[cryptography] Dual_EC_DRBG was cooked, but not AES?

2013-09-22 Thread Ed Stone
The Snowden revelations describe several methods by which NSA committed 
kleptography, caused compliance by hardware makers and influenced standards. 

Why has AES escaped general suspicion? Are we to believe that NIST tested, 
selected, endorsed and promulgated an algorithm that was immune to NSA's 
toolset, without NSA participation and approval? NSA involvement in DES is 
known, but we await cryptanalysis or Snowdenesque revelations before having 
skepticism about AES?

On 17 March 1975, the proposed DES was published in the Federal Register. 
Public comments were requested, and in the following year two open workshops 
were held to discuss the proposed standard. There was some criticism from 
various parties, including from public-key cryptography pioneers Martin Hellman 
and Whitfield Diffie,[2] citing a shortened key length and the mysterious 
S-boxes as evidence of improper interference from the NSA. The suspicion was 
that the algorithm had been covertly weakened by the intelligence agency so 
that they — but no-one else — could easily read encrypted messages.[3] Alan 
Konheim (one of the designers of DES) commented, "We sent the S-boxes off to 
Washington. They came back and were all different."[4] The United States Senate 
Select Committee on Intelligence reviewed the NSA's actions to determine 
whether there had been any improper involvement. In the unclassified summary of 
their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was 
sufficient; indirectly assisted in the development of the S-box structures; and 
certified that the final DES algorithm was, to the best of their knowledge, 
free from any statistical or mathematical weakness.[5]
However, it also found that

NSA did not tamper with the design of the algorithm in any way. IBM invented 
and designed the algorithm, made all pertinent decisions regarding it, and 
concurred that the agreed upon key size was more than adequate for all 
commercial applications for which the DES was intended.[6]

Source: https://en.wikipedia.org/wiki/Data_Encryption_Standard

On September 10 2013, The New York Times wrote that internal memos leaked by 
a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated 
one of the random number generators used in a 2006 N.I.S.T. standard — called 
the Dual EC DRBG standard — which contains a backdoor for the NSA. On 
September 10 2013, The NIST director released a statement, saying that NIST 
would not deliberately weaken a cryptographic standard.

Source: https://en.wikipedia.org/wiki/Dual_EC_DRBG

A major American computer security company has told thousands of customers to 
stop using an encryption system that relies on a mathematical formula developed 
by the National Security Agency (NSA).

RSA, the security arm of the storage company EMC, sent an email to customers 
telling them that the default random number generator in a toolkit for 
developers used a weak formula, and they should switch to one of the other 
formulas in the product.

The abrupt warning is the latest fallout from the huge intelligence disclosures 
by the whistleblower Edward Snowden about the extent of surveillance and the 
debasement of encryption by the NSA.

Last week, the New York Times reported that Snowden's cache of documents from 
his time working for an NSA contractor showed that the agency used its public 
participation in the process for setting voluntary cryptography standards, run 
by the government's National Institute of Standards and Technology (NIST), to 
push for a formula it knew it could break. Soon after that revelation, the NIST 
began advising against the use of one of its cryptographic standards and, 
having accepted the NSA proposal in 2006 as one of four systems acceptable for 
government use, said it would reconsider that inclusion in the wake of 
questions about its security.

Source: 
http://www.theguardian.com/world/2013/sep/21/rsa-emc-warning-encryption-system-nsa
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?

2013-09-22 Thread Krisztián Pintér

Ed Stone t...@synernet.com at Sunday, September 22, 2013, 3:05:06 PM:

 Why has AES escaped general suspicion? 

because it was not created by NIST, nor NSA nor any other US gov org. it was 
created by the academia, namely two guys, daemen and rijmen (neither of them 
are americans).

the possibility of a backdoor in dual_ec was discovered very soon after its 
announcement. aes is much older, and despite the 15 years of scrutiny, it 
stands firm.



Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?

2013-09-22 Thread ianG

On 22/09/13 16:05 PM, Ed Stone wrote:

Why has AES escaped general suspicion? Are we to believe that NIST tested, 
selected, endorsed and promulgated an algorithm that was immune to NSA's 
toolset, without NSA participation and approval? NSA involvement in DES is 
known, but we await cryptanalysis or Snowdenesque revelations before having 
skepticism about AES?
NIST didn't really test, select, endorse and promulgate the AES 
algorithm, and neither did the NSA.


The process was a competition for open cryptographers, not agencies.  It 
was done this way because we strongly suspected DES interference.


Some 30 algorithms were accepted in the first round, and subject to a 
year or so worth of scrutiny by the same submitting teams.  This then 
led to a second round of 5 competitors and another long-ish period of 
aggressive scrutiny.  The scrutiny was quite fierce because the 
reputations of the winners would be made, so the 5 teams did their 
darndest to undermine the competition.  Many famous names were hoping 
for the prize.


It is the case that NIST (and probably the NSA) selected Rijndael from 
the 5 finalists.  But they did so on the basis of a lot of commentary, 
and all the critics were agreed that all 5 were secure [0].


So, claiming that the NSA perverted the AES competition faces a much 
higher burden.  They would have had to have done these things:


   * pervert some of the early teams,
   * pervert the selection process to enable their stooges through,
   * and design something that escaped the aggressive scrutiny
     of the losers.

It's possible, but much harder to get away with.

In contrast, with the DRBG adventure, NSA designed the process, and 
tacked it onto a more internal NIST standards process.  Little or 
minimal scrutiny from outside, and little or minimal perversion of 
outsiders necessary in the standardisation phase (but that did come later).
iang



[0]  At the time, myself and my team followed it, and we predicted that 
Rijndael would be the winner ... just by reading all the comments.  Note 
we weren't serious cryptographers, but we provided the Java framework 
for the competition, so it was a



Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?

2013-09-22 Thread Tony Arcieri
On Sun, Sep 22, 2013 at 7:05 AM, Ed Stone t...@synernet.com wrote:

 There was some criticism from various parties, including from public-key
 cryptography pioneers Martin Hellman and Whitfield Diffie,[2] citing a
 shortened key length and the mysterious S-boxes as evidence of improper
 interference from the NSA. The suspicion was that the algorithm had been
 covertly weakened by the intelligence agency so that they — but no-one else
 — could easily read encrypted messages.[3] Alan Konheim (one of the
 designers of DES) commented, We sent the S-boxes off to Washington. They
 came back and were all different.[4]


It's now known that the NSA selected S-boxes that hardened the algorithm
against differential cryptanalysis. Furthermore, 3DES continues to remain a
viable cipher.

See: http://www.cosic.esat.kuleuven.be/publications/article-2335.pdf

-- 
Tony Arcieri


Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?

2013-09-22 Thread Lodewijk andré de la porte
2013/9/22 Tony Arcieri basc...@gmail.com

 Furthermore, 3DES continues to remain a viable cipher.


I, personally, find that a most commendable and remarkable fact. To use DES
with longer keying (and more rounds) is, to this very day, a solid choice.
It makes one wonder why the longer keys weren't used before. Doesn't it
make you feel safer that your secret will remain that way until long after
you die?

Performance issues in cryptography are an interesting problem. Both the
safety and inconvenience are in it. It is my proposition that the security
has been minimized too often, and too much.

Longer keys, stronger crypto. This is what I would like to see.

I still think simplicity is something largely ignored in the algorithms.
DES is a *fairly* simple arrangement, AES definitely doesn't improve upon
it. It still seems strange to me that *tricks*, because that's what they
are, require so much trickery.

A simple purpose, a simple solution. You'd imagine.

The simplest algorithm would be the simplest trick to figure out, to undo
the trickery of. Anything more complex would be more difficult to undo, but
will it be more computationally expensive? Are we increasing human effort
or computer effort?

Regarding this topic: typically I'm always disappointed in groups by two
things. The first is the capacity of the group. The second is the kind of
effort being performed to achieve a goal. Usually groups display much
lesser capabilities than individuals do. And the groups will not perform
outside their parameters, meaning they do much less than you'd think they
do to achieve their goals.

I doubt AES is subverted through partaking in the contest. But as those at
the competition I wonder about the abilities of the immense amounts of
cryptographers possibly employed at the NSA. They're careful though. Maybe
we won't ever find out.