Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."

Re:I thought that AES *was* independetly designed?

The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

No reason to distrust Rijndael

[dido]

I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher have been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.

Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.

The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.

Madness

[lucag]

The least I would have expected from the documents about the extensive spying done by NSA was a generalized weakening of cryptography.
While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
  In particular, NIST mandated cipher suites while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
Skein and twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by NSE (and not other architectural or practical considerations) resembles more a form of superstition than anything else.

Re:Marketing

[Kjella]

Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later downclassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101 but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seem able to crack a single cipher yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...

Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.