Since you are mentioning Verisign here, and CA authorities in general, has anyone considered that factoring the CA authority's key is far simpler
Exactly. Why think $2B is some insurmountable barrier when there are far cheaper ways of getting what you want. Most computer people think of security only in terms of computers. Bribing a few night security guards is far cheaper than even cryptanalysis and will give any sufficiently interested party access to the machines signing the keys. At present, if you have the sophistication to break an "interesting" key, you could have the sophistication to not be detected MITM. The difference between inserting/replacing a valid flow, and simply listening [unless the attacker is stupid] isn't that big a difference from a detection [of the attack] point of view. Again, I am assuming things about the attacker that makes them scary. If the attacker is a little kiddie using his home broadband connection, he is not necessarily going to be able to use that information for anything particularly harmful. Yes, but the trust architecture out there today are far more vulnerable [IMO] than the underlying key-encryption. Again, while key negotiation is interesting and important, RSA/DSA/etc are only used in that stage, and generally the underlying connection [for performance reasons] moves with a significantly less bulky encryption algorithm. Blowfish, IDEA and a few others come to mind. It is far more trivial to capture and compromise an instream algorithm than worrying about the key at the get go is [unless you are trying to permanently compromise a victim, at which point the CA is an easier target anyway]. This is especially the case when you allow for dedicated hardware. I have always been of the opinion that all of this internet-widely-available encryption is primarily to make customers feel safe and save credit card companies some liability. There wasn't enough thought put into it at all levels to make it more safe/secure than that. No one is going to spend millions of dollars to get at most the same millions of dollars of back in credit card fraud [good money after bad]. Anyone who is relying on these commercial architectures to secure gov't secrets or secrets worthy of an intelligence outfit's attention is a moron [for numerous reasons]. If all you are doing is trying to secure machines against script kiddies, starting huge public debates and initiatives and the like seems like overkill to me. [investment is greater than reward]. YMMV. Deepak Jain AiNET -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Len Sassaman Sent: Monday, March 25, 2002 8:14 PM To: Deepak Jain Cc: nanog@merit.edu Subject: RE: 1024-bit RSA keys in danger of compromise (fwd) On Mon, 25 Mar 2002, Deepak Jain wrote: than
breaking the underlying key [no matter how large?]. Based on the
Well, that's not really the case. Breaking a 384 bit key is trivial. Breaking a 1024 bit key is probably not possible without a multi-billion dollar budget. 2048 bit keys are still in no danger of being broken any time soon unless further advances are made in factoring. But I see the point you are making, which is that targeting the CA lets you attack all of the browsers that trust keys signed by that CA, rather than specifically targeting that one site. However, MITM attacks are active attacks, and run the risk of being detected by the the victim. If you break the key a site is using for encryption, you can read the traffic without fear of detection. Other comments on this issue, which I covered in my DEFCON 9 presentation: it would probably be a lot easier to compromise a CA's root key by means of network or physical attack, rather than through cryptanalysis. It also doesn't have to be Verisign you target -- there are over a hundred trusted root certification authorities in IE, some of them issued to companies that have gone bankrupt, or sold their root as part of their assets. Remember, if you're attempting a MITM attack in TLS, you're really exploiting poor design of the trust-management features of the client, which is a whole can-o-worms in and of itself. --Len.