015 that some variant of the “Logjam attack” is feasible for a nation-state attacker against the 1024-bit prime used by most VPNs and many TLS connections with Diffie-Hellman key exchange [26]. Others pointed to the involvement of NSA cryptographers in the relevant standard, and a protocol flaw discovered later; yet others pointed out that even with advances in number theory or protocol exploits, the NSA has enough money to simply break 1024-bit Diffie-Hellman by brute force, and this would be easily justified if many people used the same small number of prime moduli – which they do [854]. I'll discuss cryptanalysis in more detail in Chapter 5.