Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations
Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."
serpent (Score:2, Insightful)
mathematics depts are interesting things...
I personally trust in S-boxes
regards
John Jones
Re: (Score:2)
Why is the parent post modded offtopic?
Serpent is not a bad choice, it has a conventional design with a large safety margin (32 rounds).
Re: (Score:2)
NSA sock puppets with mod points?
Mods didn't know enough about crypto?
I thought that AES *was* independently designed? (Score:2)
Re:I thought that AES *was* independently designed? (Score:5, Informative)
The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security [wikipedia.org]
Re: (Score:3)
The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.
Not 100% true. The NIST only messed with the 192 and 256 bit versions. Guess what? They turned out to be weak (and everybody knows about it).
If you're truly paranoid you could use Triple-DES instead of AES but there's no good reason not to trust 128-bit AES, it's one of the most analyzed/studied algorithms ever.
Block ciphers like AES can also be used as hash functions. SHA-n isn't really needed except for efficiency reasons (block cyphers are slower).
Re:I thought that AES *was* independently designed? (Score:4, Interesting)
I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.
Re:I thought that AES *was* independently designed? (Score:5, Informative)
Take a look at the open process for fielding candidates for SHA-3, and tell me that all the people that bothered to submit candidates should be permanently suspect just because NIST asked for candidates and they offered them, and also offered critiques and analysis of competing designs. These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.
What happened is as the PP described: good algorithms were chosen and then weakened by intentionally bad choices for parameters. When run with good parameters, those algorithms were as secure as the crypto community could develop at the time. They don't always choose the most secure algorithm of the batch because of performance considerations, but they set strength goals and meet them to the extent that they can be analyzed.
So far they have picked Keccak as SHA-3 and the authors have recommended certain parameters to achieve certain cryptographic strengths for drop-in replacement of SHA2 hashes. Given the media attention I imagine NIST will feel obliged to follow those recommendations, which leaves them with only one thing left to specify, that being the format of the padding (which the Keccak authors have also offered some reasonable options for.)
Re: (Score:1)
Except they suddenly decided to change parts of the algorithm after the competition ended. So SHA-3 is not the Keccak that was heavily analyzed and verified by career mathematicians and cryptographers.
More on https://www.schneier.com/blog/archives/2013/10/will_keccak_sha-3.html
Re: (Score:2)
If you read the algorithm description you'd realize that this is not a change in the algorithm and does not affect the analysis, which was performed for arbitrary parameters, not specific ones. However, the reaction to this move, which NIST probably considers a pretty inert move on their part, is sure giving NIST a taste of exactly how much their reputation has been soiled. Which is a good thing.
(OT but funny, on the comments section of your link, when I read it the last comment, noting NIST's website is do
Re: (Score:2)
These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.
I think this is less about mistrusting the mathematicians involved and moreso about mistrusting what happened to these algorithms after submittal. As you say, they were weakened by intentionally bad choices for parameters and due to the close relationship between NIST and the NSA, how can you trust that the original submissions actually do achieve the same level of security (and moreover, how can you trust that the submissions were not specifically selected due to the fact that the NSA is already able to r
Re: (Score:2)
anything that they MAY have touched is likely infested.
That would pretty much mean everything is infested. I mean, unless you think running into the arms of whatever crypto suite lying around out there that has never had bad press about intelligence agency meddling is a good way to avoid intelligence agency meddling -- I don't.
Compromised hardware (Score:3)
IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.
Re:Compromised hardware (Score:5, Funny)
IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.
We also have to assume that the power sockets are compromised. All computers that are, or have been at any point, attached to any source of power not directly coming from the sun must be considered infected, and shot in the brain.
Re:Compromised hardware (Score:5, Funny)
Looks like we have ourselves a plant! You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal? You aren't fooling Slashdot that easily, AC. Don't think we haven't been watching you; your comments have not gone unnoticed in this community, Agent Coward.
Re:Compromised hardware (Score:5, Funny)
Of course tinfoil hats are worthless. Everyone knows that the only thing you can put on your head to protect you from the NSA are the plastic bags you get from the dry cleaners.
Re:Compromised hardware (Score:4, Funny)
Re: (Score:2)
I've heard that the NSA has built a secret backdoor into all organically reared Armadillo hats.
I've heard it through the signals I pick up in the fillings in my teeth, so YMMV.
Re: (Score:2)
They offer zero protection against chemtrails though.
Re: (Score:2)
This is a very good point, or at least, we don't think it does and have no reason to think it does. All we really know about chemtrails is that whatever is in them burns HOT! Because whatever it was burns much hotter than jet fuel if it was able to melt steel and bring those towers down.
I trust the Chinese... (Score:2, Insightful)
I trust the Chinese have already done that to every processor built for export. They'd be negligent if they haven't.
Re: (Score:2)
When, in the course of the NSA revelations, have you gotten the impression that "if X became public knowledge... it would be the death blow to the current Y" was ever a consideration in whether or not they did X?
Re: (Score:1)
Re: (Score:2)
"I have my doubts"
You should. Short-circuiting AES-NI to return the plaintext XORed with the output of (weakened) rdrand would mean that the intended recipient can't decrypt the message. That's a lot of hard engineering work to tap a communication channel that nobody can actually communicate over...
Evolution in action (Score:1)
This is actually good. Crypto should be flexible enough to switch to different algorithms.
AES is just an option, and I'd say it's a fine one, but it's cool to get some extra algos some breathing room.
Marketing (Score:4, Interesting)
While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.
Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.
I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.
Re:Marketing (Score:4, Interesting)
Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and, more importantly, faster for them to decipher the text; with their available computing power and budget they can probably do a lot of these on the fly.
If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm. Therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much, but better than nothing, and we will likely never know the NSA's true capabilities anyways.
Re: (Score:3)
Well perhaps the point isn't that any new algorithms are uncrackable
There's every reason to believe that they are. The NSA uses AES for its own encryption systems.
If there's a weakness it's in the implementations (are your numbers really random?) and/or compromised PCs that they're running on.
Re: (Score:2)
Re: (Score:2)
Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?
We can't.
There was a time when the NSA was way ahead of civilians, e.g. in the 1970s when they tweaked DES without telling anybody why; turns out they knew about differential cryptanalysis.
Since then the gap has closed. These days there's no reason to suppose they're much ahead of civilians (except in budget, getting people to sign pain-of-death NDAs, installing "government approved" black boxes in telephone exchanges, driving around in black SUVs ... etc).
Re: (Score:2)
The NSA uses AES for its own encryption systems.
You have to realize that security classifications depend on the time something needs to remain secure. For battlefield comms this might be 6-8 hours, for HQ comms 5-10 days. The classification then is used to select a cipher based on a professional estimate of how long it takes someone with the resources of a major government to break it. Information that needs remain protected indefinitely goes under lock and key, in a cabinet, safe, vault, with or without a guard stationed. Maybe inside a protected fa
Re: (Score:2)
No. Largely right, but No.
A random one-time pad is secure until/unless the decoder gets his hands on a copy (Though you might want to encrypt a prime number of bits at a time. I'm not sure what happens if you encrypt chunks of characters.)
Also, public key encryption (say twofish, or even AES) is probably safe if you have a long enough key barring either a theoretical breakthrough in factorization of decent quantum computers. But you might be wise to not use the default parameters. (What you *should* us
Re: (Score:2)
Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and, more importantly, faster for them to decipher the text; with their available computing power and budget they can probably do a lot of these on the fly.
If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm. Therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much, but better than nothing, and we will likely never know the NSA's true capabilities anyways.
Agreed - the only comment I would have is that a data haven is automatically going to be a 'person of interest' and thus a target.
Re: (Score:1)
That's why everyone should move their data to the Crypt, whether they think they have anything to hide or not, and switch to Pontiffex encryption, too.
Re:Marketing (Score:4, Interesting)
I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.
I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.
Re:Marketing (Score:5, Informative)
Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later declassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101, but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seems able to crack a single cipher, yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...
Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.
Re: (Score:2)
Re: (Score:2)
Skipjack was pretty thoroughly weakened once it was declassified. DES is still useful in TDES mode, but that is pretty expensive computation-wise compared to a newer algorithm like Twofish.
Of course, there are blocksize issues with the older cyphers...
Re: (Score:2)
Re: (Score:2, Informative)
Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?
Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html
'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'
Faster, Scalable Factoring (Score:2)
With a billion cores of custom silicon, you can speed it up even more.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, it's known that they've ordered one specially designed...but I don't think that's built yet, and it seems more of an experimental "proof of concept" machine than something serious. Which is why I give factorization encryption 5 years. That's probably being a bit conservative, but they ARE looking. Of course, there may be roadblocks such that a decent quantum computer is actually impossible, but that's probably not the way to bet.
Re: (Score:2)
They don't have that many smart people working there, in comparison with ALL of the rest of the world.
Actually, the NSA has for decades been by far the largest employer of mathematicians, world-wide.
They do have tons of smart people working for them, and contrary to the rest of the world, those don't work on optimizing Zynga games or production lines or any of the other million other areas; they all work on crypto, surveillance, etc.
In a crypto contest between the NSA and the rest of the world combined, I'd bet on the NSA. Mostly because the rest of the world would break apart in a flame war and uses 20 diffe
Re: (Score:1)
It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case.
In 1995, NSA added a single bit-rotation to SHA that made it considerably stronger, but they didn't explain their reasoning at the time. It took several more years before academia found significant weaknesses, with 2004 being the year that SHA-0 (as the original, non-rotated version is now called) was really cracked wide open. That (arguably) puts them about a decade ahead (in a situation where they willingly tipped their hand). These folks employ the most math PhDs in the world and have their own chip
Re: (Score:2)
I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.
I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.
Why would they have to be ahead in every other area of computer science? The key to encryption is cryptography and the NSA was formed to crack code - it is their entire reason to exist.
Yes I think that they have some of the smartest people in the world who do absolutely nothing but break codes and on top of that, yes I think that they have more budget and more computing power than anyone else in the world to do it with.
I know someone who used to work for the NSA and he told me that they are twenty years ah
Re: (Score:2)
Re: (Score:2)
While I think that NIST related crypto algorithms are probably well compromised by the NSA
AES is one of the most independently studied/analyzed algorithms ever.
I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.
Triple-DES?
Re: (Score:2)
The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.
There are plainer reasons for s
Re: (Score:2)
The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.
There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.
Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom? If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.
[1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.
Well...arguably the US is big enough that no single disaster could knock out data centers at the far ends. For the next point, one might keep the data in two different havens in case one of them decides to hold it for ransom (which seems unlikely to me but okay, why not). One might argue that the data haven would sell the data to the US as well, for that matter.
Re: (Score:2)
If multiple data havens colluded and knew what the I/O was for customers, they could find out that a customer might have data backed up to where. Then, each data haven could "accidentally" lose the data. The one remaining DH would demand a ransom, then split it among the others.
Of course, this is tinfoil hat territory, as the one thing that will make or break the extortion is a backup somewhere else, but it is something that could happen.
The penalties for being outed for extortion might not be that steep
Re: (Score:2)
Re: (Score:2)
Skein is / was a NIST candidate for SHA-3 and made it through a number of rounds. It isn't a replacement for AES though, as it does hashing, not encryption.
Marketing! (Score:5, Insightful)
Or stupidity. One of the two.
Why use algorithms that are standardized on by the federal government and have been looked at exhaustively by experts around the world when you can use an untested crypto system? After all I'm sure the NSA wants to ensure that bad guys have access to everything the government is encrypting by first weakening the encryption standard, then standardizing the US government on the use of them.
Re:Marketing! (Score:5, Interesting)
Re: (Score:2)
e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key.
If I hadn't already posted in this discussion, that'd be getting a Funny mod point.
No reason to distrust Rijndael (Score:5, Insightful)
I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher could have been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.
Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.
The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.
Re: (Score:2)
I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard.
I doubt it too, but the facts combine to suggest that we should be suspicious anyway. NSA has compromised ciphers. NSA chose this cipher. Therefore, it is best to be suspicious of this cipher.
Re: (Score:2)
TRUST NO ONE.
Re: (Score:2)
But it could also be double bluff, designed to cause smart people like you not to switch away from broken Rijndael!
Woaahh.. but wait a minute... what if it's a TRIPLE bluff?
Re: (Score:2)
But remember the NSA has to use AES themselves, at least when communicating with other branches of the US government. Do you think they would have knowingly approved a broken cipher for their own use?
Fool. If they're the only one who can break it, then why the fuck not?
You underestimate the paranoia and intelligence of the NSA then.
What's more paranoid? Selecting a cipher that no one can break, or selecting a cipher you can break which you suspect no one else can break, and to prove to everyone it's "safe" you use it yourself, because you know folks spy on you anyway and plant false information as canaries for leaks anyway?
Hello, McFly?! Remember RSA coming out and saying that everyone needed to not use the elliptic curve random number generator they used by de
Re:No reason to distrust Rijndael (Score:4, Interesting)
The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.
Re:No reason to distrust Rijndael (Score:4, Insightful)
Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government! I think it's much more likely that they did apply even more of their vaunted cryptanalytic prowess to it when NIST gave their approval in 2000, and when by 2003 they found no significant weaknesses, they approved it for use with classified information. If they had found a significant weakness in AES and approved it anyway for such use, how arrogant and stupid would that make them? Their own supposedly secure communications with the rest of the government would be compromised as a result! As I said you can accuse the NSA of being many things, but I don't think stupidity is one of them.
Snowden himself said it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The real trouble is there are too many systems out there that use otherwise sound cryptographic primitives in insecure ways, either by incompetence or by design. The NSA has been known to pressure manufacturers of security equipment to do the latter, and naturally they will only certify equipment that hasn't been thus back-doored for government use.
And no, I don't think breaking AES would be career suicide for an academic cryptanalyst. Fermat's Last Theorem would also have been considered career suicide for centuries for the same reasons you cite, but now Andrew Wiles is one of the most famous mathematicians in the world. True, it's a hard problem, but if you manage to publish a workable break of AES you would become the most famous cryptographer in the world.
Re:No reason to distrust Rijndael (Score:4, Interesting)
You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG is only using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.
Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differential cryptanalysis.
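The weakened-PRNG scenario in the post above (a nonce generator with only 8 bits of real randomness behind a nominal 256-bit nonce), as an added audit example that is not from the original thread: it samples a nonce source and shows that a per-byte entropy estimate passes the weak generator while a simple repeat count exposes it. Both generators are constructed for the demo; no real product is modelled.

```python
import hashlib
import math
import os
import random
from collections import Counter

NONCE_BYTES = 32  # nominal 256-bit nonce, as in the post's example


def weak_nonce_source(seed=1234):
    """Constructed weak generator for the demo: each nonce is the SHA-256
    digest of a single random byte. The output looks uniform byte by byte,
    yet the source can only ever emit 256 distinct nonces (8 bits of real
    entropy). Seeded so the run is reproducible."""
    rng = random.Random(seed)
    while True:
        yield hashlib.sha256(bytes([rng.getrandbits(8)])).digest()


def sound_nonce_source():
    """Reference generator backed by the OS CSPRNG."""
    while True:
        yield os.urandom(NONCE_BYTES)


def byte_entropy(nonces):
    """Shannon entropy, in bits per byte, over all nonce bytes concatenated.
    This is the naive 'does it look random' test; it is blind to whole
    nonces repeating, which is exactly the weakness being hunted."""
    counts = Counter(b"".join(nonces))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def audit_nonces(source, n=5000):
    """Draw n nonces and report both statistics.
    For a genuine 256-bit nonce the chance of any repeat among 5000 draws is
    about n^2 / 2^257, i.e. zero in practice, so even one collision in a
    sample this small is a red flag. Once repeats saturate the sample,
    log2(distinct) approximates the real entropy of the source."""
    sample = [next(source) for _ in range(n)]
    distinct = len(set(sample))
    saturated = distinct < n
    return {
        "samples": n,
        "distinct": distinct,
        "byte_entropy": round(byte_entropy(sample), 3),
        # only meaningful when repeats have appeared
        "effective_bits": round(math.log2(distinct), 1) if saturated else None,
        "suspicious": saturated,
    }


if __name__ == "__main__":
    print("weak :", audit_nonces(weak_nonce_source()))
    print("sound:", audit_nonces(sound_nonce_source()))
```

The weak source scores close to 8 bits per byte on the entropy test and still collapses to 256 distinct values, which is why a nonce audit has to count repeats rather than only eyeball byte distributions.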
Re: (Score:2)
The key distribution and storage is often, but not always, the weakest point of attack. The exception is if you have plaintext or some pattern to look for (like an http or email header). This is why secure communications frequently are free of keywords and just contain a bunch of fields.
Re: (Score:2, Interesting)
But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government!
No, actually, the NSA uses two suites of cryptographic algorithms. AES, Diffie-Hellman key exchanges, etc. are in Suite B, which is published and available for everyone to use. That's what you're talking about. There's also Suite A, of which even the names of the algorithms are largely unknown. Those algorithms might well never get published. Suite A is for internal use, for encrypting the important secrets.
Re: (Score:2)
Snowden himself said it: "Encryption works.
Snowden is a clueless kid.
Re: (Score:2)
Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves
Fool. You seriously think that an agency which LIES directly to people who are cleared for the information they ask about, even when those people are SENATORS -- You seriously think this agency HAS TO USE the cipher they tell everyone else to use? I hope that your smarts aren't genetic, you'd be a threat to the gene pool.
You have made an assumption (Score:2)
Re: (Score:2)
Why do you say the NSA "is evil"? They have no operative arm, or actually *do* anything. If they come across criminal activity they can tip off the FBI, but what they have isn't admissible evidence, so the FBI gets to do its own investigative work. Their job is to uncover and watch for activities by people who wish to harm the United States or its people - exactly what we who pay their bills want them to do, as well as to act as an expert advisor to the federal government. Do you think governments shoul
Re: (Score:1)
The NSA approved AES for use for encrypting US government documents of the most classified sort in 2003. That means that they would have to use AES themselves as well, if they wanted to exchange classified information with any other branch of the US government! How stupid would they be if they knew how to break the cipher and used it themselves anyway? Their own communications would become insecure as a result!
Snowden said it himself: "Encryption works. Properly implemented strong crypto systems are one of
can you not write, or just not think??? (Score:2)
...not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development...
Really? So they are worried about NSA's influence on NIST, but they still trust NIST???
THIS IS A GREAT IDEA! (Score:1, Flamebait)
Please move to the most obscure and unreviewed encryption algorithms that you can, and do it as fast as possible. By no means should you ever use the exact same encryption standards that are approved for use for securing the big-bad-evil U.S. government's own top-secret data. Remember, the only cryptographic systems with any flaws are the ones that were developed by non-US citizens and reviewed in a public process that might have tangentially involved the NSA. Oh, and nobody, we mean nobody, else could ever
Re: (Score:1)
Twofish is hardly obscure or unreviewed. It was submitted as an AES candidate along with Rijndael. It's been reviewed plenty. It didn't meet the needs of NIST as well as Rijndael, which is why it wasn't chosen to be AES. But that doesn't make it a BAD cypher. It just makes it not ideal for NIST's purposes, which may well include: being vulnerable to attack by the NSA.
Re: (Score:2)
IIRC, Twofish did not make the AES finalist because it used more CPU than Rijndael. This doesn't mean Twofish is less secure, it just means that crypto ASICs are cheaper to make shifting blocks around than Twofish's split key/algorithm method.
Were I to choose one or the other just for security, I'd choose Twofish over Rijndael, but NIST had other parameters in their design decision.
Madness (Score:5, Informative)
The least I would have expected from the documents about the extensive spying done by NSA was a generalized weakening of cryptography.
While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
In particular, NIST-mandated cipher suites, while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time trying to analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
Skein and Twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA-3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by the NSA (and not for other architectural or practical considerations) resembles more a form of superstition than anything else.
Remember who uses NIST crypto transformations (Score:1)
Re: (Score:2)
If I had to use a well studied algorithm that -might- have a backdoor by an agency versus an algorithm that is "secret" that someone pulled out of their derriere, I'd rather have the former.
I've been in those shoes before. My freshman year of college, I made a crypto algorithm that I thought was the cat's meow... plopped it on sci.crypt, and it was shredded in minutes by people who actually knew what they were doing.
We already had those dark days of finding working crypto algorithms when people didn't use DES
Buzz and obligatory xkcd (Score:1)
I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?
The following reference is obligatory imo:
http://xkcd.com/538/ [xkcd.com]
As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or, at best, ignorant of the NSA's actual powers. Again, I've no clue what these powers could be, but suggesting that they could break into secu
really? (Score:2)
So in other words it distrusts NIST.
Ju-Jitsu (Score:3)
Brute-forcing or otherwise cracking the various algorithms is all well and good. However, I believe the reality is that the NSA (and others) have more success by using other means, combined with metadata. I am not sure what the other means are, but they could include social engineering, keylogging, reading clues communicated in the clear, false certificates, MITM.
They vacuum up all data, encrypted or not, to be decrypted at leisure, when indicated by the metadata. But the underlying encryption is still (mostly) secure.
Mixing the signals (Score:2)
I think crypto agility is generally an awesome thing; all our encryption should have the ability to swap out algorithms at a moment's notice, with a meaningful process to mutually agree on strong, acceptable algorithms.
It is also a double-edged sword, as in practice it means that if any of the algorithms you trust is compromised AND both parties are still willing to use the algorithm, an attacker can normally steer the parties to use it.
One thing I never really understood is if you're afraid of subversion why not simply chain a ser
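The two halves of the agility point above (swap algorithms freely, but an on-path party can steer the negotiation toward one both sides still accept) are easiest to see in a small negotiation. The code below is an added example, not anything from the thread or from Silent Circle's products: the algorithm labels and strength ranking are constructed, and a pre-shared key stands in for the key the real key exchange would produce. It shows the downgrade succeeding when the transcript is unauthenticated, the same tampering being detected when both sides MAC the transcript they saw, and the only remedy for a genuinely compromised algorithm, which is removing it from both sides' lists.

```python
import hashlib
import hmac

# Constructed algorithm names and strength ranking, used only for this example.
STRENGTH = {"AES-256-GCM": 3, "TWOFISH-256-GCM": 3, "LEGACY-64BIT": 1}


def pick_algorithm(client_offer, server_support):
    """Server side: honour the client's preference order, restricted to what
    the server supports. Raises if there is no overlap."""
    for alg in client_offer:
        if alg in server_support:
            return alg
    raise ValueError("no mutually supported algorithm")


def transcript_tag(key, client_offer, chosen):
    """HMAC over the handshake transcript as one side observed it. Real
    protocols derive `key` from the key exchange; a pre-shared key is assumed."""
    transcript = ",".join(client_offer) + "->" + chosen
    return hmac.new(key, transcript.encode(), hashlib.sha256).digest()


def handshake(client_offer, server_support, key, on_path=None, authenticate=True):
    """Run one negotiation. `on_path` optionally rewrites the client's offer
    before the server sees it. With `authenticate`, both sides MAC the
    transcript they saw and the session is rejected on mismatch."""
    offer_seen_by_server = on_path(client_offer) if on_path else list(client_offer)
    chosen = pick_algorithm(offer_seen_by_server, server_support)
    if authenticate:
        server_tag = transcript_tag(key, offer_seen_by_server, chosen)
        client_tag = transcript_tag(key, client_offer, chosen)
        if not hmac.compare_digest(server_tag, client_tag):
            return {"ok": False, "algorithm": None, "reason": "transcript mismatch"}
    return {"ok": True, "algorithm": chosen, "reason": None}


def strip_to_weakest(offer):
    """On-path rewrite of the offer: keep only the weakest algorithm the client
    still lists. It can only ever land on something both sides accept."""
    return [min(offer, key=STRENGTH.__getitem__)]


KEY = b"constructed-demo-key"  # assumption: stands in for the negotiated key
CLIENT = ["AES-256-GCM", "TWOFISH-256-GCM", "LEGACY-64BIT"]
SERVER = {"AES-256-GCM", "TWOFISH-256-GCM", "LEGACY-64BIT"}


def scenarios():
    """Four runs: honest, downgraded without transcript auth, the same tampering
    with transcript auth, and the legacy algorithm removed from both sides."""
    return {
        "honest": handshake(CLIENT, SERVER, KEY),
        "downgrade_unauth": handshake(CLIENT, SERVER, KEY,
                                      on_path=strip_to_weakest, authenticate=False),
        "downgrade_auth": handshake(CLIENT, SERVER, KEY, on_path=strip_to_weakest),
        "legacy_removed": handshake(CLIENT[:2], SERVER - {"LEGACY-64BIT"}, KEY,
                                    on_path=strip_to_weakest, authenticate=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} {result}")
```

The transcript MAC only proves that both sides saw the same offer; it does nothing if the weak algorithm is one both sides are willing to use and the peer itself asks for it, which is the case the comment warns about and why the last scenario drops it from the lists entirely.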
Re: Mixing the signals (Score:1)
Nope. Two weak ciphers do not make a strong one, just a mess.
This is not to say that a cryptosystem should not be designed from basic (and rather insecure) primitives suitably chained and iterated: this is actually the case for all modern block ciphers from Feistel-style networks to the AES. The point is that it is not sensible to rely for security on the rather unpredictable interactions between different encryptions and the actual risk is indeed a false sense of security.
A different problem is whether it
Re: (Score:2)
I don't understand. Suppose I have ciphers A and B. I have plaintext, encipher it with A, and encipher it with B using a different key. Why would the cipher be any weaker than the strongest of A and B? If that's the case, if I use AES and Twofish sequentially, I should be safe if either AES or Twofish is safe. ("Safe" in this case means the NSA can't break it in under, say, 2^100 operations.)
If I'm wrong, could somebody explain that in an understandable manner? (The answer to that could well be "n
Re: (Score:1)
The point is not so much that the cipher would be weaker, as that it would be no stronger than using any of them and there are some cases where it could actually be as weak as the weakest of them both. For instance, you do not gain anything under a "known plaintext" scenario.
Consider this case: you have an enciphering machine (say E) and you want to recover the keys being used by probing its behaviour with a series of
texts (which are either `random' or suitably chosen by you).
If E(m,k1|k2)=B(A(m,k1),k2)
wher
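The known-plaintext argument the reply above starts to make (E(m,k1|k2)=B(A(m,k1),k2), with an attacker who can probe the machine with chosen texts) can be carried through on toy ciphers. The following is an added example, not code from the thread: two constructed 32-bit block ciphers with 16-bit keys, A a small Feistel network and B an add-rotate-xor cipher, neither of which has any security claim, plus the textbook meet-in-the-middle key recovery on their cascade. With two known plaintext/ciphertext pairs it recovers the 32-bit composite key with roughly 2^16 + 2^16 cipher evaluations and a 2^16-entry table instead of the 2^32 brute-force work the doubled key length suggests, which is the precise sense in which the cascade is "no stronger" than its parts.

```python
MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF
KEY_BITS = 16  # each toy cipher takes a 16-bit key; the cascade key k1|k2 is 32 bits
ROUNDS = 4


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def rotr32(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK32


# Cipher A: constructed 4-round Feistel network on a 32-bit block (toy, no security claim).
def a_round_keys(key):
    return [rotl16((key ^ (0x5A5A * (i + 1))) & MASK16, 3 * i) for i in range(ROUNDS)]


def a_f(x, rk):
    return ((x * 0x9E37 + rk) & MASK16) ^ rotl16(x, 5)


def cipher_a_encrypt(block, key):
    left, right = block >> 16, block & MASK16
    for rk in a_round_keys(key):
        left, right = right, left ^ a_f(right, rk)
    return (left << 16) | right


def cipher_a_decrypt(block, key):
    left, right = block >> 16, block & MASK16
    for rk in reversed(a_round_keys(key)):
        left, right = right ^ a_f(left, rk), left
    return (left << 16) | right


# Cipher B: constructed add-rotate-xor cipher on the same block size (toy, no security claim).
def b_round_keys(key):
    return [(((key << 16) | key) ^ (0x9E3779B9 * (i + 1))) & MASK32 for i in range(ROUNDS)]


def cipher_b_encrypt(block, key):
    x = block
    for rk in b_round_keys(key):
        x = rotl32((x + rk) & MASK32, 7) ^ rk
    return x


def cipher_b_decrypt(block, key):
    x = block
    for rk in reversed(b_round_keys(key)):
        x = (rotr32(x ^ rk, 7) - rk) & MASK32
    return x


def cascade_encrypt(m, k1, k2):
    """E(m, k1|k2) = B(A(m, k1), k2), the construction from the comment above."""
    return cipher_b_encrypt(cipher_a_encrypt(m, k1), k2)


def cascade_decrypt(c, k1, k2):
    return cipher_a_decrypt(cipher_b_decrypt(c, k2), k1)


def meet_in_the_middle(pairs):
    """Known-plaintext key recovery on the cascade: tabulate A(m1, k1) for every
    k1, then for every k2 look up B^-1(c1, k2) in that table; survivors are
    confirmed on the second pair. Returns (candidate keys, evaluations used)."""
    (m1, c1), (m2, c2) = pairs
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(cipher_a_encrypt(m1, k1), []).append(k1)
    work = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in forward.get(cipher_b_decrypt(c1, k2), ()):
            work += 1
            if cascade_encrypt(m2, k1, k2) == c2:
                candidates.append((k1, k2))
    return candidates, work


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF  # constructed secret key for the demonstration
    pairs = [(m, cascade_encrypt(m, k1, k2)) for m in (0xDEADBEEF, 0x01234567)]
    found, work = meet_in_the_middle(pairs)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("work: %d evaluations vs %d for brute force" % (work, 1 << (2 * KEY_BITS)))
```

The memory for the table is the real cost of this approach, which is why the cascade still buys roughly one bit of extra work rather than nothing, and why three-pass constructions with three keys are used where a cascade is wanted at all.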
Trust (Score:1)
not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.
If "executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades" then "the company distrusts NIST".
No difference... (Score:2)
Re:9/11 was an inside job (Score:4, Insightful)
NIST has in many instances blocked independent investigations into 9/11, as well as lied about its own findings and devised unscientific explanations for the controlled demolitions of WTC 7 and the Twin Towers.
AE911truth [ae911truth.org]
You know, this is probably the first time in the history of 9/11 whackjob posts on Slashdot that the reply is actually relevant to the story. Because they have nearly identical basis in reality.
Re: (Score:3)
Even a broken conspiracy is right twice an epoch.
Re: (Score:2)
Re:What does this use? (Score:5, Interesting)
If they cascade the one the US recommends with the one China recommends with the one Russia recommends, it seems you're safe unless all three of those governments are conspiring against you. And if that's the case you probably have bigger problems.
Re: (Score:2)
Re: (Score:2)
Sorry to hash the joke, but that's double ROT128. Unless, of course you're using a 16-bit or 32 bit character.
Re: (Score:2)
I see Silent Circle going down the same path that Hushmail travelled. Hushmail is a very good service, but when told to either cooperate with Interpol or else, they cooperated.
With SC, they will likely be forced with the same choice. Hand over keys and put in backdoors or face shutdown/prison time.
Instead, the focus should not be on communications, but endpoint security. Maybe PGP needs a revisit?