Wikileaks have just released three insurance files

Originally posted by Maxatoria
Looking at the key size needed to brute force aes-256 i doubt that even the NSA has the pew to decode it by brute force but i'd imagine they'll slap a spare rig to have a go just in case they get lucky while probably using more normal techniques to see if they can get the keys from one of the people who must have it

Any enemy that tried to decode the blobs will probably be unsuccesful. They could be lucky of course and in theory might succeed on first try, but the odds are overwhelmingly against it. Firstly, they would need to know which algorithm to try - it is perfectly feasible to state that some blob is encoded using some encryption algorithm whilst you have used another. Then there is the possibility that the encrypting party used layers of encryption e.g. encrypted the message using some algorithms and key, then do the same to the result using another algorithm and key etc. It may even be that the largest blob they put on-line is an encrypted one time pad, needed to decrypt what is left after decrypting the smaller blobs. Perhaps the Wikileaks people have encrypted their blobs employing shared secrets, in which case nobody has the full key(s) in his posession and you'd need at least n out of m people to recreate the key to use to restore the original message.

These are all known and valid practices and the tools do to all this are freely avaialable. The NSA and other "secret" services know all this, of course, so they already know that, regardless computing power, anybody that wants to keep a on-line secret a secret - can. Hence they apply other forms of intelligence and other methods to obtain the messages. Asking a person what the message was he received is mostly a far better method than trying to decrypt an even moderately well encrypted message.

Originally posted by StargateSG7
Actually AES-256 IS NO LONGER SECURE because there are now newer software methods
to FACTOR the large integers used to create public and private keys or the intermediate
encrypt/encrypt keys.

You seem to confuse symmetric and public key encryption. AES-256 is a symmetric algorithm: you need a key to encode the message and the very same key to decode it. Public and private keys are used by other algorithms, asymmetric aka public key algorithm. Two (very) large primes are involved, from which two related keys are created: one to encode the message, another to decode the message. It is infeasible to compute the private key from the public key, though it is much easier to do than reverse engineer an AES symmetric key. Hence longer key lengths are required to make public key encrypted messages as safe as symmetric key encrypted messages.

Considering your remark about AES-256 being no longer secure: there are no indications whatsoever that that is true. There were some flaws found in the algorithm which have the effect of reducing the security somewhat - comparable as if you had used a few bits less in the key length. But nothing even remotely suggests that AES is 'broken'. Also, in 2011, an algorithm was demonstrated that could break AES in about a quarter of the time needed by a brute force attack. But you'd still need roughly 200 times the time that the Universe exists to crack but one AES256 key.

Of course, one could use side-channel attacks to break the AES key, but that requires you to have access to the computers on which the encoding/decoding is done. If you have just the AES encrypted messages, these 'side channel attacks' won't do you much good.

Elliptic curve estimation or estimation of the output of fractals could be used to ESTIMATE the sequence of iterative numerical equations and their source factors/multipliers to create an estimated series of integers that could represent the POSSIBLE encyrpt/decrypt keys of the insurance file. There are a number of modern papers that outline using these methods AND more which COULD BE USED to break the insurance file.

I must admit that even after reading your remark a number of times, it still does not make much sense to me. I'd be happy to learn which papers you are refering to. I am well aware of elliptic curve cryptography, which is a faster, less resource demanding and can offer better security with the same key lengths, but have never heard of a way to break AES256 keys using elliptic curves.

As a final remark: whatever algorithm you use to encrypt a message, to know that you broke the key you must be able to detect that you have the plain text message. If my message consists of say 1000 totally random bytes, and I were to encode them with whatever commonly used algorithm - even a weak one - you would not be able to decode the message. Or, to be exact: you would be able to decode it, but would not know you succeeded. The wikipedians may have choosen to use say Twofish instead of AES, or layered encryption, or shared key encryption, or all, in which case it is not only ifeasible, but impossible to extract the message, unless you knew all keys and algorithms and the sequence in which they should be employed.

All in all you seem to be either unclear in your utterings, misinformed or both. However, I will gladly stand corrected if you are able to support your opinions with proof.

reply to post by ForteanOrg


Good post. I had a similar thought reading the an earlier post. Not all encryption is done by the same method and the integer factoring didn't seem to apply. symmetric versus asymmetric.

reply to post by Rosinitiate

It's a game silly.....there would be no need for insurance if the all the cards were on the table. All WL has done is provide false hope.....hmmm.....I wonder why?

Yeah well....i very much doubt a certain Mr. Hastings would agree.

reply to post by MrInquisitive


It isn't making much sense is what is getting me. Why release these now? Where did they come from? Assange may just find himself taken out of a National Embassy and perp walked down the street to his shock and horror with a stunt like this. VERY stupid in my opinion. This hadn't even occurred to me until this morning, but consider something.

Ecuador's Embassy is safe haven. Indeed. He can't be touched while inside it.....unless one thing changes. It wouldn't change of course because Ecuador isn't stupid. However, Assange? Well... I'm not saying he's stupid but his crusade to change the world and sign his name to the end result has clouded his vision BADLY before so it won't shock me to see it again.

If the Embassy is *ACTIVELY* involved in the collection, analysis and distribution of classified U.S. Intelligence that poses a threat to our National Security? I don't think the Diplomatic Conventions necessarily give him the Superman level of protection he imagines he has.

Only one thing...to blow it. He may have just done it.

** On Wikileaks itself? I check them once or twice a month in both open web and deep web versions of their site. Honestly? I haven't seen much new cross their website worth mentioning damn near back to the release of the War Logs. I'm not sure what the idea is here...but wherever so much stuff came from? I hope for Assange's sake, he didn't directly work with it from where he sits right now.

Originally posted by Thorneblood
Forgive me if i am wrong here, but didn't Snowden flee to Russia with 4 laptops worth of stolen data? Wouldn't that amount of information be equivalent to what's being released here?

edit on 17-8-2013 by Thorneblood because: (no reason given)

What exactly is 4 laptops worth of data? A laptop could have a 40 (or less) gigabyte drive or a 1 terabyte drive... A "laptops worth" is not any kind of relevant measurement... I could put 3 drives in my current laptop or just stick a 4TB drive in my backpocket (It wouldn't be very comfortable to sit down, but I could do it...) I do regularly carry a couple of 32 gig flash drives in my pocket and another 32gig in my phones microSD slot though.

Long story short, there is no way to relate this release to whatever Snowden might or might not have with him.

Originally posted by Maxatoria
Looking at the key size needed to brute force aes-256 i doubt that even the NSA has the pew to decode it by brute force but i'd imagine they'll slap a spare rig to have a go just in case they get lucky while probably using more normal techniques to see if they can get the keys from one of the people who must have it

In reference to the encryption software, If the government had the source code for the encryption software would it be able to reverse engineer a way to break any code. It is encrypted with a program and I would think if they had the software code that was used then they would know how to decrypt it? Is this how it works or do you need the key no matter what?

reply to post by jlafleur02


In encryption the best software is out in the public eye as the real geeks with propeller hats and pocket protectors as they'll be able to crawl over the maths and check it over

Originally posted by wrabbit2000
reply to post by MrInquisitive

 

It isn't making much sense is what is getting me. Why release these now?

Backup and media attention.

They want to make the impression that these files contain important data, which could be unlocked by simply releasing the key.

There are (much) more sophisticated methods to keep your data safe, but they involve complex algorithms and infrastructures like for example darknets and/or encrypted, superredundant cloud storage. Darknets reek of childporn and drug abuse and their complexity is not well understood by most (let alone their ethics).

But everybody understands how a simple encrypted file works. Hence many people will download the files and store them on various media. It is infeasible that the enemy is able to track down all downloads and remove them from the various media. So, their data will remain available if they need it, yet still is encrypted.

As said, there are better ways to achieve the same and I assume the WL people are aware of that. But by choosing a method understood by most and one that is more simple to match with your ethics they ensure both ample backup of their data and they draw much more attention than when they simply had stored their stuff on a darknet or in an encrypted cloud container. Which they probably do too.

Originally posted by Maxatoria
reply to post by jlafleur02

 

In encryption the best software is out in the public eye as the real geeks with propeller hats and pocket protectors as they'll be able to crawl over the maths and check it over

so no matter what you need the key. The source code of the program gives you nothing. I was just on Wikipedia and they have a good write up on AES encryption.
AES explained

reply to post by ForteanOrg

Yup.. I got all that part. It's why I'm still sitting on the original 2010 Insurance file I got from WL. Always will have it ....never opened and never see a key for it either. I have no doubt by this point.

I also got the key to open the other insurance file like everyone else...to get a peak at what they consider to be worth encrypting. That was so much junk and general garbage I was pissed off for having even spent the time to download the stupid thing. I see BETTER than that on Cryptome, let alone a couple others not so well known. That was a WL issued insurance file too...so, I'm not impressed anymore. I'm absolutely not.

Now where this came from seems a fair question. Assange has said great portions of data WL held before becoming the anti-war crusaders have been lost. That's a shame I feel sick over when I think about it. Part of what was 'lost' for the exclusive focus on turning WL anti-war were multiple hard drives ..not files.. WHOLE DRIVES from Bank of America executive computer systems ...or so WL claimed before it changed the way it did.

I guess my biggest beef is that Wikileaks WAS a very valuable resource to the world community. They USED TO BE a place that took sensitive or even black classified data and turned it public. Prior to their becoming anti-war crusaders, I checked their site almost daily to see what might have been added. It was addictive like Drudge report once was.

Then Assange had to change the whole world and go so Anti-US? Everything else he's built and done with that wonderful thing of his was lost and destroyed by it. His leaks didn't change the war outcomes...one ended on schedule (literally) and the other is still raging. It DID totally obliterate Wikileaks as anything BUT an Anti-US outlet to crusade from.

So much lost... SO DAMN MUCH potential gone along with the data they HAD...and we'll never see now. I hope it was worth it for whatever was gained. I still don't see anything that was. Not for what was lost in the process. He can keep his new files.... I really don't give a hoot what is in them, as the one I did see makes me wish I hadn't bothered that much.

*A little more blunt in this one than normal..but that subject of what he threw down the crapper for his personal crusade will always piss me off ... Someone took VERY large risks getting those drives to him in good faith and trust. To be wasted and nothing come of it.

Originally posted by jlafleur02

Originally posted by Maxatoria
reply to post by jlafleur02

 

In encryption the best software is out in the public eye as the real geeks with propeller hats and pocket protectors as they'll be able to crawl over the maths and check it over

so no matter what you need the key. The source code of the program gives you nothing. I was just on Wikipedia and they have a good write up on AES encryption.
AES explained

Correct. And when you employ layered encryption, you'd need more than one key. And when you use keysharing you'd need a given number of people from a larger set to (re)create the keys.

Hence, "security by obscurity" refers to what you should do to the keys (or the private key, at least) - not to the algorithms.

Encryption routines, including AES, are developed by individuals or groups and are submitted for peer review in order to discover holes or short comings. The level of security doesn't depend on the actual code being unknown to those who seek to break it.

There is a rule of thumb that encryption based on not knowing how it works usually in not good encryption.

394 GB ?????? is bloat of the lowest order - a real insurance dump only needs one document .

reply to post by kloejen


Negative.
It will not take them a month.
Try on the order of years.
Even with the latest and greatest.

reply to post by Maxatoria


Two words.

Quantum Computing.

reply to post by John_Rodger_Cornman


Well if they do have a working quantum computer then its game over for encryption as we understand it and time for the maths guys to try and find something else

reply to post by Maxatoria

I really doubt it at this point. Hopefully when it becomes a usable platform, the inventors will put in a back door for use against the NSA. Turnabout is fair play after all.

Sounds neat... but...

So far, none of the wikileaks "insurance" files or releases of secret data have blown my hair back. Sure, there are thousands of cables between US embassies and others casting a poor view of their neighbours and allies, but shocking? World changing? Sadly no. Just a kind of "told you so" feeling..

I, as I suspect many others on here, want "the shizzle". The Real Deal. We want the "X marks the spot" alien deal. Or Project LookingGlass. Or any of the esoteric technologies or other super secret conspiracy things we all dream of.

I really don't care about more US (or otherwise) govt cover-ups or corruptions - that's part and parcel of everyday news! I want aliens, tech, anti-grav, etc.

C'mon, Wikileaks - if this is just more crap vids of Apache's blowing up civvies or a terrible viral campaign for the upcoming Julian Assange flick - I'll be sorely disappointed.

Maybe i missed this already but where is Anonymous in all this?