Friday, September 06, 2013

NSA did it all!

N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.  Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.” 
“I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” 
"In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs," says one document. "It is the price of admission for the US to maintain unrestricted access to and use of cyberspace."
The New York Times says that it was asked not to publish the leaked materials, but did so anyway. It also reported that at one time the US government insisted that a hardware company install a backdoor into its kit before it was sent overseas. This request was met, it said.
After some sleuthing, I'm pretty certain this is a reference to the Dual_EC_DRBG pseudorandom number generator scheme described in NIST SP 800-90. The weakness is that Dual_EC_DRBG appears to contain a backdoor, and anyone who knows the backdoor can totally break the PRNG. The weakness was first described in a rump session talk at CRYPTO 2007 and was subsequently discussed by Bruce Schneier in Wired.
To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. 
All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.
 
Website protocol support

| Protocol version | Website support[12] | Security[12][13] |
|---|---|---|
| SSL 2.0 | 27.4% | Insecure |
| SSL 3.0[n 1] | 99.7% | Insecure[n 2][n 3][n 4][n 1] |
| TLS 1.0 | 99.3% | Insecure[n 2][n 3][n 4][n 5] |
| TLS 1.1 | 14.5% | Depends on cipher[n 2][n 3][n 4][n 5] |
| TLS 1.2 | 17.0% | Depends on cipher[n 2][n 3][n 4][n 5] |
 
Browser support for TLS

| Browser | Platforms | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|
| Chrome 0–21 | Android, iOS, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[a][b] | Yes | No | No |
| Chrome 22–28 | Android, iOS, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[a][b] | Yes[14] | Yes[14] | No[14] |
| Chrome 29-current | Android, iOS, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[a][b] | Yes[14] | Yes[14] | Yes[15] |
| Firefox 1–18 | Android, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[c][b] | Yes[16] | No[17] | No[18] |
| Firefox 19-current | Android, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[c][b] | Yes[16] | Yes, disabled by default[17][19] | No[18] |
| Firefox 24- (Beta, Aurora, Nightly) | Android, Linux, Mac OS X, Windows (XP, Vista, 7, 8)[c][b] | Yes[16] | Yes, disabled by default[17][19] | Yes, disabled by default[18][20][19] |
| IE 6 | Windows (98, 2000, ME, XP)[d] | Yes, disabled by default | No | No |
| IE 7–8 | Windows (XP, Vista)[d] | Yes | No | No |
| IE 8–9 | Windows 7[d] | Yes | Yes, disabled by default | Yes, disabled by default |
| IE 9 | Windows Vista[d] | Yes | No | No |
| IE 10 | Windows (7, 8)[d] | Yes | Yes, disabled by default | Yes, disabled by default |
| IE 11 (Preview) | Windows (7, 8)[citation needed] 8.1[citation needed][d] | Yes | Yes[citation needed] | Yes[citation needed] |
| Opera 5–7 | Linux, Mac OS X, Windows | Yes[21] | No | No |
| Opera 8–9 | Linux, Mac OS X, Windows | Yes | Yes, disabled by default[22] | No |
| Opera 10–12 | Linux, Mac OS X, Windows[e] | Yes | Yes, disabled by default | Yes, disabled by default |
| Opera 14–15 | Linux, Mac OS X, Windows[f] | Yes | Yes[23] | No[23] |
| Opera 16-current | Linux, Mac OS X, Windows[f] | Yes | Yes[24] | Yes[24] |
| Safari 4 | Mac OS X, Windows (XP, Vista, 7), iOS 4.0[f] | Yes[citation needed] | No | No |
| Safari 5-current | Mac OS X (incl. 10.8[citation needed]), Windows (XP, Vista, 7)[g] | Yes | No | No |
| Safari 5–current | iOS 5.0–[h] | Yes | Yes | Yes |


Here is the list of companies that implemented the NSA's flawed pseudorandom generator standard: IBM, HP, Cisco, Apple, Intel, BlackBerry, Symantec, McAfee, OpenSSL, RSA, Oracle, etc.


The Truth Behind the Pentium Bug 1995: Intel to promote the Pentium as a CPU for scientific and engineering applications, as well as the best engine for mainstream software that relies primarily on integer operations. However, the chance of this happening randomly is only about 1 in 360 billion. Usually, the error appears around the 9th or 10th decimal digit. The chance of this happening randomly is about 1 in 9 billion.
___________________________  
99% BAD HARDWARE WEEK: Since 2006, alas, there has been neither privacy nor security, and no prosperity, regardless of what officials say. :(
