Slashdot Mirror


Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."

168 comments

  1. serpent by johnjones · · Score: 2, Insightful

    mathematics depts are interesting things...

    I personally trust in S-boxes

    regards

    John Jones

    1. Re:serpent by aaaaaaargh! · · Score: 1

      Why is the parent post modded offtopic?

      Serpent is not a bad choice, it has a conventional design with a large safety margin (32 rounds).

    2. Re:serpent by sjames · · Score: 1

      NSA sock puppets with mod points?

      Mods didn't know enough about crypto?

    3. Re:serpent by Anonymous Coward · · Score: 0

      My money's on puppet accounts.

  2. I thought that AES *was* independently designed? by K.+S.+Kyosuke · · Score: 1

    Or is it the case that NIST has a branch in Belgium?

    --
    Ezekiel 23:20
    1. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 5, Informative

      The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

      https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

    2. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      I thought you didn't follow the news, seems I was right.

    3. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      You're right. TFS sucks.
      Also, Skein is not a cipher, but a hash function.

    4. Re:I thought that AES *was* independently designed? by Joce640k · · Score: 2

      The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

      Not 100% true. The NIST only messed with the 192 and 256 bit versions. Guess what? They turned out to be weak (and everybody knows about it).

      If you're truly paranoid you could use Triple-DES instead of AES, but there's no good reason not to trust 128-bit AES; it's one of the most analyzed/studied algorithms ever.

      Block ciphers like AES can also be used as hash functions. SHA-n isn't really needed except for efficiency reasons (block cyphers are slower).

      --
      No sig today...
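Added example (not code from any poster or from Silent Circle): the "block cipher as hash function" idea above, built from AES-128 with the Matyas-Meyer-Oseas compression function h_i = E_{h_{i-1}}(m_i) XOR m_i and Merkle-Damgard length padding. The all-zero IV and the padding layout are assumptions chosen for this example; note that the digest is only as wide as the cipher's 128-bit block, so collision resistance is capped at about 2^64, which is a reason beyond speed that dedicated hashes such as SHA-2 exist.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// BlockSize is AES's 16-byte block; it is also the digest length of this hash.
const BlockSize = aes.BlockSize

// pad applies Merkle-Damgard strengthening: append 0x80, zero-fill up to
// 8 bytes short of a block boundary, then append the 64-bit big-endian bit
// length. Distinct messages therefore never pad to the same block sequence.
func pad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%BlockSize != BlockSize-8 {
		out = append(out, 0x00)
	}
	var lenBytes [8]byte
	binary.BigEndian.PutUint64(lenBytes[:], bitLen)
	return append(out, lenBytes[:]...)
}

// mmoCompress is the Matyas-Meyer-Oseas compression function: the chaining
// value is used as the AES key, the message block is encrypted, and the block
// is XORed back in so the step is one-way even though AES itself is invertible.
func mmoCompress(chain, block []byte) []byte {
	c, err := aes.NewCipher(chain)
	if err != nil {
		panic(err) // chain is always 16 bytes, so this cannot happen
	}
	out := make([]byte, BlockSize)
	c.Encrypt(out, block)
	for i := range out {
		out[i] ^= block[i]
	}
	return out
}

// AESMMOHash hashes msg to a 128-bit digest by chaining mmoCompress over the
// padded message blocks, starting from an all-zero IV (assumed for this example).
func AESMMOHash(msg []byte) []byte {
	chain := make([]byte, BlockSize) // IV: 16 zero bytes
	padded := pad(msg)
	for i := 0; i < len(padded); i += BlockSize {
		chain = mmoCompress(chain, padded[i:i+BlockSize])
	}
	return chain
}

func main() {
	// Constructed sample inputs; note that a one-byte change flips the digest.
	for _, m := range []string{"", "abc", "abd", "The quick brown fox jumps over the lazy dog"} {
		fmt.Printf("%-46q %s\n", m, hex.EncodeToString(AESMMOHash([]byte(m))))
	}
}
```

Each block costs a fresh AES key schedule, which is part of why such constructions lose to a dedicated hash on throughput.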
    5. Re:I thought that AES *was* independently designed? by skids · · Score: 4, Informative

      Take a look at the open process for fielding candidates for SHA-3, and tell me that all the people that bothered to submit candidates should be permanently suspect just because NIST asked for candidates and they offered them, and also offered critiques and analysis of competing designs. These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.

      What happened is as the PP described: good algorithms were chosen and then weakened by intentionally bad choices for parameters. When run with good parameters, those algorithms were as secure as the crypto community could develop at the time. They don't always choose the most secure algorithm of the batch because of performance considerations, but they set strength goals and meet them to the extent that they can be analyzed.

      So far they have picked Keccak as SHA-3 and the authors have recommended certain parameters to achieve certain cryptographic strengths for drop-in replacement of SHA2 hashes. Given the media attention I imagine NIST will feel obliged to follow those recommendations, which leaves them with only one thing left to specify, that being the format of the padding (which the Keccak authors have also offered some reasonable options for.)

    6. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 4, Interesting

      I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.

    7. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      There are more spies in Belgium than the rest of the known universe.

    8. Re:I thought that AES *was* independently designed? by ngc3242 · · Score: 0

      Don't be fooled by the government! You're discounting the possibility that the NSA used its time machine to travel into the past and implant a weakened version of their own algorithm into the minds of Joan Daemen and Vincent Rijmen!

    9. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 1

      Except they suddenly decided to change parts of the algorithm after the competition ended. So SHA-3 is not the Keccak that was heavily analyzed and verified by career mathematicians and cryptographers.
      More on https://www.schneier.com/blog/archives/2013/10/will_keccak_sha-3.html

    10. Re:I thought that AES *was* independently designed? by skids · · Score: 1

      If you read the algorithm description you'd realize that this is not a change in the algorithm and does not affect the analysis, which was performed for arbitrary parameters, not specific ones. However, the reaction to this move, which NIST probably considers a pretty inert move on their part, is sure giving NIST a taste of exactly how much their reputation has been soiled. Which is a good thing.

      (OT but funny: on the comments section of your link, when I read it, the last comment noted that NIST's website is down now due to the government shutdown and asked if that happens often. Some folks need to remember to at least read the daily headlines.)

    11. Re:I thought that AES *was* independently designed? by bdwebb · · Score: 1

      These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.

      I think this is less about mistrusting the mathematicians involved and more so about mistrusting what happened to these algorithms after submittal. As you say, they were weakened by intentionally bad choices for parameters, and due to the close relationship between NIST and the NSA, how can you trust that the original submissions actually do achieve the same level of security (and moreover, how can you trust that the submissions were not specifically selected due to the fact that the NSA is already able to reverse engineer them)? It isn't that the mathematicians and cryptographers are tainted - it is that the NSA has herpe-ghonno-syphil-aids coupled with incurable smallpox, H1N1, and the plague and therefore anything that they MAY have touched is likely infested.

      It sucks that there is a 'guilt by association' element to it, but in my mind it is justifiable to be suspicious so that the disease isn't spread, especially where something like standardized cipher suites (which are supposed to be secure) are concerned.

    12. Re:I thought that AES *was* independently designed? by skids · · Score: 1

      anything that they MAY have touched is likely infested.

      That would pretty much mean everything is infested. I mean, unless you think running into the arms of whatever crypto suite lying around out there that has never had bad press about intelligence agency meddling is a good way to avoid intelligence agency meddling -- I don't.

    13. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      Belgium is under effective control of the Imperium. What makes you sure they are not USG assets?

    14. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      Maybe just use the Sigaba or TypeX ciphers. If there is not enough keyspace, concatenate two instances of the cipher.

      These two have not been broken to the present day and OKW/Chi gave up then.

    15. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 0

      That would pretty much mean everything is infested.

      It's okay, I'm a bit slow. Slower than most in fact but by chance I got this one in advance :)

      Yes, everything is infested. Everything. Not just computers (although of course that is central to our common outlook here), don't you see the ripples in the water? And at best you can only see so far, just like any fellow human...

      Yes, there is no security, there is no trust, and there will be no victory, there is no “undo” or “cancel” or “abort” and “retry” would only be much worse (as hard as that is to imagine), there is no freedom. Will you still fight for freedom regardless? Everything's freedom? If so you will stand and fall alone, although you will stand and fall alone with others who stay to the same choice.

      P.S. (and not off topic) in a universe where time is just another dimension (ref.: Einstein) everything is already eternal.

      P.P.S. captcha: "bugaboo" —LOL!

  3. Compromised hardware by ArchieBunker · · Score: 2

    IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Compromised hardware by Thanshin · · Score: 4, Funny

      IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

      We also have to assume that the power sockets are compromised. All computers that are, or have been at any point, attached to any source of power not directly coming from the sun must be considered infected, and shot in the brain.

    2. Re:Compromised hardware by Anonymous Coward · · Score: 0

      IMHO at this point we have to assume the hardware is compromised at some level.

      We also have to assume that the power sockets are compromised.

      Even the electromagnetic waves in the atmosphere are compromised. The only safeguard is a strong tinfoil hat.

    3. Re:Compromised hardware by Anonymous Coward · · Score: 0

      If it ever came to public knowledge that the NSA was also tampering with hardware crypto modules, it would really be a death blow to the current *everything*.

      Seriously, even the reported MITM attacks are child's play compared to the implications of the aforementioned, as it would totally devastate any secure means of digital communication we've had for years.

    4. Re:Compromised hardware by TheCarp · · Score: 4, Funny

      Looks like we have ourselves a plant! You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal? You aren't fooling slashdot that easily AC. Don't think we haven't been watching you, your comments have not gone unnoticed in this community Agent Coward

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Compromised hardware by Hypotensive · · Score: 1

      It's probably not that important, as Linus already pointed out.

    6. Re:Compromised hardware by PopeRatzo · · Score: 4, Funny

      Of course tinfoil hats are worthless. Everyone knows that the only thing you can put on your head to protect you from the NSA are the plastic bags you get from the dry cleaners.

      --
      You are welcome on my lawn.
    7. Re:Compromised hardware by Anonymous Coward · · Score: 0

      You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal?

      No, you've got it all wrong. Tinfoil is highly effective at blocking the government's mind control signals, as well as avoiding the Illuminati. The problem is that they only sell aluminum foil at the store these days, and all that stuff does is amplify the H.A.A.R.P. based military-industrial-complex signals.

    8. Re:Compromised hardware by Joce640k · · Score: 1

      They offer zero protection against chemtrails though.

      --
      No sig today...
    9. Re:Compromised hardware by Anonymous Coward · · Score: 0

      An interesting comment on selective RDRAND backdooring in silicon:
      http://it.slashdot.org/comments.pl?sid=4278751&cid=44985945

      I have my doubts, but whether we believe it happened or not, it's certainly feasible in theory.

    10. Re:Compromised hardware by Anonymous Coward · · Score: 0

      Yea, yea. Go on ridiculing people despite all the reports lately that showed even the most outrageous assumptions weren't even close to the level of shit that's actually going on.

    11. Re:Compromised hardware by Anonymous Coward · · Score: 0

      Linus has proved to be a government shill many times in the past (remember the whole SELinux thing?).

      I don't trust him any further than I can throw him. I am now so distrustful of him and of Linux that I have directed my company to spend up to $50M in the next year doing an extensive internal code review of the Linux kernel looking for obfuscated functionality (and we have already found two instances of "easter-egg" like items - one of which puts "No no no!" in the kernel log if you hold down SysRq and the correct keys), intentional security vulnerabilities, and other possible back-door attack vectors.

    12. Re:Compromised hardware by flyingfsck · · Score: 3, Funny

      Only an organically reared Armadillo hat can beat the Feds.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    13. Re:Compromised hardware by Cid+Highwind · · Score: 1

      When, in the course of the NSA revelations, have you gotten the impression that "if X became public knowledge... it would be the death blow to the current Y" was ever a consideration in whether or not they did X?

      --
      0 1 - just my two bits
    14. Re:Compromised hardware by Anonymous Coward · · Score: 0

      I'm thinking your focus on literacy is making you unable to see the point made there.

    15. Re:Compromised hardware by TheCarp · · Score: 1

      This is a very good point, or at least, we don't think it does and have no reason to think it does. All we really know about chemtrails is that whatever is in them burns HOT! Because whatever it was burns much hotter than jet fuel if it was able to melt steel and bring those towers down.

      --
      "I opened my eyes, and everything went dark again"
    16. Re:Compromised hardware by PopeRatzo · · Score: 1

      I've heard that the NSA has built a secret backdoor into all organically reared Armadillo hats.

      I've heard it through the signals I pick up in the fillings in my teeth, so YMMV.

      --
      You are welcome on my lawn.
    17. Re:Compromised hardware by Cid+Highwind · · Score: 1

      "I have my doubts"

      You should. Short-circuiting AES-NI to return the plaintext XORed with the output of (weakened) rdrand would mean that the intended recipient can't decrypt the message. That's a lot of hard engineering work to tap a communication channel that nobody can actually communicate over...

      --
      0 1 - just my two bits
    18. Re:Compromised hardware by Anonymous Coward · · Score: 0

      Why do you feel it is important to mention you found "easter eggs" in the kernel code? You get them in all sorts of software; so long as they don't compromise anything, I don't see why they would be a problem.

  4. Evolution in action by Anonymous Coward · · Score: 1

    This is actually good. Crypto should be flexible enough to switch to different algorithms.
    AES is just an option, and I'd say it's a fine one, but it's cool to get some extra algos some breathing room.

    1. Re:Evolution in action by Anonymous Coward · · Score: 0

      I've always liked the idea of using cascades (multiple algorithms.) Not because it gives you more keylength, but because if AES was broken, Twofish would still provide adequate security.

      Of course, there is the performance penalty of multiple algorithms, and a lot of hardware can barely handle 128-bit AES with a dedicated ASIC, much less the self-revising algorithm of Twofish. However, maybe in the future, hardware should be designed to not just handle the NIST variations of AES, but to be able to handle the generic Rijndael algorithm.

    2. Re:Evolution in action by Anonymous Coward · · Score: 0

      If that was all this is about you would be right. Unfortunately it isn't.

    3. Re:Evolution in action by Anonymous Coward · · Score: 0

      A * B === B * A

      A waterfall (cascade) should not fall upwards as easily as downwards.

      No.

  5. I trust the Chinese... by Anonymous Coward · · Score: 2, Insightful

    I trust the Chinese have already done that to every processor built for export. They'd be negligent if they haven't.

  6. Marketing by sociocapitalist · · Score: 3, Interesting

    While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

    Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

    I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.

    --
    blindly antisocialist = antisocial
    1. Re:Marketing by Phrogman · · Score: 3, Interesting

      Well, perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and, more importantly, faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm. Therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much, but better than nothing, and we will likely never know the NSA's true capabilities anyway.

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    2. Re:Marketing by Anonymous Coward · · Score: 1

      That's why everyone should move their data to the Crypt, whether they think they have anything to hide or not, and switch to Pontiffex encryption, too.

    3. Re:Marketing by cryptizard · · Score: 3, Interesting

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

    4. Re:Marketing by Anonymous Coward · · Score: 0

      Some questions:

      Did you read your comment before posting it?
      Do you realize how ignorant you sound?
      Exactly how do you avoid attracting attention?
      Are you aware of the criteria the NSA uses to connect dots?

      Go back to sleep, you're fucking boring.

    5. Re:Marketing by Anonymous Coward · · Score: 0

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      These days, it's hard to crank up the paranoia high enough. They seem to surpass it every day.

      I think that they're quite capable of capturing and locking up specialized talent. The only reason I sleep at night is because said talent will ultimately be controlled by the rest of them. Who, as you said, can be pretty incompetent.

    6. Re:Marketing by Kjella · · Score: 5, Informative

      Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later declassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101, but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seems able to crack a single cipher, yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...

      Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.

      --
      Live today, because you never know what tomorrow brings
    7. Re:Marketing by cryptizard · · Score: 1

      Good point. The only symmetric cipher I know of that was completely "broken" is DES, but that is because the key length was chosen to be too short. Even at the time it was released people said it was too short.

    8. Re:Marketing by Tom · · Score: 1

      They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      Actually, the NSA has for decades been the by far largest employer of mathematicians, world-wide.

      They do have tons of smart people working for them, and contrary to the rest of the world, those don't work on optimizing Zynga games or production lines or any of the million other areas; they all work on crypto, surveillance, etc.

      In a crypto contest between the NSA and the rest of the world combined, I'd bet on the NSA. Mostly because the rest of the world would break apart in a flame war and uses 20 different languages.

      --
      Assorted stuff I do sometimes: Lemuria.org
    9. Re:Marketing by Anonymous Coward · · Score: 2, Informative

      Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?

      Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

      'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'

    10. Re:Marketing by Joce640k · · Score: 1

      While I think that NIST related crypto algorithms are probably well compromised by the NSA

      AES is one of the most independently studied/analyzed algorithms ever.

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Triple-DES?

      --
      No sig today...
    11. Re:Marketing by Joce640k · · Score: 2

      Well perhaps the point isn't that any new algorithms are uncrackable

      There's every reason to believe that they are. The NSA uses AES for its own encryption systems.

      If there's a weakness it's in the implementations (are your numbers really random?) and/or compromised PCs that they're running on.

      --
      No sig today...
    12. Re:Marketing by Anonymous Coward · · Score: 0

      "It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science..."

      If you don't understand that pretty much everyone is decades ahead of academia in pretty much every area of computer science, you aren't getting that pony for your birthday, little lady!

    13. Re:Marketing by Anonymous Coward · · Score: 0

      While I think that NIST related crypto algorithms are probably well compromised by the NSA

      AES is one of the most independently studied/analyzed algorithms ever.

      It should also be noted that AES can be used for SECRET and even TOP SECRET information. If the NSA is dogfooding the algorithm for their own stuff, then it should be safe for your own.

      The key though is to use the entire approved stack. At this point in time (2013), that does not include SHA-1 or RSA:

      https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

    14. Re:Marketing by mlts · · Score: 1

      The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

      There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

      Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom? If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

      [1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

    15. Re:Marketing by mlts · · Score: 1

      Skipjack was pretty thoroughly weakened once it was declassified. DES is still useful in TDES mode, but that is pretty expensive computation-wise compared to a newer algorithm like Twofish.

      Of course, there are blocksize issues with the older cyphers...

    16. Re:Marketing by Anonymous Coward · · Score: 0

      It seems potentially reasonable that the NSA could be sitting on a quantum computer or two, which would not require "new math" in order to break a lot of existing crypto systems.

    17. Re:Marketing by flyingfsck · · Score: 1

      Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    18. Re:Marketing by flyingfsck · · Score: 1

      If the NSA can decrypt everything, then why do they bother to store all encrypted text for 5 years? They would just decrypt, analyze and toss it away same as the plain text.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    19. Re:Marketing by Anonymous Coward · · Score: 0

      Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public?

      Quite a few. RC4? A5/1 and A5/2? Several of the AES candidates have known flaws, like LOKI97 and MAGENTA.

      And reducing a cipher from 2^256 to 2^101 operations is totally broken. It just happens that 2^256 is a comfortable security margin. An attack of that magnitude would devastate 128-bit security.

    20. Re:Marketing by tlhIngan · · Score: 1

      While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

      Not to mention if it's offshore, then you're spied on unless the NSA determines you're American, in which case they are supposed to discontinue spying on you. (You can argue that they spy on everyone including Americans, but if that's the case, why go offshore? Your data's no safer.)

      An interesting side effect though - anyone with even the most basic knowledge of cryptography knows that unless you're a mathematician, you never design your own algorithm, because they are for the most part going to be way weaker.

      One could argue that with this move away from industry-standard and studied algorithms, you're helping the NSA by giving them an easier time to break the encryption.

    21. Re:Marketing by Anonymous Coward · · Score: 0

      they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

      So you put it in two separate havens, at least one of which in a stable jurisdiction. Then the shyster doesn't have a hold on you (plus you have better resilience).

      I doubt it's much of a risk to be honest - for the data haven, it's the kind of stunt you can only pull once and then when the publicity hits you find yourself with no customers left and an expensive offshore facility driving you bankrupt.

    22. Re:Marketing by Joce640k · · Score: 1

      Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

      We can't.

      There was a time when the NSA was way ahead of civilians, eg. In the 1970s when they tweaked DES without telling anybody why - turns out they knew about differential cryptanalysis.

      Since then the gap has closed. These days there's no reason to suppose they're much ahead of civilians (except in budget, getting people to sign pain-of-death NDAs, install "government approved" black boxes in telephone exchanges, drive around in black SUVs ... etc).

      --
      No sig today...
    23. Re:Marketing by Anonymous Coward · · Score: 0

      These days, it's hard to crank up the paranoia high enough. They seem to surpass it every day.

      Nobody said it would be easy!

      But set a trap. Stuff a big file full of random numbers. Real random numbers, from sampling white noise. Then encrypt it, and re-encrypt it with all sorts of algorithms. Then just let it sit there.

      Sooner or later, the NSA or whatever spy agency will find it. And spend enormous amounts on decrypting using the various known algorithms. They will search and search, but forever fail. There will be no secret content to find, because there is none.

    24. Re:Marketing by Anonymous Coward · · Score: 0

      I'd bet on russians. They may not have a lot of money but they have top notch mathematicians.

    25. Re:Marketing by Anonymous Coward · · Score: 0

      They can't hold your data ransom if you have several backups. Such as using a few other data centers as well. And you don't tell them that little fact in advance. If they try anything, you expose them. Then, you (and everybody else) stop using that service.

    26. Re:Marketing by mlts · · Score: 1

      If multiple data havens colluded and knew what the I/O was for customers, they could find out that a customer might have data backed up to where. Then, each data haven could "accidentally" lose the data. The one remaining DH would demand a ransom, then split it among the others.

      Of course, this is tinfoil hat territory, as the one thing that will make or break the extortion is a backup somewhere else, but it is something that could happen.

      The penalties for being outed for extortion might not be that steep as one might think. For example, there is a lot of anti-US sentiment out there, and an offshore DH stating that they will not help Americans, nor allow them to retrieve stored data might get them positive PR in their country. It might be the case that even extorting money and being public about it might get them accolades.

    27. Re:Marketing by Anonymous Coward · · Score: 0

      Legal issues.

    28. Re:Marketing by Anonymous Coward · · Score: 0

      Don't fool yourself. The "budget" allows them to actively recruit at all levels, but particularly universities, top level researchers and anyone who has publications marking them as a leader in their field.

      It is very, very likely they are still 20 years ahead of the civilian world, which a) doesn't have a unified recruiting infrastructure, and b) often wastefully overlaps research in competitive efforts / for-profit motives.

    29. Re:Marketing by firewrought · · Score: 1

      It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case.

      In 1995, NSA added a single bit-rotation to SHA that made it considerably stronger, but they didn't explain their reasoning at the time. It took several more years before academia found significant weaknesses, with 2004 being the year that SHA-0 (as the original, non-rotated version is now called) was really cracked wide open. That (arguably) puts them about a decade ahead (in a situation where they willingly tipped their hand). These folks employ the most math PhDs in the world and have their own chip fabs... it's not hard to imagine them being two decades ahead on some important cryptographic questions.

      --
      -1, Too Many Layers Of Abstraction
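The single bit-rotation firewrought refers to is the only difference between SHA-0 and SHA-1. As an added example (not code from the thread), the routine below implements both from one body, switching the rotation on or off in the message schedule, and cross-checks the rotated variant against the standard library's SHA-1:

```python
"""SHA-0 versus SHA-1: one rotation in the message schedule.

Added example. Both hashes share padding, initial values, round constants and
round functions; the 1995 revision changed exactly one line, the left rotation
of each expanded message word. The implementation is kept plain (no lookup
tables, no unrolling) so the difference is visible.
"""
import hashlib
import struct


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha_family(message: bytes, rotate_schedule: bool) -> bytes:
    """SHA-1 when rotate_schedule is True, SHA-0 when it is False."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

    # Merkle-Damgard padding: 0x80, zero bytes, 64-bit big-endian bit length.
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)

    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            x = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
            # The entire SHA-0 -> SHA-1 change: rotate the expanded word by 1.
            w.append(_rotl(x, 1) if rotate_schedule else x)

        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d

        h = [(v + n) & 0xFFFFFFFF for v, n in zip(h, (a, b, c, d, e))]

    return b"".join(struct.pack(">I", v) for v in h)


def sha1(message: bytes) -> str:
    """Hex digest of SHA-1 (rotated schedule)."""
    return _sha_family(message, rotate_schedule=True).hex()


def sha0(message: bytes) -> str:
    """Hex digest of SHA-0 (unrotated schedule, withdrawn in 1995)."""
    return _sha_family(message, rotate_schedule=False).hex()


def matches_hashlib(message: bytes) -> bool:
    """Sanity check: our SHA-1 agrees with the library implementation."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    msg = b"abc"
    print("SHA-1:", sha1(msg))
    print("SHA-0:", sha0(msg))
    print("matches hashlib:", matches_hashlib(msg))
```

Flipping `rotate_schedule` reproduces the withdrawn SHA-0, whose weakness to differential attacks is what the 2004 results firewrought mentions exploited; the rotation destroys the linear structure those differentials rely on.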
    30. Re:Marketing by Anonymous Coward · · Score: 0

      Not necessarily true. Since the NSA is compartmentalized, one compartment might have the ability to break some encryptions, but if they really really want to keep that ability a secret, they would only use it for important info and not let all parts of their organization use it. This type of situation happened in WW2, where the Allies had broken the German cyphers but still let their own soldiers get killed sometimes so that the Germans did not know they had cracked their encryption.

    31. Re:Marketing by emt377 · · Score: 1

      The NSA uses AES for its own encryption systems.

      You have to realize that security classifications depend on the time something needs to remain secure. For battlefield comms this might be 6-8 hours, for HQ comms 5-10 days. The classification then is used to select a cipher based on a professional estimate of how long it takes someone with the resources of a major government to break it. Information that needs to remain protected indefinitely goes under lock and key, in a cabinet, safe, vault, with or without a guard stationed. Maybe inside a protected facility. Access is registered (so compromises can be tracked down) and based on whitelists. Keys are numbered and tracked. Physical protection is the only way something can be protected indefinitely. So saying something like AES is safe because "the NSA uses AES for its own encryption systems" is meaningless without knowing which security classification it's for - i.e., how long they estimate the cipher can withstand a sophisticated attack by someone with the resources of a major government.

    32. Re:Marketing by Anonymous Coward · · Score: 0

      And NSA internally developed cipher Skipjack which was a candidate for AES was found to be weak against impossible differential cryptanalysis.

    33. Re:Marketing by Fnord666 · · Score: 1

      On the other hand, please take a look at the history of differential cryptanalysis. The NSA was quite ahead of academia on that one. My own research back in those days demonstrated that the substitution boxes had been chosen with very specific characteristics. The same holds true for elliptic curves, where the curve chosen must have specific properties. Whether we know what all of those properties are though is still undecided. We know what makes a weak curve, but do we know what makes a strong one?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    34. Re:Marketing by Anonymous Coward · · Score: 0

      Given the difficulty in making a quantum computer, it seems incredibly unlikely even with the resources the NSA has at its disposal.

    35. Re:Marketing by Anonymous Coward · · Score: 0

      Theoretically the NSA may have broken many math-based cypher problems simply by using quantum computing. I am not an expert in this area unfortunately, and can't usefully comment on the limits of quantum computing (I.E. energy cost, reliability, which operations it's good and bad at, whether it works at all, etc).

    36. Re:Marketing by HiThere · · Score: 1

      No. Largely right, but No.

      A random one-time pad is secure until/unless the decoder gets his hands on a copy (Though you might want to encrypt a prime number of bits at a time. I'm not sure what happens if you encrypt chunks of characters.)

      Also, public key encryption (say twofish, or even AES) is probably safe if you have a long enough key barring either a theoretical breakthrough in factorization or decent quantum computers. But you might be wise to not use the default parameters. (What you *should* use, I don't know. I'm not a cryptographer.) But say that it's good for five years as an estimate. Note that without that "theoretical breakthrough" or quantum computers, a decent key length will be safe for the lifetime of the universe...IF decent parameters are used.

      If you're using a one-time pad, you don't need to secure the message, only the pad. But you need an out-of-band secure means to transfer the pad.

      OTOH, if your computer has WiFi....well, the computer probably isn't secure. If it's connected to the internet, then it probably isn't secure. Etc. Message interception in transit is only one means of interception. Interception when/while/after decoding is another. And a trojan is an excellent way to intercept the message...though it needs to be a bit more targeted than just recording everybody's messages.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    37. Re:Marketing by HiThere · · Score: 1

      Well, it's known that they've ordered one specially designed...but I don't think that's built yet, and it seems more of an experimental "proof of concept" machine than something serious. Which is why I give factorization encryption 5 years. That's probably being a bit conservative, but they ARE looking. Of course, there may be roadblocks such that a decent quantum computer is actually impossible, but that's probably not the way to bet.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    38. Re:Marketing by sociocapitalist · · Score: 1

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      Why would they have to be ahead in every other area of computer science? The key to encryption is cryptography and the NSA was formed to crack code - it is their entire reason to exist.

      Yes I think that they have some of the smartest people in the world who do absolutely nothing but break codes and on top of that, yes I think that they have more budget and more computing power than anyone else in the world to do it with.

      I know someone who used to work for the NSA and he told me that they are twenty years ahead of the commercial market. That was about ten years ago but I doubt that they've failed to continue to be well ahead.

      --
      blindly antisocialist = antisocial
    39. Re:Marketing by sociocapitalist · · Score: 1

      The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

      There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

      Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom. If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

      [1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

      Well...arguably the US is big enough that no single disaster could knock out data centers at the far ends. For the next point, one might keep the data in two different havens in case one of them decides to hold it for ransom (which seems unlikely to me but okay, why not). One might argue that the data haven would sell the data to the US as well, for that matter.

      --
      blindly antisocialist = antisocial
    40. Re:Marketing by cryptizard · · Score: 1

      Think about a widely known encryption with a large enough key (>64 bits) that was "broken" in the last thirty years. It hasn't happened. There have been weaknesses discovered, but the only major encryptions to be broken are DES and A5 which were known to have a short key length even when they were released. They weren't even broken by cryptanalysis but just lots of computation. 3DES (to extend the key length) is still considered secure today. For the NSA to have broken not just one, but every major cipher is just preposterously unlikely.

    41. Re:Marketing by sociocapitalist · · Score: 1

      Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and more importantly faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm, therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much but better than nothing and we will likely never know the NSA's true capabilities anyways.

      Agreed - the only comment I would have is that a data haven is automatically going to be a 'person of interest' and thus a target.

      --
      blindly antisocialist = antisocial
    42. Re:Marketing by Anonymous Coward · · Score: 0

      If a discussion starts by not seeing the forest for a tree (yup a reverse) it's hard to blame them for it if most of everyone else follows suit. Such is the simple power of declaring the context aka “framing the debate” (of which there is none).

      No need to break anything you can evade. Windows and non-free commercial software === backdoored by nature.
      No need to evade anything you get freely. Facebook and “social” anything === public speech.
      No need to steal anything you can get with a nudge and a wink or maybe a little gift. “Secure” company servers and services === PRISM.

      No need to care about breaking encryption when you can have as many secret letters as you wish from secret judges using secret laws. In the USA-NSA they are golden and everywhere else they can be and are used as hidden legal justifications or carte blanche “get out of jail free” cards aka international “requests”.

      All of this might look worrisome or scary but the terror lies beneath. It's the ramifications that should have people worried, it's the ramifications that have the people “in charge” shitting bricks even if they don't know it. All the ripples in the water do not exist independently and do not limit themselves to encryption or computers or three-letter agencies or the US government. All those things are but water.

    43. Re:Marketing by Anonymous Coward · · Score: 0

      Scalar illusions are inherent to humans.

      It is far more likely that we're forty or eighty years behind (let's stay optimistic).

      Have supercomputers grown in ability faster than ordinary computers or not? Of course they've grown faster simply by scale.

      Has expertise become more specialized or not? It has become much more specialized.

      Has knowledge? Yes.

      Does this apply only to cryptography and not to technology in general? Of course it is not restricted to cryptography.

      Is it possible that there might be aggregation of factors, emergent properties, surprises, or highly unconventional perhaps even non-deterministic solutions that revoke blatant or hidden assumptions? Such things have a tendency to exist both in science and mathematics. Such things have a tendency to define who's “top dog” in the first place.

    44. Re:Marketing by Anonymous Coward · · Score: 0

      I still think it will be very unlikely they'll have one useful for cracking encryption in 5 years (though perhaps not impossible), but my comment was referring to what they would have at their disposal right now.

  7. Amazing decision based on gut rather than brain by Anonymous Coward · · Score: 0

    So Jon Callas, in his blog post goes about the stupidity of the meta-ramblings about DUAL_EC_DRBG which nobody except the NSA is using, the theoretical weakness of elliptic curve crypto... and therefore replace AES, which doesn't have anything to do with DUAL_EC_DRBG or elliptic curve crypto?

    Oh, yeah, they are replacing the proven AES (as Schneier would say, trust math) and SHA-2 with Skein and maybe Threefish. Thank god he wrote "Full disclosure: I’m a co-author of Skein and Threefish", because now it's clear why they are doing this. Seriously, these silent circle guys know how to make PR stunts, like having ex Navy SEALs possibly compressing the bits individually for you with macho muscle (facepalm).

    1. Re:Amazing decision based on gut rather than brain by LordLimecat · · Score: 1

      Skein is / was a NIST candidate for SHA3 and made it through a number of rounds. It isn't a replacement for AES tho, as it does hashing, not encryption.

  8. Marketing! by tgd · · Score: 4, Insightful

    Or stupidity. One of the two.

    Why use algorithms that are standardized on by the federal government and have been looked at exhaustively by experts around the world when you can use an untested crypto system? After all I'm sure the NSA wants to ensure that bad guys have access to everything the government is encrypting by first weakening the encryption standard, then standardizing the US government on the use of them.

    1. Re:Marketing! by cryptizard · · Score: 4, Interesting

      Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.

    2. Re:Marketing! by Anonymous Coward · · Score: 0

      Von Neumann machines are Turing complete, so why even standardize any algorithms at all when we can just send the bytecode for a cryptographic function in the header of the message, and use permutability to generate new ciphers on the fly? Oh, that's right... Because the risk of falling out of compliance with export regulations required for such systems (as they change them out from under your feet) is hundreds of thousands of dollars and 20-30 years in jail. With such risk, you'd want confirmation your reporting had been received, eh? Too bad. You submit specially crafted CSV file reports as email attachments... not even digitally signed.

      Good luck to those silent circle folks, they're going to need it when they get to git-mo.

  9. No reason to distrust Rijndael by dido · · Score: 5, Insightful

    I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher had been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.

    Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.

    The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    1. Re:No reason to distrust Rijndael by drinkypoo · · Score: 1

      I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard.

      I doubt it too, but the facts combine to suggest that we should be suspicious anyway. NSA has compromised ciphers. NSA chose this cipher. Therefore, it is best to be suspicious of this cipher.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      Agreed. AES (Rijndael) is not compromised. Although if you want the more secure of all AES candidates, you should use Serpent, which is likely to have more resistance against attacks than Rijndael BUT at non-trivial performance costs (i.e. it is a lot more computer-intensive/slower than Rijndael).

      The issue really is on the RNGs, and also on the NIST-provided elliptic curves, and none of these have any bearing on AES or SHA-2 (or SHA-3 for that matter).

    3. Re:No reason to distrust Rijndael by cryptizard · · Score: 3, Interesting

      On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

      The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.

    4. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      ... none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that.

      They might have?

      I consider it highly unlikely that the US intelligence agency would have "approved" a cipher that they did not backdoor in some way, or feel bad that they have one that is highly classified.

      Making assumptions about the NSA's capability after recent leaks would be demonstrating both stupidity and ignorance on a level equal to PRISM's computing power. Try not to do that again.

    5. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 1

      The NSA approved AES for use for encrypting US government documents of the most classified sort in 2003. That means that they would have to use AES themselves as well, if they wanted to exchange classified information with any other branch of the US government! How stupid would they be if they knew how to break the cipher and used it themselves anyway? Their own communications would become insecure as a result!

      Snowden said it himself: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The problem is that there are way too many brain-dead implementations of otherwise sound cryptographic primitives out there and other insecurities in systems that the NSA can more easily get into rather than breaking the ciphers, which are the strongest link in what is usually a very long chain of weak links.

    6. Re:No reason to distrust Rijndael by larry+bagina · · Score: 2

      Brer rabbit much? The NSA knows Rijndael is unbreakable... so they had Snowden "leak" some files. Make people think the NSA is more dangerous than it is. People worry about Rijndael and switch to something weaker.

      TRUST NO ONE.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    7. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      Then again, you have no idea and no way to prove which cipher the government actually uses to protect state secrets.

    8. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      Well, the US government buys and certifies third-party equipment that implements AES from the open market, for use in protecting classified information. I think that's a big hint as to what cipher they use to protect state secrets.

    9. Re:No reason to distrust Rijndael by dido · · Score: 3, Insightful

      Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government! I think it's much more likely that they did apply even more of their vaunted cryptanalytic prowess to it when NIST gave their approval in 2000, and when by 2003 they found no significant weaknesses, they approved it for use with classified information. If they had found a significant weakness in AES and approved it anyway for such use, how arrogant and stupid would that make them? Their own supposedly secure communications with the rest of the government would be compromised as a result! As I said you can accuse the NSA of being many things, but I don't think stupidity is one of them.

      Snowden himself said it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The real trouble is there are too many systems out there that use otherwise sound cryptographic primitives in insecure ways, either by incompetence or by design. The NSA has been known to pressure manufacturers of security equipment to do the latter, and naturally they will only certify equipment that hasn't been thus back-doored for government use.

      And no, I don't think breaking AES would be career suicide for an academic cryptanalyst. Fermat's Last Theorem would also have been considered career suicide for centuries for the same reasons you cite, but now Andrew Wiles is one of the most famous mathematicians in the world. True, it's a hard problem, but if you manage to publish a workable break of AES you would become the most famous cryptographer in the world.

      --
      Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    10. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      But remember the NSA has to use AES themselves, at least when communicating with other branches of the US government. Do you think they would have knowingly approved a broken cipher for their own use? You underestimate the paranoia and intelligence of the NSA then.

    11. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      It does have a flaw. It is susceptible to timing attacks.

    12. Re:No reason to distrust Rijndael by mlts · · Score: 3, Interesting

      You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG only is using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.

      Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differential cryptanalysis.
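mlts's point about a PRNG that varies only 8 of 256 nonce bits is a check a defender can actually run over captured salts or IVs. The example below is added here and is not from the thread; both nonce sources are constructed for the demonstration, and the weak one is hashed so that its output looks random byte by byte even though only 256 distinct values can ever appear:

```python
"""Detecting a nonce source with far less state than it claims.

Added example. A generator that advertises 256-bit nonces but is driven by
8 bits of state can emit at most 2**8 distinct values, however random each
individual output looks. Counting distinct outputs over a sample therefore
gives an upper bound on the source's real entropy. Both sources below are
constructed for this demo; neither is taken from a real product.
"""
import hashlib
import math
import os
from typing import Callable, Dict, List, Sequence


def weak_nonce(counter: int) -> bytes:
    """Constructed weak source: 32 output bytes driven by only 8 bits.

    Hashing hides the tiny state; byte-frequency tests on a single output
    reveal nothing, which is why distinct-value counting is the right tool.
    """
    return hashlib.sha256(b"weak-demo" + bytes([counter & 0xFF])).digest()


def good_nonce(_counter: int) -> bytes:
    """Constructed sound source: 32 bytes from the OS CSPRNG."""
    return os.urandom(32)


def collect(source: Callable[[int], bytes], n: int) -> List[bytes]:
    """Pull n nonces from a source, as a monitor would from captured traffic."""
    return [source(i) for i in range(n)]


def observed_entropy_bits(samples: Sequence[bytes]) -> float:
    """log2 of the distinct values seen: a source with k bits of state
    cannot exceed 2**k distinct outputs, so this bounds k from above."""
    return math.log2(len(set(samples)))


def assess_nonce_source(samples: Sequence[bytes],
                        claimed_bits: int = 256) -> Dict[str, object]:
    """Flag a source whose distinct-output count is below the sample size.

    For a sound claimed_bits-bit source and n far below 2**(claimed_bits/2),
    birthday collisions are negligible, so every repeat is suspicious and a
    hard ceiling far below n is damning. Caveat: this only catches gross
    entropy loss; a source with, say, 40 bits of real state would pass this
    test at any practical sample size and needs different analysis.
    """
    n = len(samples)
    distinct = len(set(samples))
    bound = observed_entropy_bits(samples)
    return {
        "samples": n,
        "distinct": distinct,
        "claimed_bits": claimed_bits,
        "entropy_upper_bound_bits": bound,
        "suspicious": distinct < n,
    }


if __name__ == "__main__":
    for name, src in (("weak", weak_nonce), ("good", good_nonce)):
        report = assess_nonce_source(collect(src, 4096))
        print(name, report)
```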

    13. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 2, Interesting

      But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government!

      No, actually, the NSA uses two suites of cryptographic algorithms. AES, Diffie-Hellman key exchanges, etc. are in Suite B, which is published and available for everyone to use. That's what you're talking about. There's also Suite A, of which even the names of the algorithms are largely unknown. Those algorithms might well never get published. Suite A is for internal use, for encrypting the important secrets.

    14. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      Why do you say the NSA "is evil"? They have no operative arm, or actually *do* anything. If they come across criminal activity they can tip off the FBI, but what they have isn't admissible evidence, so the FBI gets to do its own investigative work. Their job is to uncover and watch for activities by people who wish to harm the United States or its people - exactly what we who pay their bills want them to do, as well as to act as an expert advisor to the federal government. Do you think governments shouldn't look after the safety of their nations? Do you think any responsible government doesn't? Maybe after airplanes are flown into skyscrapers, or there's a mushroom cloud over Miami, or Hoover Dam blows up, we go "oops, maybe we should have paid a little more attention to people who wish to harm us?" Problem is, it's a little late then.

    15. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      Snowden himself said it: "Encryption works."

      Snowden is a clueless kid.

    16. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      The key distribution and storage is often, but not always, the weakest point of attack. The exception is if you have plaintext or some pattern to look for (like an http or email header). This is why secure communications frequently are free of keywords and just contain a bunch of fields.

    17. Re:No reason to distrust Rijndael by aaaaaaargh! · · Score: 1

      But it could also be double bluff, designed to cause smart people like you not to switch away from broken Rijndael!

      Woaahh.. but wait a minute... what if it's a TRIPLE bluff?

    18. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      The elliptic curve pseudo-random number generator they forced into the standard is rather suspicious and allegedly compromised. I imagine if you stay away from that one, and use one of the good pseudo-random number generators in the AES standard, then it is okay. If it is only broken when used in a certain way then they can ensure they don't use it in a broken form, and also pressure providers of closed-source crypto solutions to use the broken form, then it is reasonable for them to approve it.

    19. Re:No reason to distrust Rijndael by VortexCortex · · Score: 1

      But remember the NSA has to use AES themselves, at least when communicating with other branches of the US government. Do you think they would have knowingly approved a broken cipher for their own use?

      Fool. If they're the only one who can break it, then why the fuck not?

      You underestimate the paranoia and intelligence of the NSA then.

      What's more paranoid? Selecting a cipher that no one can break, or selecting a cipher you can break which you suspect no one else can break, and to prove to everyone it's "safe" you use it yourself, because you know folks spy on you anyway and plant false information as canaries for leaks anyway?

      Hello, McFly?! Remember RSA coming out and saying that everyone needed to not use the elliptic curve random number generator they used by default in all of their shit because researchers have proven the parametric constants the NSA pulled out of thin air create a back-door into it and any other cipher using it... No one would even use that damn PRNG because it was so fucking slow, thousands of times slower than the other hash based systems.... Yet NIST pushed it into the standard, and RSA used it by default... The one NO ONE IN THEIR RIGHT MIND would have used by default based on any number of factors, and yet RSA DID -- RSA, The CREATORS OF RIJNDAEL.

      Seems like you're the one doing the underestimation. RSA has been under the NSA control for a long fucking time.

    20. Re:No reason to distrust Rijndael by VortexCortex · · Score: 1

      Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves

      Fool. You seriously think that an agency which LIES directly to people who are cleared for the information they ask about, even when those people are SENATORS -- You seriously think this agency HAS TO USE the cipher they tell everyone else to use? I hope that your smarts aren't genetic, you'd be a threat to the gene pool.

    21. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      That would be the height of arrogance for them to assume that no one else in the world, not their counterparts in Russia's Spetssvyaz or any other intelligence agency's signals intelligence and cryptanalysis arm would have come up with the same crack independently, or that foreign espionage in the NSA would not also be able to obtain the details of their crack. The Soviet Union managed to obtain the secret of nuclear weapons from the United States by espionage, and a determined intelligence agency would be able to do the same thing with a secret back door the NSA discovered or incorporated into an algorithm widely used by the United States government to protect the vast majority of its most classified secrets.

      In 1999-2000, when they designed the cipher that eventually became AES, Vincent Rijmen was a post-doctoral student at the Katholieke Universiteit Leuven's ESAT/COSIC lab in Belgium. Joan Daemen was at the time working at Proton World International, a smart card software company also in Belgium. It's hard to believe from there that they were RSA's stooges.

      Also, do remember that RSA itself had its own entry in the AES competition as has been mentioned: RC6, which was designed by Ron Rivest himself, along with several other people from RSA. That cipher was notably NOT selected as the AES.

      Keep believing your conspiracy theories if it comforts you. That's what they want you to believe.

    22. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 0

      Some people need to please realize they're prancing about butt naked, it would be considerate if they at least tried to put some clothes on but they've redefined clothes into some razor-thin semantic excuse about each layer of skin being two layers of lipids and how they thus cannot technically be naked. Just the same kind of bizarre garbage lies their figurehead uses in the Senate :(

  10. Re:9/11 was an inside job by tgd · · Score: 3, Insightful

    NIST has in many instances blocked independent investigations into 9/11, as well as lied about its own findings and devised unscientific explanations for the controlled demolitions of WTC 7 and the Twin Towers.
    AE911truth

    You know, this is probably the first time in the history of 9/11 whackjob posts on Slashdot that the reply is actually relevant to the story. Because they have nearly identical basis in reality.

  11. can you not write, or just not think??? by sribe · · Score: 1

    ...not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development...

    Really? So they are worried about NSA's influence on NIST, but they still trust NIST???

  12. Twofish? Really? by Anonymous Coward · · Score: 0

    What a terrible cipher; nobody uses it, for a reason.

  13. THIS IS A GREAT IDEA! by CajunArson · · Score: 0, Flamebait

    Please move to the most obscure and unreviewed encryption algorithms that you can, and do it as fast as possible. By no means should you ever use the exact same encryption standards that are approved for use for securing the big-bad-evil U.S. government's own top-secret data. Remember, the only cryptographic systems with any flaws are the ones that were developed by non-US citizens and reviewed in a public process that might have tangentially involved the NSA. Oh, and nobody, we mean nobody, else could ever weaken or backdoor a cryptographic algorithm.
            -- Your friends at the NSA ... uh .. I mean "anti-government hippy commune"

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:THIS IS A GREAT IDEA! by Anonymous Coward · · Score: 1

      Twofish is hardly obscure or unreviewed. It was submitted as an AES candidate along with Rijndael. It's been reviewed plenty. It didn't meet the needs of NIST as well as Rijndael, which is why it wasn't chosen to be AES. But that doesn't make it a BAD cipher. It just makes it not ideal for NIST's purposes, which may well include: being vulnerable to attack by the NSA.

    2. Re:THIS IS A GREAT IDEA! by mlts · · Score: 1

      IIRC, Twofish did not make the AES finalist because it used more CPU than Rijndael. This doesn't mean Twofish is less secure, it just means that crypto ASICs are cheaper to make shifting blocks around than Twofish's split key/algorithm method.

      Were I to choose one or the other just for security, I'd choose Twofish over Rijndael, but NIST had other parameters in their design decision.

  14. Madness by lucag · · Score: 5, Informative

    The least I would have expected from the documents about the extensive spying done by the NSA was a generalized weakening of cryptography.
    While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
    In particular, NIST-mandated cipher suites, while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
    Skein and Twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA-3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by the NSA (and not for other architectural or practical considerations) resembles more a form of superstition than anything else.

  15. Re:9/11 was an inside job by TheCarp · · Score: 2

    Even a broken conspiracy is right twice an epoch.

    --
    "I opened my eyes, and everything went dark again"
  16. Re:Twofish? Really? by Anonymous Coward · · Score: 0

    Oh look the NSA astroturf squad has arrived.

  17. Remember who uses NIST crypto transformations by dubist · · Score: 1

    For the record, the US government uses the NIST cryptographic transformations as recommended by its own NSA, so on a global scale of one to broken they can't be that bad. So for generalist everyday encryption they should be fine; if you're trying to hide something that might have some sort of national security implications, then if you're legitimately in possession of / generating that kind of information there will be a different set of protocols and standards to follow. People would shit their pants if the world suddenly turned to using ad-hoc unreviewed transformations because at that point all bets are off, no seriously, all bets are off. Cheers

    1. Re:Remember who uses NIST crypto transformations by Anonymous Coward · · Score: 0

      From a Guardian article:

      The NSA describes strong decryption programs as the "price of admission for the US to maintain unrestricted access to and use of cyberspace"

      That may just be the NSA justifying their budget. Or the "price of admission" may be the risk taken by using algorithms with known weaknesses in official US communications, to make the rest of the world trust said algorithms.

      Also, for really sensitive stuff the US government does not use the open NIST standards. They use NSA's Suite A, which is classified. All that is known about it is the names of the algorithms and some details like standardised key sizes.

    2. Re:Remember who uses NIST crypto transformations by mlts · · Score: 1

      If I had to use a well studied algorithm that -might- have a backdoor by an agency versus an algorithm that is "secret" that someone pulled out of their derriere, I'd rather have the former.

      I've been in those shoes before. My freshman year of college, I made a crypto algorithm that I thought was the cat's meow... plopped it on sci.crypt, and it was shredded by people who actually knew what it was doing in minutes.

      We already had those dark days of finding working crypto algorithms when people didn't use DES for much. I'd rather take something that has seen some heavy duty machinery trying to find any weaknesses in it than to use yet another "secret" algorithm that someone pulled out of their ass which is just another implementation of using the random() function with the seed being the passphrase and the output XOR-ed with the input data.

      Of course, the encryption algorithm is just half the battle. Using any algo in ECB mode is going to weaken security no matter how good it is.

  18. All the crypto in the world doesn't save you by Anonymous Coward · · Score: 0

    if the provider of whatever solution you've bought has received a secret order from a secret court authorizing/demanding the installation of key-grabbing malware or an equivalent exploit. (Which is my out-of-my-ass speculation of what Ladar Levison was provided with.)

    And I seriously doubt the NSA gives a damn whether the government is using an ultimately insecure encryption *so long as* the NSA are the only ones in possession of the knowledge and/or means to execute the exploit. They *do* care about encryption the government uses being technically and practically unbreakable by others, and they would care if encryption out in the wild is technically or practically unbreakable when used by others they're interested in.

  19. Snake Oil company says don't use medicine by Anonymous Coward · · Score: 0

    What's really silly about this story, is the Silent Circle context. No service like that, no matter how well-intentioned or what crypto algorithms they use, can ever possibly be trustworthy. If someone points a gun at their heads and tells them to further leak the passphrase that you already deliberately leak (with the hope that the leak is limited) every time you use their service, then they're going to get your key, and you aren't going to know about it.

    If there's one group of people who I think we can all confidently totally ignore on the subject of AES-vs-twofish-vs-whatever, it's people who work at snake oil companies like Silent Circle, Lavabit, Hushmail, etc. I feel like a shithead for saying that, because I know some smarter-than-me people work at Silent Circle, but .. something happened to those people, for them to be offering such ridiculous services, services that these people knew couldn't ever be trusted by anyone, before they wrote the first line of code. WTF.

    1. Re:Snake Oil company says don't use medicine by mlts · · Score: 1

      I see Silent Circle going down the same path that Hushmail travelled. Hushmail is a very good service, but when told to either cooperate with Interpol or else, they cooperated.

      With SC, they will likely be forced with the same choice. Hand over keys and put in backdoors or face shutdown/prison time.

      Instead, the focus should not be on communications, but endpoint security. Maybe PGP needs a revisit?

  20. Buzz and obligatory xkcd by fuujuhi · · Score: 1

    I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?

    The following reference is obligatory tmo:

    http://xkcd.com/538/

    As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or ignorant of NSA's actual powers at best. Again, I've no clue of what these powers could be, but suggesting that they could break into secure systems by brute-forcing or cryptanalysing AES / SHA-2 does not make sense. Doing so would cost an overwhelming amount of energy, even for the NSA, when actually much much cheaper and conventional methods exist, like tapping into back-end systems (often with agreement from operators themselves), installing key loggers on end user devices, etc. They certainly control some botnets, and maybe even some underground websites. Knowing that most users use the same password over several websites, it's really a child's game to penetrate systems for an organisation like the NSA. The NSA does not need to guess your secrets, they simply read them over your back.

    If Silent Circle feels like doing something, what about playing the card of full transparency and proving to the community that they are indeed beyond any doubt? That would at least have the merit of elevating the current level of discussion and not throwing away the work of dozens if not hundreds of people around the world trying to bring real open peer-reviewed security.

    1. Re:Buzz and obligatory xkcd by Anonymous Coward · · Score: 0

      As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or ignorant of NSA's actual powers at best. Again, I've no clue of what these powers could be, but suggesting that they could break into secure systems by brute-forcing or cryptanalysing AES / SHA-2 does not make sense.

      The only part that does not make sense here is your ability to continue to assume you know about the powers and crypto capability of the NSA. If you have no clue, then don't assume, even when it doesn't make sense (as if government agencies are known for common sense).

      6 months ago we all thought there would be no way the NSA could have a system online that monitors 300 million people.

      Assuming is what got us here today. Stop doing that shit already.

    2. Re:Buzz and obligatory xkcd by Anonymous Coward · · Score: 0

      If Silent Circle feels like doing something, what about playing the card of full transparency and proving to the community that they are indeed beyond any doubt? That would at least have the merit of elevating the current level of discussion and not throwing away the work of dozens if not hundreds of people around the world trying to bring real open peer-reviewed security.

      All the SC code is up on GitHub. Go review it.

  21. Not encrypted enough by Anonymous Coward · · Score: 0

    And some of those documents *shouldn't* be readable by the NSA, yet they are because the NSA messed with the cryptography.

    Ignore the leaks at your peril, NIST algos *are* compromised, we know that already. It may be that NSA thinks it is the only one that can decrypt them, e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key. BUT, if that key is broken then everything based on it is also broken.

    So they ARE apparently arrogant enough to do something stupid (well, apart from denying mass surveillance even as you're building your 5th big data center).

    1. Re:Not encrypted enough by tgd · · Score: 1

      e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key.

      If I hadn't already posted in this discussion, that'd be getting a Funny mod point.

  22. really? by slashmydots · · Score: 1

    "not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades"
    So in other words it distrusts NIST.

  23. Re:What does this use? by ron_ivi · · Score: 4, Interesting
    And instead of moving "away" - why not move to *both* AES and another cipher.

    If they cascade the one the US recommends with the one China recommends with the one Russia recommends, it seems you're safe unless all three of those governments are conspiring against you. And if that's the case you probably have bigger problems.

  24. Ju-Jitsu by Tokolosh · · Score: 2

    Brute-forcing or otherwise cracking the various algorithms is all well and good. However, I believe the reality is that the NSA (and others) have more success by using other means, combined with metadata. I am not sure what the other means are, but they could include social engineering, keylogging, reading clues communicated in the clear, false certificates, MITM.

    They vacuum up all data, encrypted or not, to be decrypted at leisure, when indicated by the metadata. But the underlying encryption is still (mostly) secure.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  25. Re:What does this use? by Anonymous Coward · · Score: 0

    It would be nice to hear from this crowd what they think of this platform: Blib: https://register.blib.us/

    Seems to use https to encrypt data. Allows self-hosting. Still in pre-alpha it seems.

  26. Re:9/11 was an inside job by Anonymous Coward · · Score: 0

    what about Zuckerbooger`s secret pact with the akamai founder? would they both be considered "co-conspiritors", "co-defendants", or was Zuckerbooger juST THE BOOGEYMAN STOOGE!

    "gosh darn it, Marx was left behind, without the bill of lading, and without Franx Xinatra`s laundered binliner!" El-idiot Spitzer-Ness

  27. Faster, Scalable Factoring by SpaceLifeForm · · Score: 1
    Factoring large semiprimes has a scalable solution. For example, if you have a large semiprime that is expected to take a billion years to factor, you can throw a billion cores at the problem and factor it in one year. I am *not* referring to GNFS.

    With a billion cores of custom silicon, you can speed it up even more.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Faster, Scalable Factoring by Anonymous Coward · · Score: 0

      Factoring primes (semi or otherwise) does not have anything to do with breaking a symmetrical cipher like AES.. Which is what this article is about, lah~.

    2. Re:Faster, Scalable Factoring by SpaceLifeForm · · Score: 1

      True. Read post I was replying to again.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  28. Mixing the signals by WaffleMonster · · Score: 1

    I think crypto agility is generally an awesome thing; all our encryption should have the ability to swap out algorithms at a moment's notice, with a meaningful process to mutually agree on strong, acceptable algorithms.

    It is also a double-edged sword, as practically it means that if any of the algorithms you trust are compromised AND both parties are still willing to use the algorithm, an attacker can normally steer the parties to use it.

    One thing I never really understood is, if you're afraid of subversion, why not simply chain a series of different algorithms together such that compromise of one could not result in recovery of plaintext? The only downside I can think of is that you might need a bigger key so jacking input bits of one algorithm does not cascade to the others or otherwise reduce the effective entropy of each input.

    1. Re: Mixing the signals by lucag · · Score: 1

      Nope. Two weak ciphers do not make a strong one, just a mess.
      This is not to say that a cryptosystem should not be designed from basic (and rather insecure) primitives suitably chained and iterated: this is actually the case for all modern block ciphers from Feistel-style networks to the AES. The point is that it is not sensible to rely for security on the rather unpredictable interactions between different encryptions and the actual risk is indeed a false sense of security.

      A different problem is whether it makes sense to consider "replaceable" encryption algorithms as suggested. In the case of public key systems this would not be a good idea, as the properties, security parameters and behavior might be widely different (even in comparable usage scenarios) and unexpected weaknesses might appear. As for block ciphers, they are sort of supposed to be interchangeable (for given block and key length); however, it has to be considered that a negotiation protocol might always be fooled by an attacker in order to select the "weakest" (in some sense) algorithm.

      In short: in cryptography flexibility might (and usually can) be a liability rather than an advantage. The best course of action is to be able to fully audit a "simple" implementation (and be somehow able to guarantee some security) rather than leave too much room for unsuspected attacks.
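      The downgrade the two comments above describe (an attacker steering a negotiation toward a weak algorithm that both parties still accept), as an added example that is not part of the thread: a toy cipher-suite negotiation in which a man-in-the-middle strips the strong suites from the ClientHello, shown once without protection and once with a Finished-style keyed MAC over the handshake transcript. The suite names, the ranking table and the pre-shared SESSION secret are constructed for this example; a real protocol derives the MAC key from the key exchange, but the check is the same.

```python
import hashlib
import hmac
import json

# Illustrative ranking (constructed for this example, not a real policy):
# larger number means stronger suite.  Suite names are placeholders.
SUITE_RANK = {"SUITE_STRONG_A": 3, "SUITE_STRONG_B": 2, "SUITE_WEAK_EXPORT": 1}


def encode(msg: dict) -> bytes:
    """Canonical serialization so both sides MAC identical bytes for identical messages."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def server_choose(offered):
    """Server picks the strongest suite it supports from the list it *received*.
    It has no way to know whether that list is what the client actually sent."""
    supported = [s for s in offered if s in SUITE_RANK]
    return max(supported, key=SUITE_RANK.__getitem__) if supported else None


def finished_mac(secret: bytes, client_hello: dict, server_hello: dict) -> bytes:
    """Finished-style check: a MAC over the whole handshake transcript under the session secret."""
    transcript = encode(client_hello) + encode(server_hello)
    return hmac.new(secret, transcript, hashlib.sha256).digest()


def strip_to_weak(hello: dict) -> dict:
    """The MITM: rewrite the ClientHello in transit so only weak suites remain."""
    weak_only = [s for s in hello["offered"] if SUITE_RANK.get(s, 0) <= 1]
    return {**hello, "offered": weak_only}


def run_handshake(secret: bytes, client_offer, tamper=None, protect_transcript=True):
    """Simulate ClientHello -> (attacker) -> ServerHello -> Finished.

    Returns (chosen_suite, accepted).  `tamper` is an optional function applied
    to the ClientHello on the wire; `protect_transcript` toggles the Finished MAC.
    """
    client_hello_sent = {"type": "ClientHello", "offered": list(client_offer)}
    client_hello_received = tamper(client_hello_sent) if tamper else client_hello_sent

    chosen = server_choose(client_hello_received["offered"])
    if chosen is None:
        return None, False                      # nothing in common: handshake fails
    server_hello = {"type": "ServerHello", "chosen": chosen}

    if chosen not in client_offer:
        return chosen, False                    # client never offered it; reject
    if not protect_transcript:
        return chosen, True                     # client accepts whatever was picked

    # Each side MACs the transcript *as it saw it*: the client MACs the hello it
    # sent, the server MACs the hello it received.  Any modification in transit
    # makes the two MACs differ, and the attacker cannot forge either one
    # without the secret.
    client_fin = finished_mac(secret, client_hello_sent, server_hello)
    server_fin = finished_mac(secret, client_hello_received, server_hello)
    return chosen, hmac.compare_digest(client_fin, server_fin)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    offer = ["SUITE_STRONG_A", "SUITE_STRONG_B", "SUITE_WEAK_EXPORT"]
    print("honest:            ", run_handshake(secret, offer))
    print("stripped, no MAC:  ", run_handshake(secret, offer, strip_to_weak, protect_transcript=False))
    print("stripped, with MAC:", run_handshake(secret, offer, strip_to_weak))
    print("weak never offered:", run_handshake(secret, offer[:2], strip_to_weak))
```

      Two things follow from running it. Without the transcript MAC the stripped handshake completes on the weak suite and neither side notices; with it, the server's Finished value disagrees with the client's and the handshake is rejected. And when the client never offers the weak suite at all, the attacker can only break the handshake, not downgrade it, which is the cheaper fix the comment hints at: agility only costs you what you are still willing to accept.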

    2. Re: Mixing the signals by david_thornley · · Score: 1

      I don't understand. Suppose I have ciphers A and B. I have plaintext, encipher it with A, and encipher it with B using a different key. Why would the cipher be any weaker than the strongest of A and B? If that's the case, if I use AES and Twofish sequentially, I should be safe if either AES or Twofish is safe. ("Safe" in this case means the NSA can't break it in under, say, 2^100 operations.)

      If I'm wrong, could somebody explain that in an understandable manner? (The answer to that could well be "no", of course.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re: Mixing the signals by lucag · · Score: 1

      The point is not so much that the cipher would be weaker, as that it would be no stronger than using any of them and there are some cases where it could actually be as weak as the weakest of them both. For instance, you do not gain anything under a "known plaintext" scenario.

      Consider this case: you have an enciphering machine (say E) and you want to recover the keys being used by probing its behaviour with a series of texts (which are either `random' or suitably chosen by you). If
      E(m,k1|k2) = B(A(m,k1),k2)
      where A,B are your original systems and k1,k2 the respective keys, we might try to mount an attack by intercepting the stream between A and B.

      There is a slight security advantage, as a chosen plaintext attack for E becomes a known plaintext attack for B (the chosen plaintext is m; the known one is A(m,k1)) but if B is vulnerable the attacker can recover k2 and strip the second layer of encryption. Now we are left with attacks against A under a known plaintext model (which might work or might not). This is a variant of the usual "meet in the middle" approach used against 2DES; if you want a direct parallel, just consider having to look for collisions (x,y) to
      B^(-1)(E(m,?),x) = A(m,y)
      where "?" denotes an unknown key.

      A particular case is when x=y *as a design decision*. If this turns out to be the case (argued as "256 bits should be enough for anybody!" or the like), then it is actually the weakest cipher which matters (and not the strongest one).

      Furthermore, it can well be that there are distinguishers for the first cipher under consideration; if that turns out to be the case an attacker can infer strong statistical properties on the input stream to the second which could be exploited.
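      The collision search B^(-1)(E(m,?),x) = A(m,y) from the comment above, carried out as an added example (not from the thread, and not AES or Twofish): a meet-in-the-middle key recovery against the cascade E(m,k1|k2) = B(A(m,k1),k2). A and B are two constructed toy Feistel ciphers with 32-bit blocks and 16-bit keys, so the whole attack runs in seconds; the key sizes, constants and plaintext/ciphertext pairs are all constructed for the example. It also covers the "x=y as a design decision" case, where the search space is exactly one cipher's key space.

```python
KEY_BITS = 16
MASK16 = 0xFFFF
ROUNDS = 8
# Exhaustive search over the cascade's 32-bit key, counted in single-cipher
# evaluations (two per trial), for comparison with the attacks below.
BRUTE_FORCE_WORK = 2 * 2 ** (2 * KEY_BITS)


class ToyFeistel:
    """A 32-bit block, 16-bit key Feistel cipher.  `const` only makes two
    instances different ciphers (A and B); it is not a security feature."""

    def __init__(self, const: int):
        self.const = const & MASK16

    def _f(self, x: int, rk: int) -> int:
        x = ((x ^ rk) * 0x9E37 + self.const) & MASK16
        return ((x << 5) | (x >> 11)) & MASK16        # 16-bit rotate-left by 5

    def _subkeys(self, key: int):
        ks, k = [], key & MASK16
        for r in range(ROUNDS):
            k = (k * 0x6D2B + self.const + r) & MASK16  # affine, so distinct keys give distinct schedules
            ks.append(k)
        return ks

    def encrypt(self, block: int, key: int) -> int:
        l, r = block >> 16, block & MASK16
        for rk in self._subkeys(key):
            l, r = r, l ^ self._f(r, rk)
        return (l << 16) | r

    def decrypt(self, block: int, key: int) -> int:
        l, r = block >> 16, block & MASK16
        for rk in reversed(self._subkeys(key)):
            l, r = r ^ self._f(l, rk), l
        return (l << 16) | r


A = ToyFeistel(0x1234)     # first layer, key k1
B = ToyFeistel(0xBEEF)     # second layer, key k2


def cascade_encrypt(m: int, k1: int, k2: int) -> int:
    """E(m, k1|k2) = B(A(m, k1), k2)"""
    return B.encrypt(A.encrypt(m, k1), k2)


def cascade_decrypt(c: int, k1: int, k2: int) -> int:
    return A.decrypt(B.decrypt(c, k2), k1)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from two known (plaintext, ciphertext) pairs of the cascade.

    Phase 1 tabulates A(m0, k1) for every k1; phase 2 computes B^-1(c0, k2) for
    each k2 and looks it up.  A hit is confirmed on the second pair, which weeds
    out the roughly one chance collision a 32-bit block allows.
    Returns ((k1, k2), number_of_single_cipher_evaluations)."""
    (m0, c0), (m1, c1) = pairs[0], pairs[1]
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(A.encrypt(m0, k1), []).append(k1)
    work = 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in middle.get(B.decrypt(c0, k2), ()):
            work += 2                           # the confirming cascade evaluation
            if cascade_encrypt(m1, k1, k2) == c1:
                return (k1, k2), work
    return None, work


def same_key_search(pairs):
    """The x = y case: both layers keyed with the same 16-bit key.  A plain
    search over 2**16 keys suffices; the cascade is no stronger than one layer."""
    (m0, c0), (m1, c1) = pairs[0], pairs[1]
    work = 0
    for k in range(1 << KEY_BITS):
        work += 2
        if cascade_encrypt(m0, k, k) != c0:
            continue
        work += 2
        if cascade_encrypt(m1, k, k) == c1:
            return k, work
    return None, work


if __name__ == "__main__":
    k1, k2 = 0x3A7C, 0xC15E                     # constructed secret keys
    pairs = [(m, cascade_encrypt(m, k1, k2)) for m in (0x00000000, 0xFFFFFFFF)]
    keys, work = meet_in_the_middle(pairs)
    print(f"recovered {keys[0]:#06x},{keys[1]:#06x} with {work} evaluations "
          f"(brute force: {BRUTE_FORCE_WORK})")
    print("same-key case:", same_key_search([(m, cascade_encrypt(m, 0x5A5A, 0x5A5A))
                                             for m in (0x01234567, 0x89ABCDEF)]))
```

      The cascade carries 32 key bits, yet the attack recovers both keys with on the order of 2^17 cipher evaluations and a 2^16-entry table rather than 2^33; in general the cost is about 2^|k1| + 2^|k2| work and 2^min(|k1|,|k2|) memory, which is why 2DES bought almost nothing over DES and why 3DES uses three layers. With k1 = k2 the search is a flat 2^16, so a cascade keyed that way is exactly as strong as its weakest layer, as the comment says.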

    4. Re: Mixing the signals by Anonymous Coward · · Score: 0

      The following is extremely simplified and thus automagically not true but is hopefully still correctly illustrative. It uses multiplicative factors as a replacement concept for any and all algorithmic operations of the cipher (that might themselves involve actual multiplication).

      The bad suggestion is to fully encrypt with A and then fully encrypt the result with B so you get result C.

      The result is as if you multiplied set A with set B to get set C (actually much worse but this is already bad enough).

      Multiplication increases the amount of factors (just as for prime numbers where multiplication turns them into composite numbers —that's just as an example, it doesn't matter whether the encryption uses primes or not: multiplication always does this).

      Factorizing a huge number can be hard however if the huge number has certain properties finding some of the factors is trivially easy. If an infinitely large number ends with an even number one already knows it has at least one factor of 2.

      So there are several factors you want to avoid like the plague (the above example is just the simplest of the simple). But with result C you can not know in advance that you have avoided these to a sufficient level or that your pseudo-cipher AB will always avoid them up to an acceptable level of difficulty.

      In addition increasing the amount of factors increases the weakness of the encryption because there is a larger group of factors that can be found.

      So not only do you not know what kind of factors you've introduced but there are also more of them.

      The more factors you can find the less brute force of computation you need.

      If all the factors are found you can infer the seed and the algorithm and use trivial force to decrypt.

  29. Trust by sexconker · · Score: 1

    not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.

    If "executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades" then "the company distrusts NIST".

  30. Re:9/11 was an inside job by arthurpaliden · · Score: 1

    9/11 was a low tech attack that was based on human engineering. That is what makes it so scary.

  31. Re:What does this use? by gomiam · · Score: 1

    Adding more cryptosystems doesn't automatically translate into greater security, as double DES showed.

  32. Re: 9/11 was an inside job by Anonymous Coward · · Score: 0

    Truthers make me lol

  33. No difference... by Kazoo+the+Clown · · Score: 1

    The NSA has figured out that the crypto isn't the weak point no matter what algorithm is used. Change it all you want, it makes no difference.

  34. Re:What does this use? by Anonymous Coward · · Score: 0

    What about double ROT13? So stealthy you don't even notice.

  35. Re:What does this use? by HiThere · · Score: 1

    Sorry to hash the joke, but that's double ROT128. Unless, of course you're using a 16-bit or 32 bit character.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  36. Re:9/11 was an inside job by Anonymous Coward · · Score: 0

    here we are, 12 years after the WTC demolition,

    the "scientific" organisation meant to have analysed the data flip-flopped. NIST flipflopped.
    This article has NIST in its title, and throughout my humble reading, I have only twice or thrice seen "NIST" in print. First time (and most impressive), was their flipflopping about the 9/11 investigation, and second time (although slightly less-than-or-equal-to the first flipflop), here on /.

    In the 2 hours or so since I saw the "9/11 whackjob" comment, I read half of the comments about meaningless faux-encryption, spending a great deal of time trying to find other comments related to the 9/11 inside job.

    NIST (and soooo many diversionary commentators/commentatrices) have lost ALL CREDIBILITY. Now go fetch my quantum keyless-entry keychain, i gotta hit the information superhighway!

  37. Re:What does this use? by Anonymous Coward · · Score: 0

    But it will certainly not lead to less security. Imagine you could decipher one of those encryptions easily. You still have the other ones to protect the data. All of those transformations are reversible, and they are applied one after the other. It is also much less likely that completely independent encryption schemes (that are supposed to be secure by themselves) have the same vulnerability as 2DES. Remember that the goal of 2/3DES was to increase key size (to protect against brute force attacks), not to eliminate potential holes in the standard.

  38. You have made an assumption by SpaceLifeForm · · Score: 1

    "if they want to exchange..." Keyword: If.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  39. Re:What does this use? by Anonymous Coward · · Score: 0

    What - you think that encrypting with AES and then (say) TwoFish would give you the plaintext back?

  40. Re:What does this use? by Anonymous Coward · · Score: 0

    Duh. If DES has a backdoor then so does double DES. If AES has a backdoor and TwoFish doesn't then AES + TwoFish doesn't have a backdoor.

  41. Re:What does this use? by Anonymous Coward · · Score: 0

    If AES has a backdoor and TwoFish doesn't then AES + TwoFish doesn't have a backdoor.

    Errr... you must have meant:
    If AES has a backdoor and TwoFish doesn't then AES + TwoFish does have a backdoor.

    Don't worry I've had much more embarrassing does/doesn't mistakes like *Mongo does like gay sex* X(

  42. Re:What does this use? by Anonymous Coward · · Score: 0

    Actually yes for some value of plaintext. The problem is you wouldn't know exactly which plaintext(s) in advance or for what level of brute force.

    You would be out fishing for strawberries on a daytrip to lala-land in order to visit the licorice unicorns living in your GPU :)

    You also wouldn't know how much weaker all the other soon-to-be-plaintexts are because you've created an "ATwoEFishS" pseudo-encryption with completely unknown aggregate values and traits that next to nobody has had a look at as well as including any and all weaknesses in both ciphers (including backdoors).

    Obscure? Yes. Secure? No reason to think so.

    Of course you could let the firewood made of jam decide...

    (Apologies for any content infringing on the material of Noel Fielding).