NSA Still Ahead In Crypto, But Not By Much

Hugh Pickens writes "Network World summarizes an RSA Conference panel discussion in which former NSA technical director Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years, but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt. 'I do believe NSA is still ahead, but not by much — a handful of years,' says Snow. 'I think we've got the edge still.' Snow added that that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. 'Now we are very close together and moving very slowly forward in a mature field.' The NSA has one key advantage (besides their deep staff of Ph.D. mathematicians and other cryptographic experts who work on securing traffic and breaking codes): 'We cheat. We get to read what [academics] publish. We do not publish what we research,' he said. Snow's claim of NSA superiority seemed to rankle some members on the panel. Adi Shamir, the "S" in the RSA encryption algorithm, said that when the titles of papers in NSA technical journals were declassified up to 1983, none of them included public key encryption; 'That demonstrates that NSA was behind,' said Shamir. Snow replied that when technologies are developed separately in parallel, the developers don't necessarily use the same terms for them."

Re:they aren't very well going to admit defeat.

[ipquickly]

We do not publish what we research

And they also do not publish what they don't research.
Or if and when they suffer or do not suffer defeat.

key areas of competition

The reality is that any private organisation will always say that their software is best or their crypto rocks the world.. There is one big difference with the NSA and that is they have very deep pockets when it comes to cracking encryption which very very few private organisations can afford. Which president would turn the NSA down if they came asking for money with a request like... 'we have managed to get xyz encrypted file that we need xyz cpu's to crack so that we can identify a leak who is selling secrets to the taliban/chinese/bob next door'.

Whatever!

[martin-boundary]

"We know Saddam has WMD, but we can't show you what we know because it's secret!". Everybody knows how that argument went in Iraq.

I'm with Shamir, the only correct response here is: "Yeah, right, whatever", not "OMGOMGOMG, the NSA cAn readz my stuffz!!1".

Frankly, I don't see how any mathematician would want to waste his talent working for the NSA.

Re:Whatever!

Exactly. The USA intelligence agencies have shown their moronity and so many occasions. I'm not sure which is their greatest hit: helping traffic cocaine into American cities to fund arms transfers to Iran OR helping Osama Bin Laden build and develop the Al-Qaeda network. The NSA/CIA/FBI might be able to catch child porn wankers and craigslist hookers but the Chinese/Israelis/Indians will eat them for lunch. Go to a computer science dept. anywhere: You will see almost all Phd students are Chinese/Jewish/Indian. The NSA makes me laugh.

Even if they could decrypt the shit they probably don't have anyone who can read whatever language it's fucking written in! Don't worry about encryption just write the shit in Bengla they won't figure out for five years...

Re:Whatever!

[martin-boundary]

Sure, I accept that the toys are great, but scientifically? It's time wasted. At some point people are going to ask what did you accomplish?

If you're a mathematician especially, you'll have nothing to show for it, and if your reports ever get published in the future, they'll be long obsolete and irrelevant.

Re:Whatever!

[jpmorgan]

Academia is not the only profession that provides job satisfaction and a sense of fulfillment. Guess what, 99.9% of the world's population lives a happy life without ever publishing anything.

Re:Whatever!

[AHuxley]

They are all learning from US books under US profs and going back home with US ideas ...
Its just the old cold war idea of get them young.
Years later your "Chinese/Jewish/Indian" is going to sit in front of a mutil billion $ contract with a local build %.
If trained in the US who do you think they will recall fondly ?
France, Italy, Brazil, Germany, Russia?
The USA hopes years of quality education will give them that "reality distortion" edge.
Then when they sign up for a few billions of $ worth of US hardware and software - its happy times in the NSA as they are now connected directly or via soft/hardware upgrades.
If not your left with the digital version of "Iranian Tomcats".
As for Al-Qaeda they have learned via CIA death squads or state sponsors not to trust tech beyond dead drop for propaganda uploads.

Re:Whatever!

[Sir_Lewk]

Who says the best always have to get their kicks off with public masturbation? While they may never be able to publish, it is also quite likely they will be exposed to concepts and ideas they never would have had the chance to be exposed to otherwise. I'm sure a very large percentage of these sorts of people are driven by a desire to self-improve.

Re:Whatever!

[elrous0]

lives may be saved by your hard work.

Considering the way the NSA has behaved in the last 9 years, I'd say it was way more likely that your work would be used to spy on innocent Americans, prop up phony wars, gather dirt on Administration political opponents, etc.

Re:Whatever!

[Bakkster]

lives may be saved by your hard work.

Considering the way the NSA has behaved in the last 9 years

You mean, considering the reports we have heard. There's a pretty obvious selection bias, in that only the illegal activities (which there certainly are, sanctioned or otherwise) will be notable enough to publish and publicize. I highly doubt that illegal activities accounted for more than 1% of work performed by the NSA (again, including both sanctioned and unsanctioned activities), let alone 51% for cryptologic work to be 'more likely' to be used illegaly.

Re:they aren't very well going to admit defeat.

[zappepcs]

It occurs to me to think that real encryption is not beatable, but workable encryption is. The problem is not who has the best or admits to not having it, it's who has best real encryption that is workable between arbitrary peers. I can easily encrypt a drive that you will NEVER decrypt, but then neither will I be able to. It's the secrecy of the key that is the quest, not the encryption particularly. Hiding the key when it is shared publicly is a problem, will always be a problem, and the race is not necessarily one brain trust against another for the best hiding technique, but rather a race to figure out the best way to hide it for a reasonable amount of time from the most people. The fastest car on the planet is not declared the Indy500 winner, only the car that conforms to the rules of the race is. This race is not winable in the long term, and only valid as a race in the very short term. Don't count on your encrypted hard drive to protect your data from everyone, for all time. That's simply not going to happen.

Crypto is only the Beginning

[introspekt.i]

Crypto's not the weak link in security anymore, nor has it been for a long time. I think the real security money now is in automated (or proven) software verification and model checking. Private industry is only beginning to understand this, and as a whole, probably will not employ it for some time to come. Why bother testing for security errors when you can prove they don't exist?

Re:the NSA has motivation

racism is not insightful

Re:they aren't very well going to admit defeat.

[Kjella]

You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zeppepcs post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

No, and there's good physical arguments to "NEVER IN ALL TIME!!!" despiate your attempts at hyperbole. Currently the best theories we got suggests there's a lower entropy limit of kT*ln 2 (the Von Neumann-Landauer limit) per operation, which is on the order of 10^-23 joule. The energy of the sun via E=mc^2 is on the order of 10^47 joule. So at most you can do is 10^70 operations but 2^256 = ~10^77. In other words you can't get through the keyspace before you run out of energy, even taking ideal assumptions.

Granted, this doesn't account for all the matter in the universe. If you include that, you probably have to move to a 384 bit key but it's still quite finite as opposed to burning through every star in every galaxy in the observable universe. Of course, this is only if you have a 256-bit cipher with no cryptological attacks. AES256 is already shown to be flawed with a strength of only 119 bits, though that too is considered practically impossible but not nearly as physically impossible. But I'm sure we will find such a cipher, it's just that we'll never know when we're there.

Re:they aren't very well going to admit defeat.

[smallfries]

While it is true that it would not be in his interest to admit if they are beat that does not imply that they are beat. And you would have to be an idiot to believe that they are. To pick up on three points from the video:

• They employ several hundred PhDs and have a budget that would make any company or university in the sector weep.
• They can read the literature and take ideas but don't have to reciprocate by publishing their work.
• They are not handicapped by inconveniences like the law when it comes to experiments on traffic analysis.

Re:they aren't very well going to admit defeat.

[Ed+Avis]

You would literally have to generate universes

Isn't that what quantum computing does?

NSA vs. PUBLIC

[muckracer]

> cryptographers for the NSA have been losing ground to their
> counterparts in universities and commercial security vendors for
> 20 years, but still maintain the upper hand in the sophistication
> of their crypto schemes and in their ability to decrypt.

Nevermind the intellectual "my code's better than yours" games
between arguably otherwise brilliant researchers.

Where the NSA certainly has 'maintained the upper hand' is in real
life versus ordinary people. The technology of surveillance has
gotten orders of a magnitude better and surrounding laws have been
adapted to make it fully legal to use that technology to the max
against The People (whereever they may be). Who in this discussion
encrypts their e-mails or uses 'sophisticated crypto schemes' as a
matter of course? At best it's maybe SSH here and there and the
occasional SSL site. The vast majority of traffic is plain-text, as
it's been since the days of papyrus. Hell, back in those days at
least only a few people could read it and thus had better privacy
than we mostly have today. Nevermind the ramifications of Facebook
and similar tools.

Mr. Shamir can engage in discussions of who developed Public Key
Cryptography first or not. It's all nonsense, because as brilliant
as the concept is, the PUBLIC has no part in it to 99.99% and
therefore we can consider it a complete FAILURE on grounds of lack
of acceptance and widespread use. Meanwhile the NSA sits back and
laughs, as their electronic tentacles filter through PUBLIC('s)
traffic...any traffic...and mostly doesn't have to bother with
breaking anything. Cuz we 'oh-so-clever' geeks have failed
miserably. If the NSA has any problem, then it's to store and
process/search through the data they get...not the acquisition.

Re:NSA vs. PUBLIC

[EmagGeek]

That's absolutely true. In addition to brute-force decryption and other methods, the NSA has discovered what scammers have known all along. You don't need to decrypt someone's stuff if they'll give you the keys themselves. It's easier to compromise someone's box and keylog their keys than it is to decrupt the information by force.

The NSA spends a tremendous amount of effort on social engineering and subversive key acquisition. Those methods are much faster and easier.

Re:Peer review?

[ServerIrv]

'We cheat. We get to read what [academics] publish. We do not publish what we research,'

That's all well and good for cryptanalysis, which is more or less provable, but for new encryption algorithms the more eyes you have looking at your algorithm the more certain you can be of its strengths. Not letting people look at your encryption algorithms seems to be relying on security through obscurity.

It isn't about security through obscurity. They are cheating because they get ideas from the academics but don't have to return the favor. It becomes a pull relationship and ignores the push.

Think of it this way (with made up stats), NSA has 40% of all available industry resources and ideas, while the academics have the remaining 60%. So, while the NSA only has 40% but gets to view 100%, while academics have 60% but are stuck at 60%. If you use your position of power to use all available resources, even ones that are not yours without allowing others access to your resources, then that is cheating.

Re:they aren't very well going to admit defeat.

[ChaosCon]

You fallaciously assume decryption will *always* require trying *every* possible key -- you could get lucky and get the correct key on the first attempt. You don't "only" need 1.15E70 seconds, you need "at most" 1.15E70 seconds.

Re:they aren't very well going to admit defeat.

[Agripa]

Are you aware that randomly generating a specific protein is much more difficult than that? I've heard a number around 1 in 10^113. That would be just ONE of the proteins we need for life.

So. Either it needs to be rethought what is actually numerically possible, or that the genetic make-up of life was guided by chance.

But that is randomly generating a specific protein without working from an earlier protein. Asimov called that the hemoglobin number and used it as an example of why evolution could not work using blind chance. Hemoglobin is just part of a family of proteins called globins and the actual differences among them are relatively small. The evolution of hemoglobin did not happen by chance all in one step but by accumulating change via many much smaller steps from an existing protein.

Strong cryptographic algorithms are specifically designed to be resistant to the type of analysis which would allow you to derive parts of the key until you have the whole thing. Either you have it all, or you have nothing. Evolution of proteins does not work that way.