-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 5, 2013, at 8:24 PM, Jerry Leichter <leich...@lrw.com> wrote:
>>> Another interesting goal: "Shape worldwide commercial cryptography
>>> marketplace to make it more tractable to advanced cryptanalytic
>>> capabilities being developed by NSA/CSS." ... This makes any NSA
>>> recommendation *extremely* suspect. As far as I can see, the bit push NSA
>>> is making these days is toward ECC with some particular curves. Makes you
>>> wonder.
>> Yes, but. The reason we are using those curves is because they want them for
>> products they buy.
> They want to buy COTS because it's much cheap, and COTS is based on
> standards. So they have two contradictory constraints: They want the stuff
> they buy secure, but they want to be able to break in to exactly the same
> stuff when anyone else buys it. The time-honored way to do that is to embed
> some secret in the design of the system. NSA, knowing the secret, can break
> in; no one else can. There have been claims in this direction since NSA
> changed the S-boxes in DES. For DES, we now know that was to protect against
> differential cryptanalysis. No one's ever shown a really convincing case of
> such an embedded secret hack being done ... but now if you claim it can't
> happen, you have to explain how the goal in NSA's budget could be carried out
> in a way consistent with the two constraints. Damned if I know....
>
>>> (I know for a fact that NSA has been interested in this area of mathematics
>>> for a *very* long time: A mathematician I knew working in the area of
>>> algebraic curves (of which elliptic curves are an example) was recruited by
>>> - and went to - NSA in about 1975....
>> I think it might even go deeper than that. ECC was invented in the civilian
>> world by Victor Miller and Neal Koblitz (independently) in 1985, so they've
>> been planning for breaking it even a decade before its invention.
> I'm not sure exactly what you're trying to say. Yes, Miller and Koblitz are
> the inventors of publicly known ECC, and a number of people (Diffie, Hellman,
> Merkle, Rivest, Shamir, Adelman) are the inventors of publicly known
> public-key cryptography. But in fact we now know that Ellis, Cocks, and
> Williamson at GCHQ anticipated their public key cryptography work by several
> years - but in secret.
>
> I think the odds are extremely high that NSA was looking at cryptography
> based on algebraic curves well before Miller and Koblitz. Exactly what they
> had developed, there's no way to know. But of course if you want to do good
> cryptography, you also have to do cryptanalysis. So, yes, it's quite
> possible that NSA was breaking ECC a decade before its (public) invention.
> :-)
What am I trying to say?
I'm being a bit of a smartass. I'm sorry, it's a character flaw, but it's one
that amuses me. I'll be blunt, instead.
There is a lot of discussion here -- not really so much from you but in general
-- that in my opinion is fighting the last war. Sometimes that last war is the
crypto wars of the 1990s, but sometimes it's WWII. Yeah, yeah, if you don't
remember history you'll repeat it, but we need to look through the windshield,
not the rear view mirror.
My smartassedness was saying that by looking at the past, gawrsh, maybe we're
seeing a time machine!
The present war is not the previous one. This one is not about crypto. It
involves crypto, but it's not *about* it. The bright young things of 1975 who
went to work for the NSA wrote theorems and got lifetime employment. The bright
young things of 2010 write shellcode and are BAH contractors.
There are two major trends that are happening. One is that they're hitting the
network, not the crypto. Look at Dave Aitel's career, not your mathematician
friend. Aitel is one of the ones that got away, and what he talks about is what
we're seeing that they are doing. If you have to listen to one of the old
school mathematicians, listen to Shamir -- they go around crypto. (And
actually, we need to look not at Aitel as he left in 2002, but the bright young
thing who left last year, but I think I'm making my point.)
The other major trend is that outsourcing, contracting and other things ruined
the social contract between them and the people who work there. (This reflects
the other other problem which is that the social contract between them and us
seems to be void.) Nonetheless, Aitel and others left and are leaving because
no longer do they tap you on the shoulder in college and then there's the
mutual backscratching of a lifelong career. Now a contractor knows that when
the contract is over, they're out of a job. And when the contractor sees
malfeasance that goes all the way up to the Commander-in-Chief, they look at
what their employment agreement said, as well as the laws that apply to them.
If you're in that environment and you see malfeasance, you go to your superior
and it's a felony not to. If your superior is part of the malfeasance, you go
to your superior's superior. If it goes all the way up to the CiC, then some
sharp, principled kid who is just a contract sysadmin just might put a lot of
files on a laptop and decide they have to go to We The People, who are, after
all, the ultimate superior.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSKVscsTedWZOD3gYRAhILAJ4gPKVB8GS4eO3PUQ8YZu0HSDjLgwCeK9fd
STar4MPePQhjOFNK/xvIry0=
=2h6K
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
