Communications Encryption Government Privacy

Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

Posted by timothy
from the service-is-a-transitive-noun dept.
Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."

  • serpent (Score:2, Insightful)

    by johnjones (14274)

    mathematics depts are interesting things...

    I personally trust in S-boxes

    regards

    John Jones

    • Why is the parent post modded offtopic?

      Serpent is not a bad choice, it has a conventional design with a large safety margin (32 rounds).

      • by sjames (1099)

        NSA sock puppets with mod points?

        Mods didn't know enough about crypto?

  • Or is it the case that NIST has a branch in Belgium?
    • by Anonymous Coward on Tuesday October 01, 2013 @09:03AM (#45001431)

      The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

      https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security [wikipedia.org]

      • by Joce640k (829181)

        The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

        Not 100% true. The NIST only messed with the 192 and 256 bit versions. Guess what? They turned out to be weak (and everybody knows about it).

        If you're truly paranoid you could use Triple-DES instead of AES but there's no good reason not to trust 128-bit AES, it's one of the most analyzed/studied algorithms ever.

        Block ciphers like AES can also be used as hash functions. SHA-n isn't really needed except for efficiency reasons (block cyphers are slower).

      • by Anonymous Coward on Tuesday October 01, 2013 @10:59AM (#45002855)

        I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.

  • by ArchieBunker (132337) on Tuesday October 01, 2013 @08:53AM (#45001337) Homepage

    IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

    • by Thanshin (1188877) on Tuesday October 01, 2013 @09:03AM (#45001433)

      IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

      We also have to assume that the power sockets are compromised. All computers that are, or have been at any point, attached to any source of power not directly coming from the sun must be considered infected, and shot in the brain.

    • by Anonymous Coward

      I trust the Chinese have already done that to every processor built for export. They'd be negligent if they haven't.

    • It's probably not that important, as Linus already pointed out [theregister.co.uk].
  • by Anonymous Coward

    This is actually good. Crypto should be flexible enough to switch to different algorithms. AES is just an option, and I'd say it's a fine one, but it's cool to get some extra algos some breathing room.

  • Marketing (Score:4, Interesting)

    by sociocapitalist (2471722) on Tuesday October 01, 2013 @09:08AM (#45001477)

    While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

    Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

    I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.

    • Re:Marketing (Score:4, Interesting)

      by Phrogman (80473) on Tuesday October 01, 2013 @09:14AM (#45001543) Homepage

      Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and more importantly faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

      If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm, therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much but better than nothing and we will likely never know the NSA's true capabilities anyways.

      • by Joce640k (829181)

        Well perhaps the point isn't that any new algorithms are uncrackable

        There's every reason to believe that they are. The NSA uses AES for its own encryption systems.

        If there's a weakness it's in the implementations (are your numbers really random?) and/or compromised PCs that they're running on.

        • Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?
          • by Joce640k (829181)

            Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

            We can't.

            There was a time when the NSA was way ahead of civilians, e.g. in the 1970s when they tweaked DES without telling anybody why - turns out they knew about differential cryptanalysis.

            Since then the gap has closed. These days there's no reason to suppose they're much ahead of civilians (except in budget, getting people to sign pain-of-death NDAs, install "government approved" black boxes in telephone exchanges, drive around in black SUVs ... etc).

        • by emt377 (610337)

          The NSA uses AES for its own encryption systems.

          You have to realize that security classifications depend on the time something needs to remain secure. For battlefield comms this might be 6-8 hours, for HQ comms 5-10 days. The classification then is used to select a cipher based on a professional estimate of how long it takes someone with the resources of a major government to break it. Information that needs to remain protected indefinitely goes under lock and key, in a cabinet, safe, vault, with or without a guard stationed. Maybe inside a protected fa

          • by HiThere (15173)

            No. Largely right, but No.

            A random one-time pad is secure until/unless the decoder gets his hands on a copy (Though you might want to encrypt a prime number of bits at a time. I'm not sure what happens if you encrypt chunks of characters.)

            Also, public key encryption (say twofish, or even AES) is probably safe if you have a long enough key barring either a theoretical breakthrough in factorization or decent quantum computers. But you might be wise to not use the default parameters. (What you *should* us

      • Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and more importantly faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

        If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm, therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much but better than nothing and we will likely never know the NSA's true capabilities anyways.

        Agreed - the only comment I would have is that a data haven is automatically going to be a 'person of interest' and thus a target.

    • by Anonymous Coward

      That's why everyone should move their data to the Crypt, whether they think they have anything to hide or not, and switch to Pontiffex encryption, too.

    • Re:Marketing (Score:4, Interesting)

      by cryptizard (2629853) on Tuesday October 01, 2013 @09:19AM (#45001583) Homepage

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

      • Re:Marketing (Score:5, Informative)

        by Kjella (173770) on Tuesday October 01, 2013 @10:16AM (#45002297) Homepage

        Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later downclassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101 but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seem able to crack a single cipher yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...

        Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.

        • Good point. The only symmetric cipher I know of that was completely "broken" is DES, but that is because the key length was chosen to be too short. Even at the time it was released people said it was too short.
          • by mlts (1038732) *

            Skipjack was pretty thoroughly weakened once it was declassified. DES is still useful in TDES mode, but that is pretty expensive computation-wise compared to a newer algorithm like Twofish.

            Of course, there are blocksize issues with the older cyphers...

            • If the NSA can decrypt everything, then why do they bother to store all encrypted text for 5 years? They would just decrypt, analyze and toss it away same as the plain text.
        • Re: (Score:2, Informative)

          by Anonymous Coward

          Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?

          Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

          'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'

        • Factoring large semiprimes has a scalable solution. For example, if you have a large semiprime that is expected to take a billion years to factor, you can throw a billion cores at the problem and factor it in one year. I am *not* referring to GNFS.

          With a billion cores of custom silicon, you can speed it up even more.

        • by Fnord666 (889225)
          On the other hand, please take a look at the history of differential cryptanalysis. [wikipedia.org] The NSA was quite ahead of academia on that one. My own research back in those days demonstrated that the substitution boxes had been chosen with very specific characteristics. The same holds true for elliptic curves, where the curve chosen must have specific properties. Whether we know what all of those properties are though is still undecided. We know what makes a weak curve, but do we know what makes a strong one?
      • by Tom (822)

        They don't have that many smart people working there, in comparison with ALL of the rest of the world.

        Actually, the NSA has for decades been the by far largest employer of mathematicians, world-wide.

        They do have tons of smart people working for them, and contrary to the rest of the world, those don't work on optimizing Zynga games or production lines or any of the other million other areas, they all work on crypto, surveillance, etc.

        In a crypto contest between the NSA and the rest of the world combined, I'd bet on the NSA. Mostly because the rest of the world would break apart in a flame war and uses 20 diffe

      • It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case.

        In 1995, NSA added a single bit-rotation to SHA that made it considerably stronger, but they didn't explain their reasoning at the time. It took several more years before academia found significant weaknesses, with 2004 being the year that SHA-0 (as the original, non-rotated version is now called) was really cracked wide open. That (arguably) puts them about a decade ahead (in a situation where they willingly tipped their hand). These folks employ the most math PhDs in the world and have their own chip

      • I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

        I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

        Why would they have to be ahead in every other area of computer science? The key to encryption is cryptography and the NSA was formed to crack code - it is their entire reason to exist.

        Yes I think that they have some of the smartest people in the world who do absolutely nothing but break codes and on top of that, yes I think that they have more budget and more computing power than anyone else in the world to do it with.

        I know someone who used to work for the NSA and he told me that they are twenty years ah

        • Think about a widely known encryption with a large enough key (>64 bits) that was "broken" in the last thirty years. It hasn't happened. There have been weaknesses discovered, but the only major encryptions to be broken are DES and A5 which were known to have a short key length even when they were released. They weren't even broken by cryptanalysis but just lots of computation. 3DES (to extend the key length) is still considered secure today. For the NSA to have broken not just one, but every major
    • by Joce640k (829181)

      While I think that NIST related crypto algorithms are probably well compromised by the NSA

      AES is one of the most independently studied/analyzed algorithms ever.

      I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Triple-DES?

    • by mlts (1038732) *

      The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

      There are plainer reasons for s

      • The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

        There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

        Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom. If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

        [1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

        Well...arguably the US is big enough that no single disaster could knock out data centers at the far ends. For the next point, one might keep the data in two different havens in case one of them decides to hold it for ransom (which seems unlikely to me but okay, why not). One might argue that the data haven would sell the data to the US as well, for that matter.

    • by tlhIngan (30335)

      While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

      Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than s

  • Marketing! (Score:5, Insightful)

    by tgd (2822) on Tuesday October 01, 2013 @09:13AM (#45001517)

    Or stupidity. One of the two.

    Why use algorithms that are standardized on by the federal government and have been looked at exhaustively by experts around the world when you can use an untested crypto system? After all I'm sure the NSA wants to ensure that bad guys have access to everything the government is encrypting by first weakening the encryption standard, then standardizing the US government on the use of them.

    • Re:Marketing! (Score:5, Interesting)

      by cryptizard (2629853) on Tuesday October 01, 2013 @09:21AM (#45001611) Homepage
      Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.
  • by dido (9125) <dido@i[ ]rium.ph ['mpe' in gap]> on Tuesday October 01, 2013 @09:13AM (#45001519)

    I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher have been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.

    Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.

    The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.

    • by drinkypoo (153816)

      I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard.

      I doubt it too, but the facts combine to suggest that we should be suspicious anyway. NSA has compromised ciphers. NSA chose this cipher. Therefore, it is best to be suspicious of this cipher.

      • Brer rabbit much? The NSA knows Rijndael is unbreakable... so they had Snowden "leak" some files. Make people think the NSA is more dangerous than it is. People worry about Rijndael and switch to something weaker.

        TRUST NO ONE.

        • But it could also be double bluff, designed to cause smart people like you not to switch away from broken Rijndael!

          Woaahh.. but wait a minute... what if it's a TRIPLE bluff?

    • by cryptizard (2629853) on Tuesday October 01, 2013 @09:26AM (#45001663) Homepage
      On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

      The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.
      • by dido (9125) <dido@i[ ]rium.ph ['mpe' in gap]> on Tuesday October 01, 2013 @10:32AM (#45002507)

        Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government! I think it's much more likely that they did apply even more of their vaunted cryptanalytic prowess to it when NIST gave their approval in 2000, and when by 2003 they found no significant weaknesses, they approved it for use with classified information. If they had found a significant weakness in AES and approved it anyway for such use, how arrogant and stupid would that make them? Their own supposedly secure communications with the rest of the government would be compromised as a result! As I said you can accuse the NSA of being many things, but I don't think stupidity is one of them.

        Snowden himself said it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The real trouble is there are too many systems out there that use otherwise sound cryptographic primitives in insecure ways, either by incompetence or by design. The NSA has been known to pressure manufacturers of security equipment to do the latter, and naturally they will only certify equipment that hasn't been thus back-doored for government use.

        And no, I don't think breaking AES would be career suicide for an academic cryptanalyst. Fermat's Last Theorem would also have been considered career suicide for centuries for the same reasons you cite, but now Andrew Wiles is one of the most famous mathematicians in the world. True, it's a hard problem, but if you manage to publish a workable break of AES you would become the most famous cryptographer in the world.

        • by mlts (1038732) * on Tuesday October 01, 2013 @11:29AM (#45003237)

          You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG only is using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.

          Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differential cryptanalysis.
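
An added example, not part of the original thread: the comment above notes that a generator feeding only 8 random bits into 256-bit nonces is invisible unless someone counts the distinct values produced. The sketch below runs that audit by estimating the effective pool size from repeat counts; the generator functions, sample size and seed are constructed for illustration.

```python
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass
class NonceAudit:
    samples: int
    distinct: int
    collision_pairs: int
    estimated_bits: float  # log2 of the estimated number of possible nonces
    is_lower_bound: bool   # True when no repeat was seen at this sample size


def audit_nonces(nonces):
    """Estimate how many bits of randomness actually feed a nonce generator.

    For a generator drawing uniformly from a pool of N values, any two
    samples collide with probability 1/N, so N is roughly
    (number of sample pairs) / (number of colliding pairs).
    """
    n = len(nonces)
    if n < 2:
        raise ValueError("need at least two nonces")
    counts = Counter(nonces)
    pairs = sum(c * (c - 1) // 2 for c in counts.values())
    total_pairs = n * (n - 1) // 2
    if pairs == 0:
        # No repeats: the sample only shows the pool is at least this large.
        return NonceAudit(n, len(counts), 0, math.log2(total_pairs), True)
    return NonceAudit(n, len(counts), pairs,
                      math.log2(total_pairs / pairs), False)


def weak_nonce(rng):
    # Constructed flaw: 8 random bits stretched to 256 by hashing.
    # Every output looks random in isolation.
    return hashlib.sha256(bytes([rng.randrange(256)])).digest()


def full_nonce(rng):
    # 256 bits drawn directly from the generator.
    return rng.getrandbits(256).to_bytes(32, "big")


def sample(generator, count, seed):
    # random.Random is used only so the demonstration is reproducible;
    # a real system would draw from the OS CSPRNG (os.urandom / secrets).
    rng = random.Random(seed)
    return [generator(rng) for _ in range(count)]


if __name__ == "__main__":
    for name, gen in (("weak", weak_nonce), ("full", full_nonce)):
        result = audit_nonces(sample(gen, 5000, seed=1))
        bound = ">= " if result.is_lower_bound else "~ "
        print(f"{name}: {result.distinct} distinct of {result.samples}, "
              f"{result.collision_pairs} colliding pairs, "
              f"{bound}{result.estimated_bits:.1f} bits")
```

When no repeats are seen, the figure is only a floor set by the sample size, so a clean result at 5000 samples says nothing about a generator limited to, say, 40 bits.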

          • by emt377 (610337)

            The key distribution and storage is often, but not always, the weakest point of attack. The exception is if you have plaintext or some pattern to look for (like an http or email header). This is why secure communications frequently are free of keywords and just contain a bunch of fields.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government!

          No, actually, the NSA uses two suites of cryptographic algorithms. AES, Diffie-Hellman key exchanges, etc. are in Suite B, which is published and available for everyone to use. That's what you're talking about. There's also Suite A, of which even the names of the algorithms are largely unknown. Those algorithms might well never get published. Suite A is for internal use, for encrypting the important secrets.

        • by emt377 (610337)

          Snowden himself said it: "Encryption works.

          Snowden is a clueless kid.

        • Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves

          Fool. You seriously think that an agency which LIES directly to people who are cleared for the information they ask about, even when those people are SENATORS -- You seriously think this agency HAS TO USE the cipher they tell everyone else to use? I hope that your smarts aren't genetic, you'd be a threat to the gene pool.

        • "if they want to exchange..." Keyword: If.
    • by emt377 (610337)

      Why do you say the NSA "is evil"? They have no operative arm, or actually *do* anything. If they come across criminal activity they can tip off the FBI, but what they have isn't admissible evidence, so the FBI gets to do its own investigative work. Their job is to uncover and watch for activities by people who wish to harm the United States or its people - exactly what we who pay their bills want them to do, as well as to act as an expert advisor to the federal government. Do you think governments shoul

  • ...not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development...

    Really? So they are worried about NSA's influence on NIST, but they still trust NIST???

  • Please move to the most obscure and unreviewed encryption algorithms that you can, and do it as fast as possible. By no means should you ever use the exact same encryption standards that are approved for use for securing the big-bad-evil U.S. government's own top-secret data. Remember, the only cryptographic systems with any flaws are the ones that were developed by non-US citizens and reviewed in a public process that might have tangentially involved the NSA. Oh, and nobody, we mean nobody, else could ever

    • by Anonymous Coward

      Twofish is hardly obscure or unreviewed. It was submitted as an AES candidate along with Rijndael. It's been reviewed plenty. It didn't meet the needs of NIST as well as Rijndael, which is why it wasn't chosen to be AES. But that doesn't make it a BAD cypher. It just makes it not ideal for NIST's purposes, which may well include: being vulnerable to attack by the NSA.

      • by mlts (1038732) *

        IIRC, Twofish did not make the AES finalist because it used more CPU than Rijndael. This doesn't mean Twofish is less secure, it just means that crypto ASICs are cheaper to make shifting blocks around than Twofish's split key/algorithm method.

        Were I to choose one or the other just for security, I'd choose Twofish over Rijndael, but NIST had other parameters in their design decision.

  • Madness (Score:5, Informative)

    by lucag (24231) on Tuesday October 01, 2013 @09:25AM (#45001655) Homepage

    The least I would have expected from the documents about the extensive spying done by NSA was a generalized weakening of cryptography.
    While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic; especially for those which are best investigated by the cryptological community at large.
    In particular, NIST-mandated cipher suites, while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
    Skein and Twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by NSA (and not other architectural or practical considerations) resembles more a form of superstition than anything else.

  • For the record the US government uses the NIST cryptographic transformations as recommended by its own NSA so on a global scale of one to broken they can't be that bad. So for generalist everyday encryption they should be fine, if you're trying to hide something that might have some sort of national security implications then if you're legitimately in possession / generating that kind of information then there will be a different set of protocols and standards to follow. People would shit their pants if the
    • by mlts (1038732) *

      If I had to use a well studied algorithm that -might- have a backdoor by an agency versus an algorithm that is "secret" that someone pulled out of their derriere, I'd rather have the former.

      I've been in those shoes before. My freshman year of college, I made a crypto algorithm that I thought was the cat's meow... plopped it on sci.crypt, and it was shredded by people who actually knew what it was doing in minutes.

      We already had those dark days of finding working crypto algorithms when people didn't use DES

  • I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?

    The following reference is obligatory tmo:

    http://xkcd.com/538/ [xkcd.com]

    As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or ignorant of NSA's actual powers at best. Again, I've no clue of what these powers could be, but suggesting that they could break into secu

  • "not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades"
    So in other words it distrusts NIST.
  • by Tokolosh (1256448) on Tuesday October 01, 2013 @10:52AM (#45002771)

    Brute-forcing or otherwise cracking the various algorithms is all well and good. However, I believe the reality is that the NSA (and others) have more success by using other means, combined with metadata. I am not sure what the other means are, but could include social engineering, keylogging, reading clues communicated in the clear, false certificates, MITM.

    They vacuum up all data, encrypted or not, to be decrypted at leisure, when indicated by the metadata. But the underlying encryption is still (mostly) secure.

  • I think crypto agility is generally an awesome thing; all our encryption should have the ability to swap out algorithms at a moment's notice, with a meaningful process to mutually agree to strong, acceptable algorithms.

    It is also a double-edged sword, as practically it means if any of the algorithms you trust are compromised AND both parties are still willing to use the algorithm, an attacker can normally steer parties to use it.

    One thing I never really understood is if you're afraid of subversion why not simply chain a ser
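
The steering risk described in the comment above can be detected by authenticating the negotiation itself and closed off by dropping distrusted suites from what each side will accept. This is an added sketch, not part of the original thread: the suite labels, the preference order, the `legacy-weak` entry and the shared `KEY` (standing in for a secret derived from the key exchange) are all assumptions, and HMAC-SHA-256 is used only because it ships with Python.

```python
import hashlib
import hmac

# Constructed names: preference order and "legacy-weak" are assumptions.
PREFERENCE = ["twofish-skein", "aes-sha2", "legacy-weak"]
KEY = b"constructed-demo-key"  # stands in for a key-exchange-derived secret


def prune(offer, distrusted):
    """Local policy: never offer (or accept) a suite we no longer trust."""
    return [s for s in offer if s not in distrusted]


def choose(offer_a, offer_b):
    """Pick the most preferred suite present in both offers."""
    for suite in PREFERENCE:
        if suite in offer_a and suite in offer_b:
            return suite
    raise ValueError("no common suite")


def transcript_tag(key, client_offer, server_offer, chosen):
    """MAC over both offers as this party saw them, plus the chosen suite."""
    msg = "|".join([",".join(client_offer), ",".join(server_offer), chosen])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def handshake(key, client_offer, server_offer, tamper=None):
    """Return (chosen, verified). `tamper` models an in-path rewrite of the
    client's offer before the server sees it."""
    seen_by_server = tamper(client_offer) if tamper else list(client_offer)
    chosen = choose(seen_by_server, server_offer)
    # Server authenticates what it received; client checks against what it sent.
    server_tag = transcript_tag(key, seen_by_server, server_offer, chosen)
    client_tag = transcript_tag(key, client_offer, server_offer, chosen)
    return chosen, hmac.compare_digest(server_tag, client_tag)


def strip_to_weak(offer):
    """Constructed tampering: leave only the weakest suite in the offer."""
    return ["legacy-weak"]
```

The transcript check only helps while the MAC key cannot be recovered through the weak suite during the handshake, which is why pruning the distrusted suite on both ends is the stronger of the two controls.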

    • Nope. Two weak ciphers do not make a strong one, just a mess.
      This is not to say that a cryptosystem should not be designed from basic (and rather insecure) primitives suitably chained and iterated: this is actually the case for all modern block ciphers from Feistel-style networks to the AES. The point is that it is not sensible to rely for security on the rather unpredictable interactions between different encryptions and the actual risk is indeed a false sense of security.

      A different problem is whether it

      • I don't understand. Suppose I have ciphers A and B. I have plaintext, encipher it with A, and encipher it with B using a different key. Why would the cipher be any weaker than the strongest of A and B? If that's the case, if I use AES and Twofish sequentially, I should be safe if either AES or Twofish is safe. ("Safe" in this case means the NSA can't break it in under, say, 2^100 operations.)

        If I'm wrong, could somebody explain that in an understandable manner? (The answer to that could well be "n

        • by lucag (24231)

          The point is not so much that the cipher would be weaker, as that it would be no stronger than using any of them and there are some cases where it could actually be as weak as the weakest of them both. For instance, you do not gain anything under a "known plaintext" scenario.

          Consider this case: you have an enciphering machine (say E) and you want to recover the keys being used by probing its behaviour with a series of
          texts (which are either `random' or suitably chosen by you).
          If E(m,k1|k2)=B(A(m,k1),k2)
          wher

  • not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.

    If "executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades" then "the company distrusts NIST".

  • The NSA has figured out that the crypto isn't the weak point no matter what algorithm is used. Change it all you want, it makes no difference.
