Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Can We Still Trust FIPS?

timothy posted about a year ago | from the just-slide-it-under-my-door dept.

Communications 138

First time accepted submitter someSnarkyBastard writes "It has already been widely reported that the NSA has subverted several major encryption standards but I have not seen any mention of how this affects the FIPS 140-2 standard. Can we still trust these cyphers? They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself right?...Right?"

Sorry! There are no comments related to the filter you selected.

surely the government wouldn't backdoor itself... (2, Interesting)

Skiron (735617) | about a year ago | (#44834171)

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

Re:surely the government wouldn't backdoor itself. (0)

Anonymous Coward | about a year ago | (#44834339)

This really isn't possible without Portal technology.

Re:surely the government wouldn't backdoor itself. (1)

FatdogHaiku (978357) | about a year ago | (#44836565)

Don't be so quick on the trigger, I think there was a xxx vid titled "Hermaphroditic Dreams" or something like that...

Re:surely the government wouldn't backdoor itself. (0)

Anonymous Coward | about a year ago | (#44834467)

nah in Government all the arseholes go in via the front door.

Re:surely the government wouldn't backdoor itself. (1)

Anonymous Coward | about a year ago | (#44834737)

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

Probably not. The NSA is not just concerned about wiretapping you and foreign governments. They are very concerned about foreign governments getting US government secrets. They would only consider back dooring the methods they use if they could be highly confident that it wouldn't help foreign governments crack their codes.

Re:surely the government wouldn't backdoor itself. (3, Interesting)

cheater512 (783349) | about a year ago | (#44836825)

Yeah but they wouldn't shoot themselves in the foot by giving out unbreakable encryption to the people they are trying to spy upon.

If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.

Re:surely the government wouldn't backdoor itself. (1)

Anonymous Coward | about a year ago | (#44834935)

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

You're right but not the way you are thinking. The NSA is the boss. It knows enough of elected officials to keep them in check. The NSA allows the three branches of government "run" the country as long as they keep funding the NSA and never interfere with its doings.

Well, ok, even the NSA has a boss. Just a few hours ago it was reported on Slashdot that the NSA offers everything it knows on a silver platter to Israel [slashdot.org] .

Sneakernet, bitches. (2)

Penguinisto (415985) | about a year ago | (#44835637)

Minus physical assault, it's getting to be the only way to transport anything securely.

Re:Sneakernet, bitches. (0)

Anonymous Coward | about a year ago | (#44836145)

as long as you're not going through u.s. customs, a u.s. airport, flying over or near the u.s. on a non-u.s. flight, traveling within 100 miles of a u.s. border, or visiting any federal building or property, sneakernet _should be_ ok.

Re:Sneakernet, bitches. (0)

Anonymous Coward | about a year ago | (#44836581)

just bring a motorhome, a stripper, a homeless kid and a neighbour

How can anyone trust (4, Interesting)

i kan reed (749298) | about a year ago | (#44834175)

How could anyone trust an encryption algorithm provided by an organization whose purpose is decryption and interception? That will always be the craziest part.

Re:How can anyone trust (5, Funny)

Entropius (188861) | about a year ago | (#44834245)

That's not their only purpose. The NSA is supposed to:

1) Make sure the bad guys don't snoop on Americans;
2) Snoop on the bad guys.

I use "bad guys" here with intentional irony, since nobody quite knows how to resolve the dichotomy that happens when the NSA's suspected of being bad guys.

Re:How can anyone trust (0)

SnarfQuest (469614) | about a year ago | (#44834301)

Your two items are inconsistent. These groups assume that Americans are the enemy.

Re:How can anyone trust (2)

Goaway (82658) | about a year ago | (#44834355)

Now, maybe. In the past, not.

Re:How can anyone trust (1)

Entropius (188861) | about a year ago | (#44834435)

That's the point. They're inconsistent now -- perhaps in 1980 they weren't.

Re:How can anyone trust (1)

Jeff Flanagan (2981883) | about a year ago | (#44834991)

re: your sig

I think you mean "Anthony," unless there are two Weiners in politics that like to show off their weiners.

Re:How can anyone trust (3, Insightful)

gl4ss (559668) | about a year ago | (#44834375)

you forgot 3) make sure that they can snoop on the "bad guys". ...where do you think export restrictions on cryptos came from?

do you know what's super silly? some companies selling crypto products internationally proudly tout around their NSA certification.. certification from the same organisation that has a role in making sure that they don't export too good products.

Re:How can anyone trust (1)

mtm_king (99722) | about a year ago | (#44835835)

I am stealing your sig. It is too good for just one person to have. And when I use it the world will only be 5 seconds old and I will have been the first to use it.

Logical Solution (1)

Anonymous Coward | about a year ago | (#44834673)

Exactly and so the logical way to achieve both of these at the same time is to tell everyone to use an encryption standard which only you have the back door to...since "you" are obviously a good guy.

Re:How can anyone trust (2, Interesting)

Anonymous Coward | about a year ago | (#44834861)

Too much enciphering could be a threat to world peace. 0,1% of population must work against 99,9% to ensure 100% survive.

That's why they did not have encrypted radio on the B52s raiding Vietnam. Nuclear weapons (and carriers) with the potential for a sneaky strike are dangerous, so they did not equip them with ciphers.

I would not be surprised to find out the Russian and the American SIGINT service are actually working closely with each other to clamp down on any attempt of modern-day LeMays to destroy humanity. For the 99,9% they put up a good show of antagonism, though. So that you can sleep healthily.

Re:How can anyone trust (3, Insightful)

Anonymous Coward | about a year ago | (#44834255)

That's sort of like asking why anybody would ask the Army for tips on self-defense, given that their role is blowing stuff up and killing people.

Well, the Army's role is also defense. The NSA has dual-roles, just like the Army.

The problem is, they've been turned on us. It's effectively like the Army going house-to-house searching for terrorists. All of a sudden that don't want to teach you self-defense practices, because it makes breaking down your door harder.

But you can imagine that, for a long time, people assumed the best of intentions about NSA, more-or-less.

Re:How can anyone trust (0)

Anonymous Coward | about a year ago | (#44835153)

Their moral corruption was evident when Saudi nationals and Saud-funded/indoctrinated persons hit the word trade center by plane. Did they bomb Mecca as retaliation ? No, they hanged Saddam Hussein and let the Saudis continue their nice activity of sponsoring extreme ideology and jihad in support of that.

What do we have to conclude ? The entire intelligence&security apparatus is oversized and they cultivate the Saudi threat to justify their own oversized budget, careers and existence. After Russia was dead as a military force, they faced massive budget cuts, ended careers and layoffs. So they did something to reverse this "scary" trend.

All the fun of capitalism.

Re:How can anyone trust (3, Interesting)

bill_mcgonigle (4333) | about a year ago | (#44834431)

If there are "good guys" at the NSA, they need to be moved to NIST instead. Nobody will ever trust the NSA to do good work again.

Re:How can anyone trust (3, Insightful)

Lank (19922) | about a year ago | (#44834539)

If by good you mean "for the common good" then yes, I'd agree. I would say they do great work with a terrible purpose.

Re:How can anyone trust (0)

Anonymous Coward | about a year ago | (#44834609)

It's simple, you can't. Well you can, you can trust the algorithm as the organization must be capable of making recommendations that aren't laughed off of the world stage. You can't expect the algorithm to protect you when it's placed in an insecure environment and subjected to a holistic attack. The algorithm is safe, the holistic insecurity of the enemy is assumed to be sufficiently secure that the NSA can get in and few others.

History cuts both ways on that (4, Informative)

Beryllium Sphere(tm) (193358) | about a year ago | (#44834995)

For example, they strengthened DES against differential cryptanalysis when they were the only ones who knew about the technique.

Re:How can anyone trust (0)

Anonymous Coward | about a year ago | (#44835101)

Trust is good, control is better. -- Joseph Stalin?

Right? RIGHT? (-1)

Anonymous Coward | about a year ago | (#44834177)

Yeah, right.

suite b (5, Informative)

Anonymous Coward | about a year ago | (#44834189)

http://www.nsa.gov/ia/programs/suiteb_cryptography/

  AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. Until the conclusion of the transition period defined in CNSSP-15, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.

NSA also defined another algorithm suite, Suite A, which contains both classified and unclassified algorithms. Suite A will be used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).

You missed the point... (0)

Anonymous Coward | about a year ago | (#44834311)

With them openly tampering with implementations of things basically using the Suite-B set (IP-Sec, being one of them...), can you even TRUST the stuff? They appear to be of the impression that they can hide stuff so that they can do easy intercepts without disclosing the vulnerabilities. With that mentatlity, are you *SURE* that there's not something deliberately placed in the mix for their benefit within Suite-B?

Re:You missed the point... (0)

Anonymous Coward | about a year ago | (#44834581)

no point missed, just some info on what algorithms we're talking about since the poster brought up Top-Secret like it was some sort of magic incantation

Re:You missed the point... (1)

letherial (1302031) | about a year ago | (#44835581)

can you really trust anyone? until the day i can get in someones head and verify beyond any doubt that they are trustworthy, i am going to stop surfing the web, eating local food, going anywhere public and most certainly not answering the door.

If you need me ill be in my buried bunker, dont bother knocking, ill shoot first and then figure out who you are.

The obvious portion of the answer (1)

stevewahl (311107) | about a year ago | (#44834205)

Given the chance, of course the government would backdoor itself. If the government isn't the origin of the idea that the left hand doesn't know what the right hand is doing, it is at least the poster child. The only real question would be whether they've yet succeeded.

The question is... (1)

brainnolo (688900) | about a year ago | (#44834209)

...what are the alternatives? Rolling your own crypto won't work well. Unfortunately answers to this question can only be speculation. I wouldn't be extremely paranoid, but still it depends what you are trying to protect.

Re:The question is... (1)

DavidClarkeHR (2769805) | about a year ago | (#44834237)

...what are the alternatives? Rolling your own crypto won't work well.

I suppose that depends on the type of information you're trying to protect - now you'll need to decide if it's worth even writing the information down!

Re:The question is... (0)

Anonymous Coward | about a year ago | (#44834483)

You can always ask other countries to have their NIST equivalents come out with crypto algorithms, or try to get a neutral international party for some standards. Of course, the question is, whom do I trust.

Maybe the answer is that multiple countries should have their own standards, and we should assume their version of the NSA has a backdoor. Then, go with the country's specs/standards that would damage the business the least.

Another answer might be combining specs and if two countries have different encryption algorithms, chaining them (although this can cause weaknesses due to "group"s.)

As of now, since FIPS/NIST is the only game in town, and the specs do an OK job at protecting data, I'd go with that. However, this can change if a well known (and well vetted) international body decided to put out their research.

Re:The question is... (1)

davydagger (2566757) | about a year ago | (#44834739)

twofish? MD6? WHIRPOL?

Re:The question is... (2, Interesting)

PolygamousRanchKid (1290638) | about a year ago | (#44835009)

I think we've reached peak encryption. No matter what you come up with, the NSA has more than enough resources to crack your encryption method. And if you're using one-time pads, they or their retinue will just crack one of the holders of the one-time pads. Crack, like the holder's skull, knuckles or testicles.

So we need to dump the idea that encryption can be used to transmit our secrets. And come up with entirely new ideas.

A radical thought? Hell, yeah. Do I myself have any ideas how to do this? Hell, no. And even if I did, I wouldn't dare to talk about it. The first person to publish an idea on this will be taken by the government on a ride with Hans Reiser.

But I think that we're stuck in a rut with encryption. We've been using it for so long, we can't even broaden our horizons to even consider other ways to get secret information from one place to another, without it getting snooped on. At the very least, the message should self destruct if someone tries to snoop on it. As to the rest . . . by my guest, and let your imagination run wild . . .

Re:The question is... (2)

Razgorov Prikazka (1699498) | about a year ago | (#44835027)

>>Rolling your own crypto won't work well.

What if Joan Daemen and Vincent Rijmen kept AES to themselves, wouldn't that work for them and still be considered "roll your own"?
Still, I think that FOSS works best for encryption; many eyes make for shallow backdoors... erhm what was the saying again?
It is one of the reasons I dont really trust bloated distros like ubuntu. Too much code to inspect. (but I might be wrong;-)

Re:The question is... (1)

um... Lucas (13147) | about a year ago | (#44835711)

A) for the rest of us that arent math geniuses, that gives us no help....

B) how many refinements were added during the peer review process?

Re:The question is... (0)

Anonymous Coward | about a year ago | (#44835085)

That's what Schneier tells you. I am telling you here that just a minor modification (5 rotor sets of three rotors instead of one set, each set odometer-cycled) of Enigma will make this an excellent algorithm for short messages with very good security. As long as you use it with your trusted friend only, they stand very little chance to break into this. That's a few lines of Java, actually.

Another option is to take DES and make the s-boxes part of your secret key. Share key by courier. Generate key by hashing mouse movements. Strong enough for all purposes.

Schneier is an ex-NSA employee and does not want to hurt them too much. Encouraging people to roll their own crypto would overwhelm their capabilities, as they would have to break not a few, but tens of thousands of ciphers. That's why he advises against it. Once NSA, always NSA

Re:The question is... (1)

um... Lucas (13147) | about a year ago | (#44835759)

how do you manage key exchange? waiit til you see your trusted friend in person?

i think schneiers main point still stands; its easy to create a crypto system that you cant defeat; much different story to create one that others cant....

Re:The question is... (1)

Anonymous Coward | about a year ago | (#44836167)

This is categorically stupid advice.

I am telling you here that just a minor modification (5 rotor sets of three rotors instead of one set, each set odometer-cycled) of Enigma will make this an excellent algorithm for short messages with very good security. As long as you use it with your trusted friend only, they stand very little chance to break into this. That's a few lines of Java, actually.

Enigma on Java?: Java mostly a broken mess. The most common Java (v6) has been obsoleted by Oracle (no more security patches), and the black hats have looked at the security patches made to v7 and constructed exploits that took advantage of the same security holes on V6... Not that V7 is a model of security either... Enigma? JUSTDONTXUSEXSPACESXANYWHEREX

Another option is to take DES and make the s-boxes part of your secret key. Share key by courier. Generate key by hashing mouse movements. Strong enough for all purposes.

DES-sbox keys: there are only 8 of them which describe a 4-bit output mapping function. Many of the possible sboxes are vunerable to linear and differential attacks. In fact there are apparently only 32 highly resistant s-boxes that can be effectively used by DES (meaning the key can be effectively extended only by approximably 5-bit of strength using this method). Even mucking with the order of the Sboxes can weaken DES. There was an interesting paper that showed that the DES algorithm in fact did NOT pick the most optimal order of Sboxes. Instead of S1-8, it should have been S(2,4,6,7,3,1,5,8). Even worse, random S-boxes generally can be cracked with only 2^29 plain-text cipher-text pairs.

Schneier is an ex-NSA employee...

Okay, not going there ;^) On the other hand, I wonder, whose advice to follow if I want to to enable the NSA to easily snoop on me, yours or his?

Re:The question is... (3, Interesting)

BitZtream (692029) | about a year ago | (#44835697)

As someone who writes cryptography software (I'm not a cryptologist, I just implement known algorithms, and verify they produce was I'm told they should produce), the solution for us is to provide software with multiple algorithms and let the user pick. Our core library supports DES, Blowfish, Twofish, and two separate implementations of AES, one of which is from outside the US. We also support a handful of lesser known algorithms, such as variants of the different Russian GOST standards.

Unless everyone is collaborating, some part of the software is secure. I don't think Russia, the USA, Germany ... and Bruce Schiener are all in cahoots with each other. Maybe one or two of them, but not all of them.

I don't know that, but thats my theory.

Slashvertisement: http://www.rtsz.com/products/cryptolock/ [rtsz.com]

Its years old now and I haven't updated in in at least 5, so its a bit out of date compared to current UIs and updated cryptography features and such, but functionally, it works. When used with properly long keys, you aren't going to crack its AES implementation, I'm confident of that.

Re:The question is... (1)

BitZtream (692029) | about a year ago | (#44835705)

Note: The software can't protect you from a broken OS.

Re:The question is... (0)

Anonymous Coward | about a year ago | (#44836369)

Its called OpenPGP:

http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Security_quality

end-point security (0)

Anonymous Coward | about a year ago | (#44834229)

AES is still safe---even with $1 billion worth of custom chips (think GPUs only much, much faster) the keyspace is still very large.
What is not safe is end-point security, which is the part where you write your password on a post-it note stuck to the back of your monitor,
or choose your password as "12345". They can brute force that. Heck, the guy living next door to you can brute force that with his
video card.

Re:end-point security (1)

Goaway (82658) | about a year ago | (#44834409)

Writing your password on a post-it note is much, much safer than most other things. At least that way you can pick a properly complicated password. If somebody is in your room and looking at the note, you have bigger problems anyway most of the time.

And as for end-point security, you should be worrying far more about whether your decryption software or OS is spying on you after you decrypt.

Re:end-point security (2)

sinij (911942) | about a year ago | (#44834593)

No matter how good your encryption it still can be easily decrypted with a rubber hose.

Trust (0)

Anonymous Coward | about a year ago | (#44834303)

I don't trust anything or anyone anymore. Needless to say I am much happier and feel much safer.

No. (3, Interesting)

Narcocide (102829) | about a year ago | (#44834353)

No, and you never actually should have trusted it. None of us did, we all stopped using it the moment the NSA advocated it, just like we stopped trusting every single crypto standard and favorite security tool they promoted, merely because they promoted it so suspiciously, long long before it was public knowledge the agency had gone rouge.

It still makes me chuckle when I hear people worryingly speculate whether SELinux has backdoors. SELinux doesn't have backdoors, SELinux IS A BACK DOOR!!! *Actually read the instructions* for configuration of this tool and you'll see what I mean. Its security-through-obscurity at its worst. At best you can increase the illusion of security to untrained staff members. Anyone who has read the manual though knows there's one command anyone can use to gain root access more easily than if SELinux had not enabled or installed.

Re:No. (0)

Anonymous Coward | about a year ago | (#44834439)

And that command is?

Re:No. (1)

SecurityTheatre (2427858) | about a year ago | (#44834537)

rm -rf

Re:No. (0)

Anonymous Coward | about a year ago | (#44834543)

fnord.

Re:No. (0)

Anonymous Coward | about a year ago | (#44834731)

It appears the body of your comment was cut off, perhaps by the NSA. Would you repeat it?

Re:No. (1)

Em Adespoton (792954) | about a year ago | (#44835173)

And that command is?

install :D

Really; if you need to ask, you shouldn't be installing SELinux in the first place. The NSA actually provides decent quality documentation that explains most of it. They didn't really hide anything here.

Re:No. (1)

EETech1 (1179269) | about a year ago | (#44836857)

su su suid-O

se linux secret root command (0)

Anonymous Coward | about a year ago | (#44834929)

sudo su
you still need a password though

Re:se linux secret root command (1)

Fred Foobar (756957) | about a year ago | (#44835107)

SELinux is not needed for sudo to work (sudo was created about 18 years before SELinux). And "sudo -i" is preferable to "sudo su", by the way.

Re:No. (0)

Anonymous Coward | about a year ago | (#44834973)

Rouge [wikipedia.org] vs Rogue [wikipedia.org]

Re:No. (1)

Anonymous Coward | about a year ago | (#44835099)

Anyone who has read the manual though knows there's one command anyone can use to gain root access more easily than if SELinux had not enabled or installed.

Dear Mr. Narcocide,

Dropping this without elaborating is not something a gentleman would do.

Sincerely,
The Internet

Re:No. (0)

Anonymous Coward | about a year ago | (#44835433)

Dropping this without elaborating is not something a gentleman would do.

He's an NSA plant. What do you expect?

Re:No. (1)

Em Adespoton (792954) | about a year ago | (#44835151)

No, and you never actually should have trusted it. None of us did, we all stopped using it the moment the NSA advocated it, just like we stopped trusting every single crypto standard and favorite security tool they promoted, merely because they promoted it so suspiciously, long long before it was public knowledge the agency had gone rouge.

Let me know when it goes chartreuse :D

Anyway; SELinux, if taken as a collection of recommendations, has some good stuff in it. I've used a lot of that for securing my BSD boxes. However, just implementing it as a "security package" without understanding what you're doing... well, completely apart from that one command, there are a bunch of other areas where incorrect implementation (which is what people would do by default) is enough to make the entire stack very insecure. But then, people do that just by running wordpress or some fancy php CRM tool; it doesn't take much.

No. (2, Informative)

Anonymous Coward | about a year ago | (#44834381)

Trust was assumed on the basis that the NSA would not unreasonably jeopardise its protection mission by furthering its interception mission. This trust was apparently misplaced: it has.

As you will actually see if you look at the documents, the NSA used the NIST analysis process under FIPS 140-2 certification to find ways to secretly attack and subvert the implementation of submitted cryptographic modules, including standalone modules, cards, hardware tokens, and software cryptographic modules, including both closed-source and open-source software. There are indications that suggestions relayed by NIST from the NSA to "strengthen" such modules may not always have been made in good faith in recent years. Subtle RSA padding mode attacks and random number generators were particular areas chosen to backdoor. Look out for them.

In particular, note that DSA and ECDSA require strong random numbers for every single signature - they are critically weak if the numbers are repeated, and weak if predictable. It may be worth exploring what subtle effects a weaker random number generator might have. The cynic may suggest that those signature schemes were chosen by NSA precisely because of their reliance on strong random numbers for every signature - not all signature schemes have this requirement (RSA does not, neither does Ed25519).

The NSA has definitely suggested weak and backdoored standards, such as MQV (formerly in Suite B) and Dual_EC_DRBG; its personnel, originally via Certicom, were responsible for suggesting the SECP/NIST elliptic curve groups. It is notable that the "verifiably random" curves in fact do NOT have verifiably random seeds - there are no nothing-up-my-sleeve numbers, it seems that the seeds were chosen after a search of some kind. We do not know the criteria of that search, and they may be weak to an obscure, little-known attack, or they may be strong to it. They strengthened DES, but their priorities seem to have shifted since then.

Other elliptic curves, such as Ed25519, have been produced by individuals in the public academic crypto sphere, and as such their origins have been subject to more scrutiny. Schneier suggests (as he always has) that elliptic-curve crypto is still too new to trust - particularly given that the NSA did much of the initial research and it now seems that their integrity cannot be trusted as far as you can throw them, that seems well-founded. RSA is still good for now, but perhaps we should move above 2048 bits soon, to 3072 or 4096.

For hash functions, the prudent may wish to choose Skein, one of the SHA-3 finalists, rather than the NSA/NIST-blessed Keccak. Its software performance is almost twice as fast and it seems more traditionally-designed. One wonders why the NSA chose Keccak. Perhaps their stated reason (that the sponge construction is the most unlike SHA-2) is truthful, perhaps it is a lie. We don't know.

For symmetric crypto, AES-128 is still good and no powerful attacks are known. Maybe the round count is a little lower than we'd like long-term. AES-256 doesn't buy us any more security, in truth, due to a meet-in-the-middle attack - it needs more rounds. TWOFISH-256 might do better, but it's hard to cast a crystal ball into the future...

140 is fine, if... (0)

Anonymous Coward | about a year ago | (#44834407)

oyu-ay eytpea ina igpay atinlay.

What else? (1)

Anonymous Coward | about a year ago | (#44834443)

There isn't really anything better out there. The "standard" cryptographic algorithms like AES, SHA-2 and RSA have received the most public scrutiny by far.
If you think the NSA can break those, you have to ask why they can't break whatever other, less tested primitive you are proposing we use instead.

You probably want to use longer key lengths than the minimum recommendation anyway, especially for public key cryptography - it's cheap.
Specifications with magic numbers are more suspect, but this has been known for a long time. You could use elliptic curves that weren't chosen by the NSA, like Curve25519 [cr.yp.to] .

Betteridge's Law of Headlines (0)

Anonymous Coward | about a year ago | (#44834489)

No

a much better question (2)

slashmydots (2189826) | about a year ago | (#44834535)

For the other 99% of us that aren't encryption specialists, a list of what software, services, and websites use which encryption method and whether or not it's known to be broken/back doored might be more helpful. I'm even a software programmer and I don't know what uses FIPS and what uses AES and what specifically uses the Dual_EC_DRBG algorithm.

Re:a much better question (1)

GoChickenFat (743372) | about a year ago | (#44834677)

Search for FIPS 140-2. It's a paid for government certification for an implementation of an encryption routine. You can implement AES in your software but it's not officially FIPS 140-2 certified until you submit and pay for the certification. So in other words, you will not find any open source encryption certified by the government as FIPS 140-2 since that would require a submission and payment. If you search you will find the official list of software that is certified as FIPS 140-2.

Re:a much better question (1)

nrjyzerbuny (141033) | about a year ago | (#44834893)

Or someone like RedHat could decide that they need certification (required for some FedGov projects), and pay to get something like OpenSSH certified. Red Hat Enterprise Linux 6.2 OpenSSH Server Cryptographic Module, when run in FIPS mode is certificate number 1792.

Re: a much better question (4, Informative)

chill (34294) | about a year ago | (#44835113)

Bzzzt! Wrong! OpenSSL jumped thru the hoops and has a FIPS 140-2 version.

Re: a much better question (1)

Jah-Wren Ryel (80510) | about a year ago | (#44835257)

That is correct. But it's, what, 8 years old now? FIPS certification is a PITA because any changes to the product require re-certification and it is a really long process.

Re: a much better question (1)

chill (34294) | about a year ago | (#44835315)

Uh, no. Cert 1747 was issued originally in June 2012 and renewed as recently as August 23, 2013. It is the latest and greatest.

Re: a much better question (1)

Jah-Wren Ryel (80510) | about a year ago | (#44835585)

Ok, so that's new. I was referring to the Jan 2006 certification which took 5 years. Looks like they certified a couple of versions in 2008 and then it took 4 more years for the 2012 cert. You'll note it is also a very specific part of OpenSSL, not the entire suite.

Re:a much better question (1)

AmiMoJo (196126) | about a year ago | (#44834829)

Pretty much all of it I'm afraid.

I think we have to even consider AES to be dead now. Twofish is probably the best bet to replace it. I'm not sure what we can use to replace Dual_EC_DRBG.

Re:a much better question (1)

nrjyzerbuny (141033) | about a year ago | (#44834933)

Here's the list of software that is FIPS certified. Be aware that most are libraries that are used in other products, which can sometimes make it hard to tell which particular certified bit is being used by end-user software.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm [nist.gov]

Re:a much better question (2)

wisnoskij (1206448) | about a year ago | (#44835521)

Here is the list of software, you CAN trust:

Yes, but... (4, Informative)

sinij (911942) | about a year ago | (#44834549)

FIPS is a financial and government-facing certification. FIPS guarantees correct implementation of cryptographic protocols according to a set of standards. It does not guarantee that there are no undiscovered (or backdoored) weaknesses in your implementation. This is still useful function to entities that require this certification. Corporate liability and loss due to getting hacked because of incorrect cryptographic implementation is orders of magnitude greater than liability and loss due to getting exposed NSA backdoors. It is all about risk management, and it says FIPS is still good idea.
 
  Now, if you want personal security this equation changes a bit - possibility of personal harm due to hypothetical NSA backdoors goes slightly up and your likelihood of getting targeted to get pwned goes drastically down. FIPS is still likely net benefit, but diminished.
 
  Keep in mind that there is no such thing as perfect security. You have to ask, how likely that this specific implementation was backdoored by NSA and what the worst possible outcome of such occurrence?

Re:Yes, but... (1)

Whorhay (1319089) | about a year ago | (#44834697)

I would wager that the actual encryption protocols, recommended in FIPS, are probably still good enough and not likely sabotaged by the NSA. FIPS is the standard that the military is using and it is highly unlikely that the NSA would tell the military to use something they knew was vulnerable. There are two good reasons for that; first the NSA knows that they are bound to have spies within their agency and so anything like a backdoor to the encyption standard which your entire military is using would certainly end up being known by your enemies. Secondly the NSA would have a trivially easy time getting access to whatever military data they need, wanting to secretly peak at it would be an epically bad compromise to accept for telling them to use a broken encryption protocol.

Re:Yes, but... (0)

Anonymous Coward | about a year ago | (#44834949)

You are naively assuming NSA wants wars to be waged efficiently. Read what they did to the American Admiral who used a strategy of "total radio silence" in a wargame. He was red force and used motorbike couriers, wires and watches instead of wireless command&control.

Said Admiral routed his opposition who were 100% reliant on SIGINT for their decision cycle. As there was no SIGINT, blue force was paralysed. Red mopped up blue.

Higher-ups ruled that red force Admiral was "cheating" and ordered everything to be "re-done with proper radio emissions".

Do we really think SIGINTers want war ? They prefer to control things and wars are the antithesis of control. Strong Crypto->Strong War Capability. Bad.

Re:Yes, but... (1)

iroll (717924) | about a year ago | (#44835969)

I would love to read about this, but you didn't post enough information for me to google it, and you posted as AC, so you're not likely to see this response. If you do, please point me in the right direction, because I'm very interested.

it was General Paul Van Riper (1)

enos (627034) | about a year ago | (#44836435)

A retired General, not Admiral, Paul Van Riper was in charge of the Red Team.

http://en.wikipedia.org/wiki/Millennium_Challenge_2002 [wikipedia.org]

While the military definitely has its head up its ass over this, I read somewhere, I don't remember where now, that the charges of cheating did have some merit. It would be things like that the motorbike couriers would arrive instantly and various other guerrilla tactics would always work and happen faster that was realistic, etc.

TS is not SCI (5, Interesting)

Anonymous Coward | about a year ago | (#44834571)

"Up to Top Secret" does not include Sensitive Compartmented Information (SCI). The ciphers under discussion, backdoored or not, are not suitable for use on SCI.

Re:TS is not SCI (2)

drdread66 (1063396) | about a year ago | (#44834769)

I have no points to mod this up, but would if I did. This is dead on target, at least as far as how the military views this sort of thing. But do remember that TS and SCI are somewhat orthogonal; you can have SECRET/SCI and TS/collateral in addition to the more common SECRET/collateral and TS/SCI.

Also note that typically NSA is comfortable with encryption as long as they know how much effort is required to break it. The only way NSA will believe a difficulty estimate is if they actually break it. They don't like schemes that they don't know how to break because that means that they don't know for sure that other people have not broken it.

That said, if NSA approves it for use in the US government, it means that they probably believe that they are the only people on the planet who can break it.

Re:TS is not SCI (0)

Anonymous Coward | about a year ago | (#44835013)

Maybe NSA has a secret agreement with their Russian opposite number to "have a handle on testosterone-laden air force colonels and marines" ?

Evidence points exactly into this direction. The agreement could be "no ciphers we cannot mutually read.". These people never need to meet physically. There are lots of wires and frequencies to be used for getting into very close and trusting contact. At some point, you can forget all the "good vs evil" bullshit and focus on "keeping the little planet safe for the two of us by controlling our respective ignorants".

Re:TS is not SCI (1)

Anonymous Coward | about a year ago | (#44834881)

http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

Suite B still applies to TS/SCI

FIPS is not for Top Secret (4, Interesting)

Anonymous Coward | about a year ago | (#44834721)

The FIPS 140-2 standard is for "protecting sensitive but unclassified information". It is not for top secret. Also the body of the FIPS 140-2 standard is algorithm agnostic. The part that mandates specific algorithms is Annex A and can be updated to add and remove algorithms without changing the standard.

In terms of how bad the situation actually is.... I refer to Bruce:
The math is good, but math has no agency. Code has agency, and the code has been subverted.

Re:FIPS is not for Top Secret (0)

Anonymous Coward | about a year ago | (#44835691)

Someone mod this -1 Wrong.

The gov is a bunch of fuckups (1)

Mister Liberty (769145) | about a year ago | (#44834891)

They backdoor themselves with increasing frequency (Manning, Snowden).
That's the good news.

The thing makes them awesome is their budgets and power. And weak
dicks that populate politics these days. They are hard to kick out. That's
the bad news.

Now get involved.
Have a nice day.

Re:The gov is a bunch of fuckups (0)

Anonymous Coward | about a year ago | (#44835283)

They backdoor themselves with increasing frequency (Manning, Snowden).

What you should be afraid of are all the Mannings and Snowdens who have their access to all your encrypted bank communications and don't have their morality. How many are enriching themselves quietly because they've decided not to blow the whistle on a good thing?

Strangely enough, it's still probably safer (1)

joeflies (529536) | about a year ago | (#44835083)

Based on what I understand of the FIPS process (which is little, admittedly), the whole exercise to put your crypto under the microscope results in eliminating a number of coding mistakes and implementation problems. So even if the algorithms themeselves are potentially weakened (we don't know ), a FIPS approved product that's had 3rd party scrutiny is probably still better off than one that wasn't, due to cleaning up implementation issues with the keys, random numbers and algorithms.

Of course they would (1)

J'raxis (248192) | about a year ago | (#44835087)

They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself right?...Right?

So the NSA most likely knows what kinds of backdoors they could insert that can't be exploited by other nation-states. So yes, they most certainly could backdoor it.

Along the same lines (1)

WOOFYGOOFY (1334993) | about a year ago | (#44835147)

It seems like the encryption of Tor - any version including the latest- cannot be trusted. Anyone know?

Would they backdoor themselves? (1)

Arancaytar (966377) | about a year ago | (#44835205)

As long as they were confident the backdoor remained unusable by anyone else, sure.

Better question? (1)

FuzzNugget (2840687) | about a year ago | (#44835215)

Can you trust anything from the NSA and any number of other three letter agencies?

ASCII probably contains a NSA backdoor as well. (5, Funny)

Anonymous Coward | about a year ago | (#44835305)

ASCII stands for "American Standard Code for Information Interchange". Since this is an American standard, then the whole encoding scheme probably contains a backdoor that allows the NSA to read all information encoded in it. We can't trust EBDIC either as IBM is a contractor for the NSA, they would insert a backdoor as well. I think for maximum online privacy we should be using Unicode which shouldn't contain an NSA backdoor because it is an international standard. The American government has no interest in following or creating international standards.

Unfortunately Slashdot does not support Unicode, so one should now safely assume that Slashdot is an NSA honeypot .

No Doubt (2)

jamander4 (2684679) | about a year ago | (#44835325)

I have no doubt that FIPS 140-2 is fully available to the NSA. The official story is probably so they can monitor or prevent espionage. Also the NSA has political interests in terms of knowing what it's opponents within the government are doing. If the NSA had adequte supervision this wouldn't be allowed but they don't have adequte supervision. So there you are.

A Simple Notion (1)

b4upoo (166390) | about a year ago | (#44835683)

One might build software that divides text into two files with every other bit going to the other file. Two sending units send the material to two addresses from two addresses. On the receiving end the tennis shoe method is used to deliver both halves to the third party who has the software to decode each half and recombine the bits into a coherent message. It might be next to impossible to break but if it is not next to impossible then divide the original into three files and send the bits and receive the bits just as with the two file plan. It should be impossible to break.

Re:A Simple Notion (1)

mikew03 (186778) | about a year ago | (#44836261)

Nice try NSA

FIPS isn't an Algorithm (2)

Archangel (21023) | about a year ago | (#44836785)

The question here doesn't make sense does it? FIPS is a certification not an algorithm. It's like asking if my soundsystem that was THX certified would still be any good if the we found out their CEO was a crook. AES-256, Serpent, Twofish, etc... are all algorithms but only a few got FIPS certification.

On top of that, from all the articles I read, the NSA isn't actually cracking these protocals, they're using passwords and certificates gleamed from other sources as seed for cracking.

Finally, if you wanted to make sure there was no back door, you could always download the source of an open source project like TrueCrypt and compile it yourself after doing a code review.

Just food for thought...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?