Simple, the governments of 120 countries have less of a clue than your random Linux hacker who knows how to install PGP: It's Cryptogate!!
Posted by Manfred Traven | 06- 4-04 1:12 AM
One possibility is what is mentioned above --- that boneheaded governments (repeating the same mistakes as Microsoft, the DVD consortium, cell phone companies etc) refused to believe in open source and math, and bought compromised proprietary machines. (As an aside, I do have to wonder just how stupid are countries that buy high-end arms from the US. Do you really believe that the US doesn't have some radio-based "off-switch" that they can and will use against the fancy radars and fighters they have just sold you?)
But the other possibility, which makes the compromise more of an issue, is that the crypto algorithms are fine, but the US had access to the keys --- through bribery, bugging or whatever. This being revealed is, in some sense, more serious than revealing that an algorithm or machine is compromised. Presumably it means that human assets in Iran are, even in the best case scenario, no longer useful because they've fled to another country.
Posted by Maynard Handley | 06- 4-04 1:42 AM
Thirty years ago it was highly likely that the NSA was a decade or two ahead of the open literature in knowledge of the theory of cipher design and cryptanalysis. It is widely believed that since then this gap has significantly narrowed - modern ciphers designed with an open process, such as AES, are probably secure against NSA cryptanalysis.
However, encryption schemes can be compromised by a failure in system design or due to a poor implementation, not just because the cipher on which it is based has been broken. For example, a secure encryption scheme ultimately relies on having a secure key distribution scheme; an unbreakable cipher does you no good if your adversary knows your keys. Similarly, implementations of encryption systems are inherently fragile - there are many details to get exactly right, such as secure pseudo-random number generation, resistance to side-channel attacks, etc. An error in any one of the many implementation details can result in system compromise.
The NSA is unquestionably the most experienced organization in the world when it comes to the practical cryptanalysis required to exploit the weaknesses of actual systems - it would not be at all surprising if Iran's secure communications channels had a weakness in design or implementation, despite using, at their core, a secure cipher.
Posted by Richard Parker | 06- 4-04 4:33 AM
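An added example of the point made in the comment above (a key-generation flaw defeating an otherwise sound cipher); this is illustrative code written for this page, not anything posted in the thread or used by any real system. It assumes a keystream built from HMAC-SHA256 as a stand-in for a secure cipher, a sender who seeds Python's non-cryptographic random module with a Unix timestamp, and an attacker who knows a plaintext header and the rough send time. All timestamps, plaintexts and the one-hour search window are constructed for the demo.

```python
"""Added example: a 'secure' cipher undone by a weak key source.

The PRF is never attacked. The bug is that the 128-bit key is drawn from a
PRNG with a 32-bit seed (a timestamp), so the attacker enumerates seeds and
tests each candidate key against a known plaintext/ciphertext pair.
"""
import hashlib
import hmac
import random
import secrets


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the keystream is its own inverse


def weak_key_from_seed(seed: int) -> bytes:
    """The implementation bug: random.Random is deterministic for a given seed,
    so a 32-bit seed leaves only 2**32 possible keys, not 2**128."""
    rng = random.Random(seed)
    return rng.getrandbits(128).to_bytes(16, "big")


def strong_key() -> bytes:
    """The fix: take key bytes straight from the OS CSPRNG."""
    return secrets.token_bytes(16)


def recover_seed(known_pt: bytes, known_ct: bytes, seed_lo: int, seed_hi: int):
    """Attacker side: try every seed in [seed_lo, seed_hi) and check whether the
    resulting key maps the known plaintext to the observed ciphertext.
    Returns (seed, key) on success, None otherwise."""
    for seed in range(seed_lo, seed_hi):
        cand = weak_key_from_seed(seed)
        if encrypt(cand, known_pt) == known_ct:
            return seed, cand
    return None


def demo() -> bool:
    # Constructed scenario (assumed values): the sender seeded the PRNG with the
    # current Unix time in seconds, and the attacker knows the message went out
    # within a particular one-hour window.
    window_start = 1_086_000_000          # an assumed second in June 2004
    send_time = window_start + 1234
    key = weak_key_from_seed(send_time)
    header = b"FROM: station-7\n"         # predictable header used as a crib
    body = b"body of the message"
    ct = encrypt(key, header + body)

    found = recover_seed(header, ct[: len(header)], window_start, window_start + 3600)
    if found is None:
        return False
    seed, recovered_key = found
    return seed == send_time and decrypt(recovered_key, ct) == header + body
```

Only 3600 candidate keys are tested, which is why the search finishes instantly; the same attack against strong_key() would need about 2**128 trials, because there is no seed to enumerate.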
What makes you think the NSA can't break 128-bit encryption? Nobody really knows what sort of capabilities the NSA has. For all we know they've been using quantum computers for some time which would make breaking conventional encryption extremely trivial.
The other comments raise good points too. It could be that we simply have access to a different channel which exposes the plaintext, or we have access to the keys.
Posted by Peter Kovacs | 06- 4-04 6:58 AM
How do many hackers get into "secure" systems? "Social engineering."
It doesn't matter if a message is encrypted with 256-bit encryption, or 1028-bit, if someone put a program on your computer to capture all the key-strokes. Or otherwise bugged your computer. Or otherwise fished out your password. The number of methods are nearly infinite, and all without having to crack the encryption the hard way.
At this point the U.S. has about seventy years of significant practice, not counting the WWI Black Chamber.
Posted by Gary Farber | 06- 4-04 7:26 AM
What makes you think the NSA can't break 128-bit encryption? Nobody really knows what sort of capabilities the NSA has. For all we know they've been using quantum computers for some time which would make breaking conventional encryption extremely trivial.
This is, IMHO, the same sort of thinking that believes that Microsoft (or for that matter the US govt) can't make mistakes. The NSA has lots of money and people, but they don't have as much money and as many people as the rest of the world. For the NSA to be using, for example, quantum computing in a useful fashion, requires that they have made a long series of breakthroughs on their own, and without the benefits of the advice of others, while vastly many more people on the outside have not been able to do so, something I regard as highly unlikely.
Posted by Maynard Handley | 06- 4-04 7:58 AM
Thanks all (particularly Richard); this is very helpful.
Posted by ogged | 06- 4-04 8:26 AM
What makes you think the NSA can't break 128-bit encryption? Nobody really knows what sort of capabilities the NSA has. For all we know they've been using quantum computers for some time which would make breaking conventional encryption extremely trivial.
I disagree. The possibility that the NSA might have huge quantum computers (which, frankly, I find extremely unlikely) isn't a problem for modern ciphers. The design requirements for modern ciphers like AES specifically include the consideration that they might have to resist attack by a quantum computer during their design lifetime.
A conventional computer can perform a "brute force" exhaustive key search attack in 2^n steps against a cipher with an n-bit key. A sufficiently large quantum computer can brute-force a cipher in the square-root of the number of steps that it would take a conventional computer to perform a similar attack, thus a quantum computer could brute-force a 128-bit cipher in the same number of steps as a conventional computer can brute-force a 64-bit cipher. The remote possibility of a breakthrough in quantum computing is exactly why the AES cipher supports 256-bit keys - these 256-bit keys are as resistant to brute-force attack by quantum computer as 128-bit keys are versus conventional computer, and 128-bit keys are considered to be sufficient to resist brute-force attack against any reasonable conventional computer for decades to come.
Posted by Richard Parker | 06- 4-04 8:34 AM
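An added example for the work-factor argument in the comment above; this is illustrative code written for this page, not code from the thread or from any real cryptanalytic tool. It first brute-forces toy keys of 8, 12 and 16 bits against HMAC-SHA256 (a stand-in for a cipher) to show the 2^n growth empirically, then tabulates the classical 2^n and Grover 2^(n/2) work factors for 64-, 128- and 256-bit keys and converts them to years under an assumed, hypothetical rate of key tests per second. It does not model a real quantum computer; it only applies the square-root rule the comment states.

```python
"""Added example: exhaustive key search cost, classical vs. Grover square-root speedup."""
import hashlib
import hmac

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF standing in for a block cipher; the attacker has a message/tag pair."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def brute_force(n_bits: int, msg: bytes, tag: bytes):
    """Try every one of the 2**n_bits keys in order; returns (key, trials)."""
    nbytes = (n_bits + 7) // 8
    trials = 0
    for k in range(1 << n_bits):
        trials += 1
        cand = k.to_bytes(nbytes, "big")
        if prf(cand, msg) == tag:
            return cand, trials
    return None, trials


def worst_case_trials(n_bits: int) -> int:
    """Empirical worst case: the target key is the last one the search reaches."""
    nbytes = (n_bits + 7) // 8
    target = ((1 << n_bits) - 1).to_bytes(nbytes, "big")
    msg = b"constructed challenge"   # constructed known plaintext
    _, trials = brute_force(n_bits, msg, prf(target, msg))
    return trials


def classical_work(n_bits: int) -> int:
    """Exhaustive search on a conventional machine: 2**n key tests."""
    return 1 << n_bits


def grover_work(n_bits: int) -> int:
    """Grover's algorithm: about sqrt(2**n) = 2**(n/2) oracle evaluations."""
    return 1 << (n_bits // 2)


def effective_bits(n_bits: int, quantum: bool) -> int:
    """Security level in bits against each attacker model."""
    return n_bits // 2 if quantum else n_bits


def years_to_search(n_bits: int, tests_per_second: float, quantum: bool = False) -> float:
    """Wall-clock years for a full search at an assumed test rate (hypothetical figure)."""
    work = grover_work(n_bits) if quantum else classical_work(n_bits)
    return work / tests_per_second / SECONDS_PER_YEAR


def work_table(tests_per_second: float = 1e18):
    """Rows of (key bits, classical bits, classical years, quantum bits, quantum years).
    The default 1e18 tests/second is an assumption chosen to be generous."""
    return [
        (n,
         effective_bits(n, False), years_to_search(n, tests_per_second),
         effective_bits(n, True), years_to_search(n, tests_per_second, True))
        for n in (64, 128, 256)
    ]


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n:2d}-bit toy key: {worst_case_trials(n)} trials worst case (2**{n})")
    for row in work_table():
        print("%3d-bit key: classical %3d-bit, %.3g years; Grover %3d-bit, %.3g years" % row)
```

The table makes the comment's claim concrete: under the same assumed test rate, a 256-bit key against Grover costs exactly what a 128-bit key costs against a classical search, while a 64-bit key falls in seconds either way.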
My favorite quote about security:
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)
Posted by Matt | 06- 4-04 10:29 AM
I'm with Gary. It's standard operating procedure that we bug their offices and embassies. It's expected. We also have a lot of bribe money.
Posted by Michael | 06- 4-04 3:02 PM
A couple of days ago the BBC published an article titled "Breaking codes: An impossible task?" in which the BBC discusses with several cryptographers the reports that the United States broke the code used by the Iranian intelligence service. They appear to come to the same conclusions as we did. Ross Anderson of Cambridge University is quoted as saying "As the former chief scientist of the NSA once remarked at one of our security workshops, almost all breaks of cipher systems are due to implementation errors, operational failures, burglary, blackmail and bribery." Similarly, Fred Piper of the Royal Holloway College made the same point: "There is a difference between breaking a code and breaking a system. In general it is true that a system using a practically unbreakable cipher might be broken through a management fault."
Posted by Richard Parker | 06-19-04 7:35 AM
Thanks, Richard.
Posted by ogged | 06-19-04 8:07 AM