NSA can retain encrypted communications of Americans possibly indefinitely (pcworld.com)
91 points by pronoiac on June 24, 2013 | hide | past | favorite | 46 comments


I had the terrifying thought that this could apply to HTTPS or SSH sessions. That's alarmist, though, right?


I assume that this applies to HTTPS and SSH sessions.


Given that the only scrutiny they're ever subject to is public opinion in an occasional news-cycle-long burst, one would have to be pretty gullible to assume these guidelines imply any operational restrictions whatsoever. If no better excuse could be found, I'm sure this one would be trotted out to justify indefinitely storing even plain-text email - "in case of stenography".


The word is "steganography". Stenography is to do with taking notes.


oops, thanks. Linguistic errors even give them ammunition for that kind of argument.


Given their other twisted interpretations of laws and policies to suit their purposes, I wouldn't be surprised. But we have no idea, because they classify everything, including how they interpret the existing laws.


>But we have no idea, because they classify everything, including how they interpret the existing laws.

We do have an idea, let's label it 'Clapperspeak'. "Common accepted best practices of espionage trade craft" gives state sanctioned CLASSIFIED license to lie, cheat, steal, bear false witness, interpret 12 ways to Sunday, anything and everything.


Why wouldn't it apply to HTTPS and SSH?


I wonder if they might try to claim that this applies to ROT26. It would not be much more of a stretch than their other interpretations of the law...


ROT26 has some known vulnerabilities and there is a recommendation to move on to the much stronger ROT52.


Good point. Where does one draw the line between encryption, encoding and compression, for example?

What if a communication itself is not encrypted but contains encrypted elements, like maybe a session ID?


"Where does one draw the line between encryption, encoding and compression, for example?"

I am told that the FBI does not actually draw such a distinction when dealing with criminal messages. The term "null cipher" is used to refer to messages encoded in a non-randomized fashion that does not involve any secret key. I was being a bit sarcastic above, but honestly, I would not be surprised if the government tried to claim that base64 encoding counted as "encryption" in this situation.
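The distinction the two comments above circle around (encoding and compression versus encryption) has a mechanical test: can anyone recover the plaintext without a secret? The script below is an added illustration, not code from the thread. It applies base64, zlib and a keyed stream cipher to the same constructed message, then tries to undo each transform with no key. The cipher is HMAC-SHA256 in counter mode, chosen only because it needs nothing beyond the standard library; `keyless_recovery`, `demo`, the key and nonce values are all assumptions of this example. It also computes byte entropy, because entropy is the usual quick heuristic for "looks encrypted" and the example shows why it cannot settle the question on its own: base64 is bounded at about 6 bits per byte, but compressed and encrypted output both look random.

```python
import base64
import binascii
import hashlib
import hmac
import math
import zlib
from collections import Counter

# Constructed sample data, not taken from the thread.
MESSAGE = b"meeting moved to 10:30, bring the quarterly numbers and the draft. " * 16
KEY = b"constructed-demo-key-not-secret"   # assumed key for the illustration
NONCE = b"demo-nonce-8"                     # assumed per-message nonce


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: the quick 'does this look encrypted?'
    heuristic, and the reason that heuristic does not decide the question."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hmac_ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 run in counter mode. An illustrative stand-in
    for a real cipher that needs only the standard library; production code
    should use an authenticated cipher such as AES-GCM instead."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keyed stream; decryption is the same operation."""
    stream = hmac_ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


decrypt = encrypt


def keyless_recovery(blob: bytes):
    """Try the secret-free transforms in turn. Encoding and compression hand
    the plaintext to anyone who asks; a keyed cipher does not."""
    try:
        return "base64", base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return "zlib", zlib.decompress(blob)
    except zlib.error:
        pass
    return "opaque", None


def demo():
    """Apply all three transforms to MESSAGE and report what comes back."""
    encoded = base64.b64encode(MESSAGE)
    compressed = zlib.compress(MESSAGE)
    ciphertext = encrypt(KEY, NONCE, MESSAGE)
    return {
        "base64": keyless_recovery(encoded),
        "zlib": keyless_recovery(compressed),
        "cipher": keyless_recovery(ciphertext),
        "right_key_recovers": decrypt(KEY, NONCE, ciphertext) == MESSAGE,
        "wrong_key_recovers": decrypt(b"some other key", NONCE, ciphertext) == MESSAGE,
        "entropy": {
            "base64": shannon_entropy(encoded),
            "zlib": shannon_entropy(compressed),
            "cipher": shannon_entropy(ciphertext),
        },
    }


if __name__ == "__main__":
    result = demo()
    for label in ("base64", "zlib", "cipher"):
        kind, recovered = result[label]
        print(f"{label:7s} -> {kind:7s} recovered={recovered == MESSAGE} "
              f"entropy={result['entropy'][label]:.2f} bits/byte")
    print("right key recovers:", result["right_key_recovers"])
    print("wrong key recovers:", result["wrong_key_recovers"])
```

The base64 and zlib inputs come back as the original message with no secret involved, which is what makes them encodings rather than ciphers; the ciphertext is reported as opaque and only the correct key restores it. The entropy column is the caveat: compressed and encrypted bytes both score near 8 bits per byte, so a retention rule keyed on "high entropy" would sweep up compressed traffic just as readily as encrypted traffic.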


Isn't pretty much everything moving in the direction of always-on encryption? So this in effect means they can store everything...


I'm wondering: what is the cost of such retention? If all intercepted data was encrypted, would that not eventually bankrupt the system?

While such a wide use of encryption seems unlikely, would it be possible to achieve the same effect by feeding the system with encrypted garbage? Even if it is eventually decrypted, it adds a lot of noise to the analysis effort, further increasing the cost.


If you read the doc, it says also that domestic communication "reasonably believed to contain evidence of a crime... may be disseminated to Federal Law Enforcement authorities".


would that evidence and fruits of it be admissible in court?


Yes, of course.


Well then let's make them store the entire internet. It's about time that we encrypted everything. Flood the communication channels with encrypted chatter and let's see how long they can keep storing it all. If you really want to fuck with them, intersperse your encrypted data with random bits from /dev/random. Even better, just stream random bits non-stop and every so often intersperse it with just a tiny bit of your real data.

The NSA knows how fucked they'd really be if everyone used end to end encryption. You can smell their fear.


You probably want to use urandom instead of random. /dev/random will block if the entropy pool runs out whereas /dev/urandom will not.


On Linux, yes. Not on the BSDs.


I agree in principle. There might be some blow-back with regard to metadata that they can now legally (under their definition) track.

Let's do the math to see if that would even be possible:

    * 144 billion emails per day in the U.S.
    * Average email size is 75 KB.
    * Works out to about 10 petabytes/day.

That facility they're building in Utah is exascale, so the computational burden isn't that much if they're simply looking at metadata. Obviously, decryption is more complicated.

Last I checked, a MW/year runs about $1m with long term agreements (old number; probably $2m now). Assuming a budget on the order of billions, that isn't a huge hurdle for a government snoop to clear.


> Well then let's make them store the entire internet.

The Utah facility is supposed to be able to store the next 100 years of all Internet data + traffic, even at the current projected rate of growth.


Actually I'm sure the NSA is perfectly A-OK with techies, rather than getting involved politically and using their knowledge to mobilize the non-tech-savvy, instead expending their limited energy and time on weird slacktivism antics.


This is great! Now to backup my old photos, I'll tar them and encrypt them and email them to myself. I can always try FOI request and get them back!


A good deal of encrypted material these days depends on the security of the private key, though -- e.g., HTTPS loses a good deal of security if the server's private key is known.

Given the reach of PRISM and related projects, and given that a lot of the internet was using 1024-bit RSA keys for HTTPS, it's a good question how many of those private keys are still ... private.


I have always wondered about this. What kind of security do you really get if, for example, your SSL key is distributed to a couple thousand CloudFlare servers all over the world?


Zilch. Cryptographic security depends on good key management practices.


What you have just mentioned is talked about here: https://news.ycombinator.com/item?id=5933784


That is good because, provided there is not some enormous leap forward in number theory in the meantime, they can keep working on trying to break 256-bit key RSA encryption "indefinitely" as well thanks to a higher law by the name of thermodynamics.


Wait 25 years until Moore's Law catches up, and they can break all those 256-bit encrypted things you did back in 2013.


From Schneier in "Applied Cryptography" (1996):

"Longer key lengths are better, but only up to a point. AES will have 128-bit, 192-bit, and 256-bit key lengths. This is far longer than needed for the foreseeable future. In fact, we cannot even imagine a world where 256-bit brute force searches are possible. It requires some fundamental breakthroughs in physics and our understanding of the universe.

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38 × 10^−16 erg/K, and that the ambient temperature of the universe is 3.2 Kelvin, an ideal computer running at 3.2 K would consume 4.4 × 10^−16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about 1.21 × 10^41 ergs. This is enough to power about 2.7 × 10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."


I've seen this argument quoted a couple of times and blindly accepted it as a traditional Fermi-style attack on the problem. This is the first time I've pondered the implementation.

Schneier's argument that 3.2K is a limit is perhaps not the best one? Dilution fridges let you into the millikelvin quickly. Optical cooling can readily reach nanokelvin. Power dissipation remains a significant problem, but the power requirement is reduced by ~10^9.

From the quantum-computing side of things, it's not that crazy to imagine a 256 bit quantum computer, especially if you have a GDP-caliber budget. Researchers worldwide are working hard on the relevant technological precursors.


I'm under the impression that quantum computers buy you a square root. So instead of doubling the number of bits in your key to improve the strength of a key by a ludicrous amount, you should quadruple them.

In addition to this, I don't know how well quantum computers help against (good) symmetric encryption. They help against certain types of PKI because they give you the aforementioned speedup in factoring large integers. However, I think Schneier's argument holds, because brute forcing 2^256 possible keys is... well, see the argument above about forcing a counter through all those states.

(apologies for not citing sources. Hopefully someone more knowledgeable can weigh in)


For AES you are correct. The best known quantum attack is Grover's Search Algorithm (but emphasis on 'known' here), reducing the key space to 2^128. RSA, however, is based on prime factors, so it can be broken with Shor's Algorithm, which means it will take on the order of (256)^3 operations.


Limiting the energy source to a single star is weak. If you use a whole galaxy (or several) you can easily bring that up to 256 bits. For example, the Milky Way has on the order of 10^11 stars; most of those aren't supernova-sized, but if we use a few million galaxies we can get that many. That gives you an extra 37 bits, bringing the counter to 256.

So, if you have terrifically huge enemies, who will burn galaxies to get at your secrets, you might want to use a few more bits.

You might worry about quantum computers, too, since afaik Grover's algorithm halves effective key size.
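The thermodynamic argument quoted from Schneier further up, the "burn a few galaxies" extension in the comment just above, and the earlier objection about cooling below 3.2 K all come down to one quantity: energy budget divided by kT. The script below is an added worked computation, not something from the thread or from Schneier; it takes the constants exactly as quoted in the thread (k = 1.38 × 10^−16 erg/K, T = 3.2 K, 1.21 × 10^41 erg per sun-year, 10^51 erg per supernova) and reproduces the counter widths. The function names `counter_bits`, `extra_bits` and `brute_force_feasible` are assumptions of this example, and it follows the quoted argument in charging one bit change per counter state.

```python
import math

# Figures as quoted from Schneier in the thread (cgs units: erg, kelvin).
BOLTZMANN_ERG_PER_K = 1.38e-16   # Boltzmann constant k
COSMIC_BACKGROUND_K = 3.2        # ambient temperature of the universe, T
SUN_ANNUAL_OUTPUT_ERG = 1.21e41  # energy output of the sun per year
SUPERNOVA_OUTPUT_ERG = 1e51      # energy released by a typical supernova


def energy_per_bit_change(temperature_k=COSMIC_BACKGROUND_K):
    """Minimum energy (erg) to set or clear one bit at temperature T: kT."""
    return BOLTZMANN_ERG_PER_K * temperature_k


def bit_changes(energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """Number of single-bit state changes an energy budget can pay for."""
    return energy_erg / energy_per_bit_change(temperature_k)


def counter_bits(energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """Widest counter (in bits) the budget can step through all 2^n values of,
    charging one bit change per counter state as the quoted argument does."""
    return math.floor(math.log2(bit_changes(energy_erg, temperature_k)))


def extra_bits(n_sources):
    """Counter width gained by pooling n equal energy sources (log2 n)."""
    return math.log2(n_sources)


def brute_force_feasible(key_bits, energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """True if the budget covers every one of the 2^key_bits candidate keys."""
    return bit_changes(energy_erg, temperature_k) >= 2.0 ** key_bits


if __name__ == "__main__":
    print(f"kT at 3.2 K: {energy_per_bit_change():.2e} erg per bit change")
    print(f"one sun-year:   {counter_bits(SUN_ANNUAL_OUTPUT_ERG)}-bit counter")
    print(f"32 sun-years:   {counter_bits(32 * SUN_ANNUAL_OUTPUT_ERG)}-bit counter")
    print(f"one supernova:  {counter_bits(SUPERNOVA_OUTPUT_ERG)}-bit counter")
    # The galaxy-burning extension: roughly 10^11 supernova-sized sources.
    print(f"10^11 supernovae add {extra_bits(1e11):.1f} bits")
    print("256-bit search, one supernova:   ",
          brute_force_feasible(256, SUPERNOVA_OUTPUT_ERG))
    print("256-bit search, 10^11 supernovae:",
          brute_force_feasible(256, 1e11 * SUPERNOVA_OUTPUT_ERG))
    # The cooling objection: running at 3.2 nK instead of 3.2 K buys ~30 bits.
    print(f"one supernova at 3.2 nK: {counter_bits(SUPERNOVA_OUTPUT_ERG, 3.2e-9)}-bit counter")
```

Run as written it gives 187 bits for one sun-year and 192 for 32 of them, matching the quote; the supernova comes out at 220 bits rather than the quoted 219, a rounding difference that does not change the conclusion. The galaxy comment's arithmetic checks out too: 10^11 supernova-sized sources add about 36.5 bits, which is exactly what lifts the budget over a 256-bit search. Lowering the temperature by nine orders of magnitude adds about 30 bits, so the cooling objection is the more serious one on paper, although it leaves the heat-pump and power-dissipation problems untouched.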


> So, if you have terrifically huge enemies, who will burn galaxies to get at your secrets, you might want to use a few more bits.

If you have enemies who can burn galaxies, then you have really other problems than keeping any possible secret.


Even if Moore's Law holds up that long, Second Law of Thermodynamics says you can't brute-force 256-bit keys[1].

However, it's entirely possible (though unlikely) that actual, significant progress will be made either in DLP or in attacking AES/RC4 -- in which case, yeah, that data is as good as clear.

[1]https://www.schneier.com/blog/archives/2009/09/the_doghouse_...


256-bit RSA, eh?


To expand on this a little, 256-bit RSA is easily crackable, since there are good algorithms for integer factorization. You need a significant increase in key length to get equivalent security to symmetric keys: Wikipedia claims 3072-bit RSA ~ 128-bit symmetric, 15360-bit RSA ~ 256-bit symmetric. [0]

[0]: https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_...


Let's all generate lots and lots of cat /dev/random over ssh?


Just use /dev/zero, no need to waste more energy than needed. The NSA is unable to tell the difference if the cipher is good enough.


Or, better random without ssh.


With appropriate handshakes!


And they can and do so for the rest of the world too, but who cares, right? Only US citizens have a right to privacy, at least according to HN.


Mobile App Game:

test the forever stored future with ten thousand inviting Voynich manuscripts with buried url tripwire alert beacons and countdown n-folded damascene crypto layerings that annunciate when finally cracked and the hunter bot-spider races along the breadcrumbs, trips the wire, and `hello'!


A bit offtopic, but is there a style associated with the image at the top? Particularly the way that eyeball looks, I've seen that style of artwork a lot when reading surveillance-related stories.



