Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic
That's with a recommendation of using RC4. Head on over to the Wikipedia page for SSL/TLS and then decide if you want rc4 to be your preference when trying to defend against an adversary with the resources of a nation-state.
Cheers, Harry
Niels Bakker <niels=nanog@bakker.net> wrote:
* mikal@stillhq.com (Michael Still) [Fri 01 Nov 2013, 05:27 CET]:
It's about the CPU cost of the crypto. I was once told the number of CPUs required to do SSL on web search (which I have now forgotten) and it was a bigger number than you'd expect -- certainly hundreds.
False: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
"On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that."
-- Niels.
So even if Goog or Yahoo encrypt their data between DCs, what stops the NSA from decrypting that data? Or would it be done simply to make their lives a bit more of a PiTA to get the data they want?
-Mike
On Nov 1, 2013, at 7:18 PM, Mike Lyon <mike.lyon@gmail.com> wrote:
So even if Goog or Yahoo encrypt their data between DCs, what stops the NSA from decrypting that data? Or would it be done simply to make their lives a bit more of a PiTA to get the data they want?
Markov chain text generators are cheap. Rather than amping up the crypto, why not bury them under heaping piles of steaming bullshit? After all, it would be the patriotic thing to do. Not only would you be helping employ your fellow network engineers (someone has to increase the size of the effluent pipes), you would be boosting manufacturing (disks for storage, high-end network gear for capture, mainframes and asics for filtering and analysis) and helping the much-maligned coal industry ensure its future prospects (that gear isn't built from electron sipping Atom CPUs, you know!).
--lyndon
Money. The better the encryption the more it costs to crack. With forward security you can even protect against your private key leaking. In short, you can raise the stakes and make it economically unfeasible for even the NSA.
John
John Souvestre - New Orleans LA - (504) 454-0899
-----Original Message-----
From: Mike Lyon [mailto:mike.lyon@gmail.com]
Sent: Fri, November 01, 2013 9:19 pm
To: Harry Hoffman
Cc: Niels Bakker; nanog@nanog.org
Subject: Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic
So even if Goog or Yahoo encrypt their data between DCs, what stops the NSA from decrypting that data? Or would it be done simply to make their lives a bit more of a PiTA to get the data they want?
-Mike
On Fri, Nov 1, 2013 at 7:18 PM, Mike Lyon <mike.lyon@gmail.com> wrote:
So even if Goog or Yahoo encrypt their data between DCs, what stops the NSA from decrypting that data? Or would it be done simply to make their lives a bit more of a PiTA to get the data they want?
-Mike
I'm just gonna toss this URL out here...
http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/KG...
and note the terms and conditions for purchase:
General Terms & Conditions
Delivery dates for all products will be established by General Dynamics at the time of order acceptance. All specifications, products and pricing are subject to change or discontinuance at anytime without notice. Prior written approval from the National Security Agency (General Dynamics will submit request) and a current COMSEC account is required for all purchases
I'll leave it as an exercise for the reader to think about what it means to put encryption technology into the network that requires written approval from the NSA to purchase...
Matt
On 11/01/2013 07:18 PM, Mike Lyon wrote:
So even if Goog or Yahoo encrypt their data between DCs, what stops the NSA from decrypting that data? Or would it be done simply to make their lives a bit more of a PiTA to get the data they want?
My bet is that when they said they were "partially" capable of intercepting things, that means that they haven't broken any of the usual suspects in a spectacular way, but instead are using anything they can think of to do what they want to do. So all of the known crypto vulnerabilities, backdoors, breakins, etc, etc are added to the "partial" bucket. And it wouldn't surprise me that that "partial" is an impressive amount, because so much of internet security is a big old Maginot Line.
Mike
On Nov 1, 2013, at 7:06 PM, Harry Hoffman <hhoffman@ip-solutions.net> wrote:
That's with a recommendation of using RC4.
it’s also with 1024 bit keys in the key exchange.
Head on over to the Wikipedia page for SSL/TLS and then decide if you want rc4 to be your preference when trying to defend against an adversary with the resources of a nation-state.
Cheers, Harry
On Fri, Nov 1, 2013 at 10:40 PM, joel jaeggli <joelja@bogus.com> wrote:
On Nov 1, 2013, at 7:06 PM, Harry Hoffman <hhoffman@ip-solutions.net> wrote:
That's with a recommendation of using RC4.
it’s also with 1024 bit keys in the key exchange.
Better leverage quantum encryption tech to exchange those symmetric keys securely; I wouldn't be surprised if the NSA has DH, DSA, and RSA key exchange schemes defeated or backdoored.
RC4 while not a particularly strong cipher may be strong enough cryptography to dissuade the NSA, until the matter comes up to budgeting, and they get a few hundred billion extra in taxpayer money allocated in order to get their truckload of ASICs live for rapidly brute-forcing RC4 keys, or AES keys, or $cipher_of_the_day_keys.
With near certainty, there would be more invasive methods of attack available that do not require beating the actual cipher algorithm, and they would exploit any available options --- figure out which devices are responsible for doing the encryption, and compromise the security of those instead.
oh RC4 may be strong enough otherwise, but the cryptosystem or library that actually implements the AES RC4 or whatever key/cipher scheme, weak. It's also entirely possible, the implementation you get of RC4, AES, RSA, etc... will contain subtle backdoors in the library, that reduce the cipher strength to a level far less.
--
-JH
Head on over to the Wikipedia page for SSL/TLS and then decide if you want rc4 to be your preference when trying to defend against an adversary with the resources of a nation-state.
i got hit with the clue bat on this one. we have kinda settled on allowing rc4 for smtp as the least preferred. if we did not it would fall back to cleartext. otoh, for web, all browsers can do better, so we don't allow rc4
ykmv
randy
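Added example (not part of any post in this thread): a small model of the trade-off discussed above, where RC4 is kept as the least-preferred suite for opportunistic SMTP so an old peer still gets encryption instead of cleartext, while the web policy drops RC4 and forward-secret suites are preferred everywhere. The function names and peer offers are hypothetical and constructed; suite names follow OpenSSL naming, and server-preference selection is assumed.

```python
# Added illustration, not from the thread. Suite names follow OpenSSL naming;
# the peer offers below are constructed sample inputs.
KNOWN_SUITES = [
    "RC4-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "DHE-RSA-AES256-SHA",
]

def is_forward_secret(suite):
    """Ephemeral (EC)DH exchange: a later server-key leak does not expose past sessions."""
    return suite.startswith(("ECDHE-", "DHE-"))

def uses_rc4(suite):
    return "RC4" in suite.split("-")

def server_preferences(allow_rc4):
    """Forward-secret non-RC4 suites first; RC4 last, or dropped entirely."""
    kept = [s for s in KNOWN_SUITES if allow_rc4 or not uses_rc4(s)]
    return sorted(kept, key=lambda s: (uses_rc4(s), not is_forward_secret(s)))

def negotiate(prefs, peer_offer):
    """Server-preference selection: first server suite the peer also offers."""
    return next((s for s in prefs if s in peer_offer), None)

def smtp_outcome(peer_offer, allow_rc4):
    """Opportunistic STARTTLS: a failed negotiation means delivery in cleartext."""
    return negotiate(server_preferences(allow_rc4), peer_offer) or "CLEARTEXT"

def web_outcome(peer_offer):
    """HTTPS policy: no RC4 and no cleartext fallback, so the handshake fails."""
    return negotiate(server_preferences(False), peer_offer) or "HANDSHAKE_FAILURE"

LEGACY_MTA = ["RC4-SHA"]  # constructed: old peer that only offers RC4
MODERN_PEER = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]  # constructed

if __name__ == "__main__":
    print("SMTP order:", server_preferences(True))
    for name, offer in (("legacy", LEGACY_MTA), ("modern", MODERN_PEER)):
        print(name, "smtp, rc4 last  :", smtp_outcome(offer, True))
        print(name, "smtp, rc4 banned:", smtp_outcome(offer, False))
        print(name, "web             :", web_outcome(offer))
```

Banning RC4 outright on the SMTP side turns the legacy peer's session into cleartext, while listing it last costs modern peers nothing because they never reach it.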
participants (9)
- Harry Hoffman
- Jimmy Hess
- joel jaeggli
- John Souvestre
- Lyndon Nerenberg
- Matthew Petach
- Michael Thomas
- Mike Lyon
- Randy Bush