
Academics Should Not Remain Silent On Government Hacking

Posted by Unknown Lamer
from the too-busy-writing-papers dept.
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the 'Dual EC DRBG' standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
  • Grants. (Period) (Score:4, Interesting)

    by xxxJonBoyxxx (565205) on Wednesday December 18, 2013 @12:51PM (#45727103)

    >> why researchers have remained largely silent in the wake of the revelation that (US gov does bad thing)

    Just follow the money to...federal research grants. Even if an individual professor decided to rock the boat, their local university would do their best to shut them up.

    Related: []
    George D. Klein - former professor: "A professor is viewed as a profit center by university administrators...Faculty members will survive as a professor if she/he is awarded lots of grants with lots of over-head for the university coffers..."

    Also: []

  • by Petron (1771156) on Wednesday December 18, 2013 @01:12PM (#45727355)

    Actually, it would.

    The problem comes from bankruptcy laws. Banks were having a fit because students would get loans, and when they graduate, declare bankruptcy and have the loans forgiven. The showboat case for this was people graduating as medical doctors, declaring bankruptcy, then getting a high paying job. Banks went to the government to 'fix' this problem and the fix was: Student loans are immune to bankruptcy. If you get a student loan, you will pay it back, even if that means you will have your McPaycheck garnished.

    This now means that banks have little to no risk on their loans. Why would they refuse any loan? Whether the student is successful or not, either way, they get paid. A kid that gets straight D's in school and wants to major in "Classical Nintendo"? Sure! Here's money with a nice interest rate.

    Now we have banks giving money to anybody who wants it, and demand for higher education goes up. When demand goes up and supply stays the same... prices go up. Prices go up? Get a loan!

    It's a self-feeding model that all started with crony capitalism. Banks and Government got in bed together. Now I don't blame the banks for complaining... it is a problem. If I lent out a ton of money for students to become doctors, and they kept stiffing me, I'd be pissed. But the Government gave the Banks too sweet of a deal. They gave them a win-win.

    What if the banks had a 10 year probation window on student loan bankruptcies instead? If a student declares bankruptcy, the loan is put on hold for 10 years with no interest. If during that 10 year time the student finds a job that could make payments, the loan sticks. If they can't after 10 years, the loan is forgiven. Banks are protected from those "evil doctors" getting hefty loans then dumping them... Students are protected from not being able to find a job afterwards. The loan (and cost of the education) must reflect the job that is received in the end. Students with poor grades, and majors that aren't in demand, are less likely to get loans, as they are now risky to the bank. All of this should lower costs of education.

  • Not silent. (Score:3, Interesting)

    by Anonymous Coward on Wednesday December 18, 2013 @02:23PM (#45728173)

    Not silent: drafting. Planning. Analysing. Discussing. Coding. Working.

    There's a lot more to it than Dual_EC_DRBG: that's just the most obvious, neon-sign "HEY LOOK AT ME I'M A BACKDOOR" backdoor. The funding document leaked by Snowden specifically states public key algorithms. I can match that directly: The NIST/SecP curves were generated by Jerry Solinas of the NSA from SHA-1 hashes with no known source. Yeah, they're totally dodgy, although not perhaps in the obvious ways (it may be that they're specified in ways that make them excruciatingly hard to implement correctly without fucking up: timing attacks; random source; curve point validation; perhaps unknown attacks associated with discriminants? NSA do have a head-start on EC). ECDSA and DSA too; the big hole is very simply that pesky random number thing - as Sony know to their cost. Makes me wonder about a couple of other things too.

    djb and Tanja Lange are working on new algorithms to replace them, which are 100% non-NSA and actually also really really fast. - EdDSA with Ed25519 (aka Curve25519 - same Montgomery curve, more efficient/useful Twisted Edwards representation) and/or Curve3617 (pure Edwards, 414-bit size, 200-bit security) are absolutely top contenders to replace ECDSA and ECDHE and are better in every single way. Tanja's even come up with a way to encode curve points, on the safecurves, in a way that the output looks truly random, if we need that (explicitly stated use case: censorship/protocol fingerprinting evasion, could see uses in other areas too).

    AES-128-GCM seems okay, if you have hardware implementations, but has difficulties running in O(1) free of timing attacks in software. ChaCha20_Poly1305 is a djb ciphersuite proposed by Adam Langley which does much better - it's a replacement for RC4 (which is definitely 100% no contest broken in realtime by Nation State Adversaries, we're quite sure about that now) and is probably a better AEAD, to be honest, than GCM, in my opinion. Live on Google servers, and in Chrome dev builds, right now. Draft in consideration. ChaCha20 is Salsa20's successor, an eSTREAM finalist; ChaCha20 was used to build the SHA-3 finalist BLAKE and got a lot of cryptanalytic attention through that. Best attack (truncated differential cryptanalysis) 6 of 20 rounds, surprisingly simple ARX construct easy to analyse with no nasty surprises, fast as hell especially with any kind of SIMD, great differential and linear resistance: can't say fairer than that!

    These are among the algorithms we're going to use to rebuild all this. We have trust models to fix, too, which are closer to the root of the Big Problem - more transparent auditing, pinning with DANE and DNSSEC, there's a lot of possible things we could do to harden all that, and we're going to do all that. And the protocols can be improved significantly too, and we're working on that: things like encrypting the ClientHello from the very beginning WILL be part of TLS 1.3, flying pigs be damned.

    We have a lot of work ahead of us rebuilding all this, and it's going to take a long time. Needs to be done very carefully, openly, and transparently. Feel free to come and help (if you know what the fuck you're doing).

    I'm not pulling my punches. (I haven't so far, as you might see if you look me up.) I want to make sure the right choices are made for the right reasons, and GCHQ and NSA can kiss my ass. As engineers, we try to be non-political, but that doesn't mean we can't be really pissed at literally being double-crossed and lied to, and attacked by the people (ostensibly) whose job it is to protect us. I am very, very bitterly angry with them for fucking up their COMSEC mission to further their SIGINT mission: it's nothing less than a billion-dollar funded betrayal of national and international security, from a technical perspective, and one that we have to go and fix - because they won't, and we could never trust them to anyway.

    We're not silent. We're busy. Other people can talk about political ramifications. We'll work to solve the technical ones. We'll meet in the middle. /akr
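The "surprisingly simple ARX construct" the comment above praises is easy to see in code. This is an added example, not code from the commenter or from any project he mentions: a minimal ChaCha20 block function built only from 32-bit add, rotate and xor, checked against the quarter-round and block test vectors published in RFC 7539/8439 (key 00..1f, nonce 00:00:00:09:00:00:00:4a:00:00:00:00, counter 1). Note that nothing in it depends on secret data for a table index or a branch, which is why it is straightforward to keep free of the timing leaks the comment worries about in software AES.

```python
import struct

MASK = 0xFFFFFFFF


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK) | (v >> (32 - n))


def quarter_round(a, b, c, d):
    """ChaCha quarter round: only add, rotate, xor (ARX).
    No secret-dependent memory access or branching anywhere."""
    a = (a + b) & MASK; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK; b = rotl32(b ^ c, 7)
    return a, b, c, d


# Column rounds then diagonal rounds, as in RFC 8439 section 2.3.
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Produce one 64-byte keystream block (20 rounds = 10 double rounds)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes and nonce 12 bytes")
    state = list(struct.unpack("<4L", b"expand 32-byte k"))  # constants
    state += struct.unpack("<8L", key)                        # words 4..11
    state.append(counter & MASK)                              # word 12
    state += struct.unpack("<3L", nonce)                      # words 13..15
    w = state[:]
    for _ in range(10):
        for a, b, c, d in COLUMNS + DIAGONALS:
            w[a], w[b], w[c], w[d] = quarter_round(w[a], w[b], w[c], w[d])
    # Feed-forward: add the initial state so the rounds cannot be inverted.
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])


def rfc8439_block_vector() -> bytes:
    """Keystream block for the RFC 8439 section 2.3.2 test inputs."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)
```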
