How Encryption Programs can be attacked

How Encryption Programs can be attacked - Printable Version

+- Deep Politics Forum (https://deeppoliticsforum.com/fora)
+-- Forum: Deep Politics Forum (https://deeppoliticsforum.com/fora/forum-1.html)
+--- Forum: Science and Technology (https://deeppoliticsforum.com/fora/forum-11.html)
+--- Thread: How Encryption Programs can be attacked (/thread-11095.html)

How Encryption Programs can be attacked - Carsten Wiethoff - 26-07-2013

If you thought you could use encryption to be safe from NSA wiretapping, think again. The following paper details a very successful attack on GnuPG, based on measuring L3 cache accesses and recovering key information from these measurements. I quote from the conclusion:

Quote:[size=12]
It is hard to overstate the severity of the weakness in GnuPG. GnuPG is a very popular cryptographypackage. It is used as the cryptography module of many open-source projects and is used, for example,for email, le and communication encryption. With our attack, any process running on the system canextract private keys. Hence, GnuPG in its current form is not safe for a multi-user system or for any
system that may run untrusted code.
[/SIZE]

The paper is availabe here: http://eprint.iacr.org/2013/448

How Encryption Programs can be attacked - David Guyatt - 26-07-2013

Carsten Wiethoff Wrote:If you thought you could use encryption to be safe from NSA wiretapping, think again. The following paper details a very successful attack on GnuPG, based on measuring L3 cache accesses and recovering key information from these measurements. I quote from the conclusion:

Quote:[size=12]
It is hard to overstate the severity of the weakness in GnuPG. GnuPG is a very popular cryptographypackage. It is used as the cryptography module of many open-source projects and is used, for example,for email, le and communication encryption. With our attack, any process running on the system canextract private keys. Hence, GnuPG in its current form is not safe for a multi-user system or for any
system that may run untrusted code.
[/SIZE]
The paper is availabe here: http://eprint.iacr.org/2013/448

I've always assumed that freely available encryption packages could be hacked by the NSA and other government bodies. I also imagine that PGP can be broken too?

How Encryption Programs can be attacked - Carsten Wiethoff - 26-07-2013

David Guyatt Wrote:I've always assumed that freely available encryption packages could be hacked by the NSA and other government bodies. I also imagine that PGP can be broken too?

GnuPG, which is the subject of the article, is the most common implementation of PGP.
The described procedure can be used to attack any encryption program, not by cryptoanalysis, but by monitoring the running decryption program and analysing the steps it takes during decryption.

How Encryption Programs can be attacked - Magda Hassan - 26-07-2013

David Guyatt Wrote:I've always assumed that freely available encryption packages could be hacked by the NSA and other government bodies. I also imagine that PGP can be broken too?

There are bigger issues with proprietary software. At least with the Libre software there are thousands of people watching for the problems and working on the solutions. The hive mind. And we will hear about the problems. With the closed and commercial systems they may have a commercial interest in not letting their clients know there are big problems with their products (both loss of sales and share price valuation) and they don't have any where near the numbers of eyes looking at the issues that could go wrong and how to fix them. And software programs of any kind, proprietary or Libre can be hacked.

Nevertheless, what Carsten has posted is rather unnerving to say the least.

How Encryption Programs can be attacked - Peter Lemkin - 26-07-2013

Though not an expert on this [ask some trusted White Hat Hackers], it is my understanding from reading non-technical literature on this subject that most proprietary encryption software have 'NSA backdoors or keys'; as mentioned above, most PGP encryption can be unlocked and viewed by 'watching' how the computer is unencrypting it; and, that the only people one is hiding anything from are other mortals [rather than intelligence, especially electronic intelligence agencies - US and some others]. ONLY custom made very advanced huge prime number encrypted things are safe [sort of].....NSA and others can [if they devote the considerable computer power/time to it, with effort still decrypt almost all of them [and these are not your usual encryption algorithms]. Usually, they just store all encrypted messages, decrypt as they are storing the 'easy ones' [along with most of the unencrypted ones], and later can decrypt higher level encrypted ones if they are curious and/or suspicious. While they realize that some encrypt just to be 'cool'; encryption + political dissent/disagreements [as they define it] with 'the Empire' = a graded and greater level of attention and suspicion, often. Its back to written letters, furtively exchanged hand to hand (and using dead drops, etc.), if you really have something secret to pass on to someone else.....The only thing going for us, is they do not have the time or manpower to look at everything and everyone - although they collect everything from everyone [if they need to 'go back' and look/listen]

Worship

Big Brother sees and hears all! Fascist Police State[s], spreading worldwide, with the NSA and its sister agencies well in the lead.....