Slashdot Mirror


Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."

94 of 168 comments

  1. serpent by johnjones · · Score: 2, Insightful

    mathematics depts are interesting things...

    I personally trust in S-boxes

    regards

    John Jones

    1. Re:serpent by aaaaaaargh! · · Score: 1

      Why is the parent post modded offtopic?

      Serpent is not a bad choice, it has a conventional design with a large safety margin (32 rounds).

    2. Re:serpent by sjames · · Score: 1

      NSA sock puppets with mod points?

      Mods didn't know enough about crypto?

  2. I thought that AES *was* independently designed? by K.+S.+Kyosuke · · Score: 1

    Or is it the case that NIST has a branch in Belgium?

    --
    Ezekiel 23:20
    1. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 5, Informative

      The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

      https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

    2. Re:I thought that AES *was* independently designed? by Joce640k · · Score: 2

      The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

      Not 100% true. The NIST only messed with the 192 and 256 bit versions. Guess what? They turned out to be weak (and everybody knows about it).

      If you're truly paranoid you could use Triple-DES instead of AES but there's no good reason not to trust 128-bit AES, it's one of the most analyzed/studied algorithms ever.

      Block ciphers like AES can also be used as hash functions. SHA-n isn't really needed except for efficiency reasons (block cyphers are slower).

      --
      No sig today...
    3. Re:I thought that AES *was* independently designed? by skids · · Score: 4, Informative

      Take a look at the open process for fielding candidates for SHA-3, and tell me that all the people that bothered to submit candidates should be permanently suspect just because NIST asked for candidates and they offered them, and also offered critiques and analysis of competing designs. These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.

      What happened is as the PP described: good algorithms were chosen and then weakened by intentionally bad choices for parameters. When run with good parameters, those algorithms were as secure as the crypto community could develop at the time. They don't always choose the most secure algorithm of the batch because of performance considerations, but they set strength goals and meet them to the extent that they can be analyzed.

      So far they have picked Keccak as SHA-3 and the authors have recommended certain parameters to achieve certain cryptographic strengths for drop-in replacement of SHA2 hashes. Given the media attention I imagine NIST will feel obliged to follow those recommendations, which leaves them with only one thing left to specify, that being the format of the padding (which the Keccak authors have also offered some reasonable options for.)

    4. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 4, Interesting

      I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.

    5. Re:I thought that AES *was* independently designed? by Anonymous Coward · · Score: 1

      Except they suddenly decided to change parts of the algorithm after the competition ended. So SHA-3 is not the Keccak that was heavily analyzed and verified by career mathematicians and cryptographers.
      More on https://www.schneier.com/blog/archives/2013/10/will_keccak_sha-3.html

    6. Re:I thought that AES *was* independently designed? by skids · · Score: 1

      If you read the algorithm description you'd realize that this is not a change in the algorithm and does not affect the analysis, which was performed for arbitrary parameters, not specific ones. However, the reaction to this move, which NIST probably considers a pretty inert move on their part, is sure giving NIST a taste of exactly how much their reputation has been soiled. Which is a good thing.

      (OT but funny: in the comments section of your link, when I read it, the last comment noted that NIST's website is down now due to the government shutdown and asked if that happens often. Some folks need to remember to at least read the daily headlines.)

    7. Re:I thought that AES *was* independently designed? by bdwebb · · Score: 1

      These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.

      I think this is less about mistrusting the mathematicians involved and more so about mistrusting what happened to these algorithms after submittal. As you say, they were weakened by intentionally bad choices for parameters, and due to the close relationship between NIST and the NSA, how can you trust that the original submissions actually do achieve the same level of security (and moreover, how can you trust that the submissions were not specifically selected due to the fact that the NSA is already able to reverse engineer them)? It isn't that the mathematicians and cryptographers are tainted - it is that the NSA has herpe-ghonno-syphil-aids coupled with incurable smallpox, H1N1, and the plague and therefore anything that they MAY have touched is likely infested.

      It sucks that there is a 'guilt by association' element to it, but in my mind it is justifiable to be suspicious so that the disease isn't spread, especially where something like standardized cipher suites (which are supposed to be secure) are concerned.

    8. Re:I thought that AES *was* independently designed? by skids · · Score: 1

      anything that they MAY have touched is likely infested.

      That would pretty much mean everything is infested. I mean, unless you think running into the arms of whatever crypto suite lying around out there that has never had bad press about intelligence agency meddling is a good way to avoid intelligence agency meddling -- I don't.

  3. Compromised hardware by ArchieBunker · · Score: 2

    IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Compromised hardware by Thanshin · · Score: 4, Funny

      IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

      We also have to assume that the power sockets are compromised. All computers that are, or have been at any point, attached to any source of power not directly coming from the sun must be considered infected, and shot in the brain.

    2. Re:Compromised hardware by TheCarp · · Score: 4, Funny

      Looks like we have ourselves a plant! You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal? You aren't fooling slashdot that easily, AC. Don't think we haven't been watching you; your comments have not gone unnoticed in this community, Agent Coward.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Compromised hardware by Hypotensive · · Score: 1

      It's probably not that important, as Linus already pointed out.

    4. Re:Compromised hardware by PopeRatzo · · Score: 4, Funny

      Of course tinfoil hats are worthless. Everyone knows that the only thing you can put on your head to protect you from the NSA are the plastic bags you get from the dry cleaners.

      --
      You are welcome on my lawn.
    5. Re:Compromised hardware by Joce640k · · Score: 1

      They offer zero protection against chemtrails though.

      --
      No sig today...
    6. Re:Compromised hardware by flyingfsck · · Score: 3, Funny

      Only an organically reared Armadillo hat can beat the Feds.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    7. Re:Compromised hardware by Cid+Highwind · · Score: 1

      When, in the course of the NSA revelations, have you gotten the impression that "if X became public knowledge... it would be the death blow to the current Y" was ever a consideration in whether or not they did X?

      --
      0 1 - just my two bits
    8. Re:Compromised hardware by TheCarp · · Score: 1

      This is a very good point, or at least, we don't think it does and have no reason to think it does. All we really know about chemtrails is that whatever is in them burns HOT! Because whatever it was burns much hotter than jet fuel if it was able to melt steel and bring those towers down.

      --
      "I opened my eyes, and everything went dark again"
    9. Re:Compromised hardware by PopeRatzo · · Score: 1

      I've heard that the NSA has built a secret backdoor into all organically reared Armadillo hats.

      I've heard it through the signals I pick up in the fillings in my teeth, so YMMV.

      --
      You are welcome on my lawn.
    10. Re:Compromised hardware by Cid+Highwind · · Score: 1

      "I have my doubts"

      You should. Short-circuiting AES-NI to return the plaintext XORed with the output of (weakened) rdrand would mean that the intended recipient can't decrypt the message. That's a lot of hard engineering work to tap a communication channel that nobody can actually communicate over...

      --
      0 1 - just my two bits
  4. Evolution in action by Anonymous Coward · · Score: 1

    This is actually good. Crypto should be flexible enough to switch to different algorithms. AES is just an option, and I'd say it's a fine one, but it's cool to get some extra algos some breathing room.

  5. I trust the Chinese... by Anonymous Coward · · Score: 2, Insightful

    I trust the Chinese have already done that to every processor built for export. They'd be negligent if they haven't.

  6. Marketing by sociocapitalist · · Score: 3, Interesting

    While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

    Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

    I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.

    --
    blindly antisocialist = antisocial
    1. Re:Marketing by Phrogman · · Score: 3, Interesting

      Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and, more importantly, faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm; therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much, but better than nothing, and we will likely never know the NSA's true capabilities anyways.

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    2. Re:Marketing by Anonymous Coward · · Score: 1

      That's why everyone should move their data to the Crypt, whether they think they have anything to hide or not, and switch to Pontiffex encryption, too.

    3. Re:Marketing by cryptizard · · Score: 3, Interesting

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

    4. Re:Marketing by Kjella · · Score: 5, Informative

      Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later declassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101, but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seems able to crack a single cipher, yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...

      Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Marketing by cryptizard · · Score: 1

      Good point. The only symmetric cipher I know of that was completely "broken" is DES, but that is because the key length was chosen to be too short. Even at the time it was released people said it was too short.

    6. Re:Marketing by Tom · · Score: 1

      They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      Actually, the NSA has for decades been the by far largest employer of mathematicians, world-wide.

      They do have tons of smart people working for them, and contrary to the rest of the world, those don't work on optimizing Zynga games or production lines or any of the other million other areas; they all work on crypto, surveillance, etc.

      In a crypto contest between the NSA and the rest of the world combined, I'd bet on the NSA. Mostly because the rest of the world would break apart in a flame war and uses 20 different languages.

      --
      Assorted stuff I do sometimes: Lemuria.org
    7. Re:Marketing by Anonymous Coward · · Score: 2, Informative

      Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?

      Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

      'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'

    8. Re:Marketing by Joce640k · · Score: 1

      While I think that NIST related crypto algorithms are probably well compromised by the NSA

      AES is one of the most independently studied/analyzed algorithms ever.

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Triple-DES?

      --
      No sig today...
    9. Re:Marketing by Joce640k · · Score: 2

      Well perhaps the point isn't that any new algorithms are uncrackable

      There's every reason to believe that they are. The NSA uses AES for its own encryption systems.

      If there's a weakness it's in the implementations (are your numbers really random?) and/or compromised PCs that they're running on.

      --
      No sig today...
    10. Re:Marketing by mlts · · Score: 1

      The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

      There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

      Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom. If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

      [1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

    11. Re:Marketing by mlts · · Score: 1

      Skipjack was pretty thoroughly weakened once it was declassified. DES is still useful in TDES mode, but that is pretty expensive computation-wise compared to a newer algorithm like Twofish.

      Of course, there are blocksize issues with the older cyphers...

    12. Re:Marketing by flyingfsck · · Score: 1

      Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    13. Re:Marketing by flyingfsck · · Score: 1

      If the NSA can decrypt everything, then why do they bother to store all encrypted text for 5 years? They would just decrypt, analyze and toss it away same as the plain text.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    14. Re:Marketing by tlhIngan · · Score: 1

      While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

      Not to mention if it's offshore, then you're spied on unless the NSA determines you're American, in which case they are supposed to discontinue spying on you. (You can argue that they spy on everyone including Americans, but if that's the case, why go offshore? Your data's no safer.)

      An interesting side effect though - anyone with even the most basic knowledge of cryptography knows that unless you're a mathematician, you never design your own algorithm because they are for the most part going to be way weaker.

      One could argue that with this move away from industry standard and studied algorithms, you're helping the NSA by giving them an easier time to break the encryption.

    15. Re:Marketing by Joce640k · · Score: 1

      Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

      We can't.

      There was a time when the NSA was way ahead of civilians, e.g. in the 1970s when they tweaked DES without telling anybody why - turns out they knew about differential cryptanalysis.

      Since then the gap has closed. These days there's no reason to suppose they're much ahead of civilians (except in budget, getting people to sign pain-of-death NDAs, installing "government approved" black boxes in telephone exchanges, driving around in black SUVs ... etc).

      --
      No sig today...
    16. Re:Marketing by mlts · · Score: 1

      If multiple data havens colluded and knew what the I/O was for customers, they could find out that a customer might have data backed up to where. Then, each data haven could "accidentally" lose the data. The one remaining DH would demand a ransom, then split it among the others.

      Of course, this is tinfoil hat territory, as the one thing that will make or break the extortion is a backup somewhere else, but it is something that could happen.

      The penalties for being outed for extortion might not be that steep as one might think. For example, there is a lot of anti-US sentiment out there, and an offshore DH stating that they will not help Americans, nor allow them to retrieve stored data might get them positive PR in their country. It might be the case that even extorting money and being public about it might get them accolades.

    17. Re:Marketing by firewrought · · Score: 1

      It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case.

      In 1995, NSA added a single bit-rotation to SHA that made it considerably stronger, but they didn't explain their reasoning at the time. It took several more years before academia found significant weaknesses, with 2004 being the year that SHA-0 (as the original, non-rotated version is now called) was really cracked wide open. That (arguably) puts them about a decade ahead (in a situation where they willingly tipped their hand). These folks employ the most math PhDs in the world and have their own chip fabs... it's not hard to imagine them being two decades ahead on some important cryptographic questions.

      --
      -1, Too Many Layers Of Abstraction
    18. Re:Marketing by emt377 · · Score: 1

      The NSA uses AES for its own encryption systems.

      You have to realize that security classifications depend on the time something needs to remain secure. For battlefield comms this might be 6-8 hours, for HQ comms 5-10 days. The classification then is used to select a cipher based on a professional estimate of how long it takes someone with the resources of a major government to break it. Information that needs to remain protected indefinitely goes under lock and key, in a cabinet, safe, or vault, with or without a guard stationed. Maybe inside a protected facility. Access is registered (so compromises can be tracked down) and based on whitelists. Keys are numbered and tracked. Physical protection is the only way something can be protected indefinitely. So saying something like AES is safe because "the NSA uses AES for its own encryption systems" is meaningless without knowing which security classification it's for - i.e., how long they estimate the cipher can withstand a sophisticated attack by someone with the resources of a major government.

    19. Re:Marketing by Fnord666 · · Score: 1

      On the other hand, please take a look at the history of differential cryptanalysis. The NSA was quite ahead of academia on that one. My own research back in those days demonstrated that the substitution boxes had been chosen with very specific characteristics. The same holds true for elliptic curves, where the curve chosen must have specific properties. Whether we know what all of those properties are, though, is still undecided. We know what makes a weak curve, but do we know what makes a strong one?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    20. Re:Marketing by HiThere · · Score: 1

      No. Largely right, but No.

      A random one-time pad is secure until/unless the decoder gets his hands on a copy (Though you might want to encrypt a prime number of bits at a time. I'm not sure what happens if you encrypt chunks of characters.)

      Also, public key encryption (say twofish, or even AES) is probably safe if you have a long enough key, barring either a theoretical breakthrough in factorization or decent quantum computers. But you might be wise to not use the default parameters. (What you *should* use, I don't know. I'm not a cryptographer.) But say that it's good for five years as an estimate. Note that without that "theoretical breakthrough" or quantum computers, a decent key length will be safe for the lifetime of the universe...IF decent parameters are used.

      If you're using a one-time pad, you don't need to secure the message, only the pad. But you need an out-of-band secure means to transfer the pad.

      OTOH, if your computer has WiFi....well, the computer probably isn't secure. If it's connected to the internet, then it probably isn't secure. Etc. Message interception in transit is only one means of interception. Interception when/while/after decoding is another. And a trojan is an excellent way to intercept the message...though it needs to be a bit more targeted than just recording everybody's messages.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    21. Re:Marketing by HiThere · · Score: 1

      Well, it's known that they've ordered one specially designed...but I don't think that's built yet, and it seems more of an experimental "proof of concept" machine than something serious. Which is why I give factorization encryption 5 years. That's probably being a bit conservative, but they ARE looking. Of course, there may be roadblocks such that a decent quantum computer is actually impossible, but that's probably not the way to bet.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    22. Re:Marketing by sociocapitalist · · Score: 1

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      Why would they have to be ahead in every other area of computer science? The key to encryption is cryptography and the NSA was formed to crack code - it is their entire reason to exist.

      Yes I think that they have some of the smartest people in the world who do absolutely nothing but break codes and on top of that, yes I think that they have more budget and more computing power than anyone else in the world to do it with.

      I know someone who used to work for the NSA and he told me that they are twenty years ahead of the commercial market. That was about ten years ago but I doubt that they've failed to continue to be well ahead.

      --
      blindly antisocialist = antisocial
    23. Re:Marketing by sociocapitalist · · Score: 1

      The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

      There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

      Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom. If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

      [1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

      Well...arguably the US is big enough that no single disaster could knock out data centers at the far ends. For the next point, one might keep the data in two different havens in case one of them decides to hold it for ransom (which seems unlikely to me but okay, why not). One might argue that the data haven would sell the data to the US as well, for that matter.

      --
      blindly antisocialist = antisocial
    24. Re:Marketing by cryptizard · · Score: 1

      Think about a widely known encryption with a large enough key (>64 bits) that was "broken" in the last thirty years. It hasn't happened. There have been weaknesses discovered, but the only major encryptions to be broken are DES and A5 which were known to have a short key length even when they were released. They weren't even broken by cryptanalysis but just lots of computation. 3DES (to extend the key length) is still considered secure today. For the NSA to have broken not just one, but every major cipher is just preposterously unlikely.

    25. Re:Marketing by sociocapitalist · · Score: 1

      Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and more importantly faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm, therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much but better than nothing and we will likely never know the NSA's true capabilities anyways.

      Agreed - the only comment I would have is that a data haven is automatically going to be a 'person of interest' and thus a target.

      --
      blindly antisocialist = antisocial
  7. Marketing! by tgd · · Score: 4, Insightful

    Or stupidity. One of the two.

    Why use algorithms that are standardized on by the federal government and have been looked at exhaustively by experts around the world when you can use an untested crypto system? After all I'm sure the NSA wants to ensure that bad guys have access to everything the government is encrypting by first weakening the encryption standard, then standardizing the US government on the use of them.

    1. Re:Marketing! by cryptizard · · Score: 4, Interesting

      Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.

  8. No reason to distrust Rijndael by dido · · Score: 5, Insightful

    I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher might have been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.

    Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.

    The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    1. Re:No reason to distrust Rijndael by drinkypoo · · Score: 1

      I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard.

      I doubt it too, but the facts combine to suggest that we should be suspicious anyway. NSA has compromised ciphers. NSA chose this cipher. Therefore, it is best to be suspicious of this cipher.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:No reason to distrust Rijndael by cryptizard · · Score: 3, Interesting

      On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

      The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.

    3. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 1

      The NSA approved AES for use for encrypting US government documents of the most classified sort in 2003. That means that they would have to use AES themselves as well, if they wanted to exchange classified information with any other branch of the US government! How stupid would they be if they knew how to break the cipher and used it themselves anyway? Their own communications would become insecure as a result!

      Snowden said it himself: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The problem is that there are way too many brain-dead implementations of otherwise sound cryptographic primitives out there and other insecurities in systems that the NSA can more easily get into rather than breaking the ciphers, which are the strongest link in what is usually a very long chain of weak links.

    4. Re:No reason to distrust Rijndael by larry+bagina · · Score: 2

      Brer rabbit much? The NSA knows Rijndael is unbreakable... so they had Snowden "leak" some files. Make people think the NSA is more dangerous than it is. People worry about Rijndael and switch to something weaker.

      TRUST NO ONE.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    5. Re:No reason to distrust Rijndael by dido · · Score: 3, Insightful

      Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government! I think it's much more likely that they did apply even more of their vaunted cryptanalytic prowess to it when NIST gave their approval in 2000, and when by 2003 they found no significant weaknesses, they approved it for use with classified information. If they had found a significant weakness in AES and approved it anyway for such use, how arrogant and stupid would that make them? Their own supposedly secure communications with the rest of the government would be compromised as a result! As I said you can accuse the NSA of being many things, but I don't think stupidity is one of them.

      Snowden himself said it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The real trouble is there are too many systems out there that use otherwise sound cryptographic primitives in insecure ways, either by incompetence or by design. The NSA has been known to pressure manufacturers of security equipment to do the latter, and naturally they will only certify equipment that hasn't been thus back-doored for government use.

      And no, I don't think breaking AES would be career suicide for an academic cryptanalyst. Fermat's Last Theorem would also have been considered career suicide for centuries for the same reasons you cite, but now Andrew Wiles is one of the most famous mathematicians in the world. True, it's a hard problem, but if you manage to publish a workable break of AES you would become the most famous cryptographer in the world.

      --
      Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    6. Re:No reason to distrust Rijndael by mlts · · Score: 3, Interesting

      You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG is only using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.

      Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differential cryptanalysis.

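The nonce audit mlts describes above, as an added example in Go (not code from the post or from any product): a constructed generator whose output is 256 bits wide but carries only 8 bits of entropy, a sound generator beside it, and a check that draws a few thousand nonces and counts how many distinct values appear. Every name in it (NonceSource, WeakNonces, SoundNonces, Audit) is invented for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// NonceSource yields 256-bit nonces. Both generators below are constructed
// for this example; neither is the PRNG of any real product.
type NonceSource func() [32]byte

// SoundNonces draws all 256 bits from the operating system's CSPRNG.
func SoundNonces() NonceSource {
	return func() [32]byte {
		var n [32]byte
		if _, err := rand.Read(n[:]); err != nil {
			panic(err)
		}
		return n
	}
}

// WeakNonces is the failure mode from the comment: the output is 32 bytes
// wide, but only 8 bits of it are random. The rest is a fixed, invertible
// mixing of that one byte, so the output looks random yet can take at most
// 256 distinct values.
func WeakNonces() NonceSource {
	return func() [32]byte {
		var seed [1]byte
		if _, err := rand.Read(seed[:]); err != nil {
			panic(err)
		}
		var n [32]byte
		x := uint64(seed[0])*0x9E3779B97F4A7C15 + 1
		for i := 0; i < 4; i++ {
			// xor-shift and multiply by an odd constant: both steps are
			// bijections, so distinct seeds stay distinct (exactly 256 outputs).
			x ^= x >> 29
			x *= 0xBF58476D1CE4E5B9
			binary.LittleEndian.PutUint64(n[i*8:], x)
		}
		return n
	}
}

// Audit draws `samples` nonces and reports how many distinct values appeared
// and whether any value repeated. For a genuine 256-bit source the chance of
// even one repeat among 10000 draws is below 10^-60, so a single repeat is
// strong evidence that the effective entropy is tiny.
func Audit(src NonceSource, samples int) (distinct int, repeated bool) {
	seen := make(map[[32]byte]struct{}, samples)
	for i := 0; i < samples; i++ {
		n := src()
		if _, dup := seen[n]; dup {
			repeated = true
		}
		seen[n] = struct{}{}
	}
	return len(seen), repeated
}

func main() {
	for _, c := range []struct {
		name string
		src  NonceSource
	}{{"sound", SoundNonces()}, {"weak", WeakNonces()}} {
		d, r := Audit(c.src, 10000)
		fmt.Printf("%-5s source: %5d distinct of 10000, repeat seen: %v\n", c.name, d, r)
	}
}
```

The check is deliberately dumb: it does not need to know how the generator works, only that a 256-bit nonce must never repeat in any realistic number of draws. The same counting check applied to salts, IVs or session identifiers pulled from logs is a cheap first test of a deployed system's randomness.
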
    7. Re:No reason to distrust Rijndael by Anonymous Coward · · Score: 2, Interesting

      But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government!

      No, actually, the NSA uses two suites of cryptographic algorithms. AES, Diffie-Hellman key exchanges, etc. are in Suite B, which is published and available for everyone to use. That's what you're talking about. There's also Suite A, of which even the names of the algorithms are largely unknown. Those algorithms might well never get published. Suite A is for internal use, for encrypting the important secrets.

    8. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      Why do you say the NSA "is evil"? They have no operative arm, nor do they actually *do* anything. If they come across criminal activity they can tip off the FBI, but what they have isn't admissible evidence, so the FBI gets to do its own investigative work. Their job is to uncover and watch for activities by people who wish to harm the United States or its people - exactly what we who pay their bills want them to do, as well as to act as an expert advisor to the federal government. Do you think governments shouldn't look after the safety of their nations? Do you think any responsible government doesn't? Maybe after airplanes are flown into skyscrapers, or there's a mushroom cloud over Miami, or Hoover Dam blows up, we go "oops, maybe we should have paid a little more attention to people who wish to harm us?" Problem is, it's a little late then.

    9. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      Snowden himself said it: "Encryption works.

      Snowden is a clueless kid.

    10. Re:No reason to distrust Rijndael by emt377 · · Score: 1

      The key distribution and storage is often, but not always, the weakest point of attack. The exception is if you have plaintext or some pattern to look for (like an http or email header). This is why secure communications frequently are free of keywords and just contain a bunch of fields.

    11. Re:No reason to distrust Rijndael by aaaaaaargh! · · Score: 1

      But it could also be double bluff, designed to cause smart people like you not to switch away from broken Rijndael!

      Woaahh.. but wait a minute... what if it's a TRIPLE bluff?

    12. Re:No reason to distrust Rijndael by VortexCortex · · Score: 1

      But remember the NSA has to use AES themselves, at least when communicating with other branches of the US government. Do you think they would have knowingly approved a broken cipher for their own use?

      Fool. If they're the only one who can break it, then why the fuck not?

      You underestimate the paranoia and intelligence of the NSA then.

      What's more paranoid? Selecting a cipher that no one can break, or selecting a cipher you can break that you suspect no one else can break, and to prove to everyone it's "safe" you use it yourself, because you know folks spy on you anyway and plant false information as canaries for leaks anyway?

      Hello, McFly?! Remember RSA coming out and saying that everyone needed to not use the elliptic curve random number generator they used by default in all of their shit because researchers have proven the parametric constants the NSA pulled out of thin air create a back-door into it and any other cipher using it... No one would even use that damn PRNG because it was so fucking slow, thousands of times slower than the other hash based systems.... Yet NIST pushed it into the standard, and RSA used it by default... The one NO ONE IN THEIR RIGHT MIND would have used by default based on any number of factors, and yet RSA DID -- RSA, The CREATORS OF RIJNDAEL.

      Seems like you're the one doing the underestimation. RSA has been under the NSA control for a long fucking time.

    13. Re:No reason to distrust Rijndael by VortexCortex · · Score: 1

      Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves

      Fool. You seriously think that an agency which LIES directly to people who are cleared for the information they ask about, even when those people are SENATORS -- You seriously think this agency HAS TO USE the cipher they tell everyone else to use? I hope that your smarts aren't genetic, you'd be a threat to the gene pool.

  9. Re:9/11 was an inside job by tgd · · Score: 3, Insightful

    NIST has in many instances blocked independent investigations into 9/11, as well as lied about its own findings and devised unscientific explanations for the controlled demolitions of WTC 7 and the Twin Towers.
    AE911truth

    You know, this is probably the first time in the history of 9/11 whackjob posts on Slashdot that the reply is actually relevant to the story. Because they have nearly identical basis in reality.

  10. can you not write, or just not think??? by sribe · · Score: 1

    ...not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development...

    Really? So they are worried about NSA's influence on NIST, but they still trust NIST???

  11. Madness by lucag · · Score: 5, Informative

    The least I would have expected from the documents about the extensive spying done by NSA was a generalized weakening of cryptography.
    While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
    In particular, NIST mandated cipher suites, while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
    Skein and Twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by NSA (and not other architectural or practical considerations) resembles more a form of superstition than anything else.

  12. Re:9/11 was an inside job by TheCarp · · Score: 2

    Even a broken conspiracy is right twice an epoch.

    --
    "I opened my eyes, and everything went dark again"
  13. Re:THIS IS A GREAT IDEA! by Anonymous Coward · · Score: 1

    Twofish is hardly obscure or unreviewed. It was submitted as an AES candidate along with Rijndael. It's been reviewed plenty. It didn't meet the needs of NIST as well as Rijndael, which is why it wasn't chosen to be AES. But that doesn't make it a BAD cypher. It just makes it not ideal for NIST's purposes, which may well include: being vulnerable to attack by the NSA.

  14. Remember who uses NIST crypto transformations by dubist · · Score: 1

    For the record the US government uses the NIST cryptographic transformations as recommended by its own NSA so on a global scale of one to broken they can't be that bad. So for generalist every day encryption they should be fine, if you're trying to hide something that might have some sort of national security implications then if you're legitimately in possession / generating that kind of information then there will be a different set of protocols and standards to follow. People would shit their pants if the world suddenly turned to using ad-hoc unreviewed transformations because at that point all bets are off, no seriously, all bets are off. Cheers

    1. Re:Remember who uses NIST crypto transformations by mlts · · Score: 1

      If I had to use a well studied algorithm that -might- have a backdoor by an agency versus an algorithm that is "secret" that someone pulled out of their derriere, I'd rather have the former.

      I've been in those shoes before. My freshman year of college, I made a crypto algorithm that I thought was the cat's meow... plopped it on sci.crypt, and it was shredded by people who actually knew what it was doing in minutes.

      We already had those dark days of finding working crypto algorithms when people didn't use DES for much. I'd rather take something that has seen some heavy duty machinery trying to find any weaknesses in it than to use yet another "secret" algorithm that someone pulled out of their ass which is just another implementation of using the random() function with the seed being the passphrase and the output XOR-ed with the input data.

      Of course, the encryption algorithm is just half the battle. Using any algo in ECB mode is going to weaken security no matter how good it is.

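An added illustration of the ECB point in mlts's comment (example code, not from the comment or from any product): AES in ECB mode applied to a constructed plaintext of eight identical blocks, beside CBC with a random IV, with a count of distinct ciphertext blocks standing in for the eye that spots the penguin in an ECB-encrypted bitmap. The key, the message and all function names are invented for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample input: an example-only key and a plaintext made of eight
// identical 16-byte blocks, standing in for any data with repeated structure
// (bitmap rows, fixed-width records, padded fields).
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	sampleMsg = bytes.Repeat([]byte("ATTACK AT DAWN! "), 8)
)

// EncryptECB applies the block cipher to each block independently. Go's
// standard library deliberately offers no ECB mode, so it is spelled out here
// only to show the defect: equal plaintext blocks give equal ciphertext blocks.
func EncryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// EncryptCBC chains each block into the next under a fresh random IV, so
// repeated plaintext blocks no longer repeat in the ciphertext. The IV is
// prepended to the output; padding is omitted, so input must be block-aligned.
func EncryptCBC(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	out := make([]byte, bs+len(pt))
	iv := out[:bs]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], pt)
	return out, nil
}

// DistinctBlocks counts the different blockSize-byte blocks in ct. Under ECB
// this equals the number of distinct plaintext blocks, which is the leak.
func DistinctBlocks(ct []byte, blockSize int) int {
	seen := make(map[string]struct{})
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		seen[string(ct[i:i+blockSize])] = struct{}{}
	}
	return len(seen)
}

func main() {
	ecb, err := EncryptECB(sampleKey, sampleMsg)
	if err != nil {
		panic(err)
	}
	cbc, err := EncryptCBC(sampleKey, sampleMsg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: 8 blocks, %d distinct\n", DistinctBlocks(sampleMsg, 16))
	fmt.Printf("ECB:       8 blocks, %d distinct (structure leaks)\n", DistinctBlocks(ecb, 16))
	fmt.Printf("CBC:       8 blocks, %d distinct (structure hidden)\n", DistinctBlocks(cbc[16:], 16))
}
```

CBC hides block repetition but is still unauthenticated and malleable; in a real system the mode to reach for is an AEAD such as AES-GCM (cipher.NewGCM in Go's standard library) with a nonce that is never reused under the same key.
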
  15. Re:Amazing decission based on gut rather tan brain by LordLimecat · · Score: 1

    Skein is / was a NIST candidate for SHA3 and made it through a number of rounds. It isn't a replacement for AES tho, as it does hashing, not encryption.

  16. Buzz and obligatory xkcd by fuujuhi · · Score: 1

    I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?

    The following reference is obligatory tmo:

    http://xkcd.com/538/

    As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or ignorant of NSA's actual powers at best. Again, I've no clue of what these powers could be, but suggesting that they could break into secure systems by brute-forcing or cryptanalysing AES / SHA-2 does not make sense. Doing so would cost an overwhelming amount of energy, even for the NSA, when actually much much cheaper and conventional methods exist, like tapping into back-end systems (often with agreement from operators themselves), installing key loggers into end user devices, etc. They certainly control some botnets, and maybe even some underground websites. Knowing that most users use the same password over several websites, it's really a child's game to penetrate systems for an organisation like the NSA. The NSA do not need to guess your secrets, they simply read them over your shoulder.

    If Silent Circle feels like doing something, what about playing the card of full transparency and proving to the community that they are indeed beyond any doubt? That would at least have the merit to elevate the current level of discussions and not to throw away the work of dozens if not hundreds of people around the world trying to bring real open peer-reviewed security.

  17. really? by slashmydots · · Score: 1

    "not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades"
    So in other words it distrusts NIST.

  18. Re:Not encrypted enough by tgd · · Score: 1

    e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key.

    If I hadn't already posted in this discussion, that'd be getting a Funny mod point.

  19. Re:What does this use? by ron_ivi · · Score: 4, Interesting

    And instead of move "away" - why not move to *both* AES and another cypher.

    If they cascade the one the US recommends with the one China recommends with the one Russia recommends, it seems you're safe unless all three of those governments are conspiring against you. And if that's the case you probably have bigger problems.

  20. Ju-Jitsu by Tokolosh · · Score: 2

    Brute-forcing or otherwise cracking the various algorithms is all well and good. However, I believe the reality is that the NSA (and others) have more success by using other means, combined with metadata. I am not sure what the other means are, but could include social engineering, keylogging, reading clues communicated in the clear, false certificates, MITM.

    They vacuum up all data, encrypted or not, to be decrypted at leisure, when indicated by the metadata. But the underlying encryption is still (mostly) secure.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  21. Re:THIS IS A GREAT IDEA! by mlts · · Score: 1

    IIRC, Twofish did not make it as the AES finalist because it used more CPU than Rijndael. This doesn't mean Twofish is less secure, it just means that crypto ASICs are cheaper to make shifting blocks around than Twofish's split key/algorithm method.

    Were I to choose one of the other just for security, I'd choose Twofish over Rijndael, but NIST had other parameters in their design decision.

  22. Faster, Scalable Factoring by SpaceLifeForm · · Score: 1

    Factoring large semiprimes has a scalable solution. For example, if you have a large semiprime that is expected to take a billion years to factor, you can throw a billion cores at the problem and factor it in one year. I am *not* referring to GNFS.

    With a billion cores of custom silicon, you can speed it up even more.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Faster, Scalable Factoring by SpaceLifeForm · · Score: 1

      True. Read post I was replying to again.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  23. Mixing the signals by WaffleMonster · · Score: 1

    I think crypto agility is generally an awesome thing; all our encryption should have the ability to swap out algorithms at a moment's notice with a meaningful process to mutually agree on strong acceptable algorithms.

    It is also a double edged sword as practically it means if any of algorithms you trust are compromised AND both parties are still willing to use the algorithm an attacker can normally steer parties to use it.

    One thing I never really understood is if you're afraid of subversion why not simply chain a series of different algorithms together such that compromise of one could not result in recovery of plaintext? The only downside I can think of is you might need a bigger key so jacking input bits of one algorithm does not cascade to the others or otherwise reduce effective entropy of each input.

    1. Re: Mixing the signals by lucag · · Score: 1

      Nope. Two weak ciphers do not make a strong one, just a mess.
      This is not to say that a cryptosystem should not be designed from basic (and rather insecure) primitives suitably chained and iterated: this is actually the case for all modern block ciphers from Feistel-style networks to the AES. The point is that it is not sensible to rely for security on the rather unpredictable interactions between different encryptions and the actual risk is indeed a false sense of security.

      A different problem is whether it makes sense to consider "replaceable" encryption algorithms as suggested. In the case of public key systems this would not be a good idea, as the properties, security parameters and behavior might be widely different (even in comparable usage scenarios) and unexpected weaknesses might appear. As for block ciphers, they are sort of supposed to be interchangeable (for given block and key length) ; however, it has to be considered that a negotiation protocol might always be fooled by an attacker in order to select the "weakest" (in some sense) algorithm.

      In short: in cryptography flexibility might (and usually can) be a liability rather than an advantage. The best course of action is to be able to fully audit a "simple" implementation (and be somehow able to guarantee some security) rather than leave too much room for unsuspected attacks.

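The downgrade that both WaffleMonster and lucag describe, worked through in Go as an added example (not code from either poster or from any real protocol): a client offers three suites, an on-path attacker deletes all but the weakest from the offer in transit, and a server that is still willing to accept that suite picks it. A MAC over the negotiation transcript shows the standard countermeasure, and the third run in main shows the only fix that removes the problem rather than detecting it. Suite names, the shared secret and every function here are invented for the example; the secret is assumed to come from an authenticated key exchange that is out of scope.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Preference lists, strongest first. The names are placeholders for this
// example, not identifiers from any real protocol.
var (
	ClientOffer = []string{"AES-256-GCM", "TWOFISH-CBC", "DES-CBC"}
	ServerPrefs = []string{"AES-256-GCM", "TWOFISH-CBC", "DES-CBC"}
)

// pickSuite is the server's selection rule: the first of its own preferences
// that also appears in the offer it received.
func pickSuite(prefs, offered []string) (string, bool) {
	for _, p := range prefs {
		for _, o := range offered {
			if p == o {
				return p, true
			}
		}
	}
	return "", false
}

// transcriptMAC authenticates the negotiation: HMAC-SHA256, under a secret the
// parties already share, over the offer list exactly as this party saw it and
// the suite that was chosen. The shared secret is assumed to come from an
// authenticated key exchange; here it is simply passed in.
func transcriptMAC(secret []byte, offered []string, chosen string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strings.Join(offered, ",") + "|" + chosen))
	return m.Sum(nil)
}

// Negotiate runs one handshake. tamper models an on-path attacker rewriting
// the client's offer in transit (nil means an honest network). It returns the
// suite the server selected and whether the client's transcript check passed.
// A client that ignores the second value is exactly the one that gets steered.
func Negotiate(offer, prefs []string, tamper func([]string) []string, secret []byte) (string, bool) {
	seenByServer := offer
	if tamper != nil {
		seenByServer = tamper(offer)
	}
	chosen, ok := pickSuite(prefs, seenByServer)
	if !ok {
		return "", false // no common suite: the handshake fails closed
	}
	serverTag := transcriptMAC(secret, seenByServer, chosen) // over what the server saw
	clientTag := transcriptMAC(secret, offer, chosen)        // over what the client sent
	return chosen, hmac.Equal(serverTag, clientTag)
}

// StripToWeakest is the attacker: keep only the last (weakest) suite offered.
func StripToWeakest(offer []string) []string {
	return []string{offer[len(offer)-1]}
}

func main() {
	secret := []byte("example-shared-secret") // constructed for the demo only
	show := func(label string, prefs []string, tamper func([]string) []string) {
		suite, ok := Negotiate(ClientOffer, prefs, tamper, secret)
		fmt.Printf("%-40s suite=%-14q transcript ok=%v\n", label, suite, ok)
	}
	show("honest network:", ServerPrefs, nil)
	show("offer stripped to DES-CBC:", ServerPrefs, StripToWeakest)
	show("stripped, server no longer accepts DES:", ServerPrefs[:2], StripToWeakest)
}
```

The transcript MAC is the same idea as the Finished message in TLS: it only catches the downgrade after the fact, and only if the client actually checks it. The third run is lucag's point in practice: once the server's preference list no longer contains the weak suite, there is nothing for the attacker to steer the parties toward.
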
    2. Re: Mixing the signals by david_thornley · · Score: 1

      I don't understand. Suppose I have ciphers A and B. I have plaintext, encipher it with A, and encipher it with B using a different key. Why would the cipher be any weaker than the strongest of A and B? If that's the case, if I use AES and Twofish sequentially, I should be safe if either AES or Twofish is safe. ("Safe" in this case means the NSA can't break it in under, say, 2^100 operations.)

      If I'm wrong, could somebody explain that in an understandable manner? (The answer to that could well be "no", of course.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re: Mixing the signals by lucag · · Score: 1

      The point is not so much that the cipher would be weaker, as that it would be no stronger than using any of them and there are some cases where it could actually be as weak as the weakest of them both. For instance, you do not gain anything under a "known plaintext" scenario.

      Consider this case: you have an enciphering machine (say E) and you want to recover the keys being used by probing its behaviour with a series of texts (which are either `random' or suitably chosen by you). If
      E(m,k1|k2)=B(A(m,k1),k2)
      where A,B are your original systems and k1,k2 the respective keys, we might try to mount an attack by intercepting the stream between A and B.
      There is a slight security advantage, as a chosen plaintext attack for E becomes a known plaintext attack for B (the chosen plaintext is m; the known one is A(m,k1)) but if B is vulnerable the attacker can recover k2 and strip the second layer of encryption. Now we are left with attacks against A under a known plaintext model (which might work or might not). This is a variant of the usual "meet in the middle" approach used against 2DES; if you want a direct parallel, just consider having to look for collisions (x,y) to
      B^(-1)(E(m,?),x)=A(m,y)
      where "?" denotes an unknown key.
      A particular case is when x=y *as a design decision*. If this turns out to be the case (argued as "256 bits should be enough for anybody!" or the like), then it is actually the weakest cipher which matters (and not the strongest one).

      Furthermore, it can well be that there are distinguishers for the first cipher under consideration; if that turns out to be the case an attacker can infer strong statistical properties on the input stream to the second which could be exploited.

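An added worked example (not lucag's or any other poster's code) of the meet-in-the-middle attack lucag refers to, covering both the two-key cascade E(m,k1|k2)=B(A(m,k1),k2) from this thread and the x=y design decision. AES stands in for both A and B; keys are restricted to 16 bits (zero-padded to an AES-128 key) so the attack finishes in well under a second, and that restriction is the example's own assumption. The attack itself does not depend on the key size: against two independent n-bit keys it recovers both with about 2^(n+1) block operations and a 2^n-entry table, not the 2^(2n) trials the doubled key length suggests, and with a shared key the cascade costs no more to break than a single layer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// KeyBits is the toy key size. Each key is a 16-bit value zero-padded to a
// full AES-128 key, so the space is 2^16 and the attack runs quickly; the
// structure of the attack does not depend on the key size.
const KeyBits = 16

func toAESKey(k uint16) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint16(key, k)
	return key
}

func encryptBlock(k uint16, in []byte) []byte {
	c, err := aes.NewCipher(toAESKey(k))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

func decryptBlock(k uint16, in []byte) []byte {
	c, err := aes.NewCipher(toAESKey(k))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Decrypt(out, in)
	return out
}

// DoubleEncrypt is the cascade E(m, k1|k2) = B(A(m, k1), k2) with A = B = AES.
func DoubleEncrypt(k1, k2 uint16, m []byte) []byte {
	return encryptBlock(k2, encryptBlock(k1, m))
}

// MeetInTheMiddle recovers (k1, k2) from two known plaintext/ciphertext pairs.
// Phase 1 tabulates A(m1, x) for every x; phase 2 computes B^-1(c1, y) for
// every y and looks it up in the table. Any hit is a candidate pair, which is
// confirmed on the second known pair to rule out a chance collision.
// Work: 2 * 2^KeyBits block operations plus a 2^KeyBits-entry table, against
// 2^(2*KeyBits) for exhaustive search over both keys.
func MeetInTheMiddle(m1, c1, m2, c2 []byte) (k1, k2 uint16, found bool) {
	forward := make(map[[16]byte]uint16, 1<<KeyBits)
	for x := 0; x < 1<<KeyBits; x++ {
		var mid [16]byte
		copy(mid[:], encryptBlock(uint16(x), m1))
		forward[mid] = uint16(x)
	}
	for y := 0; y < 1<<KeyBits; y++ {
		var mid [16]byte
		copy(mid[:], decryptBlock(uint16(y), c1))
		if x, ok := forward[mid]; ok && bytes.Equal(DoubleEncrypt(x, uint16(y), m2), c2) {
			return x, uint16(y), true
		}
	}
	return 0, 0, false
}

// RecoverSharedKey handles the x = y design choice from the comment: when both
// layers use the same key the cascade adds no key material at all, and one
// pass over the single key space suffices.
func RecoverSharedKey(m1, c1 []byte) (uint16, bool) {
	for k := 0; k < 1<<KeyBits; k++ {
		if bytes.Equal(DoubleEncrypt(uint16(k), uint16(k), m1), c1) {
			return uint16(k), true
		}
	}
	return 0, false
}

func main() {
	m1, m2 := []byte("known plaintext1"), []byte("known plaintext2") // constructed, 16 bytes each
	k1, k2 := uint16(0xBEEF), uint16(0x1337)
	c1, c2 := DoubleEncrypt(k1, k2, m1), DoubleEncrypt(k1, k2, m2)
	r1, r2, ok := MeetInTheMiddle(m1, c1, m2, c2)
	fmt.Printf("recovered k1=%#04x k2=%#04x (found=%v) with about %d block operations, not %d\n",
		r1, r2, ok, 2<<KeyBits, uint64(1)<<(2*KeyBits))
	s, ok := RecoverSharedKey(m1, DoubleEncrypt(k1, k1, m1))
	fmt.Printf("shared-key cascade: recovered %#04x (found=%v)\n", s, ok)
}
```

The attack needs known plaintext, which is exactly the model lucag sets up. It does not make the cascade weaker than one layer on its own; it shows that the cascade buys roughly one extra bit of security rather than a doubled key length, which is why Triple DES rather than double DES followed DES.
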
  24. Re:Snake Oil company says don't use medicine by mlts · · Score: 1

    I see Silent Circle going down the same path that Hushmail travelled. Hushmail is a very good service, but when told to either cooperate with Interpol or else, they cooperated.

    With SC, they will likely be forced with the same choice. Hand over keys and put in backdoors or face shutdown/prison time.

    Instead, the focus should not be on communications, but endpoint security. Maybe PGP needs a revisit?

  25. Trust by sexconker · · Score: 1

    not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.

    If "executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades" then "the company distrusts NIST".

  26. Re:9/11 was an inside job by arthurpaliden · · Score: 1

    9/11 was a low tech attack that was based on human engineering. That is what makes it so scary.

  27. Re:What does this use? by gomiam · · Score: 1

    Adding more cryptosystems doesn't automatically translate into greater security, as double DES showed.

  28. No difference... by Kazoo+the+Clown · · Score: 1

    The NSA has figured out that the crypto isn't the weak point no matter what algorithm is used. Change it all you want, it makes no difference.

  29. Re:What does this use? by HiThere · · Score: 1

    Sorry to hash the joke, but that's double ROT128. Unless, of course you're using a 16-bit or 32 bit character.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  30. You have made an assumption by SpaceLifeForm · · Score: 1

    "if they want to exchange..." Keyword: If.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.