German Gov is able to decrypt PGP and SSH

German Gov is able to break PGP and SSH

www.golem.de

For the non-German speaking:

The official answer to some MPs and the party
"Die Linke" is here:
www.andrej-hunko.de...
eldeaufklaerung-durch-geheimdienste-des-bundes

On page 3 of the official document:

Question:
"3. Is the technique used also able to at least in part decode and/or
analyze encrypted communication (e.g. by SSH of PGP)?"
Answer: "Yes, the technique used is in principle able to do this, depending on
the way and quality of the encryption."

(visit the link for the full news article)


Related News Links:
osdir.com

In 2010 they found in 37,5 Million mails "suspicious" words...only 213 lead to activity of the BND (german CIA)...in 2009 they searched for 15.300 words, 3000 terror related, 13.000 WMD related and 300 related to human trafficing...

13.000 words about WMDs...i cannot imagine how many words non related were in this list...good old double-speak: "we are only looking for WMDs.." srsly?




www.golem.de
(visit the link for the full news article)

I wonder how many flags came up about people looking for information on Fukashima, when they used words like nuclear, disaster, uranium, plutonium, radiation, fallout, and the like.......oh crap!

Long ago, there was a PGP working group insider that claimed one of the team had 'cooperated' with authorities to include a predictable pattern that those same authorities could use to facilitate breaking the encryption... and intimated that there was no such thing as a truly 'unbreakable' encryption because all the encryption working groups and all the commercial developers had, in effect, "sold out."

Of course, that was long ago... so it does not surprise me that this could be true.


I have said it before; I will repeat myself. If you are an important target - you cannot avoid being scrutinized - once you are found. And if they want you badly enough, they will find you.

As for the rest of us innocent bystanders; we just don't want to get caught up in the increasingly wider net they trawl with. Why? Not because we have anything to hide, but because at some point, our business is supposed to be "our" business ... not theirs.

The matter is rather simple.

There is no such thing as unbreakabke encryption.

Encrypting something only makes sense if there does exist a way to decrypt it.

Except certain exploit based attacks, such as WEP which has a built in flaw, it boils down to basically one thing, and that is computing power.

Even if your hash is 512 bit, when I can randomly create terabytes of hashes a minute and throw them at the encryption it's only a matter of time until I get one that fits.

Check out this older article here, already two years old, but the trend goes to using GPU's for cracking encryption algorithms. CLICK

Total Time for Search If You're Churning Through 28 Million Passwords/Second (Current benchmark for a common i7 intel 64bit CPU)

reply to post by Maxmars


can you look for that source, would be very nice =)

All of which points to password length instead of password character sets used best keeps encrypted data secure.

I really don't understand this problem. If you have secure data and that data is mission critical or highly illegal or life ending, then a 22-26 multi-character password - yes all those $, + and ~ keys - isn't too much to ask to memorize and toss n change every so often.

Originally posted by H1ght3chHippie
The matter is rather simple.

There is no such thing as unbreakabke encryption.

Encrypting something only makes sense if there does exist a way to decrypt it.

Except certain exploit based attacks, such as WEP which has a built in flaw, it boils down to basically one thing, and that is computing power.

Even if your hash is 512 bit, when I can randomly create terabytes of hashes a minute and throw them at the encryption it's only a matter of time until I get one that fits.

Check out this older article here, already two years old, but the trend goes to using GPU's for cracking encryption algorithms. CLICK

As I'm sure you know, the ability to effectively use a GPU to crack an encryption depends on the encryption algorithm. Scrypt, for example, is quite resistant to GPU hashing. Also, the article references PGP and not gpg. PGP uses the proprietary IDEA algorithm, whereas gpg uses RSA, ECDSA, and AES. I think if you stick with RSA or ECDSA 2048+, you'll be fine. It's probably also worth mentioning that you can go past the 4096 ceiling in gpg by making a few mods to the source before compiling.

The current RSA factorization record is for a 768-bit integer, announced in December 2009. It took four years and involved the smartest number theorists currently living on Earth, including Lenstra and Montgomery, who have somewhat god-like status in those circles. I recently learned that the selection of the parameters for a 1024-bit number factorization has begun (that's the "brainy" part); the sieving is technically feasible (it will be expensive and involve years of computation time on many university clusters) but, for the moment, nobody knows how to do the linear reduction part for a 1024-bit integer. So do not expect a 1024-bit break any time soon.

Right now, a dedicated amateur using the published code (e.g. Msieve) may achieve a 512-bit factorization if he has access to powerful computers (several dozens big PC, and at least one clock full of fast RAM) and a few months of free time; basically, "dedicated amateur" means "bored computer science student in a wealthy university". Anything beyond 512 bits is out of reach of an amateur.

Why is this even news? It's common knowledge that most governments do not even allow the continued existence of PGP or similar type encryption without the ability to obtain and use a key if it's thought they have national security sensitive material they need to examine. It's very illegal in most places to develop encryption that the government cannot break.

Originally posted by JohnPhoenix
Why is this even news? It's common knowledge that most governments do not even allow the continued existence of PGP or similar type encryption without the ability to obtain and use a key if it's thought they have national security sensitive material they need to examine. It's very illegal in most places to develop encryption that the government cannot break.

Proprietary encryption, like PGP, is only available to US citizens, and countries that the US has authorized to receive the proprietary encryption algorithms. Open-source encryption, such as gpg and ssh, are completely legal and available to anyone and everyone. They are also more secure than their proprietary counterparts. Only capturing the pass-phrase of the secret key, or using brute-force hashing will break those. See my previous post for information about the current state of brute-force hashing.

Also, I'm quite sure you are mistaken about it being illegal to develop encryption technology in most countries. If you can provide specific laws to the contrary, I would be very interested in reading those.

Originally posted by draco49

Proprietary encryption, like PGP, is only available to US citizens, and countries that the US has authorized to receive the proprietary encryption algorithms. Open-source encryption, such as gpg and ssh, are completely legal and available to anyone and everyone. They are also more secure than their proprietary counterparts.

OS encryption is considered more secure but sines I have never seen anyone due diligence an entire set of open source encryption code - and if they had, that would be one code and that code only not all codes.

Originally posted by draco49

Also, I'm quite sure you are mistaken about it being illegal to develop encryption technology in most countries. If you can provide specific laws to the contrary, I would be very interested in reading those.

Gosh, there are many including China which require government oversight and or permission to do so.

Originally posted by AlchemicalMonocular
OS encryption is considered more secure but sines I have never seen anyone due diligence an entire set of open source encryption code - and if they had, that would be one code and that code only not all codes.

I believe the the RSA and EFF have both conducted full audits of the most popular O/S algorithms. I'll see if I can dig up the studies and post them here. Also, encryption hacking is attempted every year at DEFCON, and as far as I know, nobody has ever been successful.

Gosh, there are many including China which require government oversight and or permission to do so.

I could be mistaken, but even in China accessing and utilizing O/S encryption is permitted, and I believe they consider development benign (at least until it becomes a viable product). I know for a fact that the Great Firewall does not restrict access to O/S encryption software an encryption research.

Originally posted by Hessdalen
reply to post by Maxmars

 

can you look for that source, would be very nice =)

edit on 24-5-2012 by Hessdalen because: mindcontrol

I will try...

reply to post by Hessdalen


Just as a point of interest, there was much talk of "back dooring" encryption countless times over the years. In fact, as I used to develop using a particular cryptographic (at the time) activex object, then the wrapper for .NET...there was talk from the developer that he was going to be forced to change his activex to support law enforcements requirement to provide such back doors.

While, the FBI's, CIA's, (likely also) the BND's official stance is that they have not forced these policies on anyone, do we honestly believe they aren't "backdoor" policies themselves and already being done?

I personally believe they don't NEED to find a way to decrypt communications, I believe it has been being done all along and they need a way to come clean about it.....the article you linked is a great first way to come clean.

Just as an example of some backpedaling by the US Administration....here is a snip of an article from 2010 on CNET:

The Obama administration will seek a new federal law forcing Internet e-mail, instant-messaging, and other communication providers offering encryption to build in backdoors for law enforcement surveillance, The New York Times reported today. Communication providers, apparently including companies that offer voice over Internet Protocol (VoIP) services, would be compelled to reconfigure their systems so that police could be guaranteed access to descrambled information. Encryption image It could become illegal for a company to offer completely secure encrypted communications--through a protocol such as ZRTP, for instance--if its customers held the keys and the provider did not. Valerie Caproni, the FBI's general counsel, stressed to the Times that agents would still need a court order to force providers to unlock encrypted data. "We're talking about lawfully authorized intercepts," Caproni said. "We're not talking expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security."

The above found here Report: Feds to push for Net encryption backdoors


And here, the (retraction?)

The FBI said today that it's not calling for restrictions on encryption without back doors for law enforcement. FBI general counsel Valerie Caproni told a congressional committee that the bureau's push for expanded Internet wiretapping authority doesn't mean giving law enforcement a master key to encrypted communications, an apparent retreat from her position last fall. "No one's suggesting that Congress should re-enter the encryption battles of the late 1990s," Caproni said. There's no need to "talk about encryption keys, escrowed keys, and the like--that's not what this is all about." Instead, she said, discussions should focus on requiring that communication providers and Web sites have legally mandated procedures to divulge unencrypted data in their possession.

Link for above FBI: We're not demanding encryption back doors


So, *I* think, they do for sure....but hey, that's just me.

Originally posted by AlchemicalMonocular
I really don't understand this problem. If you have secure data and that data is mission critical or highly illegal or life ending, then a 22-26 multi-character password - yes all those $, + and ~ keys - isn't too much to ask to memorize and toss n change every so often.

I've started playing with tools like Keepass and have been switching all passwords over to at least 30 character ones generated by the built-in generator.

I only have to remember one, which is over 30 characters, and I made use of an extra "key" file to access all the others.

So far it's been working pretty well. Crazy long and convoluted passwords to everything.

As a side note, I broke ATS changing my password. It seems like the field for changing passwords accepts one number of characters while the field to enter the password accepts another so when I made the change, though the system approved it, entering it to log in was impossible. That's why I've cut lengths to 30.

Originally posted by alphabetaone

Just as a point of interest, there was much talk of "back dooring" encryption countless times over the years. In fact, as I used to develop using a particular cryptographic (at the time) activex object, then the wrapper for .NET...there was talk from the developer that he was going to be forced to change his activex to support law enforcements requirement to provide such back doors.

While, the FBI's, CIA's, (likely also) the BND's official stance is that they have not forced these policies on anyone, do we honestly believe they aren't "backdoor" policies themselves and already being done?

I personally believe they don't NEED to find a way to decrypt communications, I believe it has been being done all along and they need a way to come clean about it.....the article you linked is a great first way to come clean.

I think you may be confusing proprietary systems and open-source systems. Proprietary systems often do have back-doors, either at the request of whoever is paying for it, or by developers with over-inflated egos. It would certainly not surprise me in the least to know that some Microsoft technologies have back-doors integrated within them. But open-source is different. In an open-source system the source code is, well, open. That an environment of developmental transparency which would automatically preclude the inclusion of a back-door. If one was put in, it would be discovered and patched by the community. That's also one of the reasons why proprietary applications, such as Microsoft products, are generally garbage. They employ a limited number of developers, which equates to a limited amount of brain-power, and they have a primary responsibility to their employers as opposed to the advancement of the software.

reply to post by draco49


No, honestly, I understand the difference....my comment was not so much on the technical aspect of encryption development, but on the various 3 letters agencies desire to actually backdoor them.

I was simply using my own experiences as an example of their ongoing effort to do so

Our government has a "master key" for gpg and pgp too, but it ONLY works with gnupg versrions higher than gnupg-w32cli-1.2.2 . How do I know this? Well, I use gpg encryption in my current job all the time. It is 2048 bit ElGamel encryption that is done through the commandline. For some of the idiots I work with, I wrote a GUI front end completely using JAVA. Anyway, if you can find the version gnupg-w32cli-1.2.2 and use it, there will be no worries for the real paranoid person.

Ron Paul 2012