New NSA-Approved Encryption Standard May Contain Backdoor
Hugh Pickens writes "Bruce Schneier has a story on Wired about the new official standard for random-number generators the NIST released this year that will likely be followed by software and hardware developers around the world. There are four different approved techniques (pdf), called DRBGs, or 'Deterministic Random Bit Generators' based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor. In a presentation at the CRYPTO 2007 conference (pdf) in August, Dan Shumow and Niels Ferguson showed that there are constants in the standard used to define the algorithm's elliptic curve that have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."
Don't look for malice where incompetence will do.
-- Napoleon
Any guest worker system is indistinguishable from indentured servitude.
Anyone else reminded of the little Black Box from Sneakers? The one that used a mathematical backdoor to break any encryption based on a certain algorithm that was only used in the USA?
End of lesson. You may press the button.
Is what is essentially a random number generator really an 'encryption' standard? And if it's really a backdoor, don't you still need to know quite a bit more than the random number seeds to break something like AES or RSA?
As a person, I am not very surprised. Software can be hard to develop. But on the other hand, I wonder what we as a nation (USA) can ever get right.
When I thought we had [finally] got the Boeing 787 Dreamliner right, I was informed the execution of the whole project was flawed.
Result? The plane will be delayed by more than 6 months, not to mention that a big chunk of the plane is manufactured abroad. I continue to be disappointed.
On the last slide, the researchers add some suggestions:
I wonder how long it'll be before that "skeleton key" becomes public knowledge and makes the entire encryption scheme more worthless than it already is.
I don't think you understand the meaning of the word "may".
The correct word to use is "does".
-- Tigger warning: This post may contain tiggers! --
secret numbers appearing on T-shirts in Finland in 3.. 2.. 1..
- For the complete works of Shakespeare: cat
They're in the business of national security. That's generally at odds with personal security and liberty. Those who would trust such a product from them are suckers.
--scsg
"It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A."
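The relationship the story describes, and the Appendix A fix quoted above, worked through on a constructed toy curve. This is an added example, not code from the story, from Schneier or from Shumow and Ferguson; everything in it is assumed: a curve over GF(2^31 - 1) instead of NIST P-256, 2 dropped output bits instead of 16, made-up seeds and a made-up secret e.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P_MOD); P_MOD % 4 == 3 makes sqrt cheap.
P_MOD, A, B = 2**31 - 1, 2, 3
TRUNC_BITS = 2                             # output bits dropped (real Dual_EC_DRBG drops 16)
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1
INF = None                                 # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point with this x-coordinate, or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def point_from_seed(seed):
    """Derive a point from a published seed, as the standard's Appendix A allows:
    nobody chose the point, so nobody knows its discrete log to any other point."""
    ctr = 0
    while True:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big") % P_MOD)
        if pt is not None:
            return pt
        ctr += 1


def dual_ec_outputs(state, P, Q, n):
    """Toy Dual_EC_DRBG: s <- x(s*P); r <- x(s*Q); emit r with its top bits dropped."""
    outs = []
    for _ in range(n):
        state = ec_mul(state, P)[0]
        outs.append(ec_mul(state, Q)[0] & OUT_MASK)
    return outs, state


def recover_state(out_i, out_next, e):
    """The skeleton key in action: with P = e*Q, two consecutive outputs give the
    internal state.  Each candidate x for out_i lifts to R = s*Q (R and -R share
    an x, and so do e*R and e*(-R)), and e*R = s*P is the next state.
    out_next only serves to pick the right candidate."""
    for j in range(1 << TRUNC_BITS):
        x = out_i | (j << OUT_BITS)
        R = lift_x(x) if x < P_MOD else None
        if R is None:
            continue
        next_state = ec_mul(e, R)[0]
        if (ec_mul(next_state, Q)[0] & OUT_MASK) == out_next:
            return next_state
    return None


def verify_constants(P, Q, seed_p, seed_q):
    """Appendix A style check: both constants must be reproducible from published seeds."""
    return P == point_from_seed(seed_p) and Q == point_from_seed(seed_q)


# Constructed constants.  Q comes from a published seed in both variants; only P differs.
SEED_P, SEED_Q = b"toy-seed-P", b"toy-seed-Q"
Q = point_from_seed(SEED_Q)
HONEST_P = point_from_seed(SEED_P)     # no known relation to Q
SECRET_E = 4294967311                  # prime above any group order over GF(2^31-1), so e*Q != INF
BACKDOORED_P = ec_mul(SECRET_E, Q)     # P = e*Q: the hidden relation


def predicts_future(P, e, initial_state=123456789):
    """Generate four outputs; from the first two, try to predict the last two using e."""
    outs, _ = dual_ec_outputs(initial_state, P, Q, 4)
    state = recover_state(outs[0], outs[1], e)
    if state is None:
        return False
    predicted, _ = dual_ec_outputs(state, P, Q, 2)
    return predicted == outs[2:]
```

With the seeded constants the same guess of e recovers nothing, and anyone can re-derive both points from the published seeds; with the backdoored P the generator is predictable from two outputs.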
Should use the one that is hardest to break. If the NSA thinks elliptic curves are the best, only the NSA should use it. Let's see how happy they are having their own "unbreakable" code just for them.
Personally, I wish the NSA was a bit more chivalrous when it comes to these kinds of things. If it is your **JOB** to break codes, why whine when people pick the one that is hardest to break? The rest of the world doesn't have the luxury to pick how hard their job gets to be, so why should you?
The NSA is like an anti-virus / a pharmaceutical company where a cure is only good if it's in the company's best interests. Not to say that anti-virus / pharmaceutical companies are not ethical. But there is a saying along the lines of "If you can't come up with the solution, there is good money to be made in the problem."
That's in fact the best way to defeat such backhanded efforts, if they were intentional and not due to incompetence which, thanks to chaos theory, happened to create a seemingly planned back door. Offer the skeleton key freely to the masses, disseminating it as much as possible, thereby making the encryption scheme worthless. Without people using it, it would do the NSA little good.
That's just my POV... no more, no less.
"Flyin' in just a sweet place,
Never been known to fail..."
Are you stating you are going to do that? *Dials 911 to report you and ask for a reward* :)
I smoked pot once. But I DID NOT inhale. Will you hire me?
That would explain why SELinux isn't widely used.
-- This space for lease, low setup fee, inquire within!
I don't think you can preemptively call and ask for a reward for reporting a crime yet to be committed. Just for that, I *won't* rob your bank, out of spite. ;-)
sudo eat my shorts
The NSA is spying on all telecom signals passing through the US (including this message. Hi, Dick Cheney!). Despite the Constitution's prohibitions. Why would you trust them not to make your crypto crackable?
This situation shows one of the strongest arguments for open source. Trust no one.
--
make install -not war
Sessions can be recorded and cracked later when CPU power is even more plentiful.
Encryption keys can be demanded by the government, they'll throw you in jail for not complying.
Keep your dirty laundry out of your computer.
The government doesn't think that your data is something that should be protected from unreasonable search, you shouldn't either.
Damn you!!!!
Why bother looking, when the NSA's malicious incompetence (at respecting the Constitution - they're excellent at invading privacy) is already proven beyond doubt?
Don't look for excuses where criminal convictions will do much better.
All you need are more lava lamps.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I can't be the only one who clicked on the link and was astonished to see:
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng - by Dan Shumow, Niels Ferguson, Microsoft"
Microsoft are exposing this? Are they funding the group making these kinds of claims? If this was true, wouldn't this intensely annoy the NSA to have this exposed? Am I missing something here?
- I see the disclaimer ("What we are NOT saying") where they seem to be saying - "No way did the NSA intentionally make this broken - maybe it was an errant developer and maybe they knew what they were doing", but it amounts to the same thing, surely?
'This writing business. Pencils and what-not. Over-rated if you ask me. Silly stuff. Nothing in it' - Eeyore
Go back to your xboxes idiots!
This is why encryption algorithm designers use Nothing Up My Sleeve numbers.
http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number
RNG problems in xp/2k? Isn't the POINT of encryption to defeat/make EXTREMELY difficult the work undertaken by snoops?
Maybe they need to listen to Mylene Farmer's "Fuck them all"...
"Fuck Them All" is better than any Madonna song...heheh
http://youtube.com/watch?v=3lcbkFcK-zY&feature=related
"Hey bitch, you're not on the list. You wish. You suck. You bitch. What's your name again? Hey bitch, you're not on the list. You bitch, you're not on the list. You wish. You suck, you bitch."
Well, Pardon her French.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Just look what they did with the telcos. The administration knew that it couldn't just go and force the telcos to install their drag net hardware to sweep up each and every electronic communication of ordinary Americans.
So what did they do? Instead of ordering the telcos to do it, we now know that they paid them to do it.
Would it be at all surprising if we were to find that the Bush administration also plans to pay crypto hardware manufacturers to install backdoors to allow them to better snoop on ordinary Americans' encrypted information?
If anything, I'd be surprised if they hadn't thought of this.
So, if the NSA was indeed intentionally creating a backdoor, then they were doing a disservice to the "national security" they are supposedly protecting. By allowing (encouraging, in fact) top-secret government data to be encrypted in this way, they would be making the nation's secrets quite vulnerable. By comparison, private citizens and corporations can use whatever encryption they like, regardless of NSA recommendations.
I suppose one could argue that the NSA thought that no one would figure it out, so that they (and they alone) would be able to break that encryption for all time (so that they can spy on other branches of the government?). I think a simpler explanation is that NSA just made a mistake in endorsing that algorithm, and never intended to threaten national security. Of course it will be interesting to see what position they take now that a flaw has been publicly identified.
Does the term "NSA Key" ring a bell for anyone?
It should come as no surprise that the NSA want to read your communications. The U.S.A. is the new oppressive state, shredding the constitution at lightning speed. Between spying, being labeled as an enemy combatant, Gitmo, and rendition, could someone tell me why I should fear the terrorists more than my own government?
Hell, they want prison time for copyright violation, and they haven't even ironed out an exact definition of copyright infringement. "Fair Use" is too nebulous, so almost anyone with a browser cache can be arrested and threatened with jail time. Just think about how useful this is in making people shut up about things like the Iraq war, impeachment, and the worst president ever.
Gotta go, black helicopters circling
I wish I could remember the show I saw. But the scientist (MIT, PhD scientist) was amazed at the intellect of the NSA folks who came to see him about his research. I can't remember who it was - it was a NOVA episode (but it stuck in my head because of his fear!). And after talking to friends who work with various internet security companies and defense contractors, I have to reiterate their opinion of these guys - they're really sharp. And as much as I like to disparage Government workers, these guys aren't to be trifled with.
And, as I was previewing, I noticed that the parent was moderated "Offtopic".
As an Offtopic note: 2 out of 3 down mods that I meta mod are unfair. Keep that in mind. It's really pissing me off.
I prefer Flambé as opposed to flamebait.
The NSA is a lot more competent than you think.
:-P
Go google "NSA DES" sometime.
"The NSA was embroiled in controversy concerning its involvement in the creation of the Data Encryption Standard (DES), a standard and public block cipher used by the US government. During development by IBM in the 1970s, the NSA recommended changes to the algorithm. There was suspicion the agency had deliberately weakened the algorithm sufficiently to enable it to eavesdrop if required. The suspicions were that a critical component -- the so-called S-boxes -- had been altered to insert a "backdoor"; and that the key length had been reduced, making it easier for the NSA to discover the key using massive computing power, although it has since been observed that the changes in fact strengthened the algorithm against differential cryptanalysis, which was not publicly discovered until the late 1980s."
So they made some small changes to DES... then a *decade* later, the rest of the crypto world says, "Huh. We've just done the sums and that actually made it better."
Not to say that in this case they're just screwing with the algorithm though
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
The crypto community spoke out strongly against it, and the proposal, despite having a great deal of political muscle behind it, did not fly very far. Another sensible reason for its failure to gain acceptance was that it would have had no chance of success on the international market. Even if domestic use could have been forced through legislation, let's say, no other nation with a clue would pick it up.
Parity: What to do when the weekend comes.
It's not the same thing. For a start, it's not even necessarily software. It's a mathematical algorithm.
So, yes, the implementation can be buggy, but for something like cryptography you'd at least expect the maths behind it to be rock-solid.
A lot of cryptography is based on things like the fact that it's _far_ easier to multiply two prime numbers than to find out which two large primes are the factors of a very large number. (I don't know this particular algorithm in TFA yet, so I used RSA as a simple example.) Once some maths guy has figured that out, and how it can be used, then the actual implementation in software tends to be actually very simple and straightforward. You just do one operation over and over again to encrypt the stuff, and another operation again and again to decrypt it. So even an error in the implementation is pretty inexcusable, because it's not a lot of code and you have a step-by-step description of exactly what to do.
Usually when an error in the implementation happens, it's not as much a programming bug, as the fact that (again) someone didn't understand the underlying maths and principles. E.g., I vaguely remember a disk encryption program which used a secure algorithm, but... had an invariable and huge block of known text at the beginning of it, which meant it was crackable anyway.
Anyway, to get back to the important part: it's not software, it's maths. Pure old-fashioned maths.
And... well, I'm not saying that that maths is easy. The average code monkey trying to invent encryption _will_ come up with something ridiculously easy to crack.
But I'll say this: if the best and brightest mathematicians the NSA can find, still aren't competent enough, then I'd worry about the USA. I'm not even an American, and my attitude is somewhat anti-American (or at least anti-Bush), but even I in my crankiest hour wouldn't have _that_ bad an opinion of the USA.
To put it in perspective: something like this isn't like your average piece of code that someone typed on a Friday afternoon and never bothered to test. Something like this is bound to be reviewed by at least 2-3 other pairs of eyes before it becomes an official spec. So if they simply couldn't find anyone qualified enough to review it... I'd worry. A lot.
The conspiracy theory there is actually the _far_ more flattering alternative.
A polar bear is a cartesian bear after a coordinate transform.
I'm guessing the elliptical basis PRNG was only included to allow for a checkmark to be put on a list for the requirements - "ensure there is a simple method to bypass security for agencies that have clearance to do so" or similar. This smacks of a top-down request; mathematically, it's a ludicrous concept to rely on for practical considerations, if not because of its strength then for its speed in current implementations.
More likely it can already be easily cracked.
Or maybe they know we know that and are using a double bluff? or that could be a bluff as they will know that we know what they know we will know.
I see how it could be a problem for embedded work. But on personal computers, which nowadays have tremendously abundant resources, why not use multiple algorithms and entropy sources to build your pool? (Yes, I know some systems already do this.) NSA may be able to predict one sequence, but they sure as hell can't predict a bunch of them, XORed. They'd need mathematicians to crack all the RNGs, have a camera on your lava lamp, a microphone listening to the room, a tap on your power line, etc. By the time they do all of that, they might as well have just asked you what your plaintext is.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Enough said.
I'm not saying that there isn't/wasn't an NSA-requested backdoor in Windows, however I'm sure that they wouldn't make it obvious by calling it NSAKEY (most likely, it would have been sneaked in as an undocumented API).
SHOCKING!
Funny, some dolt on Xbox Live told me to "go back to Slashdot, idiot!"
I suppose one could argue that the NSA thought that no one would figure it out, so that they (and they alone) would be able to break that encryption for all time
I think this is very poor thinking. China, Russia et al have plenty of top-grade mathematicians, and governments with the resources to throw at trying to get the prize of being able to crack US encryption. Encouraging the wide deployment of an encryption algorithm that has a backdoor is only a good idea right up until the time other people figure out what the backdoor is. The day could conceivably come where foreign governments are decrypting "secure" US traffic faster than even the NSA can?
This is why when I'm communicating with my business associates in Colombia, or reporting to my controller in Moscow... we choose to always stick with the good old one time pad.
Tiny little yellow Post-it notes still beat elliptical curves any day.
They totally got the idea from Digital Fortress.
So does that mean the NSA really does have a 3 million processor supercomputer? I find the individually soldered in by hand part hard to believe (not to mention everything else in dan brown books).
...is that they didn't get this algorithm EXACTLY right.
N.S.A. already owns the patent to DES and the whole point of that was to have a backdoor when Clipper failed to pass.
You also know that N.I.S.T. is a front for N.S.A. too right? Of course there's a backdoor.
This and other stories are available in the latest issue of DUH!
Has anyone read Digital Fortress ? All this sounds familiar !
Oh, gee, I don't know. How many countries out there can mass-produce millions of machines able to sieve RSA factors, brute force DSA keys, and generally out-compute our agencies at a fraction of the cost?
Nah.... not happening.
I said no... but I missed and it came out yes.
There is another explanation; difference of opinion between management and staff
- Management wants a backdoor in a public standard, orders their very smart math geeks to make it so
- Math geeks say it can't be done
- Management insists
- Math geeks go away and come up with something out of left field that technically fulfils the request of management, knowing its vulnerabilities. They probably tell management that their solution is the best they could do, but it still has all the following problems (slow, crypto-nerds will see through it sooner or later, etc.)
- Management hears the 'best' and 'done' part, discounts possibility of anyone outsmarting their 'uber-elite' NSA math geeks
predictable results follow.
for a change :)
Hexayurt - open source refugee shelter,
I'm not saying that there isn't/wasn't an NSA-requested backdoor in Windows, however I'm sure that they wouldn't make it obvious by calling it NSAKEY (most likely, it would have been sneaked in as an undocumented API).
If you remember clearly, you will recall that it was an accident that the information was released. Normally various symbol names are stripped from the SDK/DDK. By accident, one release had the symbols intact.
Then all sorts of bizarre explanation came out of Microsoft, my favorite was that it was a "backup key" in case the main key was "lost." I guess they hoped most people would equate losing a house key with losing an encryption key. Looking back, it wasn't so stupid because it seemed to have worked.
My new standard answer to anyone that calls me paranoid is this: If I told you that the government had secret rooms in all the telecoms that monitored all the internet activity, you'd call me paranoid, but the truth is so bad that one is justified in being paranoid.
I'm not so sure this is a bad thing or an affront to our freedoms. I know this is Slashdot blasphemy but hear me out.
When the modern phone systems were first being built, part of getting the licensing from the US government was that it would be technologically possible to tap into those lines if the appropriate warrants were filed. Same thing now with the VoIP services, and there hasn't been much of an uproar over that. This is, as far as I see it, pretty much the same thing.
Now, I'm not saying that the government is perfect or that this won't be abused (it almost definitely will be). If TFA had been about thousands of servers under NSA headquarters that monitor every byte of encrypted traffic, that would be one thing. But it is on almost the exact same level as wiretapping technology which has existed for decades.
Again, because we are talking about public algorithms. Things like this are public, open algorithms. Anyone can evaluate them, as Bruce noted. As such you can't "hide" something in there unless you are waaaay better than anyone else. If that is the case, well then why bother with any deception in the first place? This isn't a "This is a black box just trust it." It's an open algorithm and any experts can look at it, as has happened.
In my final year in CS, I wrote a lengthy paper researching various DRBGs. To my surprise, there were very few good candidates for cryptographic DRBGs, but of the 7 I looked at, Dual_EC_DRBG rated the worst. I was unable to find any theoretic proofs for Dual_EC_DRBG, but I did find a few papers exposing serious flaws in Dual_EC_DRBG including this one which describes a tractable distinguisher so efficient it can run on a modest desktop.
The other three DRBGs recommended by NIST were all reliant on the security of various other cryptographic primitives such as SHA (Hash_DRBG), HMAC (HMAC_DRBG - which is often based on SHA) and AES or 3DES (CTR_DRBG). They were all reasonably obvious, and only really tried to set out some sort of standard for jumbling the output of their respective primitives enough that they would be resilient to any unknown vulnerabilities in said primitives (though certain paths also failed to do this). This was mostly accomplished by calling the primitives several times (HMAC_DRBG with the NIST HMAC implementation called for 6 SHA hashes per SHA sized output) which isn't very efficient.
I suspect they only included Dual_EC_DRBG because it wouldn't have looked too good if they were unable to come up with a single number theoretic or otherwise novel DRBG. They shouldn't be too disappointed, however, as the only one I was able to find was Blum Blum Shub which is terribly inefficient. CryptMT (Cryptanalysis) also deserves a mention as it looks like a promising pseudo-number theoretic DRBG, at least a better candidate than Dual_EC_DRBG.
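The hash-call count the comment above gives for HMAC_DRBG can be checked directly. This is an added example, not the commenter's or NIST's code: HMAC_DRBG as specified in SP 800-90, written over a hand-rolled HMAC so that every underlying SHA-256 computation is counted; the entropy and nonce bytes are constructed.

```python
import hashlib

OUTLEN = 32       # SHA-256 digest size
BLOCK = 64        # SHA-256 block size
HASH_CALLS = 0    # number of SHA-256 computations performed so far


def sha256(data):
    """SHA-256 wrapped so the number of hash computations can be counted."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(data).digest()


def hmac_sha256(key, msg):
    """HMAC as in RFC 2104: exactly two hash computations per HMAC for short keys."""
    if len(key) > BLOCK:
        key = sha256(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha256(opad + sha256(ipad + msg))


class HmacDrbg:
    """HMAC_DRBG per SP 800-90 (reseed-counter bookkeeping omitted)."""

    def __init__(self, entropy, nonce=b"", personalization=b""):
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)

    def _update(self, provided_data):
        # HMAC_DRBG_Update: 2 HMACs when provided_data is empty, 4 otherwise
        self.K = hmac_sha256(self.K, self.V + b"\x00" + provided_data)
        self.V = hmac_sha256(self.K, self.V)
        if provided_data:
            self.K = hmac_sha256(self.K, self.V + b"\x01" + provided_data)
            self.V = hmac_sha256(self.K, self.V)

    def reseed(self, entropy, additional=b""):
        self._update(entropy + additional)

    def generate(self, nbytes, additional=b""):
        if additional:
            self._update(additional)
        temp = b""
        while len(temp) < nbytes:
            self.V = hmac_sha256(self.K, self.V)   # one HMAC per OUTLEN bytes of output
            temp += self.V
        self._update(additional)                   # back-tracking resistance step
        return temp[:nbytes]


def hash_calls_for(nbytes):
    """SHA-256 computations spent by one generate(nbytes) call with no additional input."""
    global HASH_CALLS
    drbg = HmacDrbg(b"constructed entropy input, not real randomness", b"constructed nonce")
    HASH_CALLS = 0
    drbg.generate(nbytes)
    return HASH_CALLS
```

One SHA-sized block costs 1 HMAC to produce plus 2 HMACs in the final update, so 6 hash computations; each further block adds only 2 more.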
I thought the article was saying something slightly different: The standard does have a backdoor, it's just not clear who - if anyone - holds the keys.
The safe assumption is that someone does hold the keys and therefore the standard is useless for cryptography, even though it might be just fine for other applications.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Rule of thumb: If any agency of the government in any way, shape or form has even the remotest, most tangential, most tenuous link to it, assume it has a backdoor.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
bhima's comment was alluding to the fact that while NSA designed and distributed the Dual_EC_DRBG algorithm, they had no part in the other two algorithms (that we know of) other than as an outside commentator, and thus could not put a backdoor into them. In other words 'you' referred to the NSA, not to you, a user of the algorithms.
Bug in software a US Gov't agency is promoting? (some of) Your tax dollars at work!
And then there were three.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Open source alone is not enough. In fact these algorithms ARE open source. They're even public domain standards!
Crypto is a special case. While it's true that "open source" cryptographic algorithms/protocols tend to be far safer choices than proprietary/secret/home-brew algorithms, the problem is that correctness of a cryptographic algorithm is a far stronger notion to achieve and verify than for a normal program. For a normal program "correct" implies producing the right output. In a cryptographic setting we want the "correct" output, which must be "secure". Precisely understanding the meaning of "secure" for a given app. and context is a central concern of cryptographers.
What is needed for crypto is the next step beyond open source, namely open process. That is along with an algorithm the NSA (or NIST or IBM or whoever) should be publishing a complete security definition, analysis and reasoning behind the design choices. (See The Making of Rijndael for example.)
If the NSA had provided ANSI, NIST and the public with such documentation then the problems pointed out by Shumow and Ferguson would not exist. The reasoning behind the choice of all constants would be clear to all.
On a realistic note it's not exactly likely that an organisation like the NSA would ever do such a thing. Take the case of the DES algorithm developed by IBM with help from the NSA. Only a decade later, when Eli Biham and Adi Shamir published their work on Differential Cryptanalysis, did the reasons for the choices of constants in DES become clearer. However at the time of DES's creation this (very powerful) cryptanalytic method was not known to the public. Thus by demanding open process the NSA would effectively have been required to release what was probably one of their most guarded technological advancements.
Thus since it can not be expected that the NSA adhere to open process development I think our best bet is to simply go with another algorithm which does. Like Rijndael for example...
The thirty-year-old F-15 has been "defeated" during exercises with allied powers, flying planes developed twenty-five years later that are its equal in technology, with pilots as well trained as ours.
The US free market: two halves of a government-granted duopoly are free to set the market price.
Curiously, other people in the business of national security may use this. Like the DOD, DOE, Ag Dept, FAA, Treasury, etc. For the time that the encryption method works and remains secure, federal agencies really won't have much to worry if the people signing their paychecks have access to their secure data (within reason, but that's what private networks are for).
If the second batch of numbers becomes compromised, do what comes naturally with encryption methods: pick a different set of arbitrarily large prime numbers and release build N+1.
or just U.S.?
Hardware manufacturers? How about certificate authorities?
If any of you think this is the least bit specious, the VeriSign website proudly proclaims that they will subcontract to telcos/ISPs that are ordered to eavesdrop in a "legal intercept" capacity. There is no other reason for VeriSign to be in that line of work unless they are using their ability as CA to stage undetectable MITM surveillance attacks.
Only if "National Security" meant keeping those currently in power in power. Which seems to be what the US government is for these days.
However, if "National Security" meant the security of the nation, which is the ideology in the case of the US, then there'd be no problems.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Looks like Lew Giles is running the Random Number Generation department at the NSA. :P
What does the NSA use for encryption itself, to the extent that it can be known? Part of their charter is to provide public expertise in securing information (thus, SE Linux); contributing to open standards for encryption is part of that. But when you're talking about what they actually use, that should be indicative of where real crypto strength lies.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Using the backdoor requires solving a discrete log problem. The NSA may have an actual proof of hardness for these problems putting a minimum bound on the amount of computer power required. This in turn might give them a minimum bound of a decade or so (someone really needs to check just how hard this discrete log problem turns out to be) for anyone else to discover the secret keys and they can just announce finding a security flaw in the algorithm 2 years before anyone might have found the keys.
Supposing they have separate classified advice for top secret material and this RNG will only be used on low security documents the tradeoff between an enemy potentially having access to low security information from several years ago and giving them potential access to other people's communications might be favorable.
Still, the problem with this scenario is that it seems implausible that they were ever going to get widespread adoption of this RNG outside the government. Then again many things agencies do can't be explained by smart people behaving reasonably. Maybe some mucky mucky over at the Bush admin got a bug in their britches about us helping the terrorists when they found out that they were using strong encryption the NSA had helped strengthen (like DES) and ordered them to start putting in back doors ignoring arguments to the contrary.
I can certainly see the 9/11 changed everything attitude justifying this sort of crap to some self-righteous and idiotic official.
Seriously. I read a credible article that stated that the NSA suggested a certain group of algorithms back in the 70s. At the end of the 90s a method was "discovered" to make it easier to break the algorithm. The suggested group was most resistant to the attack.
That's more than 20 years ahead. Now they suggest something and after a couple of months people find flaws in that?
The only thing I remember clearly was that no respectable security professional ever found any actual backdoor. There was only ever those six letters, nothing else.
Why not use the encryption as-is, but swap out the random number generator with something else?
I've always wondered why random number generators don't pull values from an A/D converter hooked to a white noise generator or Lorenz attractor or some such.
Weaselmancer
Ridiculous.
I think you are mistaken. It wasn't a "back door" it was an "alternate door." A fully functioning access point for the holder of the second key. Now, Microsoft's explanation makes this perfectly clear as they say, it is a "backup key in case they lose the original."
Now, you and I both know that losing an encryption key is ridiculous because it is something that can be stored on magnetic media and is something encoded in multiple applications that Microsoft uses to update Windows.
So I ask you, what is a *second* key for? Oh, and by the way, the name was leaked and it was "nsakey."
If this were NOT the NSA and encryption science in particular, I'd agree that there's a possibility for incompetence.
I've heard some stories from people who have the right background and certainly don't need to make stuff up that make me believe with certainty the back door is real.
Somewhere in a D.C. building there's a public mural/sculpture with an encrypted message in it that has yet to be decrypted after how many years of people trying????? I don't have a link, if someone would please provide one that would be great.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
No, that's what crackpots and people with an axe to grind with Microsoft claimed it was.
If you know different, please quote a reliable source. That would mean a real security researcher.
People are making something big out of this because it involves crypto, but honestly, is it so different from a case involving a physical key to a physical door?
For example, let's say the police suspect person X of murdering person Y. They have reason to believe that evidence of the crime is kept in a storage locker rented by person X. They go to court, present their evidence and get a search warrant, plus a court order requiring one or more of A) The storage locker company to open the locker rented by person X; B) Person X to turn over his own key to the police.
The storage locker company's nearest analog in the world of crypto would be key escrow, and it's no wonder people don't want it. For criminals, it would make it possible to decrypt evidence against them. For honest people, it would be a huge PITA and could also result in the revelation of confidential things totally unrelated to any crime of which they might be erroneously accused. I don't like the idea of key escrow, either. I think it would do more harm than good, overall.
What if person X has lost or destroyed his key, or lies and says he has done so? He might face jail time, since he can't prove that negative, but that probably beats the jail time for a murder conviction. What if, further, the storage company has lost its key, or person X has rendered the lock unusable by supergluing it or jamming in a key and snapping it off? A setback, but not a huge problem. Even the strongest door isn't that hard to brute-force. There are not likely to be many people complaining that person X was compelled to turn over his key and subsequently jailed for not doing so.
The only problem I have with this is that it doesn't seem to be by court order; rather, RIPA appears to allow the police to tell a suspect "Give us the key or be prosecuted for it." I believe that decision should be made by a judge. However, apart from that, I don't see a huge problem with the overall concept of being compelled to turn over a crypto key as part of a criminal investigation. It's not different than being compelled to open a storage locker.
Well, it happened a long time ago, and quoting knowledge rather than fresh research tends to lack annotation. Anyone can cite any number of sources if they google; you can too. I'm not concerned with citing some arbitrary researcher. Everything I wrote can be verified by anyone willing to use Google for 5 minutes. It is up to the reader to choose whom they believe; I'm confident that the facts are on my side.
That being said, if I told you there was a secret room run by the U.S. government in all the telcos through which all internet traffic is passed, you'd probably call me a "crackpot with an axe to grind," wouldn't you?
Kudos to Bruce Schneier for being a respected voice of reason and (seen to be) a disinterested party to critically analyze the strengths and weaknesses of what will be a backbone of computing (and, indeed, our daily lives).
If I were the NSA trying to work in a back door, instead of coming up with a subtle flaw in the algorithm, I'd get Bruce Schneier to publicly praise an algorithm known to have flaws, while simultaneously offering to pay him a gajillion bucks and threatening his family if he refuses. That would probably derail publicly available encryption for a while. ("Bruce Schneier recommends: WinCrypt Terrorist Edition!")
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
These guys have echelon. They probably are managing the puppet strings of the botnet herders. They sit on unimaginable brute force supercomputing power. And when things get difficult, they can always pick a lock, enter a home, and install a keylogger.
Consider this scenario:
A hardware vendor contracts out to a software firm to write drivers for their device. Maybe it's an ethernet card chipset. The software developer is an NSA front operation. They code a real-time keylogger that adds in keystroke data to packets going out over the wire. The packets go to the desired recipient server, but with echelon, the NSA can collect them nonetheless. Oh, but wouldn't we see this ourselves in our own surveillance of our packets? Might be that the code activates on specific targets by remote command. Man-in-the-middle altering of packets travelling from a popular website like Google heading to the target's computer triggers the hidden keylogger to reply with collected info.
Done with today's conspiracy concept.
Seth
$5 / month hosted VPS on linux = awesome!
You are the person making the claim, the job to supply proof is yours. Do it, or retract your claim.
Link at wiki the P's Kryptos
Took a bit for me to dig this up, but here ya go: In the 1984 William Tell exercise, flying F-4C Phantoms, the 123rd FIS / 142nd FIG beat out all but 2 F-15 units finishing third overall. The 123rd is an Oregon Air National Guard unit.
:-)
Not to say the F-15 isn't a fine aircraft, of course.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
in big bold letters in the presentation they have typed as their first conclusion:
"NIST intentionally put a back door in this PRNG"
which follows the line
"WHAT WE ARE NOT SAYING:"
a technique used extensively on FAUX's O'Reilly Factor and other far-right wacko dishonest outlets. Kudos to these folks for using it so well. By so forcefully NOT stating something, it is exactly the possibility they want us to consider.
Without this constant, it looks like the algorithm basically depends on the difficulty of solving the elliptic curve discrete log problem. As with most such problems used in crypto systems (like prime-factoring large numbers), it's believed to be difficult but not proven to be.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Anyone can write such a message. All you need is a one time pad generated with truly random noise. Encrypt your message, burn the pad.
Things like this have been done in the past by sampling radio noise from deep space to generate the pads. The problem is protecting and distributing the pads. In this case, that would not be a problem, just destroy it.
If the bad guys have a bomb, I think we can all agree that decrypting their plans is a good thing.
Smarter than most, with an unlimited black budget to play with, and no overseeing authority to call the shots or get in the way... and they get to carry guns and fly in black helicopters scaring people...
Hmm, forget not trifle with, where do I sign up to work with these guys?
---- Booth was a patriot ----
So the point is that everyone agrees that you're an idiot?
My blog. Good stuff (when I remember to update it). Read it.
The CIA believe in a voodoo device invented by a comic book writer to peer into men's minds and see if they are telling the truth - Wonder Woman's golden lariat was sold as a con by its writer and is called the polygraph. Court cases over unfair dismissal disputes (e.g. translators) are also giving some insight into the place and how clueless, petty and nasty some of the management is. They may have some sharp people in there, but the collective mass is a herd of dumb frightened animals that kill people in horrible ways in flawed attempts to get information (they missed the memo from the Russians, Japanese etc. that you use torture to scare people, but it's useless if you want to get information). They have not been under adult supervision since before the days of Kennedy.
The one time pad is good only if it TRULY is random noise.
If your random number generation algorithm has a backdoor in it, your random noise will become transparent, and your "One Time Pad" has become susceptible to analysis.
You are the person making the claim, the job to supply proof is yours. Do it, or retract your claim.
I have made no claims upon which the facts are in dispute.
Microsoft did claim that the "NSAKEY" was a backup key in case the original was lost. This is a well established fact. If you are too lazy to use Google for "microsoft nsakey" then live in ignorance.
Furthermore, I submit that me saying "google for 'microsoft nsakey'" is just as valid a reference as anything else I could post.
You said you'd keep it a secret!
I was asking for some proof that the whole NSAKEY deal was anything other than a storm in a teacup. Like, a single example of what kind of maliciousness it was supposed to represent.
4 8 15 16 23 42
That isn't really encryption is it. The raison d'etre of encryption is that someone else can recover the message following a defined process.
If I take a signal and add random noise to it then remove all references to the specific random numbers I won't be able to recover the original signal. That's not encryption - that's more like shredding and burning.
Standard MO in the intelligence community: find a moron with power with a predictable kneejerk paranoia, then pull the string whenever the expected response suits your interests. No doubt the NSA holds a special place in their hearts for people who conclude their posts with "period" or "'nuff said".
I was asking for some proof that the whole NSAKEY deal was anything other than a storm in a teacup. Like, a single example of what kind of maliciousness it was supposed to represent.
Show me a single example of what kind of maliciousness the secret rooms in the telcos are supposed to represent.
The issue is that the back door is there; that we *can* know. What they do with it is labeled as top secret and tucked away in an NSA database or Cheney's office safe.
Countering "Trusting Trust":
"It's interesting: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks."
January 23, 2006
http://www.schneier.com/blog/archives/2006/01/countering_trus.html
Ref.
Reflections on Trusting Trust:
http://cm.bell-labs.com/who/ken/trust.html
Truly, ALL your base is belonging, not just a little.
[firmware]
~hylas
"Mr. Potato Head? Mr. Potato Head! Back doors are not secrets!"
No, SELinux isn't very broadly used because it breaks things at unpredictable times and has exceptionally poor documentation.
That's dumb and smells suspicious to any sane person.
/dev/urandom.
You can say:
RNG() = RNG1() ^ RNG2() ^ RNG3()
Where RNG1 is the NSA RNG, RNG2 is Mersenne Twister and RNG3 comes from
Even if one of these functions is unpredictable, problem solved.
NSA may suggest a "good" RNG, but restricting the users to use ONLY that RNG and not XOR it with another RNG proves that the conspiracy theories are right.
Also, any projects that use only RNG1 prove that they are bribed/extorted.
I'm posting this from an Internet Cafe and I have to leave before they detect my carrier.
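The XOR combiner proposed above, written out as an added example (my code, not the poster's): a seeded Mersenne Twister is a constructed stand-in for a generator whose stream an adversary can reproduce, and os.urandom is the one source assumed independent of it. It also shows the two caveats a practitioner would want: XOR-ing correlated sources cancels them, and an adversary who can reproduce one source simply XORs it back out, so the construction is only as strong as the sources that adversary cannot reproduce.

```python
import os
import random
from typing import Callable

# A byte source is any callable returning exactly n bytes.
ByteSource = Callable[[int], bytes]


def xor_combine(*sources: ByteSource) -> ByteSource:
    """RNG() = RNG1() ^ RNG2() ^ ... : XOR same-length output of every source.

    The result is at least as unpredictable as the strongest source PROVIDED
    the sources are independent; XOR cannot add entropy that is not there.
    """
    if not sources:
        raise ValueError("need at least one source")

    def combined(n: int) -> bytes:
        out = bytearray(n)
        for src in sources:
            chunk = src(n)
            if len(chunk) != n:
                raise ValueError("source returned wrong length")
            for i, b in enumerate(chunk):
                out[i] ^= b
        return bytes(out)

    return combined


def seeded_source(seed: int) -> ByteSource:
    """Mersenne Twister with a fixed seed: a constructed stand-in for a
    generator whose output an adversary can reproduce (here, by knowing the seed)."""
    rng = random.Random(seed)
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")


def urandom_source(n: int) -> bytes:
    """Kernel CSPRNG, the one source assumed independent of the others."""
    return os.urandom(n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def strip_known_source(combined: bytes, known_stream: bytes) -> bytes:
    """What an adversary who can reproduce one source is left with after XOR-ing
    it back out: exactly the XOR of the remaining sources, nothing more hidden."""
    return xor_bytes(combined, known_stream)
```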
> New NSA-Approved Encryption Standard May Contain Backdoor
I am shocked, shocked, to find that an organization whose tasks include breaking other people's encryption publishes a standard that will make their lives easier.
Listen, obviously you do not wish to believe that a back door exists, and arguing with you at this point is pointless. Sometimes you don't get a "smoking gun," but instead get a lot of little facts that nevertheless paint a picture. I will leave you with these facts:
(1) An encryption key in MS Windows is labeled NSAKEY. You may dismiss this fact, but I can't believe it means nothing.
(2) Microsoft has said that this is a redundant key in case the first key is lost. We all know that is a bogus explanation.
(3) It was placed there to comply with the laws on restricted export of encryption technology.
(4) The key is for access to the encryption system, the Cryptographic API.
(5) The key is used to update the cryptography components, and we all know that if you can update one component, you can update any.
Going back to the NSA:
"Show me a single example of what kind of maliciousness the secret rooms in the telcos are supposed to represent."
This is valid because it is the same basic motive, spy on people's communications, and the same people, NSA. We *know* the NSA wants to spy on U.S. citizens. We have proof they are tapping the web in all major telcos. Why is it so hard to believe or accept that an encryption key named NSAKEY in a large government contractor's software, Windows, wouldn't be for the NSA?
That's totally on topic, everyone does it, I was just beating an actual linker to the punch... it's generally referred to as sarcasm.
> (5) The key is used to update the cryptography components, and we all know that if you can update one component, you can update any.
And what is your attack scenario for using this supposed backdoor?
> This is valid because it is the same basic motive, spy on people's communications, and the same people NSA.
You are begging the question by claiming it "the same basic motive", as you do not know the motive, and again when you say the same people, because you do not know that either.
> Why is it so hard to believe or accept that an encryption key named NSAKEY in a large government contractor's software: Windows, wouldn't be for the NSA?
Because the NSA has not traditionally been in the business of weakening encryption, but strengthening it. The wiretapping thing is by all indications a very recent development, and it has shocked many because the NSA has been so very strongly against doing that sort of thing in the past. As the NSAKEY thing happened quite some time in the past, you'd have to show that the NSA would actually want to do such a thing at that time, which by most indications they would not.
[offtopic]
I'm glad other people are beginning to notice. Some of the most interesting threads are offtopic and are especially entertaining on slow news days. If somebody posts "LOL www.goatse.cx!!1" there's always the "troll" option.
Just a rant
[/offtopic]