
How is SSL broken when many different ciphers can be used?



Bruce Schneier recently suggested that encryption-the-math wasn't broken so much as encryption-the-implementation. The math is pure, abstract, and pristine, but the implementation is not. Hacks, lies, and backdoors. He strongly hinted not to trust anything you can't see the source for.


Do you suppose that a government team "responsible for identifying, recruiting and running covert agents in the global telecommunications industry" might be able to steal a private key from one of Google's many data centers? Without forward secrecy, the theft need not even go undetected for it to be useful for decrypting all the data that has been stored.

Or perhaps the Bullrun project had something to do with Bull Mountain, Intel's random number instruction (RDRAND), which was used by the Linux kernel for a while as a primary source of entropy (causing Matt Mackall to resign as maintainer of /dev/random, later reverted by Ted Ts'o). If RDRAND is indeed compromised, then keys generated on a machine that trusted RDRAND would have very low effective entropy for anyone knowing the secret. How confident are you that proprietary systems do not trust RDRAND or have other backdoors that could compromise their available entropy? (That could be an interesting reverse-engineering project.)

Whether or not there is any truth to either of these scenarios, I think they can no longer be considered conspiracy theory paranoia, and indeed have entered the realm of downright plausible.

https://www.eff.org/deeplinks/2013/08/one-key-rule-them-all-...

https://news.ycombinator.com/item?id=6336505

http://thread.gmane.org/gmane.linux.kernel/1173350/focus=117...
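An added example, not part of the comment above or of any project it mentions: a check for the forward-secrecy point, listing the cipher suites in a TLS configuration whose key exchange is not ephemeral, so that a stolen server private key would decrypt recorded sessions. The function names and the sample suite list are constructed for illustration.

```python
import ssl

# OpenSSL-style name prefixes whose key exchange is ephemeral (EC)DH.
# ADH/AECDH are ephemeral too, but anonymous (no server authentication).
OPENSSL_EPHEMERAL = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")
# IANA key-exchange tokens (the part between "TLS_" and "_WITH_").
IANA_EPHEMERAL = ("ECDHE", "DHE", "DH_ANON", "ECDH_ANON")


def has_forward_secrecy(suite: str) -> bool:
    """Classify a cipher suite name by whether its key exchange is ephemeral."""
    name = suite.strip().upper()
    if name.startswith("TLS_") and "_WITH_" in name:
        # IANA TLS <= 1.2 name, e.g. TLS_RSA_WITH_AES_128_GCM_SHA256
        kx = name[len("TLS_"):name.index("_WITH_")]
        return kx.startswith(IANA_EPHEMERAL)
    if name.startswith("TLS_"):
        # TLS 1.3 name (TLS_AES_128_GCM_SHA256): the suite names no key
        # exchange; certificate handshakes always use ephemeral (EC)DHE.
        return True
    return name.startswith(OPENSSL_EPHEMERAL)


def audit(suites):
    """Return the suites that offer no forward secrecy, in input order."""
    return [s for s in suites if not has_forward_secrecy(s)]


def audit_context(ctx: ssl.SSLContext):
    """Same check over the suites an SSLContext has enabled."""
    return audit(c["name"] for c in ctx.get_ciphers())


# Constructed sample: a server cipher list mixing both kinds of key exchange.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",           # TLS 1.3
    "ECDHE-RSA-AES128-GCM-SHA256",      # ephemeral ECDH, RSA only signs
    "DHE-RSA-AES256-SHA",               # ephemeral DH
    "AES128-SHA",                       # RSA key transport
    "ECDH-RSA-AES128-SHA",              # static ECDH
    "TLS_RSA_WITH_AES_128_GCM_SHA256",  # IANA spelling of RSA key transport
]

if __name__ == "__main__":
    print("sample, no forward secrecy:", audit(SAMPLE))
    print("local default context:", audit_context(ssl.create_default_context()))
```
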



