Slashdot Mirror

← Back to Stories (view on slashdot.org)

Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

Posted by timothy on from the service-is-a-transitive-noun dept.

Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."

9 of 168 comments (clear)

  1. Marketing by sociocapitalist · · Score: 3, Interesting

    While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

    Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

    I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.

    --
    blindly antisocialist = antisocial
    1. Re:Marketing by Phrogman · · Score: 3, Interesting

      Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, its so that its easier and more importantly faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm, therefore there might be some added security in that even if they *can* crack your ciphertext, its not worth bothering to do so unless some other factor marks you as a person of interest. Not much but better than nothing and we will likely never know the NSA's true capabilities anyways.

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    2. Re:Marketing by cryptizard · · Score: 3, Interesting

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

  2. Re:Marketing! by cryptizard · · Score: 4, Interesting

    Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.

  3. Re:No reason to distrust Rijndael by cryptizard · · Score: 3, Interesting

    On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

    The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.

  4. Re:What does this use? by ron_ivi · · Score: 4, Interesting
    And instead of move "away" - why not move to *both* AES and another cypher.

    If they cascade the one the US recommends wiht the one China recommends with the one Russia recommends, it seems you're safe unless all thre of those governments are conspiring against you. And if that's the case you problably have bigger problems.

  5. Re:I thought that AES *was* independetly designed? by Anonymous Coward · · Score: 4, Interesting

    I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.

  6. Re:No reason to distrust Rijndael by mlts · · Score: 3, Interesting

    You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG only is using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.

    Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differental cryptoanalysis.

  7. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 2, Interesting

    But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government!

    No, actually, the NSA uses two suites of cryptographic algorithms. AES, Diffie-Hellman key exchanges, etc. are in Suite B, which is published and available for everyone to use. That's what you're talking about. There's also Suite A, of which even the names of the algorithms are largely unknown. Those algorithms might well never get published. Suite A is for internal use, for encrypting the important secrets.