On Friday 18 Apr 2014 21:27:28 Dale wrote: > Mick wrote: > > On Friday 18 Apr 2014 19:08:21 Dale wrote: > >> I'm a little vague on some things but it seems the claim was that NSA > >> had some sort of backdoor that was built in from the beginning of the > >> project for encryption which sounded like it would include httpS and > >> others. Again, the details are fuzzy. I would say that I need to > >> bookmark this sort of thing but I already have so many bookmarks that it > >> is very hard to dig through them as it is. Adding more may be > >> counterproductive, yet again. > > > > I think that you are referring to their Dual_EC_DRBG (Dual Elliptic Curve > > Deterministic Random Bit Generator) which is/was used by RSA Security > > (not RSA > > > the algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman). > > http://www.computing.co.uk/ctg/news/2295881/rsa-warns-customers-against-nsa > -compromised-security-product# > > > I don't know if Schneier said, stay away from elliptic curve algos and > > use > > > symmetric keys instead, because of this. Others have tried to crack > > elliptic > > > curves and have not been successful - so one has to tread carefully. > > Given > > > the NSA/NIST and big corporates are all in it up to their neck, I > > would guess > > > that distrusting *everything* they have or could be behind is a healthy > > attitude to take at the moment. ;-) > > Well, I just wondered if it was true or not. If the NSA has some sort > of back hack then encryption to them is meaningless. Thing is, I don't > know if it is true or not. I wouldn't be surprised if it is for sure. > > I try to keep things as secure as I can and protect myself from the bad > guys but this sort of things makes me wonder if it really does much if > any good. If companies/governments have backdoor ways to get passed it, > then there is no way to know who else can use that too. All it takes is > for one employee/contractor with the knowledge to decide to sell out and > then the whole thing is compromised. > > Imagine if it were to come out that there is a backdoor key to all the > encryption that is currently in use. That would really throw a wrench > into the whole internet community. I just read that yet another store > has been hacked into and customer info stolen here in the USA. Waiting > to see it from a reputable source before getting to deep into it. > > Of recent, I have seriously thought of encrypting my /home partition. > I'm not a crook but like a guy said once in a TV interview, if a person > looks long enough and hard enough, they will find something then build a > career off building the rest. There are to many laws for anyone to > really be able to safely say they have never broken the law before. > > I thought I read that article on Linux Journal but I can't find it there > so it must have been somewhere else. < shrugs >
Encryption still works, at least for some attackers. The fact that burglars can pick locks doesn't mean that you should leave your door unlocked. FWIW I just checked my bank's website encryption ... they *still* use RC4!!! O_O I guess they are keen to make sure all these customers with WinXP and MSIE 7.0 can still login? For crying out loud! It seems that RSA's days may be numbered and elliptic curve cryptography would be the way forward, not because of resource constrained mobile devices, but also because of recent advances in crypto-analytics which may make RSA obsolete: http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/ -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
