> I have a small amount of raised eyebrow because the greatest bulwark
> we have against the SIGINT capabilities of any intelligence agency are
> that agency's IA cousins. I don't think that the Suite B curves would
> have been intentionally weak. That would be a shock.

Then be "shocked, shocked" that the muscular exploitation side of an
intelligence agency would overrule the weak Information Assurance
side.  It happens over and over.

It even happens in companies that have no SIGINT side, like Crypto AG,
when somebody near the top is corrupted or blackmailed into submission.

As late as 1996, the National Academy of Sciences CRISIS panel was
tasked by the US Congress with coming up with a US crypto policy that
would be good for the whole nation, updating the previous policy that
was driven by spy agency and law enforcement excesses to sacrifice the
privacy and security of both people and companies.  After taking a
large variety of classified and unclassified input, the panel's
unanimous consensus suggested that everybody standardize on 56-bit
DES, which they KNEW was breakable.

Diffie, Hellman and Baran persuasively argued in the 1970s when DES
was up for standardization that a brute force DES cracker was
practical; they recommended longer keys than 56 bits.  See for example
this contemporaneous 1976 cassette recording / transcript:


Subsequent papers in 1993 (Wiener, "Efficient DES Key Search") and in
1996 (Goldberg & Wagner, "Architectural Considerations for
Cryptanalytic Hardware") provided solid designs for brute-force DES
key crackers.  Numerous cryptographers and cypherpunks provided input
to the CRISIS panel as well.  They even cited these papers and input
on page 288 of their report.

I have never seen a subsequent accounting by the CRISIS panel members
for this obviously flawed recommendation.  It was rapidly obsoleted by
subsequent developments when in June 1997 Rocke Verser coordinated a
team to publicly crack DES by brute force in months; when in 1998 EFF
revealed its DES Cracker hardware that cost $250K and could crack DES
in a week; and when in 2000 the export regs were effectively removed
on any strength encryption in mass market and free software, a change
forced upon them by EFF's success in Dan Bernstein's First Amendment

The panel members included substantial information-assurance folks
like Marty Hellman and Peter Neumann, Lotus Notes creator Ray Ozzie,
and Willis Ware (an engineer on WW2 radars and the Johnniac, who later
spread computers throughout aviation design and the Air Force, ended
up at RAND, and served on the 1974 Privacy Act's Privacy Protection
Study Commission).  But several of those people (and others on the
panel such as Ann Caracristi, long-term NSA employee and 2-year deputy
director of NSA) also have a long history involved with classified
military work, which makes their publicly-uttered statements unlikely
to reflect their actual beliefs.


PS: The CRISIS panel also recommended that encryption of any strength
be exportable "if the proposed product user is willing to provide
access to decrypted information upon a legally authorized request".
They assumed the ongoing existence of a democratic civilian government
and a functioning independent court system in the United States -- an
assumption that is currently questionable.  I don't think the panel
foresaw that a single "legally authorized request" would come with a
gag order from a secret court, would purport to "target" a single
unnamed individual, but would nevertheless require that information
about every person making a phone call in the United States be turned
over to a classified government agency for permanent storage and
exploitation.  Nor did they see that the government they were part of
would be committing serious international war crimes including political
assassination, torture, indefinite detention without trial, and wars
of aggression, on an ongoing basis.  Either that, or maybe NSA
blackmailed the committee members into these recommendations, just as
J. Edgar Hoover blackmailed his way through 40 years of unchecked
power.  Trouble is, Hoover eventually had to die; NSA, not being
human, does not have that natural limit.
The cryptography mailing list
