tialaramex 2 days ago

I don't buy it. These systems are always multiparty. In a single-party cryptosystem we can have internal integrity: we know we're not the bad guys and we didn't share the private information with the bad guys, therefore the bad guys don't have the data. Once you're multiparty that goes away; any other party can definitely betray you, and then it's game over, your own integrity doesn't matter. Historically NOBUS was about having a particular technological lead; that's very fragile and didn't work out long term. If anybody has that lead today it's the Chinese, but realistically nobody has such a lead.

Kim_Bruning 2 days ago

The other party doesn't even need to betray you, just have their systems compromised. See also, e.g.: Salt Typhoon.*

* https://en.wikipedia.org/wiki/2024_global_telecommunications... "The hackers were also able to access wiretapping systems used to conduct court-authorized wiretapping."

tptacek 2 days ago

The argument about who the trustworthy "us" is is deeply uninteresting to me. I just care that there's precedent that, if you stipulate the existence of such an "us", computer science does allow for NOBUS-y access mechanisms.

Kim_Bruning a day ago

Interesting. My understanding has always been that there wasn't, at least in practice. But you're so insistent, so maybe I've missed something. Do you have some references? I'll go read!
nemomarx 2 days ago

At minimum, bad actors inside the government could always use the access mechanism. What's your concept for preventing other bad actors from getting it, though?

tptacek 2 days ago

"What if 'us' is bad" is a separable question from "is NOBUS possible". I'm not advocating for it; I'm just saying the computer science of this matters, and a lot of people have objections to the concept of NOBUS that are more ideological than empirical.
AnthonyMouse 2 days ago

I don't think it's a computer science claim to begin with. To my knowledge nobody has ever broken 256-bit AES, but that's not the part of the system that fails. There are two things that prevent it from working in practice.

The first is that "us" would be something like "governments in the US"; but then that's too big of an organization to sustain as free from compromise. There are tens of thousands of judges in the US, well over a million police and military. All it takes is one of them to be corrupt or incompetent or lazy and the bad guys get to use the skeleton keys to everything in the world, which can unlock secrets worth billions or get people killed. And that's assuming they only compromise the authorization system; if they actually get the keys it's practically armageddon.

And the second is that it's not just one government. If the UK makes Apple and Google build a system to unlock anybody's secrets, is Australia not going to want access? Is China? Let's suppose we're not going to give access to Russia; can the fallible humans operating this system fend off every attack once the FSB has been ordered to secure access by any means necessary?

It's a system that combines many points of compromise with an overwhelming incentive for everyone from state-level attackers to organized crime to break in, and severe consequences when they do.
Nasrudith 2 days ago

The logistics are non-trivial. If you have to be at nation-state intelligence scale then no, you cannot maintain NOBUS-level secrecy, because you have too many people involved. That sounds pretty damn empirical to me. The objections to NOBUS aren't ideological, they are moral, by the way. They are literally choosing to keep vulnerabilities in place for others to discover under arrogant assumptions that they will be the only ones who will know.

dragonwriter 2 days ago

> The objections to NOBUS aren't ideological, they are moral

“Ideological” and “moral”, as bases for objection, mean exactly the same thing, though people will often use “ideological” to mean “based in principles of right and wrong that I don’t agree with” and “moral” or “ethical” to mean “based in principles of right and wrong that I agree with”.
nemomarx 2 days ago

I think any practical implementation needs to have an "us" that's like "with a valid warrant" or secured on the govt end anyway, right? Otherwise you have to deal with "what if someone in the govt leaks the keys" or "what if someone in the govt is a spy". I consider those outcomes the same as foreign governments getting backdoor access, basically.
Kim_Bruning 2 days ago

If 100 different governments think "nobody but us has access", between 99 and 101 governments are wrong. O:-) (I will grant number 101 is the hard one to defend.)

throw0101c 2 days ago

> "NOBUS" isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS.

Has any such system been built?
commandersaki 2 days ago

China iCloud? Not sure it is actually NOBUS or just a key escrow mechanism with administrative controls.

tptacek 2 days ago

Have the private keys for Dual EC ever been disclosed, or is there any evidence of them having leaked?

AnthonyMouse 2 days ago

Sort of: https://blog.cryptographyengineering.com/2015/12/22/on-junip...

But also, Dual EC was suspected of being backdoored from day one, was slower than existing CSPRNGs, and was therefore avoided like the plague. Whereas the premise is that if you put all the world's secrets behind one set of keys, there doesn't exist a level of defense that can withstand the level of attacks that will attract. Which doesn't apply when it isn't widely used. On top of that, the attackers would be the likes of foreign intelligence agencies, and then them not getting it and the public not hearing about them getting it are two different things.

tptacek 2 days ago

That was a Juniper supply-chain backdoor, not a compromise of the Dual EC keys.

AnthonyMouse 2 days ago

Exactly. They built a backdoor that "only they" could get into and then somebody else slipped into it anyway. The backdoor is a vulnerability even if you don't have the keys, because it requires the trappings of third-party access. If you try to get something in the shape of a backdoor through code review, you should get knocked back. But if something in the shape of a backdoor is required, then a change in who has the keys to the lock is much smaller, more subtle and easier to sneak in.

tptacek 2 days ago

No, that's exactly what didn't happen here. The attackers in this case got, and maintained for years, the ability to slip code into Juniper/Netscreen releases. That the backdoor they chose happened to replace NSA's NOBUS backdoor is just a funny detail.

AnthonyMouse a day ago

I don't think it's actually irrelevant; there's a reason they did it that way. Getting commit access and being the only one who can even read the code are two very different things. Even if you can modify the code, the less obvious it is that the change is adding a backdoor, the less likely someone else is to catch you.

tptacek a day ago

I think it would be so difficult to convince me that a state-level adversary who has obtained persistent access to Netscreen's builds can't hide arbitrary backdoors that it isn't really worth hashing this out. I'm just going to point out again that the Netscreen attack didn't break the "NOBUS" property of Dual EC --- so far as we know, the Dual EC private keys have never leaked.

AnthonyMouse a day ago

It seems like you're implying they'd be too good to ever get caught, but... they got caught. The trouble is, making a backdoor less obvious makes it more likely that if they try it 10 times they don't get caught all 10 times, more likely it gets into production before they get caught, more likely that it stays in production for a year instead of a month, etc.

tptacek 17 hours ago

Who got caught? The Juniper hackers? Obviously yes. They're not NSA. Also, "never getting caught" isn't what NOBUS means.

AnthonyMouse 15 hours ago

I mean, didn't the NSA also get caught by Snowden? They intended it to be a secret. But the Juniper hackers are the NOBUS failure, because changing the locks on a backdoor that somebody else had installed is easier than getting one installed yourself.

tptacek 14 hours ago

I don't think you're following. "NOBUS" doesn't mean "nobody but us can ever find out about the backdoor"; it means "nobody but us can actually use the backdoor". Ironically, the Juniper PKRNG backdoor --- I assume it was Chinese --- is also a NOBUS backdoor!

AnthonyMouse 10 hours ago

> it means "nobody but us can actually use the backdoor". Ironically, the Juniper PKRNG backdoor --- I assume it was Chinese --- is also a NOBUS backdoor!

Except that it was intended to be "nobody but us (i.e. the NSA)" and now you've got China using it.

tptacek 9 hours ago

No, we don't. Respectfully, I don't think you're working from an accurate notion of what "NOBUS" means, and I don't think you have your head fully around the Juniper hack. The Juniper hack replaced the existing backdoor; it didn't break it. NOBUS or not, if your adversary controls your source tree, you're boned. Here, the adversary replaced "our" NOBUS backdoor with theirs. Two different backdoors, different keys, same structure.
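A runnable sketch of what "different keys, same structure" means for a Dual EC style trapdoor, added here as an illustration; it is not code from anyone in this thread, from Juniper, or from the Dual EC specification. The structure it models is the public one: each block emits a truncated x-coordinate of s*Q and steps the state to x(s*P); whoever chose Q = d*P and kept d (equivalently e = d^-1 mod the group order) can brute-force the dropped bits, multiply the recovered point by e, and learn the next state, so they alone can predict the rest of the stream. Everything concrete below is made up for the example: the toy curve over p = 10007, the names P, Q, d, e, N, the seed, and the 10-bit truncation (the real generator uses P-256 and drops 16 of 256 bits). The second half re-keys the generator with an independently chosen Q2 = d2*P and checks that the original opener e is useless against it while e2 works.

```python
import random
from math import gcd

P_MOD = 10007                 # toy prime, made up; 3 mod 4 so sqrt is one pow()
A, B = 3, 7                   # curve y^2 = x^3 + A*x + B over GF(P_MOD)
MASK = (1 << 10) - 1          # output keeps only the low 10 bits of x(s*Q)

def sqrt_mod(n):
    n %= P_MOD
    y = pow(n, (P_MOD + 1) // 4, P_MOD)
    return y if (y * y) % P_MOD == n else None

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):                   # double-and-add; None for the point at infinity
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def xcoord(k, pt):                # x(k*pt), or None (k may itself be None)
    r = mul(k, pt)
    return None if r is None else r[0]

def find_generator():
    """First curve point of large order, with that order: the public P and N."""
    for x in range(1, P_MOD):
        y = sqrt_mod(x ** 3 + A * x + B)
        n, acc = 1, None if y is None else (x, y)
        while acc is not None:
            acc, n = add(acc, (x, y)), n + 1
        if y is not None and n > P_MOD // 3:
            return (x, y), n
    raise RuntimeError("no usable generator on this toy curve")

P, N = find_generator()

def trunc(x):
    return None if x is None else x & MASK

def dualec_step(state, Q):
    """One Dual EC block: s <- x(s*P); emit the truncated x(s*Q)."""
    s = xcoord(state, P)
    out = trunc(xcoord(s, Q))
    if out is None:
        raise ValueError("toy run hit the point at infinity; change the seed")
    return s, out

def deploy(rng, blocks=4):
    """Designer keeps a secret d and publishes Q = d*P; e = d^-1 mod N is the
    key that opens the trapdoor. Seed the DRBG and emit `blocks` outputs."""
    d = rng.randrange(2, N)
    while gcd(d, N) != 1:
        d = rng.randrange(2, N)
    Q, e, state, outs = mul(d, P), pow(d, -1, N), rng.randrange(1, N), []
    for _ in range(blocks):
        state, out = dualec_step(state, Q)
        outs.append(out)
    return Q, e, outs

def recover_and_predict(outputs, Q, e):
    """Holder of e: brute-force the dropped bits of outputs[0] to rebuild the
    point s1*Q, multiply by e to get s1*P, whose x is the NEXT state s2; keep
    candidates consistent with outputs[1:] and predict the following output."""
    for full_x in range(outputs[0], P_MOD, MASK + 1):
        y = sqrt_mod(full_x ** 3 + A * full_x + B)
        if y is None:
            continue
        s = xcoord(e, (full_x, y))
        for seen in outputs[1:]:
            if trunc(xcoord(s, Q)) != seen:
                break
            s = xcoord(s, P)
        else:
            if trunc(xcoord(s, Q)) is not None:
                return trunc(xcoord(s, Q))
    return None

def demo(seed=2024):
    rng = random.Random(seed)
    Q, e, outs = deploy(rng)            # "our" backdoor: we hold e, publish Q
    Q2, e2, outs2 = deploy(rng)         # source-tree attacker swaps in Q2 = d2*P
    return (recover_and_predict(outs[:3], Q, e) == outs[3],      # same shape,
            recover_and_predict(outs2[:3], Q2, e) == outs2[3],   # different key
            recover_and_predict(outs2[:3], Q2, e2) == outs2[3])
```

demo() returns three booleans: the original opener e predicts the fourth output of its own stream from the first three; the same e gets nothing from the stream produced after Q was swapped for Q2; the swapper's e2 predicts that stream. Nobody without e or e2 can do better than guessing, which is the whole "nobody but us" property, and swapping Q changes who "us" is without changing the mechanism. On a curve this small a rare seed lands on the point at infinity and raises; pick another seed if that happens.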
immibis 2 days ago

Why are all of your comments consistently just nonconstructively calling other people wrong?
ls612 2 days ago

And then Salt Typhoon happens and suddenly it isn't NOBUS anymore and we are hosed.

bccdee 2 days ago

NOBUS is only NOBUS until a spy gets their hands on the escrow master key (or until Donald Trump shares it at a dinner party on a lark, for that matter). If RSA's signing keys can be compromised¹, anything can be compromised.

[1]: "The Full Story of the Stunning RSA Hack Can Finally Be Told," https://www.wired.com/story/the-full-story-of-the-stunning-r...

tptacek 2 days ago

I don't understand the latter assertion. What's so special about RSA getting compromised?

bccdee a day ago

They're a world-class security organization. If a nation-state actor can get access to their most important keys the hard way, then a nation-state actor has a decent shot at compromising any private key on the planet, if they're willing to put enough money into it.

tptacek 17 hours ago

They were just an enterprise software company. People have weird ideas of what RSA was. They bought the name RSA.

bccdee 14 hours ago

They're a large, trusted enterprise software company specializing in security. I'm very comfortable using them as a heuristic for the most secure that a regularly-used private key can possibly be.

tptacek 14 hours ago

I think you need to adjust your priors on the capabilities of enterprise security companies. I don't think you will find many practitioners that would rank RSA Security in "the most secure that a regularly-used private key can be".