On 17/02/2015 15:56 pm, Jerry Leichter wrote:
On Feb 17, 2015, at 6:35 AM, ianG <i...@iang.org> wrote:
Here's an interesting comparison.  Most academic cryptographers believe
that the NSA has lost its lead:  While for years they were the only ones
doing cryptography, and were decades ahead of anyone on the outside, but
now we have so many good people on the outside that we've caught up to,
and perhaps even surpassed, the NSA.  I've always found this reasoning a
bit too pat.  But getting actual evidence has been impossible.

I'd rather say it this way:  we have circumstantial evidence that we are at 
about the same level for all practical purposes and intents.  As far as we are 
concerned.
What evidence is there for this?

Snowden saying "encryption works." EquationGroup use of RC4-6, AES, SHAs. FBI complaining about going dark, we need backdoors - they only ever complain at that level as proxy for NSA, and same complaint is repeated in rapid succession in UK, DE. Practically all the exploits so far disclosed are about hacking the software, hardware, nothing we've seen comes even close to hacking the ciphers. Some of the interventions are about hacking the RNGs - which typically take the cryptanalysis to places where we can hack it. Off-the-record comments I've heard. Analysis of released systems such as Skipjack.

It's all circumstantial.


There's a bit of a difference.  I'd say they are still way ahead in 
cryptanalysis, but not in ways that seriously damage AES, KECCAK, etc.
Again, do you have any evidence?

There is the story about differential cryptanalysis - they released the first 4 volumes, but still haven't mentioned the other 4 ;-)

It's not that I have evidence the other way.  We just don't know.


At one level, this all comes down to your model of science. Typically we in the science world like to "know" stuff based on evidence from experiments, or similar facts that have been built up over time. We are very careful to not let our imagination run away with us.

But this doesn't work with the spy business. They will never let us run the experiment, they will not let us read the literature, and if we ever find enough to put 2+2 together, they'll run a deception campaign to break that logic. Or lie. Or they will remind us that "you don't know" or all of the above.

So we have to develop a better approach. We can probably benefit from thinking of the question as a murder investigation - clues, hypotheses, correlations, etc. We can't take it to a court of law -- they deny us that as well -- but we can form a view as to whodunnit.

Many won't accept that view, of course. To them I say, you're dancing to their tune.

 What concerns me is that most of the arguments are "faith-based" - the kind of arguments 
that support "open always wins":  No matter how big/smart you are, there are more smart 
people who *don't* work for you than who *do*, and in the long run the larger number of people, 
openly communicating and sharing, will win.  And yet Apple sold more phones in the US last quarter 
than all Android makers combined - the first time they've been in the lead.  It's not even clear 
how to compare the number of smart cryptographers inside and outside of NSA - and NSA has more 
funding and years of experience they keep to themselves.  This is exactly how organizations win 
over smart individuals:  They build a database of expertise over many years, and they are patient 
and can keep at it indefinitely.

Right. I'm surprised Android sells any phones in USA market. Although I understand that it is the only way to compete with Apple, it is also the weaker position. Which comes out in a price insensitive market. OTOH, I'm surprised to see an iPhone in Africa ;)


In contrast, I'd say we are somewhat ahead in protocol work.  That is, the push 
for eg CAESAR, QUIC, sponge construction, is coming from open community not 
from them.
Why would they push for new stuff out in the open world?

Maintenance of protocols is really hard, really expensive. I know, I manage a 100kloc code base with several hard crypto protocols in it, and I'm drowning, perpetually. Whatever we can do to get that into the open source world, the better.


They *should* be pushing for it, because they *should* be putting more emphasis 
on defense of non-NSA systems.

Yes. That is the huge mystery. It's pretty clear the NSA is doing the non-NSA mission huge damage. Yet no movement on the priorities, just blather about 'sharing' from Obama. That's a mystery.


But what we've seen confirmed repeatedly over the last couple of years is that 
they have concentrated on offense - and against everything that *isn't* an NSA 
system.

Right. I think that we know, even though they won't release much evidence of it ;)

(To the point where they've apparently even neglected defense of their own 
internal systems:  What Snowden did was certainly something they *thought* they 
had a defense against.)


No, I think that is unfair.


  In the 1990s we infamously blundered by copying their threat model;  now no 
longer, we have enough of our own knowledge and deep institutional experience 
to be able to say that's garbage, our customers are different.
Actually, in that case, I think there's a simpler explanation:  Their models 
were really the only ones out there, because they'd been dealing with the 
problem for many years.  Industry hadn't - its needs for security models were, 
until the pervasive computerization of information, much simpler and in little 
need of formalization.


I absolutely agree. In the day, I also learnt about CIA, and so forth. Only as time went on did I start digging into the reasons as to why famous systems weren't doing what we had hoped they did, and find that the original threat and security modelling wasn't good, was 'borrowed' without thought.

There's precedent for this.  When large-scale industrial organizations came into being - a fairly recent 
development; Engels, Marx's friend, owned what was then one of the largest factories in England, employing a 
few hundred people - they had to figure out how to manage themselves.  They copied the only form of 
organizational structure for large numbers of people that then existed:  Militaries, which followed a 
style going back to Roman times.  Think about the traditional factory:  Large numbers of 
"workers" out on the floor; a much smaller number of ex-workers promoted to line management; 
and then a hierarchy of "professional managers" - with specialized training; almost never 
promoted from among the line workers - above them.  It's not coincidence that this looks exactly like 
the traditional army, with its privates, non-coms, and a professional officer corps.  New models for 
large corporations only started to arise in the late 1960's, with the development of so-called 
"knowledge organizations".  (The military has had to back-port some of these innovations as it, 
too, has become more knowledge/expertise based.)


Good story!

And our needs are pushing the envelope out in ways they can't possibly keep up 
with.
They apparently haven't even tried, on the defense side - and I agree that 
we're probably out ahead because of this.  But they're certainly working hard 
on the offense side....


Yeah. And their vested interest, following that priority, is to make things better for the offense side. Which means dodgy software, dodgy security... for everyone including them. Go figure.

In sum, I'd say they are ahead in the pure math, but you'd be hard pressed to 
find an area where it mattered.
Maybe.  It's really impossible to say.  Two days ago, I would probably have 
agreed with you.  Now ... I'm not so sure.

E.g., as Peter & Adi and I are infamously on record for saying [0], the crypto 
isn't what is being attacked here.  It's the software engineering and the crappy 
security systems.
*But attacking these security systems is exactly what they appear to be experts 
at!*


Exactly. Forget the crypto, look at the security systems. They are experts at this and they pay huge numbers of people to be expert at this.

What's the guess -- how many cyber warriors are there in employment in USA today? 100,000 ?



iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography