[32523] in North American Network Operators' Group


RE: Carnivore Update - Washington Post 11/21/00

daemon@ATHENA.MIT.EDU (Mathew Butler)
Mon Nov 27 05:24:54 2000

Message-ID: <F062E72E4BA2D4119F1700B0D03D205F39DA@MAIL>
From: Mathew Butler <mbutler@tonbu.com>
To: 'Philippe Landau' <lists@A-Z-Internet.com>, nanog@merit.edu
Cc: Eric Murray <ericm@lne.com>
Date: Mon, 27 Nov 2000 02:13:36 -0800
Errors-To: owner-nanog-outgoing@merit.edu


The _NSAKEY symbol in Windows does not affect the keys used or generated for
WinInet() or CryptoAPI calls.

128-bit open source is subject to a license exception, and can thus be
examined to a fare-thee-well.

I agree that the closed-source nature of the CryptoAPI (and thus, crypto
smart cards, and the underlying crypto libraries) is detrimental to its
security evaluation.  Thus, I am unwilling to state categorically that it is
a secure implementation.

But, Carnivore doesn't have the capability of decrypting anything, merely
decoding the packet headers.  It can capture all traffic by a suspect,
including the SSL-encrypted payload; however, this means that the full
protocol exchange must be analyzed and cracked, and any session
renegotiations must be analyzed and cracked as well.

SSLv2 was (and is) insecure.  Now that the RSA patent has fallen out of
protection, it's going to be more possible to use open-source (and other)
software that implements SSLv3 and TLS1.0; regardless, old standards die
hard.

However, I could get into a debate over whether 'self-signed certificates
are insecure'.  This is not the place.

Just clearing up some misapprehensions,

-Mat Butler

-----Original Message-----
From: Philippe Landau [mailto:lists@A-Z-Internet.com]
Sent: Thursday, November 23, 2000 1:26 PM
To: nanog@merit.edu
Cc: Eric Murray
Subject: Re: Carnivore Update - Washington Post 11/21/00



>> of course carnivore has no problem decrypting SSL.
>Source, please.
(this seems obvious for the still widely distributed 40 bit versions.
there are many sources discussing the NSA key in windows
and apple is likely to have implemented similar backdoors.
there could be a reason why 128 bit SSL encryption has
been approved by the US for export in december 1999.
the question is if we have to prove they can decrypt SSL communications
or if the government agencies have to show they can't
(don't hold your breath).
how strong 128 bit encryption is is another question.)
this discussion is probably getting off-topic on this list.
i have just received some thoughts about it from security expert
Eric Murray and while he is less pessimistic, please see below.

kind regards     philippe, http://A-Z-Internet.com

            --- *** ---
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive14/0158.html
http://www.mail-archive.com/cryptography-digest%40senator-bedfellow.mit.edu/msg02375.html
http://www.tinhat.com/surveillance/code_breaking.html
SSL Server Security Survey - A random sample of 8081 different secure web
servers (servers running the SSL protocol) in active use on the Internet
shows that 32% are dangerously weak. These weak servers either support only
the flawed SSL v2 protocol, use too-small key sizes ("40 bit" encryption),
or have expired or self-signed certificates. Data exchanges with all types
of weak servers are vulnerable to attack. 
http://www.meer.net/~ericm/papers/ssl_servers.html

            --- *** ---
On Thu, Nov 23, 2000 at 08:55:52PM +0100, Philippe Landau wrote:
> Hello
> 
> Is there a possibility that a government 
> has a backdoor to decrypt SSL communications ?
> 
> kind regards     philippe, http://A-Z-Internet.com

Yes it is possible, in the code that calls SSL.   It's not very possible
in the SSL protocol itself since that has been well investigated by
security researchers.

It's a little more possible in open-source SSL implementations
but still not very likely.  It's most possible in closed-source
implementations, where the code that calls SSL is
only known to the author(s).  A backdoor that say reduced the
entropy going into session keys would be difficult to detect--
even decompiling the code and stepping through it might not show it.

-- 
  Eric Murray           Consulting Security Architect         SecureDesign LLC
  http://www.securedesignllc.com                            PGP keyid:E03F65E5
