Ask Slashdot: Can We Still Trust FIPS?
First time accepted submitter someSnarkyBastard writes "It has already been widely reported that the NSA has subverted several major encryption standards, but I have not seen any mention of how this affects the FIPS 140-2 standard. Can we still trust these ciphers? They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself, right?...Right?"
http://www.nsa.gov/ia/programs/suiteb_cryptography/
AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. Until the conclusion of the transition period defined in CNSSP-15, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.
AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.
NSA also defined another algorithm suite, Suite A, which contains both classified and unclassified algorithms. Suite A will be used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).
Trust was assumed on the basis that the NSA would not unreasonably jeopardise its protection mission by furthering its interception mission. This trust was apparently misplaced: it has.
As you will actually see if you look at the documents, the NSA used the NIST analysis process under FIPS 140-2 certification to find ways to secretly attack and subvert the implementation of submitted cryptographic modules, including standalone modules, cards, hardware tokens, and software cryptographic modules, including both closed-source and open-source software. There are indications that suggestions relayed by NIST from the NSA to "strengthen" such modules may not always have been made in good faith in recent years. Subtle RSA padding mode attacks and random number generators were particular areas chosen to backdoor. Look out for them.
In particular, note that DSA and ECDSA require strong random numbers for every single signature - they are critically weak if the numbers are repeated, and weak if predictable. It may be worth exploring what subtle effects a weaker random number generator might have. The cynic may suggest that those signature schemes were chosen by NSA precisely because of their reliance on strong random numbers for every signature - not all signature schemes have this requirement (RSA does not, neither does Ed25519).
The NSA has definitely suggested weak and backdoored standards, such as MQV (formerly in Suite B) and Dual_EC_DRBG; its personnel, originally via Certicom, were responsible for suggesting the SECP/NIST elliptic curve groups. It is notable that the "verifiably random" curves in fact do NOT have verifiably random seeds - there are no nothing-up-my-sleeve numbers, it seems that the seeds were chosen after a search of some kind. We do not know the criteria of that search, and they may be weak to an obscure, little-known attack, or they may be strong to it. They strengthened DES, but their priorities seem to have shifted since then.
Other elliptic curves, such as Ed25519, have been produced by individuals in the public academic crypto sphere, and as such their origins have been subject to more scrutiny. Schneier suggests (as he always has) that elliptic-curve crypto is still too new to trust; particularly given that the NSA did much of the initial research, and that it now seems their integrity cannot be trusted as far as you can throw them, that seems well-founded. RSA is still good for now, but perhaps we should move above 2048 bits soon, to 3072 or 4096.
For hash functions, the prudent may wish to choose Skein, one of the SHA-3 finalists, rather than the NSA/NIST-blessed Keccak. Its software performance is almost twice as fast and it seems more traditionally-designed. One wonders why the NSA chose Keccak. Perhaps their stated reason (that the sponge construction is the most unlike SHA-2) is truthful, perhaps it is a lie. We don't know.
For symmetric crypto, AES-128 is still good and no powerful attacks are known. Maybe the round count is a little lower than we'd like long-term. AES-256 doesn't buy us any more security, in truth, due to a meet-in-the-middle attack - it needs more rounds. TWOFISH-256 might do better, but it's hard to cast a crystal ball into the future...
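The point made above about DSA and ECDSA needing a fresh, unpredictable nonce for every signature is easy to see in code. The following is an added example, not code from the original discussion or from any commenter: a schoolbook DSA over toy parameters (64-bit q, 128-bit p, far below real-world sizes, generated from a fixed seed so the demo is repeatable), a platform-RNG nonce source, a deterministic nonce derived from the private key and message (a simplified HMAC construction in the spirit of RFC 6979, not the RFC's exact algorithm), a model of a stuck RNG, and a checker that audits a batch of signatures for repeated r values, which is exactly the symptom of a repeated nonce. All messages are constructed for the example.

```python
import hashlib
import hmac
import random
import secrets


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test with random bases from rng."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(seed=1234, qbits=64, pbits=128):
    """Toy DSA parameters (p, q, g): q | p-1, g of order q. Seeded so the demo repeats;
    assumption: sizes chosen for speed, not security."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        m = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = q * m + 1
        if is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            break
    return p, q, g


P, Q, G = gen_params()


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key
    return x, pow(G, x, P)                    # (x, y)


def sign(x, msg, nonce):
    """nonce(x, msg) -> k in [1, Q-1]; returns (r, s). Every signature needs a k that is
    unpredictable and never repeated across different messages under the same key."""
    k = nonce(x, msg)
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_to_int(msg) + x * r)) % Q
    if r == 0 or s == 0:                      # probability about 2^-63 with these parameters
        raise ValueError("degenerate signature, retry with a fresh nonce")
    return r, s


def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_to_int(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def random_nonce(x, msg):
    """Nonce from the OS CSPRNG: fine as long as the RNG really is strong."""
    return secrets.randbelow(Q - 1) + 1


def deterministic_nonce(x, msg):
    """Nonce derived from the private key and message hash, so signing does not depend on the
    platform RNG at all (simplified construction; assumption: not RFC 6979's exact derivation)."""
    mac = hmac.new(x.to_bytes(32, "big"), hashlib.sha256(msg).digest(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1


def stuck_nonce(k):
    """Model of a broken or backdoored RNG that returns the same k every time."""
    return lambda x, msg: k


def find_nonce_reuse(signed):
    """signed: iterable of (msg, (r, s)) made under one key. Returns (msg_a, msg_b) pairs whose
    signatures share r, which means they share k: the fatal condition for (EC)DSA."""
    seen, hits = {}, []
    for msg, (r, _s) in signed:
        if r in seen and seen[r] != msg:
            hits.append((seen[r], msg))
        seen.setdefault(r, msg)
    return hits


if __name__ == "__main__":
    x, y = keygen()
    msgs = [b"constructed message one", b"constructed message two"]
    good = [(m, sign(x, m, deterministic_nonce)) for m in msgs]
    bad = [(m, sign(x, m, stuck_nonce(12345))) for m in msgs]
    print("all verify:", all(verify(y, m, s) for m, s in good + bad))
    print("reuse in deterministic batch:", find_nonce_reuse(good))
    print("reuse in stuck-RNG batch:", find_nonce_reuse(bad))
```

Running the checker over a batch of signatures made under one key is a cheap audit for the failure mode described above: any shared r across distinct messages means the nonce repeated, whatever the RNG claimed about itself. Deriving the nonce from the key and message removes the dependence on the signing-time RNG, which is why deterministic schemes are preferred where the platform RNG cannot be vouched for.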
FIPS is a financial and government-facing certification. FIPS guarantees correct implementation of cryptographic protocols according to a set of standards. It does not guarantee that there are no undiscovered (or backdoored) weaknesses in your implementation. This is still a useful function for entities that require this certification. Corporate liability and loss due to getting hacked because of an incorrect cryptographic implementation is orders of magnitude greater than liability and loss due to exposed NSA backdoors. It is all about risk management, and it says FIPS is still a good idea.
Now, if you want personal security this equation changes a bit: the possibility of personal harm due to hypothetical NSA backdoors goes slightly up and your likelihood of getting targeted to get pwned goes drastically down. FIPS is still likely a net benefit, but diminished.
Keep in mind that there is no such thing as perfect security. You have to ask: how likely is it that this specific implementation was backdoored by the NSA, and what is the worst possible outcome of such an occurrence?
For example, they strengthened DES against differential cryptanalysis when they were the only ones who knew about the technique.
Bzzzt! Wrong! OpenSSL jumped through the hoops and has a FIPS 140-2 version.
Learning HOW to think is more important than learning WHAT to think.