Slashdot Mirror


Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight (reuters.com)

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.

104 comments

  1. classic plea bargain by turkeydance · · Score: 2

    we give you the 12 we didn't want to keep the 5 we did.

    1. Re:classic plea bargain by Anonymous Coward · · Score: 0

      That's not going to work here. The NSA burned its bridges a long time ago. The US, in general, is currently advocating bugs and secret backdoors in pretty much everything for "lawful access". Anyone getting something from any US agency should assume it's bugged and act accordingly. If you're a standards body, you reject ALL of the proposals for security software from them. They simply cannot be trusted.

      Disclaimer: I am a US citizen. Even I wouldn't trust crap from them.

  2. Dual EC DRBG stuff...old news by Anonymous Coward · · Score: 1

    This is the same crap about the Dual EC DRBG. Really NOTHING new to see here. Everybody knows not to use this, most software has already had it removed. Yawn.

    1. Re:Dual EC DRBG stuff...old news by ChumpusRex2003 · · Score: 2

      New "ciphers". Same trick. However, ISO committee members didn't just approve the new ciphers like they did dual EC DRBG. They keep getting voted down, as not suitable for publication as an ISO standard, but the US keeps pushing ISO to accept them as an international standard.

    2. Re:Dual EC DRBG stuff...old news by Anonymous Coward · · Score: 0

      Or actually not quite the same old news. This is about a newer cipher suite...yet the damn article barely mentions the Simon and Speck stuff and that they're NSA designed block ciphers....

      Still nearly the same old news.

    3. Re:Dual EC DRBG stuff...old news by swillden · · Score: 5, Informative

      > New "ciphers".

      Specifically, two new families of block ciphers called SIMON and SPECK. These ciphers are designed to be extremely fast, which is good because although AES is fairly fast on "big" hardware or on large quantities of data, it can be a bit sluggish when used in extremely constrained environments on small amounts of data. In particular, its key schedule is heavy, so changing keys is slow. SIMON has been designed to make it particularly cheap in purpose-built hardware while SPECK is designed for very fast software implementations. Both are very, very fast on both hardware and software, though. The 128-bit version (block size and key size) of SPECK, for example, encrypts at about 1.25 cycles per byte on an i5 on long messages, and is almost as good on short messages. That's crazy fast.

      Academic cryptanalysis of the ciphers has so far shown them to be quite solid, with a very good margin of security (meaning that cryptanalysts have only been able to break significantly cut-down versions of the ciphers, quite far from full versions).

      > Same trick.

      Possible, but doubtful. In fact, the experience with Dual EC DRBG actually makes it significantly less likely, IMO. They tried to pull the trick with that, but it didn't work because academics discovered the mathematical structure that made the backdoor possible. That has to make them worried that the same thing would happen again, and in fact the trick would be much harder to pull off with symmetric block ciphers. The thing about elliptic curves is that they have rich mathematical structure which can be exploited in clever ways (this is what makes them useful for public key cryptography) by choosing the right curves. But symmetric key block ciphers like SIMON and SPECK don't have that, making it much harder to design back doors in.

      It's not impossible that the NSA has some technique that can break these ciphers -- which are actually quite similar to ciphers produced by public cipher designers -- but it really seems unlikely. Nevertheless, once burned twice shy. I don't blame standards bodies for being reluctant and waiting for public cipher designers to produce algorithms with the desirable properties of SIMON and SPECK, but without the concern about origin.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
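swillden's post above describes Speck128/128 as a fast ARX design with a light key schedule. The following is an added example written for this page, not code from the thread, the Speck paper or the NSA: a compact Python Speck128/128 checked against the published test vector, assuming the paper's word order (left word most significant) for key, plaintext and ciphertext.

```python
# Added example, not from the thread: Speck128/128 in plain Python.
# Every round is one 64-bit add, two rotations and two XORs (no S-boxes, no
# tables), and the key schedule reuses the same round function, which is why
# re-keying is cheap compared with AES.

MASK64 = (1 << 64) - 1
ROUNDS = 32          # full Speck128/128; cryptanalysis papers attack reduced-round variants
ALPHA, BETA = 8, 3   # rotation amounts for the 64-bit word size


def ror(x, r):
    """Rotate a 64-bit word right by r bits."""
    return ((x >> r) | (x << (64 - r))) & MASK64


def rol(x, r):
    """Rotate a 64-bit word left by r bits."""
    return ((x << r) | (x >> (64 - r))) & MASK64


def round_fn(x, y, k):
    """One Speck round: x = ((x >>> 8) + y) ^ k, then y = (y <<< 3) ^ x."""
    x = ((ror(x, ALPHA) + y) & MASK64) ^ k
    y = rol(y, BETA) ^ x
    return x, y


def inv_round_fn(x, y, k):
    """Inverse of round_fn, used for decryption."""
    y = ror(y ^ x, BETA)
    x = rol(((x ^ k) - y) & MASK64, ALPHA)
    return x, y


def expand_key(key, rounds=ROUNDS):
    """Key schedule for the 128-bit key, given as (l0, k0) with l0 the left
    (most significant) word as printed in the paper (assumption from lead-in).
    The schedule is just round_fn run over the key words with the round index
    standing in for the round key."""
    l, k = key
    round_keys = [k]
    for i in range(rounds - 1):
        l, k = round_fn(l, k, i)
        round_keys.append(k)
    return round_keys


def encrypt_block(pt, key, rounds=ROUNDS):
    """Encrypt one 128-bit block given as a pair of 64-bit words (x, y)."""
    x, y = pt
    for k in expand_key(key, rounds):
        x, y = round_fn(x, y, k)
    return x, y


def decrypt_block(ct, key, rounds=ROUNDS):
    """Decrypt one 128-bit block by running the rounds backwards."""
    x, y = ct
    for k in reversed(expand_key(key, rounds)):
        x, y = inv_round_fn(x, y, k)
    return x, y


# Published Speck128/128 test vector from the designers' paper, words written
# left = most significant.
TEST_KEY = (0x0F0E0D0C0B0A0908, 0x0706050403020100)
TEST_PT = (0x6C61766975716520, 0x7469206564616D20)
TEST_CT = (0xA65D985179783265, 0x7860FEDF5C570D18)


def self_check():
    """Return True if this implementation reproduces the published vector."""
    return (encrypt_block(TEST_PT, TEST_KEY) == TEST_CT
            and decrypt_block(TEST_CT, TEST_KEY) == TEST_PT)


if __name__ == "__main__":
    print("test vector ok:", self_check())
```

The `rounds` parameter exists only so a reader can see what a "cut-down version" means: reduced-round variants still round-trip, but they are not Speck and carry none of its security margin.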
    4. Re:Dual EC DRBG stuff...old news by swillden · · Score: 2

      > Even $10 MCU have dedicated AES-256 hardware these days.

      Sure, if you can afford such expensive hardware, AES is fine.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Dual EC DRBG stuff...old news by Maritz · · Score: 4, Funny

      Your sig is a lie!!! ;)

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    6. Re:Dual EC DRBG stuff...old news by swillden · · Score: 1

      > Your sig is a lie!!! ;)

      Heh. Sometimes I happen to see an AC comment and can't help myself :-)

      However, when I get notified of AC replies, I delete them without looking. It's a policy that has made my slashdot commenting much more pleasant. I highly recommend it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Dual EC DRBG stuff...old news by plover · · Score: 1

      It could be that "crazy fast" is the main goal they're looking for. The NSA has an immense amount of compute that they can throw at cryptographic problems to try to brute force them. Reducing the amount of CPU it would take to test each guess increases their capacity by the same factor.

      Now, all they have to do is make sure people use crappy PRNGs, and the NSA will be picking up the bar tab at the next FIVE EYES conference.

      --
      John
    8. Re:Dual EC DRBG stuff...old news by swillden · · Score: 1

      > It could be that "crazy fast" is the main goal they're looking for. The NSA has an immense amount of compute that they can throw at cryptographic problems to try to brute force them. Reducing the amount of CPU it would take to test each guess increases their capacity by the same factor.

      > Now, all they have to do is make sure people use crappy PRNGs, and the NSA will be picking up the bar tab at the next FIVE EYES conference.

      Hmm. I suppose. Seems like a stretch to me, but assuming they can get people to use crappy RNGs, making the algorithms X times faster would be the same as buying X times as much brute forcing hardware, so it could be worth doing.

      But if that's what they're doing, there's no reason for people to avoid SIMON and SPECK. You may as well benefit from their high performance -- just make sure you have good randomness sources, which you need to do regardless.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:Dual EC DRBG stuff...old news by Maritz · · Score: 1

      It's OK my sig is also a lie.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  3. You reap what you sow by 93+Escort+Wagon · · Score: 5, Informative

    " In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them."

    The NSA is widely believed to have done exactly this when it recommended particular elliptic curve constants quite a few years back.

    Once you've betrayed people's trust, you're going to have a hard time convincing them you're worth trusting with anything that matters ever again.

    --
    #DeleteChrome
    1. Re:You reap what you sow by Anonymous Coward · · Score: 0

      lol-k, to plainly trust ANYTHING in this modern world is just plain foolish

      Trust but verify is about as close as we can get these days

    2. Re:You reap what you sow by rmdingler · · Score: 2

      The trust bunny is a fragile thing. It's seemingly knitted together with gossamer thread and good intentions, yet when it works, it is stronger than unobtainium.

      Nevertheless, bust that bunny at your own peril. As easy as it was to forge, once broken, all the monarch's tetrapods cannot reassemble it.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:You reap what you sow by HiThere · · Score: 4, Insightful

      The thing is, I don't know that anyone ever actually *proved* that the NSA elliptic curve constants were weak. But everyone suspects that they are because of other things they've done.

      This is a point worth remembering. Once you get a bad reputation, people stop trusting you even if they can't prove that you're doing something wrong this time. And when they remember it later they'll remember it as a time they didn't fall into your trap.

      And remember, perhaps those constants were good. Have you heard of anyone proving that they weren't? But would you want to trust them?

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:You reap what you sow by rtb61 · · Score: 2

      Even worse, be a really bad actor and call on others to vouch for you and you destroy their reputation as well. Look at the reputation of the other members of the five eyes, the UK, Canada, Australia and even poor little New Zealand: all of their diplomatic reputations have been turned to shite by repeatedly falsely vouching for the integrity of what have proven to be US lies. Used again and again, all the US has done is destroy their reputation and make them worthless in pushing US lies on the rest of the world. The US government is seen as nothing but a tool of Corporations and other governments (especially Israel via control of media corporations and Saudi Arabia via mass bribery), depending upon who pays the most bribes when, so nothing can be trusted coming out of the US any more. That rejection of the NSA will play out much worse for US corporations; that shot was a profound warning shot about the enormous damage done to US trust, pretty much non-existent, and that means the trust of US corporations will follow suit: they are going to find it harder and harder to do business in foreign markets when high levels of trust are required. Forcing the sale of F35 flying pigs with back doors, when they all know the back doors are there, is not helping one little bit (you just know the corporations with those keys will sell them to the highest bidder and those back doors will do huge damage to US reputation, you just know it will happen).

      --
      Chaos - everything, everywhere, everywhen
    5. Re:You reap what you sow by AmiMoJo · · Score: 2

      There was the whole Dual_EC_DRBG debacle. RSA appear to have been paid to select a poor, likely backdoored random number generator by the NSA. For further confirmation it was discovered that RSA had also adopted the NSA's "extended random" system, which adds zero extra security but does make the Dual_EC_DRBG backdoor tens of thousands of times faster to use.

      It would be crazy to carry on trusting any of those people.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re: You reap what you sow by Anonymous Coward · · Score: 0

      Dang it, you use your tongue prettier than a twenty dollar whore.

    7. Re:You reap what you sow by rmdingler · · Score: 1

      I assume there is a two-way relationship between large corporations and powerful central governments, regardless of the flag that flies over headquarters. The influence-peddling companies lobby governments to do their will, and governments wield huge contracts and favorable legislation to exert some reciprocal control, probably under the guise of national security.

      The toothpaste is out of the tube with regards to electronic surveillance. Governments will not relinquish the ability to eavesdrop, and indeed, believe it is useful in that part of their job is to protect citizens.

      That said, the World is a lonely place, even as a Superpower, without trusted allies. If governments allow this to fracture bonds between nations, we will rapidly return to industrial protectionism based on WW2 borders.

      The US has a moral duty to act better, but the World will always have a single (or few) preeminent nation(s) running roughshod over the others. Who would you prefer wielding global power?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    8. Re:You reap what you sow by bill_mcgonigle · · Score: 1

      Correct. The RSA paycheck is the smoking gun. The benefit of the doubt ended with it.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:You reap what you sow by rtb61 · · Score: 1

      Governments will relinquish anything we insist upon, end of story. Don't believe me? You know once our nations used to be ruled by monarchies. Those mad insane homicidal maniacs would publicly torture to death anyone who disagreed with them, and our not so distant ancestors forced change upon a bunch of completely unwilling homicidal maniacs (keep in mind publicly torturing people to death was an acceptable-to-them practice). How much fear were those arse holes able to instil into the public, in the most insanely Stockholm syndrome way; people still celebrate those who to this day are still unashamed of how essentially evil they became. How that fear still forces worship to this day, and how in this day it is still demonstrably evil as exemplified by the House of Saud, is crazy. The only difference between the kings and queens in insane asylums and the ones on public show is the quality of their public relations and of course their history of brutality ingrained into the public psyche. Compared to that, the scum running our corrupt democracy in their personal favour is pretty much nothing, and all down to crazy things people believe and will accept.

      Look at politicians as used car salespersons, not as who they pretend to be, the best experts in government in the country. Not only are they not experts in government, they are not even experts in getting elected; professional campaign managers can get any show dog elected, and that is all they are, dogs that sell out to the highest bidder. Why the hell be afraid of that? It is as easy as saying no loud enough and often enough, just like they were toddlers, and they will stop. Compared to the homicidal mania of monarchy, these corrupt sellouts are pushovers; just have to keep saying NO, don't do that, loud enough and often enough and they will stop. Like toddlers, they just pretend they don't have to listen.

      --
      Chaos - everything, everywhere, everywhen
  4. "most powerful" relative to what? by Anonymous Coward · · Score: 0

    an algorithm with a novel quantum solution, or some other machine that the NSA already has functioning, would make any "version" of the techniques just as susceptible to cracking.

    perhaps the quantum machine is actually made easier as the encryption becomes "more powerful".

    you're all idiots.

    1. Re:"most powerful" relative to what? by AHuxley · · Score: 1

      Relative to real time over years of use for any system, network.
      Enigma, DES should have been the warning from history.
      Revealed: how US and UK spy agencies defeat internet privacy and security (6 September 2013)
      https://www.theguardian.com/wo...
      "..to have cracked the codes used by 15 major internet companies, and 300 VPNs."
      Microsoft handed the NSA access to encrypted messages (12 July 2013)
      https://www.theguardian.com/wo...
      ".. agency already had pre-encryption stage access.."
      "..helped the NSA to circumvent its encryption to address concerns .."
      US allies should have learned from
      SISMI-Telecom scandal https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...–05

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:"most powerful" relative to what? by Anonymous Coward · · Score: 0

      No, I just don't fuck with state actors... except russian trolls, it is fun to sucker punch those pussies

    3. Re:"most powerful" relative to what? by Maritz · · Score: 1

      > an algorithm with a novel quantum solution, or some other machine that the NSA already has functioning, would make any "version" of the techniques just as susceptible to cracking.

      > perhaps the quantum machine is actually made easier as the encryption becomes "more powerful".

      > you're all idiots.

      Gotta love the guy who comes out with a load of fucking gibberish and proceeds to call everybody else idiots.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  5. "Did IQ's drop sharply while I was away?" by freeze128 · · Score: 1

    OK, if the NSA is pushing encryption techniques that are easy to break, or have known vulnerabilities, then they lose the "S" in their Acronym.

    1. Re:"Did IQ's drop sharply while I was away?" by DontBeAMoran · · Score: 1

      Nope, they just changed it internally from "Security" to "Spying". Still NSA to the outsiders.

      --
      #DeleteFacebook
    2. Re:"Did IQ's drop sharply while I was away?" by JohnFen · · Score: 2

      How so? The NSA exists to penetrate everyone's informational security. Pushing crypto they can break is exactly in line with their purpose.

    3. Re:"Did IQ's drop sharply while I was away?" by mhkohne · · Score: 2

      From what we can see from outside, the NSA firmly believes it's the smartest one in the room, and that no one else can possibly figure out a backdoor it's put in place. They really believe in the 'NOBUS' (NObody But US) theory about certain things.

      Couple that with a dual-mission agency (protect 'our' communications, break everyone else's) and you have a recipe for arrogance and disaster.

      --
      A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    4. Re:"Did IQ's drop sharply while I was away?" by Anonymous Coward · · Score: 0

      Pushing crypto "others don't know" they can break is exactly in line with their purpose. You shouldn't alienate your allies...

    5. Re:"Did IQ's drop sharply while I was away?" by JohnFen · · Score: 1

      > (protect 'our' communications, break everyone else's)

      That's not too much of a conflict, really, when you consider that by "our" communications, they mean the US government's, not the citizenry's.

    6. Re:"Did IQ's drop sharply while I was away?" by omnichad · · Score: 1

      No Such Acronym

    7. Re:"Did IQ's drop sharply while I was away?" by HiThere · · Score: 1

      While there is suggestive evidence that the US spying agencies knew that 9-11 was going to happen and intentionally didn't act to prevent it (suggestive, not proof) I know of no credible evidence that it was an inside job. Being paranoid doesn't count as proof.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re: "Did IQ's drop sharply while I was away?" by Anonymous Coward · · Score: 0

      Given the administration at the time, all signs point to arrogance and/or ignorance as to why the intelligence was ignored.

    9. Re:"Did IQ's drop sharply while I was away?" by Anonymous Coward · · Score: 0

      Having Building 7 come down, without being "hit", and then refusing to "talk" about it is as close as possible to "evidence" of something untoward occurring !

    10. Re:"Did IQ's drop sharply while I was away?" by Maritz · · Score: 1

      Yawn.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    11. Re:"Did IQ's drop sharply while I was away?" by slashrio · · Score: 0

      Then try being observant.
      Watch a few videos of the WTCs coming down and compare that to controlled demolition jobs.
      And to any *uncontrolled destruction of a building.
      There is no doubt explosives must have been placed on beforehand. Especially in WTC 7.
      Firemen testimonies about a sequence of explosions while WTC 1 and 2 came down is also indicative.
      Or the testimonies about huge explosions in the basements as a preparation, a characteristic of controlled demolition.
      Check prof. Steven Jones who found remains of thermate in the building's dust.
      Good luck with your research, no need to be paranoid. Just use your eyes and brains.

      --
      "Trump!!", the new Godwin.
  6. Good by Anonymous Coward · · Score: 0

    diversity is good, everyone using the same technology means there is just less technological development and less local development.
    The more types of encryption or encryption techniques there exist the better for the economy etc...

    1. Re:Good by Anonymous Coward · · Score: 0

      There is a Dutch phrase which is "unity sausage" which basically translates to a bad post-ww2 sausage, all the NSA crap the US has been pushing is exactly THAT...

    2. Re:Good by Impy+the+Impiuos+Imp · · Score: 1

      > There is a Dutch phrase which is "unity sausage" which basically translates to a bad post-ww2 sausage, all the NSA crap the US has been pushing is exactly THAT...

      And what does that translate to?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re: Good by Anonymous Coward · · Score: 0

      After World War 2, there was a lack of food in the ravaged areas of Europe, so people were forced to eat what they could regardless of quality. Difficult for an American to understand perhaps.

  7. Trust is hard to gain and easy to lose by Opportunist · · Score: 3, Insightful

    To make me trust you, you have to give me a good reason to do so. Unfortunately the NSA has given all sorts of reason to not thrust them with anything. Not as an American, twice not as a foreigner.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Trust is hard to gain and easy to lose by Anonymous Coward · · Score: 0

      I'm pretty sure they'll insist it was all Snowden's fault, certainly not theirs. Just ask Mr. James "least untruthful" Clapper.

    2. Re:Trust is hard to gain and easy to lose by Anonymous Coward · · Score: 0

      Personally, I think they have given us many reasons to thrust them with something.

    3. Re:Trust is hard to gain and easy to lose by Lost2Home · · Score: 2

      What really needs to happen to regain trust in crypto algorithms generated by the US is to split the NSA into two separate organizations. Move the role of securing US government communications and computer systems into a new agency. Then assign the spy on foreign nationals role to a separate organization under the CIA.

      While it would still take a long time to regain the trust of allies, this is a necessary first step.

    4. Re:Trust is hard to gain and easy to lose by Opportunist · · Score: 1

      A necessary first step would be to understand that screwing over your allies again and again has a negative impact on your trustworthiness.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Trust is hard to gain and easy to lose by slashrio · · Score: 1

      That new agency for 'securing US government communications and computer systems' will still be a government organization.
      Useless.

      --
      "Trump!!", the new Godwin.
    6. Re:Trust is hard to gain and easy to lose by JohnFen · · Score: 1

      > What really needs to happen to regain trust in crypto algorithms generated by the US is to split the NSA into two separate organizations.

      I disagree. Doing so would be a necessary precursor to developing trust, but there would be exactly zero reason to trust the new "defensive" agency any more than the NSA as it exists now.

      Trust is earned, and the way people or entities earn trust is to demonstrate trustworthiness over time.

  8. Fear is the only reason we have allies by Anonymous Coward · · Score: 0

    Considering that the US has finally outed itself as a fascist oppressor out to rape murder and enslave all non-white and non-Christian people, the US is a nation to be feared and never trusted

    The world would do well to unite and destroy it

    1. Re: Fear is the only reason we have allies by Anonymous Coward · · Score: 0

      I have a sneaking suspicion you don't know what half the words you wrote mean.

    2. Re:Fear is the only reason we have allies by Anonymous Coward · · Score: 0

      > Considering that the US has finally outed itself as a fascist oppressor out to rape murder and enslave all non-white and non-Christian people, the US is a nation to be feared and never trusted

      > The world would do well to unite and destroy it

      Don't leave out white and or Christian people the point of authoritarian governments is to control everyone

  9. One time pads by Anonymous Coward · · Score: 0

    Fuck algorithm based encryption. If you want to secure your data use massively long one time pads.

    There's a reason numbers stations exist and will continue to exist.

    1. Re:One time pads by JohnFen · · Score: 1

      I'm a huge fan of properly-done one-time pads. They're the only actually unbreakable crypto out there.

      But I'm curious about how you would solve the problem that limits their utility: key exchange.

    2. Re:One time pads by bobbied · · Score: 1

      Hand carried in tamper proof containers?

      Expensive, but effective, high bandwidth and secure..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:One time pads by Anonymous Coward · · Score: 0

      Sneaker nets.

    4. Re:One time pads by Anonymous Coward · · Score: 0

      One time pads aren't really encryption though. They are just a way of splitting data into pieces and putting them in physically separate locations. You can use them for some of the same applications as cryptography (where they are unbreakable, given some assumptions), but never all.

    5. Re:One time pads by JohnFen · · Score: 1

      One time pads are absolutely a form of encryption. They mathematically transform the cleartext. They don't just "move things around" (they don't move things around at all).

    6. Re:One time pads by JohnFen · · Score: 2

      Yes. However, given that the key has to be the same length as the cleartext and can never be reused, that makes it an unworkable solution for two-way electronic communications.

      It's just barely feasible for things like numbers stations.

    7. Re:One time pads by bobbied · · Score: 1

      Like I said, hand courier is a high bandwidth (and high latency) option. It's expensive, but with some pre-planning you can have enough key material in place to send whatever messages or data you want. You can put a whole bunch of one-time pads in a briefcase if you can store them securely in small enough packages. Personally, I'm envisioning a large batch of USB keys or SSDs with pads on them. Once you transmit the message, you destroy the pad by grinding the device into dust or overwriting it enough times to be sure it's not recoverable.

      I don't suppose that you'd use it for everything, due to its cost, but that's not the point. You encrypt the less critical stuff using less secure and cheaper techniques and reserve your one-time pads for the really sensitive stuff you never want cracked. But you *could* do the one time pad for everything if you had enough key material hand transferred to do so.

      Or are you looking for a *cheap* option that's convenient? In which case the expense of key exchange is your issue, not what kind or size of keys you are exchanging and you are going to sacrifice security in some way. In the end, the issue is how much risk are you willing to take with that data? That's your call not mine.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    8. Re:One time pads by HeckRuler · · Score: 1

      It's not really just splitting data. You can generate a one-time pad, distribute it to everyone you want, and then at a later point use the pad to encrypt an arbitrary message to them.

    9. Re:One time pads by godel_56 · · Score: 1

      > Yes. However, given that the key has to be the same length as the cleartext and can never be reused, that makes it an unworkable solution for two-way electronic communications.

      > It's just barely feasible for things like numbers stations.

      These days you can fit 256GB on a microSD card. For point to point communication that's quite a lot. You could also smuggle two or more separate versions by different routes and XOR them together at the destination to guard against a single courier being intercepted.
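godel_56's suggestion above (ship the pad as several versions by different routes and XOR them together at the destination) and the quoted rule that a pad can never be reused, as an added Python example written for this page rather than code from the thread. It assumes `os.urandom` as the pad source and a constructed sample message; the share count and the `PadStore` bookkeeping class are this example's own choices.

```python
# Added example, not from the thread: a one-time pad whose key material is
# split across several couriers. Each courier's share is uniformly random on
# its own; only the XOR of all shares is the pad, so losing fewer than all of
# them to interception reveals nothing about the pad.
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings (the whole cipher for a one-time pad)."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(n):
    """Fresh pad bytes. Must come from a CSPRNG: a weak PRNG breaks everything."""
    return os.urandom(n)


def split_pad(pad, couriers):
    """Split pad into `couriers` XOR shares; all of them are needed to rebuild it."""
    if couriers < 2:
        raise ValueError("splitting needs at least two routes")
    shares = [os.urandom(len(pad)) for _ in range(couriers - 1)]
    last = pad
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)  # last share fixes the XOR of all shares to equal pad
    return shares


def join_shares(shares):
    """Recombine shares at the destination."""
    pad = bytes(len(shares[0]))
    for s in shares:
        pad = xor_bytes(pad, s)
    return pad


class PadStore:
    """Pad material consumed strictly once; consumed bytes are zeroed in memory
    so the same key bytes cannot be handed out twice."""

    def __init__(self, pad):
        self._pad = bytearray(pad)
        self._used = 0

    def remaining(self):
        return len(self._pad) - self._used

    def take(self, n):
        if n > self.remaining():
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        start, end = self._used, self._used + n
        chunk = bytes(self._pad[start:end])
        self._pad[start:end] = bytes(n)  # wipe the consumed region
        self._used = end
        return chunk


def encrypt(store, message):
    """Consume len(message) pad bytes and XOR them in; decrypt is identical."""
    return xor_bytes(message, store.take(len(message)))


def reuse_leak(c1, c2):
    """Why 'never reused' matters: two ciphertexts under the same pad XOR to
    the XOR of the two plaintexts, with the pad cancelled out entirely."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = make_pad(64)
    routes = split_pad(pad, 3)               # three couriers, three routes
    sender, receiver = PadStore(pad), PadStore(join_shares(routes))
    msg = b"status: nominal"                 # constructed sample message
    ct = encrypt(sender, msg)
    print(encrypt(receiver, ct) == msg)      # True
```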

    10. Re:One time pads by HiThere · · Score: 4, Informative

      The key doesn't need to be the same length as the cleartext, it can be considerably shorter. This does weaken the encoding, but not fatally. You just need to encrypt the message before you encode it with the one-time pad with a code that's difficult to recognize. The more you shorten the key, the weaker the encoding, but shortening it by 50% is still quite safe if you use a decent encryption of the cargo.

      Perfection isn't impossible, but is hideously expensive.

      That said, any code that depends on factoring large primes is weak when used against quantum computers. And they may not be here today, but I wouldn't make strong bets about next year in secret government offices. So if it's worth it to you, by all means use one-time pads. And most of the expense of using them is in the transmission of the info, so you might as well use the most secure version. You can get a pretty good set of random numbers by processing a web cam of a candle flame, but turning that into terabytes of good random numbers could take awhile.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:One time pads by AvitarX · · Score: 1

      Wouldn't that be a terrible way to distribute pads?

      You'd simply need to listen to them, and then try various alignments until decrypted.

      Also, 1 byte a second isn't much throughput.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    12. Re:One time pads by Anonymous Coward · · Score: 0

      > These days you can fit 256GB on a microSD card. For point to point communication that's quite a lot.

      And *that's*, how you get Grandma to use encryption.
      'Here Grandma, I'm gonna put this card into your computer, ok?'. Granny's MUA then uses the pads for background encryption for mails to you. She doesn't know and, more importantly, doesn't *have* to know anything. She simply writes her mails and attaches pictures of the grandkids' visit. The MUA then wipes off the used random pads off the drive. Rinse, repeat. When the time comes, you simply make a new card full of random data. Should last months or years. Not completely secure, but secure enough for such uses.

    13. Re:One time pads by Anonymous Coward · · Score: 1

      > The key doesn't need to be the same length as the cleartext, it can be considerably shorter.

      Then it's not a One-Time Pad!

      > This does weaken the encoding, but not fatally.

      Then it's not a One-Time Pad!

      > You just need to encrypt the message before you encode it with the one-time pad with a code that's difficult to recognize.

      Why would you encrypt something before, again, encrypting it with a One-Time Pad? Compression ok, but prior 'encryption' is absolutely unnecessary.

    14. Re:One time pads by slashrio · · Score: 1

      Ever heard of 'pre-encryption intercept'?
      Grandma is using a Windows computer, and the pictures on her Hard Disk *are* already in the possession of the NSA.

      --
      "Trump!!", the new Godwin.
    15. Re:One time pads by Anonymous Coward · · Score: 0

      > Ever heard of 'pre-encryption intercept'?

      So what? It's always an issue, even if you have paper pads in your home-security safe. You don't know if a secret entry has taken place, unless you take extreme precautions. We're talking transport security here and possibilities for the masses. I have no illusions about home PCs, but instead of definitely insecure I'd go for the 'maybe'. ;-)

    16. Re:One time pads by bigpat · · Score: 1

      Yes. However, given that the key has to be the same length as the cleartext and can never be reused, that makes it an unworkable solution for two-way electronic communications.

      It's just barely feasible for things like numbers stations.

      These days you can fit 256GB on a microSD card. For point to point communication that's quite a lot. You could also smuggle two or more separate versions by different routes and XOR them together at the destination to guard against a single courier being intercepted.

      It would be less secure, but easier to do, say, among a team that gets together every week or once a day in the morning (for a bit of coffee, a status update and a pad exchange) ... if you periodically see people, then just have an app running in the background that does a one time pad swap in the background while you are in direct wireless communications range. Say transfer 300 Mb per person... ten people, that is 3 Gb... which is doable.

      Sure, people can be listening in on the pad exchange (or have a network of monitors in place to hoover all the wireless data up around a city or populated area) but if you are under that kind of intense surveillance already then there are already twenty different ways your communications are going to be intercepted almost regardless of what you do.

      But yes, exchange of one time pads via a physical connection through removable media is very practical for gigabytes or even multiple terabytes of high value data as long as you can predict about how much data you will need in a given period of time before the next pad exchange.

      It wasn't so long ago that gigabytes of data were best transferred on physical media anyway just due to physical limitations of network bandwidth and cost constraints.

      Shipping data via delivery truck or hand delivery is still very much a current best practice for one time transfers of very large amounts of data. It probably should be considered best practice for high value one time exchanges of data too.

      One time pads aren't unbreakable from a practical standpoint though, just theoretically unbreakable if you have perfectly random pad generation and perfect pad exchange. Would be good to see one time pad based encryption used more and then we can properly flesh out all those practical implementation issues.
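The courier splitting and pad bookkeeping described in this post, as an added example (not the poster's code, and all names and the sample pad are constructed): the pad is split into shares that are each uniformly random on their own and XOR back to the pad, and a small store at each end consumes pad bytes in lockstep and wipes them so no byte is ever used twice.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal lengths")
    return bytes(x ^ y for x, y in zip(a, b))


def split_pad(pad: bytes, shares: int) -> list:
    """Split `pad` into `shares` pieces that XOR back to `pad`.

    Every piece but the last is fresh random data, and the last is the pad
    XORed with all of them, so any set of fewer than `shares` pieces is
    uniformly random on its own: one intercepted courier learns nothing.
    """
    if shares < 2:
        raise ValueError("need at least two couriers")
    pieces = [secrets.token_bytes(len(pad)) for _ in range(shares - 1)]
    last = pad
    for piece in pieces:
        last = xor_bytes(last, piece)
    pieces.append(last)
    return pieces


def recombine(pieces: list) -> bytes:
    """XOR all courier pieces together to recover the pad at the destination."""
    out = pieces[0]
    for piece in pieces[1:]:
        out = xor_bytes(out, piece)
    return out


class PadStore:
    """One end's copy of a shared pad (hypothetical helper).

    Both ends hold identical bytes and advance the same offset, so a pad byte
    is used exactly once; consumed bytes are overwritten immediately.
    """

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self.offset = 0

    def remaining(self) -> int:
        return len(self._pad) - self.offset

    def take(self, n: int) -> bytes:
        # Budgeting check: refuse rather than wrap around and reuse bytes.
        if n > self.remaining():
            raise RuntimeError("pad exhausted: exchange a new pad before sending")
        chunk = bytes(self._pad[self.offset:self.offset + n])
        self._pad[self.offset:self.offset + n] = bytes(n)  # wipe the used region
        self.offset += n
        return chunk


def otp_encrypt(store: PadStore, plaintext: bytes) -> tuple:
    """Return (pad offset used, ciphertext); the offset lets the receiver
    detect that its own store is out of step before decrypting."""
    start = store.offset
    return start, xor_bytes(plaintext, store.take(len(plaintext)))


def otp_decrypt(store: PadStore, offset: int, ciphertext: bytes) -> bytes:
    """Decrypt with the receiver's copy, refusing if the offsets disagree."""
    if store.offset != offset:
        raise RuntimeError("pad offsets out of sync; refuse to decrypt")
    return xor_bytes(ciphertext, store.take(len(ciphertext)))
```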

    17. Re:One time pads by JohnFen · · Score: 1

      > The key doesn't need to be the same length as the cleartext, it can be considerably shorter. This does weaken the encoding, but not fatally.

      I suppose that we may differ on the definition of "fatally", but by my thinking, it weakens it fatally. (I count something as "fatally" weakened if it can be broken in a reasonable amount of time using readily available resources).

      Even using a source of random numbers that isn't close to being completely random fatally weakens it, as several entities discovered during WWII.
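The "fatal" weakening under discussion, as an added example (not the poster's code; messages and pad are constructed): a key shorter than the message means pad bytes get reused, and anyone who XORs two ciphertexts made with the same pad bytes gets the XOR of the plaintexts, so a known stretch of one message exposes the other. The same thing happens inside a single message encrypted with a cycled short key.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal lengths")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """A proper one-time pad: the pad is at least as long as the message,
    and the caller must never call this twice with the same pad bytes."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad[:len(message)])


def short_key_encrypt(key: bytes, message: bytes) -> bytes:
    """What 'a key considerably shorter than the cleartext' amounts to:
    the key is cycled, so positions i and i+len(key) reuse the same byte."""
    stream = bytes(key[i % len(key)] for i in range(len(message)))
    return xor_bytes(message, stream)


def ciphertext_difference(ct1: bytes, ct2: bytes) -> bytes:
    """What an observer learns from two ciphertexts that share pad bytes:
    ct1 ^ ct2 = (p1 ^ pad) ^ (p2 ^ pad) = p1 ^ p2. The pad cancels out."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def other_plaintext(ct1: bytes, ct2: bytes, known_p1: bytes) -> bytes:
    """Given the plaintext of message 1 (a predictable header, a forwarded
    mail), the overlapping part of message 2 falls out directly."""
    n = min(len(ct1), len(ct2), len(known_p1))
    return xor_bytes(ciphertext_difference(ct1[:n], ct2[:n]), known_p1[:n])


def self_reuse_difference(ct: bytes, period: int) -> bytes:
    """The same leak inside one message encrypted with a cycled key:
    ct[i] ^ ct[i+period] = p[i] ^ p[i+period], independent of the key."""
    return xor_bytes(ct[:-period], ct[period:])
```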

    18. Re:One time pads by JohnFen · · Score: 1

      Yes, everything you've said here is correct!

      But perhaps we should reset. The comment I was replying to was asserting that algorithmic encryption shouldn't be used, and OTPs should be used instead. My assertion is that's not right, because OTPs cannot be used for most of the things we use algorithmic encryption for without eliminating the good part of OTPs -- that they're unbreakable.

    19. Re:One time pads by bobbied · · Score: 1

      True... Using brute force crackable ciphers is common for one reason: it's cheap and easy to set up. If you use large keys and change them often, you will deny the adversary access to your communications for enough time to make it safe.

      If it's going to take 80 years on average to find your key by brute force attacks, and there are no back doors in your encryption algorithm, then you can be pretty sure that your adversary won't be able to read it for a couple of years. If you rotate your keys regularly, even if they do crack one key, they will only be able to read your communications for a short time, years after the fact.

      In the end, it's all about risk management. How much risk are you willing to take with that message? What kind of damage would it do if somebody could read it in 5 years, 10, 20, 50. Encrypt with long enough keys and rotate them often enough to keep that information safe for enough time to make it useless and you've done your job.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    20. Re:One time pads by slashrio · · Score: 1

      And then there are the home PCs running Windows, to add to your list of security risks of increasing concern.
      And *that* is why it has no use for Grandma to use encryption.

      --
      "Trump!!", the new Godwin.
  10. Unaware by jlgreer1 · · Score: 0

    I was unaware of anyone that trusts the NSA.

    1. Re:Unaware by JohnFen · · Score: 1

      The NSA trusts the NSA.

  11. No one trusts the USA by Anonymous Coward · · Score: 1

    No one inside or outside of the USA trusts America anymore; you don't have any friends, you have allies that are compliant out of fear and nothing else. Ask anyone in Canada or the UK, your closest allies and closest cultural parallels, how they feel about the United States, and you'll find that it is almost invariably disgust.

    1. Re:No one trusts the USA by Anonymous Coward · · Score: 0

      We live for tomorrow, not yesterday.

    2. Re:No one trusts the USA by Maritz · · Score: 1

      Your horizon of happy tomorrows is shrinking rapidly. Electing a fucking moron doesn't appear to be helping much.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    3. Re:No one trusts the USA by slashrio · · Score: 0

      > Electing a fucking moron doesn't appear to be helping much.

      Right. Am I glad we didn't elect that fucking moron...

      --
      "Trump!!", the new Godwin.
  12. How did the NSA become the decider of "good"? by Snotnose · · Score: 1

    I first ran across them in the early 80s when I needed a clearance. Back then they were "No Such Agency". Given that, why would they and their research be deemed the golden standard? They're a spy agency ffs!

    How is it there wasn't a community of, I dunno, open source crypto developers, paid for by, I dunno, college research grants across the globe to figure this stuff out?

    tl;dr You rely on a spy agency for 30 years for your crypto protocols, don't be surprised they cheated. One word: Sucker!

    1. Re:How did the NSA become the decider of "good"? by JohnFen · · Score: 1

      > How is it there wasn't a community of, I dunno, open source crypto developers, paid for by, I dunno, college research grants across the globe to figure this stuff out?

      There was (not open source, but not secret either). It just wasn't in the US.

      The laws in those days presented a very strong disincentive to engage in crypto work within US borders.

  13. Four eyes better than two, but Five Eyes worse... by MrKevvy · · Score: 3, Interesting

    The U.S. is spearheading Five Eyes which will propose mandatory backdoors in all strong encryption. I don't think that this is a coincidence.

    --
    -- Insert witty one-liner here. --
  14. ISO? by campuscodi · · Score: 1

    SIMON and SPECK are simple block cipher designs. You don't need an ISO for that. What's next? An ISO for HTML header tags?

    1. Re:ISO? by TechyImmigrant · · Score: 1

      > SIMON and SPECK are simple block cipher designs. You don't need an ISO for that. What's next? An ISO for HTML header tags?

      You need ISO for getting WTO protection for selling your implementation internationally.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  15. Closed door meetings at ISO? by TechyImmigrant · · Score: 3, Informative

    >The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck.

    I was in a couple of those meetings in ISO/IEC SC27/WG2.

    Indeed, the NSA were there and were pushing Simon and Speck.
    Indeed, a handful of other countries were arguing against Simon and Speck, not on the merits of the algorithm but on the history of the USA in crypto standards and SP800-90A in particular.

    They couldn't muster any real criticism of Simon and Speck, and that's because they are excellent algorithms. They are 3X more efficient than AES in whatever metric you choose (size, performance, area, power). They are easily extended to 256 bit block sizes (although NIST and the NSA have declined to do that while leaving obvious holes in the spec where the larger block sizes go). The security analysis is aided by the simplicity of the algorithms - a simple round function iterated many more times than for AES.

    ISO is a political organization and the arguments are political. Don't let technical considerations muddy the waters.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Closed door meetings at ISO? by JohnFen · · Score: 3, Insightful

      > that's because they are excellent algorithms.

      Says you and the NSA.

      Here's the thing -- if the algorithms include an intentional weakness, it could take years of study to find it. That nobody's found a weakness yet isn't compelling in terms of increasing trust.

      Because of this, a large amount of trust is required when accepting them. When the entity that is very eager to get these adopted is one that has clearly demonstrated that it can't be trusted, rejecting the algorithms is completely reasonable.

      Perhaps they're fine, I don't know, but it seems prudent to be extraordinarily cautious about them before blessing them as standards. Let everyone study them for a few years to reduce the need to trust the NSA.

    2. Re:Closed door meetings at ISO? by PPH · · Score: 1

      > that's because they are excellent algorithms.

      > Says you and the NSA.

      Perhaps they are good. And the NSA doesn't want them adopted. But playing upon the suspicions of the rest of the world that they are a bunch of lying scum, they promoted them. Knowing that this would call the algorithms' security into question and get them rejected.

      --
      Have gnu, will travel.
    3. Re:Closed door meetings at ISO? by TechyImmigrant · · Score: 1

      >Let everyone study them for a few years to reduce the need to trust the NSA.

      How many more years would you like? It's been 4 and a half so far and it's been very well studied.

      I don't think the number of years of study is actually something you care about or you would know how much is enough. If you don't know how much is enough, then asking for more years is just a way of trying to make it go away by delaying it.

      Who else other than the people who have published all the papers in IACR journals would you have study them? Are there more qualified people about?

      When you dispense with the technical arguments, all you have left are arguments about parentage, which don't really help with understanding the worth of algorithms.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Closed door meetings at ISO? by HiThere · · Score: 1

      The problem is that people won't find out what's wrong with those proposals until a while after they start depending on them. Saying "study them" doesn't convince. I've tried to debug too much code that everyone said was bug free...until they found it wasn't.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Closed door meetings at ISO? by epine · · Score: 5, Interesting

      > Indeed a handful of other countries were arguing against Simon and Speck, but not on the merits of the algorithm, but on the history of the USA in crypto standards and SP800-90A in particular.

      The "merits of the algorithm" is communally undefined if the design party is keeping secret the existence of differential cryptography—or any other advanced mode of attack—as IBM and the NSA once did with the DES. It was pretty clear that something fishy had gone into the design of the S-boxes. Whether fair or foul is impossible to decide when you're on the outside looking in (turns out, for DES, it was fair—foul play was confined to mandating a short key length).

      What people don't understand is that as much as the Americans would like to read everyone else's traffic, it's far worse if any backdoor leaked to an adversary (your whole financial system is protected by these codes), so they were sensibly reluctant to put one in—until they invented the one-way back door, where only the designers could ever know. Unable to resist the siren call of this new brass ring, the NSA immediately blew their entire history of trust (which had always been more out of enlightened self-interest than gentlemanly) into a giant mushroom cloud.

      It remains difficult to decide whether "merit" can be debated in these matters on a level playing field.

      On the other side of the coin, while I'm far from a serious cryptographer, Speck's ARX design does not appear to leave many places for newly discovered snookery to hide itself.

      That said, banning the runt versions smells like prudence to me, as any covert American attack is probably a combination of a downgrade attack—tricking a cipher to operate at less than full strength (world and dog are not freaking out over the Intel Management Engine for no reason)—perhaps injecting some known plaintext, finished off with a giant can of precomputed whup ass (the mechanism of attack one can best keep confined to your side of the fight is a multimodal attack).

      Once you take the downgrade attacks off the table, it's a lot easier to swallow the inequitable debate on merit as a pure cipher.

      > ISO is a political organization and the arguments are political. Don't let technical considerations muddy the waters.

      Not buying it. I really don't see how you performed that neat dissection of history from technology from capabilities, without the use of a white glove and a black hat.
      ____

      Addendum:

      Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA — 28 August 2017

      Researchers believe Intel has added the ME disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments. ME or any vulnerabilities in its firmware could lead to leaks of highly dangerous information, hence the reason why the NSA did not want to take the risk.

      True to form, the NSA's greatest terror is being hoist by their own petard.

      They don't advertise this fear, because they prefer to be viewed through the do-unto-others side of the lens. Trying to turn these weapons into technological diodes is an enormous practical constraint.

      That, and resource saturation (what they can do and what they can afford to do are two different beasts) are in my experience the only reliable external vantage points for 99.999999% of the planet's population incapable of wading into the merit debate at anywhere near eye level.

    6. Re:Closed door meetings at ISO? by JohnFen · · Score: 1

      > When you dispense with the technical arguments, all you have left are arguments about parentage, which don't really help with understanding the worth of algorithms.

      This is true -- and pretty much the point I was making. There is no set amount of study that can guarantee the algorithms, but the more study, the better the chance that they're OK. So the amount "required" depends in large part on how much you trust where they came from. The parentage of these is not trustworthy, so it's not unreasonable to avoid them. In fact, it's the smartest thing to do from a security standpoint.

    7. Re:Closed door meetings at ISO? by TechyImmigrant · · Score: 1

      >That said, banning the runt versions smells like prudence to me,

      This part is sound. At the NIST lightweight crypto workshop, there was a clear consensus among cryptographers that we didn't want weak algorithms with small block sizes and small keys. We wanted strong algorithms that were more efficient than current standardized algorithms like AES.

      So Simon and Speck were reasonable examples of such algorithms, provided you stuck with 128+ key sizes and block sizes.

      However, my primary criticism is the lack of a 256 bit block size. I have the same criticism of AES. In Simon, it's clear how to set the parameters for a 256 bit block size and I did some work to find out the appropriate number of rounds for 256 bit blocks. The key schedule has three LFSR-generated sequences u, v and w. These are doubled by XORing with a 010101 sequence, so we have six sequences in total. These are used in the different configurations. But those configurations only use 5 of the 6 sequences. So there is a clear hole in the spec where the 256 bit block size should sit and a clear hole in the key schedule where the right sequence for use with the 256 bit block size sits.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
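To make the key-schedule structure in the post concrete, an added example (not the poster's code and not the reference implementation): Simon32/64 (16-bit words, four key words, 32 rounds) in Python as I read the published specification, checked against the specification's test vector. The z0 and z2 constants are the specification's sequences, and the check shows z2 is z0 XORed with the alternating 0101... sequence, which is the "doubled" construction the post describes.

```python
# Simon32/64: 16-bit words, 64-bit key (4 words), 32 rounds.
WORD = 16
MASK = (1 << WORD) - 1
ROUNDS = 32
KEY_WORDS = 4

# Constant bit sequences from the Simon specification. z0 is the period-31
# LFSR sequence u; z2 is u XORed with t = 0101..., which is how the spec
# gets its five z sequences out of three LFSR outputs.
Z0 = "11111010001001010110000111001101111101000100101011000011100110"
Z2 = "10101111011100000011010010011000101000010001111110010110110011"
T = "01" * 31


def rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (WORD - r))) & MASK


def ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (WORD - r))) & MASK


def z2_is_z0_xor_t() -> bool:
    """Check the 'doubled by XORing with 0101...' construction for z2."""
    return all(int(a) ^ int(b) == int(c) for a, b, c in zip(Z0, T, Z2))


def key_schedule(key: int) -> list:
    """Expand a 64-bit key (k0 in the low word) into 32 round keys.

    m = 4 case of the spec: k[i] = c ^ z0[i-4] ^ k[i-4] ^ (I ^ S^-1)(S^-3 k[i-1] ^ k[i-3]),
    where the constant c = 2^16 - 4 is written as ~k ^ 3.
    """
    k = [(key >> (WORD * i)) & MASK for i in range(KEY_WORDS)]
    for i in range(KEY_WORDS, ROUNDS):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]
        tmp ^= ror(tmp, 1)
        k.append((~k[i - KEY_WORDS] & MASK) ^ tmp ^ int(Z0[(i - KEY_WORDS) % 62]) ^ 3)
    return k


def f(x: int) -> int:
    """Simon round function: (S^1 x & S^8 x) ^ S^2 x."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def encrypt(plaintext: int, key: int) -> int:
    """Feistel network: each round maps (x, y) to (y ^ f(x) ^ k, x)."""
    x, y = (plaintext >> WORD) & MASK, plaintext & MASK
    for rk in key_schedule(key):
        x, y = y ^ f(x) ^ rk, x
    return (x << WORD) | y


def decrypt(ciphertext: int, key: int) -> int:
    """Inverse: run the round keys backwards and undo one round at a time."""
    x, y = (ciphertext >> WORD) & MASK, ciphertext & MASK
    for rk in reversed(key_schedule(key)):
        x, y = y, x ^ f(y) ^ rk
    return (x << WORD) | y


if __name__ == "__main__":
    # Test vector from the Simon specification: key 1918 1110 0908 0100,
    # plaintext 6565 6877.
    print(f"{encrypt(0x65656877, 0x1918111009080100):08x}")  # expected c69be9bb
```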
    8. Re:Closed door meetings at ISO? by TechyImmigrant · · Score: 1

      > that's because they are excellent algorithms.

      > Says you and the NSA.

      > Perhaps they are good. And the NSA doesn't want them adopted. But playing upon the suspicions of the rest of the world that they are a bunch of lying scum, they promoted them. Knowing that this would call the algorithms' security into question and get them rejected.

      Do you have an interest in turtles?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  16. Solution: by HalAtWork · · Score: 1

    Use all encryption methods from all countries on top of each other. That way no one entity can unwrap the whole thing. Only the person with all 190+ keys.

  17. Nope! by Anonymous Coward · · Score: 0

    Not so. Their name is the "National Security Agency". Their purpose is "National Security", not "Pushing crypto they can break". The latter is a policy that the NSA has adopted, an interpretation of their purpose. It is not the purpose itself.

    Why does this matter? I mean, if the NSA believes their interpretation of their purpose is correct, what difference does it make? The difference is, policy can change.

    This issue is not changed even when you account for the fact that the NSA is the signals intelligence branch. Sure, they'd like to break all crypto. But if unbreakable crypto was the norm and that regime provides national security, then the NSA is still meeting their mandate.

    Isn't this just intellectual navel gazing though? Well, not really. Unbreakable crypto is, in fact, becoming the norm. Intelligence agencies all over are bemoaning the fact of the "dark web", which in this context means crypto they cannot break.

    The NSA got addicted to easy signals intelligence. They don't want that system to change but honestly, it's not up to them. I expect them to keep trying to penetrate cryptographic communications, asking for back doors, asking for iPhone hacks and all the rest. However I don't equate "the NSA can read all of my communications, and everyone else's," with "security for me." Instead that's just one step forward on a 20 step march towards 1984.

    1. Re:Nope! by JohnFen · · Score: 1

      > Not so. Their name is the "National Security Agency". Their purpose is "National Security", not "Pushing crypto they can break".

      Not so, at least not according to the NSA. Yes, their purpose is to be a part of the national security framework. Their role in that is informational security: mostly, subverting the informational security of other nations. Also, protecting domestic informational security. However, they don't consider being vulnerable to the NSA as counting as "vulnerable" in terms of domestic security.

      > The latter is a policy that the NSA has adopted, an interpretation of their purpose.

      No, it is part of their mandate.

      > Unbreakable crypto is, in fact, becoming the norm.

      It is? Where is all this unbreakable crypto? I'm only aware of one (one-time pads), but it's not in common use outside of spy agencies.

  18. Ambiguous by Anonymous Coward · · Score: 0

    > An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

    The first sentence is already ambiguous. Which "it" refers to in this case? An international group of cryptography experts OR the U.S. National Security Agency?

  19. Re:"Yawn" by slashrio · · Score: 0

    Denial to prevent cognitive dissonance.

    --
    "Trump!!", the new Godwin.
  20. E-521 is not weak... by emil · · Score: 1

    ...at least, according to DJB.

    To be fair I should mention that there's one standard NIST curve using a nice prime, namely 2 ^ 521 - 1; but the sheer size of this prime makes it much slower than NIST P-256.

    I do understand, however, that it is difficult to produce an implementation of any of the NIST curves that are invulnerable to side-channel exploits.

  21. NTRU Prime by emil · · Score: 1

    I am betting that NTRU Prime will likely be the post-quantum asymmetric winner of the NIST competition.