Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.

classic plea bargain

[turkeydance]

we give you the 12 we didn't want to keep the 5 we did.

Re:Dual EC DRBG stuff...old news

[ChumpusRex2003]

New "ciphers". Same trick. However, ISO committee members didn't just approve the new ciphers like they did dual EC DRBG. They keep getting voted down, as not suitable for publication as an ISO standard, but the US keeps pushing ISO to accept them as an international standard.

You reap what you sow

[93+Escort+Wagon]

" In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them."

The NSA is widely believed to have done exactly this when it recommended particular elliptic curve constants quite a few years back.

Once you've betrayed people's trust, you're going to have a hard time convincing them you're worth trusting with anything that matters ever again.

Re:You reap what you sow

[rmdingler]

The trust bunny is a fragile thing. It's seemingly knitted together with gossamer thread and good intentions, yet when it works, it is stronger than unobtainium.

Nevertheless, bust that bunny at your own peril. As easy as it was to forge, once broken, all the monarch's tetrapods cannot reassemble it.

Re:You reap what you sow

[HiThere]

The thing is, I don't know that anyone every actually *proved* that the NSA elliptic cure constants were weak. But everyone suspects that they are because of other things they've done.

This is a point worth remembering. Once you get a bad reputation, people stop trusting you even if they can't prove that you're doing something wrong this time. And when they remember it later they'll remember it as a time they didn't fall into your trap.

And remember, perhaps those constants were good. Have you heard of anyone proving that they weren't? But would you want to trust them?

Re:You reap what you sow

[rtb61]

Even worse, be a really bad actor and call on others to vouch for you and you destroy their reputation as well. Look at the reputation of the other members of the five eyes, the UK, Canada, Australia and even poor little New Zealand, all of their diplomatic reputations have been turned to shite by repeatedly falsely vouching the integrity of what have proven to be US lies. Used again and again, all the US has done is destroyed their reputation and make them worthlessly in pushing US lies on the rest of the world. The US government seen as nothing but tools of Corporations and other governments (especially Israel via control of media corporations and Saudi Arabia via mass bribery), depending upon who pays the most bribes when, nothing can be trusted coming out of the US any more. That rejection of the NSA will play out much worse for US corporations, that shot was a profound warning shot about the enormous damage done to US trust, pretty much non-existent and that means the trust of US corporations will follow suite, they are going to find it harder and harder to do business in foreign markets when high levels of trust are required. Forcing the sale of F35 flying pigs with back doors and they all know the back doors are there, is not helping one little bit (you just know the corporations with those keys will sell them to the highest bidder and those back doors will do huge damage to US reputation, you just know it will happen).

Re:You reap what you sow

[AmiMoJo]

There was the whole Dual_EC_DRBG debacle. RSA appear to have been paid to select a poor, likely backdoored random number generator by the NSA. For further conformation it was discovered that RSA had also adopted the NSA's "extended random" system, which adds zero extra security by does make the Dual_EC_DRBG backdoor tens of thousands of times faster to use.

It would be crazy to carry on trusting any of those people.

Re:"Did IQ's drop sharply while I was away?"

[JohnFen]

How so? The NSA exists to penetrate everyone's informational security. Pushing crypto they can break is exactly in line with their purpose.

Re:"Did IQ's drop sharply while I was away?"

[mhkohne]

From what we can see from outside, the NSA firmly believes it's the smartest one in the room, and that no one else can possibly figure out a backdoor it's put in place. They really believe in the 'NOBUS' (NObody But US) theory about certain things.

Couple that with a dual-mission agency (protect 'our' communications, break everyone else's) and you have a recipe for arrogance and disaster.

Trust is hard to gain and easy to lose

[Opportunist]

To make me trust you, you have to give me a good reason to do so. Unfortunately the NSA has given all sorts of reason to not thrust them with anything. Not as an American, twice not as a foreigner.

Re:Trust is hard to gain and easy to lose

[Lost2Home]

What really needs to happen to regain trust in crypto algorithms generated by the US is to split the NSA into two separate organizations. Move the role of securing US government communications and computer systems into a new agency. Then assign the spy on foreign nationals role to a separate organization under the CIA.

While it would still take a long time to regain the trust of allies, this is a necessary first step.

Re:One time pads

[JohnFen]

Yes. However, given that the key has to be the same length as the cleartext and can never be reused, that makes it an unworkable solution for two-way electronic communications.

It's just barely feasible for things like numbers stations.

Four eyes better than two, but Five Eyes worse...

[MrKevvy]

The U.S. is spearheading Five Eyes which will propose mandatory backdoors in all strong encryption. I don't think that this is a coincidence.

Re:Dual EC DRBG stuff...old news

[swillden]

New "ciphers".

Specifically, two new families of block ciphers called SIMON and SPECK. These ciphers are designed to be extremely fast, which is good because although AES is fairly fast on "big" hardware" or on large quantities of data, it can be a bit sluggish when used in extremely constrained environments on small amounts of data. In particular, its key schedule its heavy, so changing keys is slow. SIMON has been designed to make it particularly cheap in purpose-built hardware while SPECK is designed for very fast software implementations. Both are very, very fast on both hardware and software, though. The 128-bit version (block size and key size) of SPECK, for example, encrypts at about 1.25 cycles per byte on an i5 on long messages, and is almost as good on short messages. That's crazy fast.

Academic cryptanalysis of the ciphers has so far shown them to be quite solid, with a very good margin of security (meaning that cryptanalysts have only been able to break significantly cut-down versions of the ciphers, quite far from full versions).

Same trick.

Possible, but doubtful. In fact, the experience with Dual EC DRBG actually makes it significantly less likely, IMO. They tried to pull the trick with that, but it didn't work because academics discovered the mathematical structure that made the backdoor possible. That has to make them worried that the same thing would happen again, and in fact the trick would be much harder to pull off with symmetric block ciphers. The thing about elliptic curves is that they have rich mathematical structure which can be exploited in clever ways (this is what makes them useful for public key cryptography) by choosing the right curves. But symmetric key block ciphers like SIMON and SPECK don't have that, making it much harder to design back doors in.

It's not impossible that the NSA has some technique that can break these ciphers -- which are actually quite similar to ciphers produced by public cipher designers -- but it really seems unlikely. Nevertheless, once burned twice shy. I don't blame standards bodies for being reluctant and waiting for public cipher designers to produce algorithms with the desirable properties of SIMON and SPECK, but without the concern about origin.

Closed door meetings at ISO?

[TechyImmigrant]

>The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck.

I was in a couple of those meetings in ISO/IES SG27/WG2.

Indeed, the NSA were there and were pushing Simon and Speck.
Indeed a handful of other countries were arguing against Simon and Speck, but not on the merits of the algorithm, but on the history of the USA in crypto standards and SP800-90A in particular.

They couldn't muster any real criticism of Simon and Speck, and that's because they are excellent algorithms. They are 3X more efficient that AES in whatever metric you choose (size, performance, area, power). They are easily extended to 256 bit block sizes (although NIST and the NSA have declined to do that while leaving obvious holes in the spec where the larger block sizes go. The security analysis is aided by the simplicity of the algorithms - a simple round function iterated many more times than for AES.

ISO is a political organization and the arguments are political. Don't let technical considerations muddy the waters.

Re:Closed door meetings at ISO?

[JohnFen]

that's because they are excellent algorithms.

Says you and the NSA.

Here's the thing -- if the algorithms include an intentional weakness, it could take years of study to find it. That nobody's found weakness yet isn't compelling in terms of increasing trust.

Because of this, a large amount of trust is required when accepting them. When the entity that is very eager to get these adopted is one that has clearly demonstrated that it can't be trusted, rejecting the algorithms is completely reasonable.

Perhaps they're fine, I don't know, but it seems prudent to be extraordinarily cautious about them before blessing them as standards. Let everyone study them for a few years to reduce the need to trust the NSA.

Re:Closed door meetings at ISO?

[epine]

Indeed a handful of other countries were arguing against Simon and Speck, but not on the merits of the algorithm, but on the history of the USA in crypto standards and SP800-90A in particular.

The "merits of the algorithm" is communally undefined if the design party is keeping secret the existence of differential cryptography—or any other advanced mode of attack—as IBM and the NSA once did with the DES. It was pretty clear that something fishy had gone into the design of the S-boxes. Whether fair or foul is impossible to decide when you're on the outside looking in (turns out, for DES, it was fair—foul play was confined to mandating a short key length).

What people don't understand is that as much as the Americans would like to read everyone else's traffic, it's far worse if any backdoor leaked to an adversary (your whole financial system is protected by these codes), so they were sensibly reluctant to put one in—until they invented the one-way back door, where only the designers could ever know. Unable to resist the siren call of this new brass ring, the NSA immediately blew their entire history of trust (which had always been more out of enlightened self-interest than gentlemanly) into a giant mushroom cloud.

It remains difficult to decide whether "merit" can be debated in these matters on a level playing field.

On the other side of the coin, while I'm far from a serious cryptographer, Specks' ARX design does not appear to leave many places for newly discovered snookery to hide itself.

That said, banning the runt versions smells like prudence to me, as any covert American attack is probably a combination of a downgrade attack—tricking a cipher to operate at less than full strength (world and dog are not freaking out over the Intel Management Engine for no reason)—perhaps injecting some known plaintext, finished off with a giant can of precomputed whup ass (the mechanism of attack one can best keep confined to your side of the fight is a multimodal attack).

Once you take the downgrade attacks off the table, it's a lot easier to swallow the inequitable debate on merit as a pure cipher.

ISO is a political organization and the arguments are political. Don't let technical considerations muddy the waters.

Not buying it. I really don't see how you performed that neat dissection of history from technology from capabilities, without the use of a white glove and a black hat.
____

Addendum:

Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA — 28 August 2017

Researchers believe Intel has added the ME disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments. ME or any vulnerabilities in its firmware could lead to leaks of highly dangerous information, hence the reason why the NSA did not want to take the risk.

True to form, the NSA's greatest terror is being hoist by their own petard.

They don't advertise this fear, because they prefer to viewed through the do-unto-others side of the lens. Trying to turn these weapons into technological diodes is an enormous practical constraint.

That, and resource saturation (what they can do and what they can afford to do are two different beasts) are in my experience the only reliable external vantage points for 99.999999% of the planet's population incapable of wading into the merit debate at anywhere near eye level.

Re:One time pads

[HiThere]

The key doesn't need to be the same length as the cleartext, it can be considerably shorter. This does weaken the encoding, but not fatally. You just need to encrypt the message before you encode it with the one-time pad with a code that's difficult to recognize. The more you shorten the key, the weaker the encoding, but shortening it by 50% is still quite safe if you use a decent encryption of the cargo.

Perfection isn't impossible, but is hideously expensive.

That said, any code that depends on factoring large primes is weak when used against quantum computers. And they may not be here today, but I wouldn't make strong bets about next year in secret government offices. So if it's worth it to you, by all means use one-time pads. And most of the expense of using them is in the transmission of the info, so you might as well use the most secure version. You can get a pretty good set of random numbers by processing a web cam of a candle flame, but turning that into terabytes of good random numbers could take awhile.

Re:Dual EC DRBG stuff...old news

[swillden]

Even $10 MCU have dedicated AES-256 hardware these days.

Sure, if you can afford such expensive hardware, AES is fine.

Re:Dual EC DRBG stuff...old news

[Maritz]

Your sig is a lie!!! ;)