scary certificate for www.update.microsoft.com
igb at batten.eu.org
Mon Jun 18 22:26:39 BST 2012
On 18 Jun 2012, at 20:16, Peter Fairbrother wrote:
> Ben Liddicott wrote:
>> RSA is not in suite B either.
> A big trail of big suppositions follows. There may be nothing in it.
> Suppose GCQH have made a small theoretical improvement in factoring or breaking RSA, and NSA has built the hardware to do it - maybe enough for 200 1kbit keys per year.
> As many sites update their keys twice a year, suppose that NSA has the private keys to 1000 certificates at any time. Say 50 of these are used for spy stuff, and 500 are the keys are used to - unlock the 50 biggest https sites.
Presumably that's 100, 50, 50 not 1000, 50, 500.
> Now NSA can collect internet traffic because the President lets them, and GCHQ want access to raw internet traffic - after all, it's no good having the keys if you can't access the traffic, it's not usually sent by broadcast radio any more.
But how would this work in practice? Google roll their certificate over. Unless you can MITM the key immediately (ie, break RSA on demand) then you have to somehow make sure that traffic you collect is readable using a later factorisation. You need to hope that the website whose certificate you intend to factor doesn't supprt PFS. Oh dear: http://www.imperialviolet.org/2011/11/22/forwardsecret.html
> What better way to collect traffic than a comms bill like the proposed one?
But the moment there is the slightest suggestion that your hypothesis is true, PFS is there to thwart it. Spending £1.8bn on something to which there's a trivial counter-measure might rebound on the people asking for the budget.
More information about the ukcrypto