Ask Slashdot: Can We Still Trust FIPS?
First time accepted submitter someSnarkyBastard writes "It has already been widely reported that the NSA has subverted several major encryption standards but I have not seen any mention of how this affects the FIPS 140-2 standard. Can we still trust these cyphers? They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself right?...Right?"
Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.
How could anyone trust an encryption algorithm provided by an organization whose purpose is decryption and interception? That will always be the craziest part.
http://www.nsa.gov/ia/programs/suiteb_cryptography/
AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. Until the conclusion of the transition period defined in CNSSP-15, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.
AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.
NSA also defined another algorithm suite, Suite A, which contains both classified and unclassified algorithms. Suite A will be used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).
Given the chance, of course the government would backdoor itself. If the government isn't the origin of the idea that the left hand doesn't know what the right hand is doing, it is at least the poster child. The only real question would be whether they've yet succeeded.
...what are the alternatives? Rolling your own crypto won't work well. Unfortunately answers to this question can only be speculation. I wouldn't be extremely paranoid, but still it depends what you are trying to protect.
AES is still safe---even with $1 billion worth of custom chips (think GPUs only much, much faster) the keyspace is still very large.
What is not safe is end-point security, which is the part where you write your password on a post-it note stuck to the back of your monitor, or choose your password as "12345". They can brute force that. Heck, the guy living next door to you can brute force that with his video card.
I don't trust anything or anyone anymore. Needless to say I am much happier and feel much safer.
With them openly tampering with implementations of things basically using the Suite-B set (IP-Sec, being one of them...), can you even TRUST the stuff? They appear to be of the impression that they can hide stuff so that they can do easy intercepts without disclosing the vulnerabilities. With that mentality, are you *SURE* that there's not something deliberately placed in the mix for their benefit within Suite-B?
This really isn't possible without Portal technology.
No, and you never actually should have trusted it. None of us did, we all stopped using it the moment the NSA advocated it, just like we stopped trusting every single crypto standard and favorite security tool they promoted, merely because they promoted it so suspiciously, long long before it was public knowledge the agency had gone rogue.
It still makes me chuckle when I hear people worryingly speculate whether SELinux has backdoors. SELinux doesn't have backdoors, SELinux IS A BACK DOOR!!! *Actually read the instructions* for configuration of this tool and you'll see what I mean. It's security-through-obscurity at its worst. At best you can increase the illusion of security to untrained staff members. Anyone who has read the manual though knows there's one command anyone can use to gain root access more easily than if SELinux had not been enabled or installed.
Trust was assumed on the basis that the NSA would not unreasonably jeopardise its protection mission by furthering its interception mission. This trust was apparently misplaced: it has.
As you will actually see if you look at the documents, the NSA used the NIST analysis process under FIPS 140-2 certification to find ways to secretly attack and subvert the implementation of submitted cryptographic modules, including standalone modules, cards, hardware tokens, and software cryptographic modules, including both closed-source and open-source software. There are indications that suggestions relayed by NIST from the NSA to "strengthen" such modules may not always have been made in good faith in recent years. Subtle RSA padding mode attacks and random number generators were particular areas chosen to backdoor. Look out for them.
In particular, note that DSA and ECDSA require strong random numbers for every single signature - they are critically weak if the numbers are repeated, and weak if predictable. It may be worth exploring what subtle effects a weaker random number generator might have. The cynic may suggest that those signature schemes were chosen by NSA precisely because of their reliance on strong random numbers for every signature - not all signature schemes have this requirement (RSA does not, neither does Ed25519).
The NSA has definitely suggested weak and backdoored standards, such as MQV (formerly in Suite B) and Dual_EC_DRBG; its personnel, originally via Certicom, were responsible for suggesting the SECP/NIST elliptic curve groups. It is notable that the "verifiably random" curves in fact do NOT have verifiably random seeds - there are no nothing-up-my-sleeve numbers, it seems that the seeds were chosen after a search of some kind. We do not know the criteria of that search, and they may be weak to an obscure, little-known attack, or they may be strong to it. They strengthened DES, but their priorities seem to have shifted since then.
Other elliptic curves, such as Ed25519, have been produced by individuals in the public academic crypto sphere, and as such their origins have been subject to more scrutiny. Schneier suggests (as he always has) that elliptic-curve crypto is still too new to trust - particularly given that the NSA did much of the initial research and it now seems that their integrity cannot be trusted as far as you can throw them, that seems well-founded. RSA is still good for now, but perhaps we should move above 2048 bits soon, to 3072 or 4096.
For hash functions, the prudent may wish to choose Skein, one of the SHA-3 finalists, rather than the NSA/NIST-blessed Keccak. Its software performance is almost twice as fast and it seems more traditionally-designed. One wonders why the NSA chose Keccak. Perhaps their stated reason (that the sponge construction is the most unlike SHA-2) is truthful, perhaps it is a lie. We don't know.
For symmetric crypto, AES-128 is still good and no powerful attacks are known. Maybe the round count is a little lower than we'd like long-term. AES-256 doesn't buy us any more security, in truth, due to a meet-in-the-middle attack - it needs more rounds. TWOFISH-256 might do better, but it's hard to cast a crystal ball into the future...
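The point above about DSA and ECDSA needing a fresh, unpredictable nonce for every signature can be made concrete with a toy DSA. The following is an added example, not code from the comment's author: it builds a constructed small DSA group, signs with an explicit nonce k, and then shows two defensive measures. An audit function flags any two signatures over different messages that share the same r (r depends only on k, so a shared r means a reused nonce), and a deterministic nonce derived from the private key and message hash with HMAC-SHA256 (in the spirit of RFC 6979, simplified rather than the exact RFC procedure) removes the signer's dependence on an RNG for k altogether. The ~31-bit q, the parameter search and the messages are all assumptions chosen for readability, not production values.

```python
"""Toy DSA: nonce-reuse detection and deterministic nonces (added example).

Constructed toy parameters (~31-bit q); not for real use.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for generating toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params(q=2**31 - 1):
    """Constructed DSA group: prime q, prime p = m*q + 1, g of order q mod p."""
    m = 2
    while not is_probable_prime(m * q + 1):
        m += 2  # keep m even so p stays odd
    p = m * q + 1
    h, g = 2, 1
    while g == 1:
        g = pow(h, (p - 1) // q, p)
        h += 1
    return p, q, g


def hash_mod_q(message, q):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def sign(params, x, message, k):
    """DSA signature with an explicit nonce k; the caller decides how k is made."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_mod_q(message, q) + x * r)) % q
    if r == 0 or s == 0:  # negligible for real q; real code retries with a new k
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(params, y, message, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_mod_q(message, q) * w) % q
    u2 = (r * w) % q
    return ((pow(g, u1, p) * pow(y, u2, p)) % p) % q == r


def deterministic_k(x, message, q):
    """Nonce from HMAC-SHA256(private key, message hash), RFC 6979-style
    (simplified, not the exact RFC algorithm). Same key and message give the
    same k; different messages give different k; no RNG is consulted."""
    h = hash_mod_q(message, q)
    counter = 0
    while True:
        mac = hmac.new(x.to_bytes(32, "big"),
                       h.to_bytes(32, "big") + counter.to_bytes(4, "big"),
                       hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % q
        if k != 0:
            return k
        counter += 1


def find_nonce_reuse(signatures):
    """Defensive audit over (message, (r, s)) pairs: an r shared by signatures
    on different messages means the nonce was reused, which exposes the key."""
    seen = {}
    for message, (r, _s) in signatures:
        seen.setdefault(r, set()).add(message)
    return sorted(r for r, msgs in seen.items() if len(msgs) > 1)


def demo():
    params = toy_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    m1, m2 = b"constructed message one", b"constructed message two"
    stuck_k = secrets.randbelow(q - 1) + 1  # models an RNG that repeats its output
    reused = [(m, sign(params, x, m, stuck_k)) for m in (m1, m2)]
    safe = [(m, sign(params, x, m, deterministic_k(x, m, q))) for m in (m1, m2)]
    return {
        "all_verify": all(verify(params, y, m, s) for m, s in reused + safe),
        "reuse_detected": find_nonce_reuse(reused),  # one shared r flagged
        "safe_reuse": find_nonce_reuse(safe),        # nothing flagged
    }
```

All four signatures verify, so a verifier alone cannot tell a good signature from one made with a repeated nonce; only the batch audit or the deterministic construction catches or prevents the problem.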
oyu-ay eytpea ina igpay atinlay.
There isn't really anything better out there. The "standard" cryptographic algorithms like AES, SHA-2 and RSA have received the most public scrutiny by far.
If you think the NSA can break those, you have to ask why they can't break whatever other, less tested primitive you are proposing we use instead.
You probably want to use longer key lengths than the minimum recommendation anyway, especially for public key cryptography - it's cheap.
Specifications with magic numbers are more suspect, but this has been known for a long time. You could use elliptic curves that weren't chosen by the NSA, like Curve25519.
nah in Government all the arseholes go in via the front door.
No
For the other 99% of us that aren't encryption specialists, a list of what software, services, and websites use which encryption method and whether or not it's known to be broken/back doored might be more helpful. I'm even a software programmer and I don't know what uses FIPS and what uses AES and what specifically uses the Dual_EC_DRBG algorithm.
FIPS is a financial and government-facing certification. FIPS guarantees correct implementation of cryptographic protocols according to a set of standards. It does not guarantee that there are no undiscovered (or backdoored) weaknesses in your implementation. This is still a useful function to entities that require this certification. Corporate liability and loss due to getting hacked because of incorrect cryptographic implementation is orders of magnitude greater than liability and loss due to getting exposed NSA backdoors. It is all about risk management, and it says FIPS is still a good idea.
Now, if you want personal security this equation changes a bit - the possibility of personal harm due to hypothetical NSA backdoors goes slightly up and your likelihood of getting targeted to get pwned goes drastically down. FIPS is still likely a net benefit, but diminished.
Keep in mind that there is no such thing as perfect security. You have to ask, how likely is it that this specific implementation was backdoored by the NSA and what is the worst possible outcome of such an occurrence?
"Up to Top Secret" does not include Sensitive Compartmented Information (SCI). The ciphers under discussion, backdoored or not, are not suitable for use on SCI.
Exactly and so the logical way to achieve both of these at the same time is to tell everyone to use an encryption standard which only you have the back door to...since "you" are obviously a good guy.
The FIPS 140-2 standard is for "protecting sensitive but unclassified information". It is not for top secret. Also the body of the FIPS 140-2 standard is algorithm agnostic. The part that mandates specific algorithms is Annex A and can be updated to add and remove algorithms without changing the standard.
In terms of how bad the situation actually is.... I refer to Bruce:
The math is good, but math has no agency. Code has agency, and the code has been subverted.
Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.
Probably not. The NSA is not just concerned about wiretapping you and foreign governments. They are very concerned about foreign governments getting US government secrets. They would only consider back dooring the methods they use if they could be highly confident that it wouldn't help foreign governments crack their codes.
They backdoor themselves with increasing frequency (Manning, Snowden).
That's the good news.
The thing that makes them awesome is their budgets and power. And weak dicks that populate politics these days. They are hard to kick out. That's the bad news.
Now get involved.
Have a nice day.
sudo su
you still need a password though
Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.
You're right but not the way you are thinking. The NSA is the boss. It knows enough of elected officials to keep them in check. The NSA allows the three branches of government to "run" the country as long as they keep funding the NSA and never interfere with its doings.
Well, ok, even the NSA has a boss. Just a few hours ago it was reported on Slashdot that the NSA offers everything it knows on a silver platter to Israel.
For example, they strengthened DES against differential cryptanalysis when they were the only ones who knew about the technique.
Based on what I understand of the FIPS process (which is little, admittedly), the whole exercise to put your crypto under the microscope results in eliminating a number of coding mistakes and implementation problems. So even if the algorithms themselves are potentially weakened (we don't know), a FIPS approved product that's had 3rd party scrutiny is probably still better off than one that wasn't, due to cleaning up implementation issues with the keys, random numbers and algorithms.
So the NSA most likely knows what kinds of backdoors they could insert that can't be exploited by other nation-states. So yes, they most certainly could backdoor it.
Liberty in your lifetime
It seems like the encryption of Tor - any version including the latest- cannot be trusted. Anyone know?
As long as they were confident the backdoor remained unusable by anyone else, sure.
Can you trust anything from the NSA and any number of other three letter agencies?
ASCII stands for "American Standard Code for Information Interchange". Since this is an American standard, then the whole encoding scheme probably contains a backdoor that allows the NSA to read all information encoded in it. We can't trust EBCDIC either as IBM is a contractor for the NSA, they would insert a backdoor as well. I think for maximum online privacy we should be using Unicode which shouldn't contain an NSA backdoor because it is an international standard. The American government has no interest in following or creating international standards.
Unfortunately Slashdot does not support Unicode, so one should now safely assume that Slashdot is an NSA honeypot.
I have no doubt that FIPS 140-2 is fully available to the NSA. The official story is probably so they can monitor or prevent espionage. Also the NSA has political interests in terms of knowing what its opponents within the government are doing. If the NSA had adequate supervision this wouldn't be allowed but they don't have adequate supervision. So there you are.
Minus physical assault, it's getting to be the only way to transport anything securely.
How long, Nimbus, will you abuse our patience?
One might build software that divides text into two files with every other bit going to the other file. Two sending units send the material to two addresses from two addresses. On the receiving end the tennis shoe method is used to deliver both halves to the third party who has the software to decode each half and recombine the bits into a coherent message. It might be next to impossible to break but if it is not next to impossible then divide the original into three files and send the bits and receive the bits just as with the two file plan. It should be impossible to break.
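The "every other bit to a second file" scheme above can be tried out directly. The following is an added example, not code from the comment's author: it implements that bit-interleave split, puts a 2-of-2 XOR split (one share uniformly random, the other the plaintext XORed with it) beside it, and adds a check of what an observer holding only one share can rule out. For the interleave, a share is half of the plaintext bits verbatim, so any candidate message whose even-numbered bits differ is ruled out; for the XOR split every candidate of the right length remains consistent with the share, so a single share carries no information about the message. The sample message is constructed.

```python
"""Bit-interleave split versus 2-of-2 XOR split (added example, constructed input)."""
import secrets


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def interleave_split(data: bytes):
    """Even-numbered bits go to share A, odd-numbered bits to share B."""
    bits = to_bits(data)
    return bits[0::2], bits[1::2]


def interleave_join(a, b):
    bits = [0] * (len(a) + len(b))
    bits[0::2], bits[1::2] = a, b
    return from_bits(bits)


def interleave_consistent(share_a, candidate: bytes):
    """Could `candidate` be the plaintext, given only share A? Only if its
    even-numbered bits match exactly: share A is those bits in the clear."""
    return interleave_split(candidate)[0] == share_a


def xor_split(data: bytes):
    """2-of-2 secret sharing: share A is uniform random, share B = data XOR A."""
    a = secrets.token_bytes(len(data))
    b = bytes(x ^ y for x, y in zip(data, a))
    return a, b


def xor_join(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_consistent(share_a, candidate: bytes):
    """Given only share A, is `candidate` a possible plaintext? For every
    candidate of the right length there is a share B (candidate XOR A) that
    reconstructs it, so one share rules out nothing."""
    if len(candidate) != len(share_a):
        return False
    b = bytes(x ^ y for x, y in zip(candidate, share_a))
    return xor_join(share_a, b) == candidate


def demo():
    message = b"constructed sample message"   # constructed input
    decoy = bytes(len(message))               # all-zero candidate of equal length
    a, b = interleave_split(message)
    xa, xb = xor_split(message)
    return {
        "interleave_roundtrip": interleave_join(a, b) == message,
        "interleave_rules_out_decoy": not interleave_consistent(a, decoy),
        "xor_roundtrip": xor_join(xa, xb) == message,
        "xor_rules_out_decoy": not xor_consistent(xa, decoy),
    }
```

Running `demo()` shows both schemes reconstruct the message from two shares, but only the interleave lets a holder of one share discard candidate plaintexts; this is the difference between a transport trick and an actual threshold scheme, and the XOR variant is the one to generalize if the sneakernet delivery of shares is what the scheme relies on.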
A retired General, not Admiral, Paul Van Riper was in charge of the Red Team.
http://en.wikipedia.org/wiki/Millennium_Challenge_2002
While the military definitely has its head up its ass over this, I read somewhere, I don't remember where now, that the charges of cheating did have some merit. It would be things like that the motorbike couriers would arrive instantly and various other guerrilla tactics would always work and happen faster than was realistic, etc.
boldly going forward, 'cause we can't find reverse
Don't be so quick on the trigger, I think there was a xxx vid titled "Hermaphroditic Dreams" or something like that...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
The question here doesn't make sense does it? FIPS is a certification not an algorithm. It's like asking if my soundsystem that was THX certified would still be any good if we found out their CEO was a crook. AES-256, Serpent, Twofish, etc... are all algorithms but only a few got FIPS certification.
On top of that, from all the articles I read, the NSA isn't actually cracking these protocols, they're using passwords and certificates gleaned from other sources as seed for cracking.
Finally, if you wanted to make sure there was no back door, you could always download the source of an open source project like TrueCrypt and compile it yourself after doing a code review.
Just food for thought...
Yeah but they wouldn't shoot themselves in the foot by giving out unbreakable encryption to the people they are trying to spy upon.
If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.
We've seen the level of "thought" that goes into these decisions. I doubt anyone with decision-making authority ever considered that weakening encryption so the NSA could get in more easily would also make it easier for criminals to get at the same information.
#DeleteChrome
This is the wrong place to ask, "ask slashdot" is also controlled by the NSA. ./
They have been spending years building cover identities and collecting karma, so they can control
And that's why this post is going to be modded down, see, I told you so!
As of Postgres v6.2, time travel is no longer supported.
FIPS certification is only available for systems that implement modest key lengths. Many of the approved algorithms are designed to support much greater key length, but longer keys are not allowed by the specs. FIPS won't certify 'em. It's a pretty safe guess that the allowed key lengths are such that the NSA can break them if needed using custom hardware or whatever else quasi-unlimited money can buy. Remember 20+ years ago when the gov't regulated all crypto as a munition? They still allowed low-bit encryption because they knew they could break it. They're still playing that game, except now it's done with standards and certifications instead of laws.
You really don't want to start making up your own ad hoc crypto. Approved algorithms have been extensively vetted by honest experts; any possible weaknesses would be very, very subtle. Using approved algorithms with non-standard "ridiculous" key lengths is probably the safest workaround to suspected weaknesses until... on second thought, key lengths much greater than the gov't "recommends" will always be a good idea! Keep in mind that any weaknesses in crypto algorithms would merely make them easier to break, but breaking still requires huge resources and takes time. Longer keys kick up that effort exponentially to the point that very probably nobody can break them in a useful time frame, provided that implementations are reliable and trustworthy.
As close as you can come to trusting something like the NSA, but yes.
Most people see the NSA as a pure spy agency, but that's not true. It has two jobs. One, to spy on everything else and two, to make sure nobody spies on the US.
They employ enough smart people to understand that if they can break it, so can someone else.
If you are really concerned, you should check the implementation. Past experiences show us clearly that it is a lot easier to put backdoors there. And it has the advantage that if the enemy finds them, you can fix them.
Or, more likely, you use a different, backdoor-free implementation internally.
Assorted stuff I do sometimes: Lemuria.org
You carry all the keys to your own house. The US considers the Internet to be its own house, but it lets the other kids in the global village play there, even the ones it thinks are smelly, that way it can keep an eye on them. So of course it has backdoors. The US State Security has nothing to fear from the US State and vice versa. But woe betide the people if they wish to change the State. That is NOT allowed. The State Security will find you and stop you. That is its job, to protect the State from the people, wherever they might come from.
As far as the State is concerned, Everyone (including all Americans) is a potential "bad guy". The NSA is there to protect the US State, NOT the US people. They get included in this "protection" only because they are baggage the State needs to exist, a bit like a pack of sandwiches. People are the consumables that the State runs on.
the algorithms have a lot of peer review independent of the NSA and the NSA had little input in their design (though may have significant input in the selection of those algorithms that got standardized).
Though the NSA probably has better methods for attacking common cryptographic algorithms either using undisclosed weaknesses or more likely custom hardware, it seems likely the NSA can not easily crack these algorithms.
The simplest thing to do is to pick a larger key length which will give you more of a security margin.
Some implementations have also been peer reviewed, and though one can probably hide a side channel leakage in a peer reviewed implementation, hiding something more sinister while keeping the algorithm operating per the spec may be difficult.
They are another arm of the US State:
NIST asserted that its purpose was to protect the federal government first: “NIST’s mandate is to develop standards and guidelines to protect federal information and information systems..."
It is an agency of the US Department of Commerce.
There have been significant (and classified) breakthroughs with elliptic curve cryptography, via advances wrt Weil pairings. Don't trust it. It will not stand up to analysis like the RSA / discrete logarithm / factoring based cryptosystems have over 30 years.
They weakened Lotus Notes by allowing the NSA to know some of the bits of secrets: http://www.heise.de/tp/artikel/2/2898/1.html
So yeah they could backdoor US stuff.
So trusting ANYTHING which has to do with the US government is a mistake.
Frankly anyone who even _asks_ such a question as "can the government be trusted" is a fool.
If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.
It's the "nobody else" part which is very hard: the NSA are not the only one playing this game. In fact, the FSB (formerly KGB, formerly Cheka) has been at this game (mass surveillance including on its own population) for much longer than the NSA.
Take a real, known example: the NSA discovered differential analysis as a method to help break ciphers. They kept it a secret. What happened:
- First they developed ciphers resistant to it (DES). They made a part, the controversial S-Box, specially to make the cypher resistant to differential analysis, but didn't give any explanation about why this part was there (because they wanted to keep the analysis secret). It might show a tendency for the NSA to try to keep things secure.
- Second, differential analysis was later independently discovered by academics. If big brains at the NSA can discover a method, the same method is available to discover for any other similar big brain (except maybe the academia has less money and thus probably hires a smaller number of sufficiently bright researchers, thus is a bit slower to make their own independent discovery).
Now to go back to your example of "weak point that we're the only one knowing about it":
- If this weak point has been discovered, that means that there is enough knowledge accumulated in the field of cryptology to make this discovery possible, provided that bright enough researchers put their efforts at it. The "adversaries" have access to the same knowledge at the beginning. They can (and probably will) make the same chain of discoveries that lead to discovering the weak point. Maybe academia can't afford having the necessary geniuses on their payroll. But what about the FSB and the MSS which are known to have massive resources thrown at them by their respective governments? What makes you think that they won't also hire similarly intelligent people? They will and these researchers will eventually discover the same weakness.
- So probably the maths behind the current crypto technology is more or less sound. If it wasn't, the NSA would be at risk of not being the only service with knowledge about it. In fact a given weakness could have been discovered even before by another entity, and the US could already have been eavesdropped on.
- Even so, breaking maths is hard. There are much more low hanging fruits in the form of social engineering. Gain the confidence of a company (by planting undercover agents working as security experts at critical positions), and plant hidden bugs that could be exploited. The crypto method should be secure, but the actual implementation is botched in a way that could be exploited by the NSA, while at the same time they can use a "fixed" version. Most of the current Snowden & co revelations tend to show that this is the dominant strategy adopted until now.
So to get back at the current ask slashdot:
Be confident in the algos themselves. If most security experts (the kind which have a good understanding of the maths involved) agree that a method still seems secure, chances are, the method *IS* secure.
Be suspicious of the implementation you're running. If you're running some proprietary binary code, or worse a hardware blackbox implementation (the suspicion about some random number generators), it's very hard to know if the thing is doing exactly what it should or if there isn't an exploitable bug or tweaked constant (the suspicion about some elliptic curves) or the thing outright containing a backdoor because it has to comply with local wiretapping law (as the Skype EULA is indirectly telling).
Open source is slightly less likely because the code is in the open, and someone would eventually end up discovering the bug (see the Debian key generation bugs in the recent past). Even the theoretical attack against the compiler could end up being spotted.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]