[Discuss] Encrypt Everything?

markw at mohawksoft.com markw at mohawksoft.com
Thu Sep 12 16:52:19 EDT 2013


>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Jerry Feldman
>>
>> The main issue is that assuming you encrypt all your outgoing emails,
>> and most of your respondents encrypt email to you if someone with enough
>> compute power wanted to decrypt your emails they can do it. And,
>> essentially it comes down to the cost vs reward. So, the federal
>> government has the resources but very few criminal enterprises would
>> invest that much for us.
>
> "enough compute power" is basically a millenium of the entire energy
> output of our sun.  If you're using strong encryption, which is a given.
> There isn't any implementation of weak encryption supported in email
> encryption anymore - only weak key management.  Not even the government
> has the compute power to decrypt (in general) something you encrypted with
> a modern digital ID and S/MIME.  (The lowest key strength startcom will
> accept is 2048 bit RSA, and they recommend 4096 bit).

Yes, well that assumes a lot of things that I would have assumed a few
months ago and no longer trust.

Random number generators may be more predictable than we once thought,
specifically if the NSA has artificially limited there effectiveness. We
know SHA1 has been broken. We know that MD5 is long gone. We know that
SHA2 may be close to being broken.

Those are the most expensive methodologies. If as hinted by the Snowden
info, the NSA has surreptitious weakened encryption "systems" you may have
a far less encrypted data stream than you expect.

For instance, most software engineers and even the more experienced ones,
cryptography takes a lot of "in brain ram" knowledge to understand what's
going on. It would be fairly strait forward to artificially limit the size
and diversity of the "shared secret" generated in an SSL system to a known
quantity of testable secrets that could never be detected by anyone's QA
department. If the NSA had a list of known secrets, i.e. say 1,000,000
possible secrets out of 2^1024 then it would make quick work of any
encrypted application as long as both sides have been modified.

We trust that a lot of the software we use "works" as we expect it does.
The Snowden story should make us question these trusts.



> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>





More information about the Discuss mailing list