Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations 168
Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."
Re:I thought that AES *was* independetly designed? (Score:5, Informative)
The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security [wikipedia.org]
Madness (Score:5, Informative)
The least I would have expected from the documents about the extensive spying done by NSA was a generalized weakening of cryptography.
While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
In particular, NIST mandated cipher suites while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
Skein and twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by NSE (and not other architectural or practical considerations) resembles more a form of superstition than anything else.
Re:Marketing (Score:5, Informative)
Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later downclassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101 but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seem able to crack a single cipher yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...
Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.
Re:Marketing (Score:2, Informative)
Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?
Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html
'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'
Re:I thought that AES *was* independetly designed? (Score:5, Informative)
Take a look at the open process for fielding candidates for SHA-3, and tell me that all the people that bothered to submit candidates should be permanently suspect just because NIST asked for candidates and they offered them, and also offered critiques and analysis of competing designs. These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.
What happened is as the PP described: good algorithms were chosen and then weakened by intentionally bad choices for parameters. When run with good parameters, those algorithms were as secure as the crypto community could develop at the time. They don't always choose the most secure algorithm of the batch because of performance considerations, but they set strength goals and meet them to the extent that they can be analyzed.
So far they have picked Keccak as SHA-3 and the authors have recommended certain parameters to achieve certain cryptographic strengths for drop-in replacement of SHA2 hashes. Given the media attention I imagine NIST will feel obliged to follow those recommendations, which leaves them with only one thing left to specify, that being the format of the padding (which the Keccak authors have also offered some reasonable options for.)