Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Did NIST Cripple SHA-3?

timothy posted about 10 months ago | from the who-do-you-trust-and-why? dept.

Encryption 169

An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."

cancel ×

169 comments

Sorry! There are no comments related to the filter you selected.

Why do we even go to these orgs anymore... (4, Interesting)

Anonymous Coward | about 10 months ago | (#44978193)

I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place. The open source community should get together and hold they're own competition and forget anyone who's in anyway associated with any org starting with N*. Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?

-- stoops

Re:Why do we even go to these orgs anymore... (4, Interesting)

philip.paradis (2580427) | about 10 months ago | (#44978207)

I do most of my work in Perl, and I happen to heavily utilize Blowfish and Twofish. Perhaps you should think about what your application pipeline requirements actually need in terms of crypto and then look into the various modules that interoperate under the umbrella of Crypt::CBC [cpan.org] .

Try taking Blowfish to a manager. Hahahahahahaha! (0, Flamebait)

Anonymous Coward | about 10 months ago | (#44978389)

Try working on real software. I'm not talking about some shitty web app written in Perl. I'm talking about real software, used by corporations, academia and government. The kind of software that these organizations will pay top dollar to use.

Say you find the need to integrate encryption into such a system. You go to your manager and suggest Blowfish. Since he's an MBA with a finance background, and hasn't heard Blowfish mentioned in any webcasts he's watched, he say, "What the fuck is a blowfish?"

You'll try to explain it to him. You'll start talking about Bruce Schneier and the NSA and he'll say, "Fuck, son, you've been listening to too much Hootie and the Blowfish."

Then he'll tell you to the get the hell out of his office with your "hippy" ideas. He can't bring them to his boss, who can't bring them to his boss. He needs standards recognized by official bodies. He doesn't need your "open source crap".

In the real word, what you're proposing just doesn't fly, son.

Re:Try taking Blowfish to a manager. Hahahahahahah (0)

Anonymous Coward | about 10 months ago | (#44978561)

You're cute when you're wrong.

Re:Try taking Blowfish to a manager. Hahahahahahah (0)

Anonymous Coward | about 10 months ago | (#44978611)

That's not the real world you're talking about. That's just deluded kiddie troll dreams.

Re:Try taking Blowfish to a manager. Hahahahahahah (1)

Anonymous Coward | about 10 months ago | (#44978951)

It unfortunately is a very real world that the GP describes, and the one where the most money is to be made when writing software. Somebody like yourself, who has only ever used PHP or Ruby on Rails to make web sites for independent hair salons and wedding photographers, just wouldn't understand how it works. Standards are king, and anyone who doesn't use standards has no chance. It isn't about whether or not Blowfish has technological merit, but instead it's a lot more about politics.

Re:Try taking Blowfish to a manager. Hahahahahahah (2)

VortexCortex (1117377) | about 10 months ago | (#44979473)

What do you think Crypt:CBC is implemented in? Perl? Hahaha. No. It's C you idiot.

Re:Try taking Blowfish to a manager. Hahahahahahah (0)

Anonymous Coward | about 10 months ago | (#44979547)

No, Crypt::CBC is implemented in Perl. The crypto algorithms you'd typically use with it (not that CBC mode is necessarily the best choice) are generally implemented in Perl.

Re:Why do we even go to these orgs anymore... (1)

TeknoHog (164938) | about 10 months ago | (#44978233)

I say we just trust Schneier unconditionally, because he's the good guy.

ALL HAIL CRYPTOTOAD!

Re:Why do we even go to these orgs anymore... (5, Insightful)

smitty_one_each (243267) | about 10 months ago | (#44978241)

Schneier, ever time I read him, seems to be making sense. No need to deify the chap, though.

Re:Why do we even go to these orgs anymore... (4, Insightful)

MikeBabcock (65886) | about 10 months ago | (#44978537)

And he, like everyone else who's reasonable, believes in standards processes to test and check each others' algorithms and pick the best ones. The problem is making sure these standards systems are open and above board.

Re:Why do we even go to these orgs anymore... (2)

LeDopore (898286) | about 10 months ago | (#44979723)

Very prudent. By the way, it's a slim possibility that he's the NSA's Emmanuel Goldstein (https://en.wikipedia.org/wiki/Emmanuel_Goldstein). Not necessarily likely, but the point should be that rather than trusting a person it's better to trust the process of critical examination of all aspects of the crypto. That's not a task any one individual (even the most honest, most intelligent human alive) can do by themselves. In short, we need a large organization of dedicated folks operating transparently, who understand that they may make mistakes (or deliberate, covert sabotage) yet set up their organization in such a way that these mistakes don't result in security breaches. One person can't do that alone.

Re:Why do we even go to these orgs anymore... (1)

Chrisq (894406) | about 10 months ago | (#44978309)

I say we just trust Schneier unconditionally, because he's the good guy.

ALL HAIL CRYPTOTOAD!

I'm sure that if people did that en masse he would be immune to any threats or rewards offered by NIST

Re:Why do we even go to these orgs anymore... (1)

MickLinux (579158) | about 10 months ago | (#44978285)

I think we can get a volunteer to do almost that. But they are insisting on calling the suito of routines the âoeNew Scheneier Algorithms" for some reason.

Seriously, one of the major problems to be surmounted is not just availability, but getting it accepted as a standard. The NSA is going to have Microsoft distributing their brand of protection: Microsoft is organized in the US, and will. Use the oS national standard.

But there are other countries out there. China, while a big producer of goods, is going to want back doors to everything. For all Russia's stance, I am also going to believe that the NSA is doing Putin's bidding before I'll believe that russia wants encryption without back doors.

So that leads to an interesting question: how are you going to get your suite standardized when the big players are corrupt and want back doors?

Re:Why do we even go to these orgs anymore... (2)

bytesex (112972) | about 10 months ago | (#44978341)

IP was standardized, right? I mean, you don't have to have clearance, or be a government rep, to visit the IETF? Well, maybe IP is a bad example as such, but nowadays, there are many networking protocols that come out of the public domain. Why couldn't it be the same for cryptography?

Re:Why do we even go to these orgs anymore... (1)

zippthorne (748122) | about 10 months ago | (#44978439)

But it doesn't have to be a NIST standard. It could be an ISO or ANSI standard (encryption may be used at least as much for communication as for storage, so that might make sense), for instance. ISO probably makes more sense anyway, as NIST is a purely US standards organization.

Then we can be in the weird position where only the NSA uses the NSA-weakened algorithms...

Re:Why do we even go to these orgs anymore... (1)

Nerdfest (867930) | about 10 months ago | (#44979479)

ISO can be bought, as shown so well by Microsoft. They've lost any trust they ever had.

Re:Why do we even go to these orgs anymore... (4, Informative)

pla (258480) | about 10 months ago | (#44978307)

I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place.

Two reasons.
1) Because having a standard means that everyone using SHA-3 will get the same result, instead of every implementation coming out with a different answer of totally unknown integrity. With a standard, I can verify the integrity of program-X's hashing simply by comparing it to a small sample of know plantexts and hash values.
2) Because most software houses dream of someday getting a government contract - Maybe military, but don't forget about the 14% of Americans that in some way work for the government. Any software they use needs to adhere to the standards issued by the government, or no dice.

And really, simple as that.

Re:Why do we even go to these orgs anymore... (2)

drinkypoo (153816) | about 10 months ago | (#44978363)

I'm against placing one person in charge of anything important but I'd trust a Schneier standard a hell of a lot more than a government standard. If I could believe he hadn't been leaned upon by the government. Can we responsibly believe that?

Re:Why do we even go to these orgs anymore... (2)

pla (258480) | about 10 months ago | (#44978425)

If I could believe he hadn't been leaned upon by the government. Can we responsibly believe that?

Unfortunately, I would have to say conclusively "no". We've already seen quite a few big names on our side tacitly admit that the NSA has pushed on them - Phil Zimmerman, PJ of Groklaw, even Linux Torvalds.

Currently, I'd say we've reached the point where we can't trust any software in the wild. At an absolute minimum, if we didn't personally compile something, it goes in the "likely compromised" pile. And even if we have do have the source code, can we trust that our own compiler hasn't already fallen to a Ken Thompson-style attack, some 50 revisions back?

Re:Why do we even go to these orgs anymore... (1)

CRCulver (715279) | about 10 months ago | (#44979803)

We've already seen quite a few big names on our side tacitly admit that the NSA has pushed on them - Phil Zimmerman, PJ of Groklaw, even Linux Torvalds.

Where has PJ of Groklaw said that the NSA has pushed on him? The Groklaw farewell message underscored the fact that, based on Lavabit's experience, NSA pressure on Groklaw could happen in future, undermining the anonymity that sources need to communicate with the site. Nowhere did I get the message that such pressure had already happened in the past.

Re:Why do we even go to these orgs anymore... (0)

Anonymous Coward | about 10 months ago | (#44980121)

Unfortunately, it would be illegal to make that kind of indication, and it's possible that they needed this environment to avoid legal action if they shut it down rather than comply. I'd guess you're probably right, but we don't know.

Re:Why do we even go to these orgs anymore... (1)

zippthorne (748122) | about 10 months ago | (#44978465)

Why do we have to go with Schneier? Why not have a standardized version of all the final candidate algorithms?

Re:Why do we even go to these orgs anymore... (1)

wisnoskij (1206448) | about 10 months ago | (#44979951)

With a standard you can have confidence that everyone's implementation of SHA-3 has been compromised and crippled by the NSA.

Re:Why do we even go to these orgs anymore... (5, Informative)

ledow (319597) | about 10 months ago | (#44978337)

In case you haven't noticed, the NSA are spies. They do nothing but infiltrate groups of interest all day long.

Such a group of OS programmers would be the perfect target. And why do we trust Schneier more than anyone else such that his involvement means something is acceptable? I love the guy, but no, that's not how trust works for mass-public security systems. If the NSA/GCHQ spies are working at anywhere near the levels they were back in their heyday of WW2, then Bruce would be my prime candidate for "beyond suspicion" and thus my first inclination that - somewhere, somehow - he could be a shill for them. I'm not seriously saying he is or isn't, but the point of security is that NOBODY should hold any special power over anyone else, certainly not the ability to single-handedly "approve" a worldwide security standard.

No, what we do is carry on as normal. Put all the algorithms to public testing. As attacks are found, knock out the vulnerable ones like a game of Guess Who, and only ever use whatever is still standing. You can't defend against attacks that you do not know about and if such agencies really ARE as worried as we think they might be about the world moving to encryption they can't break, then my first thought would be "what are they moving us towards, without trying to look like they are doing so?" - and there you run into Blowfish/Twofish and similar algorithms that they've had the opportunity to analyse for years now. It would be the perfect coup - make people think you are attacking them, then "be involved" with the only alternative of elliptic-curves and thus make everyone think that's your preference and hence subtly move them onto something else of your choice without even MENTIONING it or being involved with it.

Don't try to out-think a bunch of geniuses working with military-level funding and a real interest in keeping you on something broken. Just follow procedure - stay on what you've got until there's actual evidence it's broken. Don't jump ship to new and interesting and relatively untested things for no reason other than you feel uncomfortable.

Re:Why do we even go to these orgs anymore... (0)

Anonymous Coward | about 10 months ago | (#44978523)

And use one time pad!

Re:Why do we even go to these orgs anymore... (3, Interesting)

Alef (605149) | about 10 months ago | (#44979033)

It would be an insanely unlikely coup. Think about what you are suggesting: First they get the entire world to use AES, to the point where leading CPU manufacturers have even included special instructions in the hardware specifically for encoding and decoding AES. They do this only so that an alternative algorithm (Twofish) would get less scrutiny by independent researchers for a number of years. They then orchestrate an elaborate leak indicating that they have attacks against some unnamed publicly used crypto algorithm. Meanwhile, or even before that, they have recruited an established and well known writer and cryptographist, and have him attack them openly in the public debate, only to give an apparent credibility to the algorithms he has designed. The intent of this is to get everyone in the industry to suddenly switch all cryptography to his somewhat less scrutinised algorithm (probably after reading about it on Slashdot), despite the fact that the author, who they had recruited to attack them, still claims that the math behind AES is solid, and despite the fact that replacing AES would now require replacing hardware and software that permeates our entire society at enormous costs.

If there is ever a time for the tinfoil hat metaphor...

Re:Why do we even go to these orgs anymore... (0)

ledow (319597) | about 10 months ago | (#44979319)

Implement AES.

As it becomes weakened and the end is in sight, run a competition for alternatives.

In that competition, find Bruce's algorithms. Analyse the hell out of them because everyone seems to like them. Do not endorse them for your own use, because you've found a weakness.

At the point stories break about how you are listening to the world's communication, and people back off from EVERYTHING you have touched and might be able to use, go through your list of unpublished weaknesses. The biggest, let's say, being in Bruce's algorithms. Nobody else has spotted it. Nobody wants to touch anything that you've touched. Keep schtum. Let the world migrate to an algorithm you can crack. Put up some token resistance but try not to "endorse" it too much so that people think it's safe from you.

It needs no conspiracy theory. All it needs is an unpublished hole in a new algorithm that was submitted to them for testing, and for someone like the NSA to have found it (which is, basically, their job and what they are 10+ years ahead of academia in, like GCHQ inventing PKE long before RSA even thought of it), and nature and the media to then take their course (this doesn't need "planning", don't forget - it's bad that it happened, but why not use it now that it has).

Let everyone run around like headless chickens throwing themselves at anything "non-NSA" while you sit on the fatal flaw in it you found years ago and didn't approve it for internal use for exactly that reason. Now everyone THINKS they are safe, and yet the NSA are better off than ever before just by keeping quiet and doing their job.

Re:Why do we even go to these orgs anymore... (3, Interesting)

Alef (605149) | about 10 months ago | (#44979993)

If they found a weakness in Twofish, and wanted the world to migrate to a crypto algorithm that they have an attack against, then wouldn't it just have been easier to select Twofish instead of Rijndael for the AES specification in the first place? They were both finalists.

Look, it certainly seems like the NSA has tried to meddle with crypto standards in order to have an attack vector, and I can agree that a certain amount of paranoia is in order, but the theories you propose are so convoluted that, of all things the NSA might have cooked up, that has to go far down on the list. What is even to say people switch to Twofish if they switch, and not one of the other AES finalists? Or use both Twofish and Rijndael simultaneously for that matter?

Besides, the weakest part of most crypto systems (disregarding implementation and usage for a moment), is probably the key exchange/management algorithms. And from what I have understood, that is where the indications of standards manipulations have been.

I'm not suggesting that people should necessarily switch from AES to Twofish, or that Twofish is more secure. I don't even think Bruce is saying that. But I find the idea that the NSA would somehow be behind some kind of covert manipulation scheme to get people to switch to Twofish simply extremely unlikely. If nothing else, for the simple reason that I don't see it happening anyway. Could the NSA be sitting quietly on a weakness? Sure. But in that case I would be more worried about EC, and to an extent RSA. That is, if we limit ourselves to the theoretical component, and disregard the obvious target: implementations.

Re:Why do we even go to these orgs anymore... (0)

Anonymous Coward | about 10 months ago | (#44979799)

Problem is, NSA like CIA aren't supposed to be operating on US soil, or spoiling encryption here. I say we push for candidates who will arrest the bastards--bureaucrats or not and following congressional legislation or not--for subversion of the Constitutional government of the US and for violation of the rights of the people. Spread this.

Re:Why do we even go to these orgs anymore... (1)

Anonymous Coward | about 10 months ago | (#44978347)

I prefer Rijndael over Bruce's algorithms any day. That we dont trust the NSA, doesn't mean not to trust the (non-US) cryptographers behind Rijndael/Paccek. Use the original published algorithms, and not the NIST crippled versions.

Government contracts (2)

brunes69 (86786) | about 10 months ago | (#44978405)

Because if your software does not comply with FIPS or whatever other standard of the day is in effect, the government can not purchase it. When hundreds of millions (sometimes billions) of dollars in revenue are on the line, people will make a lot of concessions.

Re:Government contracts (3, Insightful)

Volguus Zildrohar (1618657) | about 10 months ago | (#44978541)

Pfft. A single checkbox is all that's needed:

"Reduce effectiveness to comply with US Government standards."

Re:Why do we even go to these orgs anymore... (2)

vadim_t (324782) | about 10 months ago | (#44978409)

Because the US government has requirements about what it accepts.

You can't just implement whatever algorithm you like, then sell a router with that to the government. It must comply with whatever standard the government decided to adopt. And given that the government buys a lot of things, it wouldn't make economical sense to make equipment you could never sell to them.

This snowballs, and effectively sets a global standard for encryption. Sure, in your home you can do whatever you like, but the important thing is the security of the internet as a whole, and all of that is made of hardware and software that wants to be able to be used by the US government, and as such must support whatever standard it decides to adopt.

Re:Why do we even go to these orgs anymore... (2)

Luke_22 (1296823) | about 10 months ago | (#44978411)

Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?

Working on it for my master thesis ;)
Just a "Schneier Suite" would be limiting, though. We need more than just the basic algorithms, and not only from Schneier.

Anyway, I'm developing a new transport/encryption/authentication/federated protocol, which combines ideas from SSL, Kerberos and a lot more, plus some new...
I already have written all the specification, I'm starting to code it now.

Keep your ears open for the "Fenrir" project, I'll probably release something in 3-4 months... Although the stable release will probably wait until I finish my master, around July-October '14... 'sorry for the wait, but I have other things to study, too :(

And yeah, all opensource, a mix of apache2 for the main library and GPL for the auth daemon...

Lk

Re:Why do we even go to these orgs anymore... (0)

game kid (805301) | about 10 months ago | (#44978441)

We're happy to hear about your upcoming protocol. We hope to have...influential...conversations with you as soon as possible.

--NSA

Re:Why do we even go to these orgs anymore... (1)

Luke_22 (1296823) | about 10 months ago | (#44978509)

Good luck with that, it's not like I'm in the U.S.A., and once the project goes public, I doubt you can really influence it without people noticing. :)

Also, as with everything working with encryption, you need a way to distribute keys, a "trust model". And the trust model will not be too different from todays X.509 certificates, so the NSA might still be able to compromise the trust of this protocol (assuming that the NSA has compromised the trust model in X.509 certificate handling).

Still, with my new protocol you should be able to know if someone is compromising the basic trust model, so some protection might be applied...

Cheers,
Lk

Re:Why do we even go to these orgs anymore... (1)

bigfoottoo (2947459) | about 10 months ago | (#44978845)

It appears that the most difficult part of cryptography is key management. One thing that might help is to distribute public keys on social media. As much as I dislike Facebook, they do have "Notes" where you can post text. I tested this, and it looks like the notes will hold at least several hundred bytes of text. I did not try copy and paste editing, but I assume that these would work. The posted key would need to be in hex so that the user could copy and paste it into an application which converts the hex string into raw bytes. I'm sure there are some weaknesses in this, but it seems to me that it would be more trustworthy than depending upon a CA.

Re:Why do we even go to these orgs anymore... (4, Insightful)

JesseMcDonald (536341) | about 10 months ago | (#44980005)

It appears that the most difficult part of cryptography is key management.

You could say that key management is the only really difficult problem in cryptography. If it weren't for the key management problem we'd all be using one-time pads, which are both trivial to implement and provably unbreakable, even by brute force. Unfortunately, to use them each pair of individuals must first securely exchange keys at least as large as all the messages they'll ever want to send.

Symmetric crypto algorithms exist to cut down on the amount of key material which must be exchanged by reusing the key, while asymmetric crypto addresses the N^2 problem by allowing many-to-one communication with a single public/private key pair. Both accept the risk of cryptoanalysis in exchange for more convenient key management.

Re:Why do we even go to these orgs anymore... (0)

Anonymous Coward | about 10 months ago | (#44978433)

Why do we even go to these standards approvers in the first place.

Because unless NIST signs off on it, the US government (and many allies) will not use/purchase a product without the approved algorithms. And they tend to spend a lot of money, so it's a market that many people want a piece of.

There's also the fact that many "compliance" auditors simply look to NIST to see what security checkbox needs to be crossed off, and if a security incident happens you can tell the lawyers that you used the the same math that the people protecting SECRET and TOP SECRET documents used. If you use something else, you have to jump through hoops to justify it instead of simply saying "government approved", and "military grade".

If you develop software you can certainly have other algorithms besides the NIST-approved ones, but if you don't have them, you're going to find a lot of folks aren't going to bother with your work.

Re:Why do we even go to these orgs anymore... (1)

Shavano (2541114) | about 10 months ago | (#44978453)

Because if the NSA points out a cryptographic weakness, it's there.

Re:Why do we even go to these orgs anymore... (1)

dgatwood (11270) | about 10 months ago | (#44979021)

Because if the NSA points out a cryptographic weakness, they put it there.

FTFY.

Re:Why do we even go to these orgs anymore... (1)

memnock (466995) | about 10 months ago | (#44978629)

Probably because with a name like National Institute of Standards and Technology, it sounds like a neutral organization. Some kind of innocuous academic committee or such. Not to mention, when it was first named, there was probably a benevolent view of such government agencies.

Now though, people who seem to be paying attention are distrustful of the government's "national security" policies. And with good reason, considering what the NSA has been doing since (and probably before) 9/11.

Now anything that mentions "NSA" to people who desire liberty sets off alarms and just like the NSA making their (unconstitutional) webs of association of U.S. citizens via (unconstitutional) surveillance, the associations we tie between other orgs and the NSA tell us not to trust previously trusted agencies.

Re: Why do we even go to these orgs anymore... (0)

Anonymous Coward | about 10 months ago | (#44979115)

Mostly off topic, it does seem like you know nothing about sha or even hash.

Turnips. (0)

Anonymous Coward | about 10 months ago | (#44978205)

durr.

Seems to be a recurring theme (1)

mrspoonsi (2955715) | about 10 months ago | (#44978211)

NIST fooled us once (Dual_EC_DRBG), but to fool us twice, that would be a shame on 'us'. (us = everyone who is not NIST and NSA)

Kick them to the touch I say, time for a replacement.

Your reply (2)

smitty_one_each (243267) | about 10 months ago | (#44978247)

Really needs to be read to the tune of The Who [youtube.com] for maximal irony.

In Soviet USA (1)

HansKloss (665474) | about 10 months ago | (#44978213)

Encryption algorithms are created by security forces. Most data in the U.S.A is manipulated to serve government propaganda of success. Just look at unemployment, inflation etc, methods of calculations to see how it changed in the last 20-30 years.

Re:In Soviet USA (1)

loufoque (1400831) | about 10 months ago | (#44978383)

Most of the needs for encryption actually come from the various departments of the government. A lot of software introduces encryption just to be able to be compliant to government regulations and sell on the federal market.

Pathetic. (0)

oo_00 (2595337) | about 10 months ago | (#44978239)

Pathetic.

Avoid eleptic curve algoritms (5, Interesting)

Anonymous Coward | about 10 months ago | (#44978261)

The way I see it, I think its wise to avoid all PKI standards using Elliptic curve cryptography algoritms. In contrast to the mathematical basis of prime based algorithms, these mathematics are relatively recent - and have been pushed by the NSA (who is known to be decenia ahead of publicly known mathematics).

There is no mathematical indication for me to believe that Eleptic curve cryptography is fundamentally broken. But why use 'new mathematics' when hundreds of years of public mathematic geniusses have been thinking about fast factoring of prime numbers?
I don't get that...

The most important argument used is that key length is more manageable. One could also interprete it as an indication that there might be security bit reduction attacks still unknown to us, but known by the NSA. Possibly. Possibly not.

But why take the risk?

Some more info about elliptic-curve-cryptography:

http://www.linuxjournal.com/content/elliptic-curve-cryptography

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44978313)

Wonder who else is modding around here? Parent got modded down nearly instantaneously after I added +1: AC's argument in favour of avoiding ECC algos seemed pretty well put even if you don't agree with it and it came with a citation.

It's almost as though someone with an interest in ECC becoming standardized got in there pretty quick

Tin foil hat time

Cheers
Jon

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44978325)

Something strange is going on. The GP is showing as "3, Insightful" for me right now, and this is only a minute or so after you've made your comment. Maybe your computer and/or browser has been infiltrated, and cracked to show incorrect Slashdot moderations?

Regards,
Tomasz

Re:Avoid eleptic curve algoritms (1)

Pinky's Brain (1158667) | about 10 months ago | (#44978397)

And it's already down again ... any way, I'm inclined to agree, lets stick to discrete logarithms and primes.

Re:Avoid eleptic curve algoritms (1)

Pinky's Brain (1158667) | about 10 months ago | (#44978419)

BTW, even if ECC can be secure, ECC as used in practice seems to suffer from the same problem as Dual_EC_DRBG, magic number coefficients chosen by the NSA ...

http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf [hyperelliptic.org]

Re:Avoid eleptic curve algoritms (3, Informative)

fatphil (181876) | about 10 months ago | (#44978429)

Discrete logarithms are spelt "division" in elliptic curves. They're just as mathematically pure and well studied as finite fields and prime product rings.

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44978625)

Maybe because someone writing "eleptic curve" and talking about "fast factoring of prime numbers" doesn't seem very informed, and the link he gave doesn't support his thesis. (The last paragraph of the linuxjournal article says "RSA still is probably "good enough" for most applications, but ECC is significantly more secure".)

Re:Avoid eleptic curve algoritms (2)

fatphil (181876) | about 10 months ago | (#44978443)

> http://www.linuxjournal.com/content/elliptic-curve-cryptography

"""
They do this by splitting the shared secret key used in traditional cryptography into two parts: a public key for identifying oneself and a secret key for proving an identity electronically.
"""
That's bordering on the "not even wrong" level of fucked-upness. Alas it falls on the side of being woefully incorrect. Possibly dangerounsly misleading too.

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44978495)

Zhang's work on TPC has already weakened RSA. It doesn't lead directly to a skeleton key, but it may as well as the brute force approach is now feasible.

Re:Avoid eleptic curve algoritms (2)

JoshuaZ (1134087) | about 10 months ago | (#44979175)

This is wrong. The density of twin primes has basically nothing to do with RSA or factoring. The vast majority of primes aren't twin primes, and the vast majority of primes don't have a prime near them (that is within o(log p)), and actual RSA keys avoid very close primes anyhow. That's before we get to the fact that work like Zhang's is basically non-constructive. There are possible serious issues with factoring, and some people like Henry Cohn have expressed skepticism about claims that factoring is genuinely hard http://research.microsoft.com/en-us/um/people/cohn/Thoughts/factoring.html [microsoft.com] , but none of this has anything to do with Yitang Zhang's work.

Re:Avoid eleptic curve algoritms (1)

fustakrakich (1673220) | about 10 months ago | (#44978893)

Avoid all publicly available crypto. The invention secrecy act and "born secret" ensures that they all have been compromised.

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44979607)

May be use US encryption inside Russian encryption etc? Don't trust a single country for the encrption standard.
So unless they exchange their backdoor, they would require a lot of work decrypt the traffic.

Re:Avoid eleptic curve algoritms (1)

fustakrakich (1673220) | about 10 months ago | (#44979833)

Nope, if you want your message to stay private and untraceable as to the recipient, use the Sunday classifieds, or write a letter to the editor.

Re:Avoid eleptic curve algoritms (0)

Anonymous Coward | about 10 months ago | (#44979129)

The way I see it, I think its wise to avoid all PKI standards using Elliptic curve cryptography algoritms. In contrast to the mathematical basis of prime based algorithms, these mathematics are relatively recent - and have been pushed by the NSA (who is known to be decenia ahead of publicly known mathematics).

No, elliptic curve cryptography is sound. The attack point was the pseudo random number generator algorithm used to set the initialization of the ECC.

Re:Avoid eleptic curve algoritms (1)

currently_awake (1248758) | about 10 months ago | (#44979199)

Factoring primes is easy if you have massive computer arrays or quantum computers. It's reasonable to assume the NSA has both.

Re:Avoid eleptic curve algoritms (1)

Anonymous Coward | about 10 months ago | (#44979357)

Factoring primes is easy, even without supercomputers. Let P be a prime. Its factors are P and 1. There.

Re:Avoid eleptic curve algoritms (1)

broken_chaos (1188549) | about 10 months ago | (#44979251)

We'll eventually need to move to ECC or something similar to deal with the rapidly-increasing key sizes required in more traditional asymmetric encryption, but as far as we know that need won't be for at least another decade or three.

Sinister (5, Informative)

pterry (100705) | about 10 months ago | (#44978291)

A crippled cipher can be used to read your private data. A crippled hash function can be used to substitute bad data for good.

Re:Sinister (2)

mSparks43 (757109) | about 10 months ago | (#44978861)

actually, it's about assword security. and the "pre image" problem.
more collisions mean it's easier to find a password that gives a stored hash
but it's not crippled, its just that a 512 key gives you n/2 security - 256bit security

afaics, anyway

either they crippled it or put a backdoor in (1)

FudRucker (866063) | about 10 months ago | (#44978301)

and gave a master key to the CIA/FBI/NSA and all the other three letter goons & spooks that are part of the US Govt, and now the blowback for such a breach of trust is nobody trusts the US Govt anymore, i am sure MS_Windows will take a big hit in sales because of this (since it is closed source) at least BSD & Linux can have its code audited and i bet other nations are scrambling to do just that for their systems that they want to keep secured,

i wonder how much data and info the US Govt spys steal to give to their fascist cronies on wallstreet (I bet it was a hell of a lot)

Brother in law works at NIST (2, Informative)

Anonymous Coward | about 10 months ago | (#44978331)

He has told me stories of NSA personnel coming by for meetings. He said he had no idea why they were there, so YYMV.

That said, NSA had indeed been on the NIST campus.

Re:Brother in law works at NIST (1)

sphealey (2855) | about 10 months ago | (#44978875)

NIST is required by law to consult with the NSA before publishing cryptographic standards. What "consult" means is unknown.

More conventionally, it stands to reason that NSA personnel would be participating in NIST projects on computer security, cryptography, and theoretically math, since they [NSA] have a lot of experts in those fields working for them.

sPh

Re:Brother in law works at NIST (1)

mclearn (86140) | about 10 months ago | (#44979169)

NIST and NSA have all sorts of partnerships (look at NIAP as an example). On the whole, however, they are distinct organizations with some overlapping function. NIST, for example validates cryptography implementations through the CMVP and the CAVP. Also of note is that the NSA has two arms: an offensive arm and a defensive arm. I'm somewhat annoyed with the /. crowd for not recognizing this and realizing that it is the offensive NSA arm which is potentially responsible for deliberate cryptographic weakening.

Ringing Endorsement or Reverse Psychology? (1)

Anonymous Coward | about 10 months ago | (#44978339)

If NIST see a need to weaken sha3 for (presumably) kleptographic purposes, should we not assume 512 bit keccak to be secure?

eat THEIR dog food? (5, Interesting)

v1 (525388) | about 10 months ago | (#44978353)

so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys) That sounds to me like the only way to make sure they're not suggesting or influencing us to use something they (or their opponents) could easily break?

Re:eat THEIR dog food? (1)

drinkypoo (153816) | about 10 months ago | (#44978381)

Indeed, that's been SOP among cypherphreaks for some time. Even coming down to using "military-strength" encryption keys and the like; if the government says 1024 bits is enough, use 4096. And so on.

Re:eat THEIR dog food? (2)

Shavano (2541114) | about 10 months ago | (#44978517)

Because who says they're using what they tell uncleared opponents they are using? Maybe the wrapper is what they say they're using and underneath there's a more secure method that they have never disclosed to the public.

Re:eat THEIR dog food? (0)

Anonymous Coward | about 10 months ago | (#44978581)

There are two suites of cryptographic functions in American use: the typical ones you hear about, like AES and the Diffie-Hellman key exchange, are in "Suite B," but there's also a "Suite A" that contains algorithms that are not public and likely will never be public.

Re:eat THEIR dog food? (2)

rriven (737681) | about 10 months ago | (#44978793)

The main workhorse to protect the SIPRNET [wikipedia.org] is the KG-175D [gdc4s.com] or Taclane Micro. The next problem you run into is getting one with the same software the military uses.

Re:eat THEIR dog food? (1)

houghi (78078) | about 10 months ago | (#44979005)

You could also use no security. Do you think that what the US military uses will be safe, or just safe enough?
I can imagine that the US military has absolutely no problem if the NSA is reading what they are doing. Perhaps they do not even care if Al Quaida is reading it. As long as it is not life and takes a week/month/year to decrypt.

Re:eat THEIR dog food? (1)

Kjella (173770) | about 10 months ago | (#44979131)

so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys)

Well if we're going for the spectacularly evil I'd pick an algorithm that has many subtly flawed weak keys and a small number of secure keys, then secretly implement additional key generation checks in military software. You both use the same cipher, but they can still read your data and you can't read theirs. Vendors can even supply software built on public cipher standards to be used with government-provided keys and be none the wiser. As long as the ones issuing the keys is in on the charade, it could be a masterpiece.

Uninformed nonsense (1, Flamebait)

trifish (826353) | about 10 months ago | (#44978421)

The guy calls himself cryptographer, but he doesn't know what he's talking about.

Hashes, and also any ideal random oracles, have only (n/2) security due to so called birthday paradox limit.

That's why SHA-512 has only 256-bit security. This is not weakening of the hash in any form. It is a property of any hash or RNG.

What the slides show is that they want to reduce clutter in reducing dozen options into two options. One high-security (256-bit security) and another fast, medium-security.

Re:Uninformed nonsense (3, Interesting)

Pinky's Brain (1158667) | about 10 months ago | (#44978479)

Why didn't they think of that before asking for "224, 256, 384, and 512 bits" in the first place?

They included included Dual_EC_DRBG into a standard despite it being slow and obviously backdoored, they have no credibility to make changes to encryption algorithms any more. They have to rebuild their credibility at this point, any changes they make have to be explained, any coefficients they pick have to be shown to be free from NSA meddling, any reduction in hash length from the contest requirements ... well, they just shouldn't even try to do that at this point.

They can try to rebuild their credibility or they can become irrelevant.

Re:Uninformed nonsense (0)

Anonymous Coward | about 10 months ago | (#44978579)

Once shown to be corrupted, their credibility is gone forever. The number 2 represents 'twice for emphasis'. Their first corruption was with Dual_EC_DRBG. Now their second revealed corruption is with the compromise of SHA-3. NIST should NEVER be trusted again.

Re:Uninformed nonsense (1)

dkf (304284) | about 10 months ago | (#44979961)

NIST should NEVER be trusted again.

You need to put your effort into encrypting things with triple ROT-13 encryption. The NSA have never put any effort at all into trying to break that!

Re:Uninformed nonsense (0)

Anonymous Coward | about 10 months ago | (#44978493)

SHA-512 has 511-bit security if we're talking about trying to get a hash collision...

Re:Uninformed nonsense (0)

Anonymous Coward | about 10 months ago | (#44979293)

SHA-512 has 511-bit security if we're talking about trying to get a hash collision...

Citation please. Since well designed hash will require exhaustive search to find a pre-image or a colliding image which for SHA-512 would be 512-bit security.

The expected average time to search through these 2^512 pre-images would be on the order of 2^511, but that is not the complexity, that factor is a constant factor (1/2) less than the complexity representing the expected average exhaustive search time.

If you wanted to be 10% or 90% sure someone didn't get the key during a time interval or some other search strategy changes the exhaustive search (e.g., the pre-image only consists of ascii digits), that number (1/2) would be a different number which is why it isn't generally burned into the "security" number of the cryptographic primitive.

Here's why... (3, Insightful)

Anonymous Coward | about 10 months ago | (#44978473)

When the SHA-3 competition was announced, the pretty much only working method of getting a hash function was using the Merkle-Damgård construction. Bit security limits where set under the assumption that the submitted proposals use MD, since nothing else was known. However, Keccak does not use it and gains better security guarantees. For this reason, NIST had an opportunity to weaken it a bit while still keeping the old security requirements and making the hash function much more efficient in the process.

FAILZORS (-1)

Anonymous Coward | about 10 months ago | (#44978655)

rival distribution, systems. The Gay AAl major surveys the BSD license, host what the house your spare time is dying.Th1ngs I don't want to polite to bring

Implement Keccak, ignore SHA-3 (2)

Reliable Windmill (2932227) | about 10 months ago | (#44978679)

Developers should implement Keccak, and NIST and NSA can have their SHA-3, whatever it becomes, all to themselves.

Re:Implement Keccak, ignore SHA-3 (0)

Anonymous Coward | about 10 months ago | (#44979405)

People should get a clue about crypto before opening their mouth. Keccak is simply a method of getting a hash function. What kind of a hash function we get is based on the parameters chosen. This whole SHA-3 debate is about how we choose the parameters. Frankly, the guy who posted on twitter seems to be a moron too and seems to have misunderstood the way the sponge setup works. The set of block sizes proposed were given, because NIST wants us to be able to use SHA-3 as a drop-in replacement for earlier hash functions. This is good, because it makes it very easy to upgrade software to use a better hash. Therefore, we need sets of parameters that make output sizes etc. match for each SHA-X out there right now.

The way Keccak works, many different sets of parameters provide the same level of security even though number of output bits differ. This has to do with the internal structure of sponge functions. The standard will also include choices of parameters that give a more optimal ratio between the output size, efficiency and security. One would expect new software to implement these.

NSA Helping? (1)

Anonymous Coward | about 10 months ago | (#44978789)

There are lots of allegations but no proof that NSA is actually weakening the primitives they are contributing to. NSA provided the s-boxes for DES and nobody knew why they chose the ones they did. Then Biham and Shamir published their work on differential cryptanalysis and it turned out those s-boxes were ideally resistant. That was when the NSA said "yep, we knew about differential cryptanalysis but we couldn't tell you that we chose those s-boxes to resist it until it was discovered by the open crypto world."

So, until I see some proof that NSA is now actually crippling crypto standards instead of strengthening them I'll remain skeptical.

OP mis-understanding, see slide 48 then 47 (0)

Anonymous Coward | about 10 months ago | (#44978797)

Reading the slides, sounds like they just eliminated some middle capacities that had equivalent strength. They did this by saying if you want 384 bits of output, just run the 512 bit version and truncate the result. This means that they made the 384 more secure, not less.

Slide 48 says SHA3 standard are the two 512 and 256 bits long capacity. On the previous slide the explain that a 512 bit hash has 256 bits of security. This is because all hashes have an upper limit on theire security strenth which is n/2 bits (where n is length of output) of security due the birthday attack. The other tweaks to the padding and other aspects do deserve skepticism, but the original posts is just confusing bits of security with bits of output. They did not reduce the security of the output sizes.

BS (1)

jgreen1024 (975555) | about 10 months ago | (#44978929)

Does the author actually know anything about cryptography? When the slides make reference to 128-bit and 256-bit, they are talking about *strength*, not number of bits. A 512-bit hash produces something with 256 bits of strength. In addition, let's keep in mind that the NSA has zero interest in making crypto weaker. Their interest (speaking of the SIGINT people, not the IAD people) would be in backdoors that allow them, and only them, to decrypt something while nobody else can. Nothing to see here, move along.

Re:BS (0)

Anonymous Coward | about 10 months ago | (#44979037)

Precisely...NIST is saying that out of 4 levels of security (224, 256, 384, 512), they are going to drop the 224 and 384 as they don't offer enough benefit for the added complexity. They are keeping the strongest option (512). The briefer was just stating that this is equivalent to 256 bits of security. Think the hash-equivalent of AES 256.

This is a misunderstanding of the slides (0)

Anonymous Coward | about 10 months ago | (#44979123)

This complaint is based on not understanding the slides. NIST changed size 224, 256, 384, and 512 to sizes 256 and 512. The 128/256 slides are about an internal component, so this entire misunderstanding is based on comparing different things.

See here, for example.

http://bristolcrypto.blogspot.com/2013/08/ches-invited-talk-future-of-sha-3.html

RTFA (NIST Strengthened SHA-3) (1)

Anonymous Coward | about 10 months ago | (#44979703)

The actual NIST Proposal strengthens SHA-3 relative to the authors' most performant proposal (http://eprint.iacr.org/2013/231.pdf section 6.1) by rounding *UP* the capacity of the sponge construction to 256 bits for both SHA3-224 and SHA3-256, and rounding *UP* to 512 bits for both SHA3-384 and SHA3-512 (matching the proposal in section 6.2). This thread is the result of a careless misreading, ignorance or both.

http://crypto.stackexchange.com/questions/10008/why-restricting-sha3-to-have-only-two-possible-capacities

Completely misunderstood and FUD to boot! (1)

Y2K is bogus (7647) | about 10 months ago | (#44979823)

The real truth in the slides is that the algorithms are expected to have a collision and pre-image resistance that is 1 half the digest size. In this case the 128 and 256 numbers mean that the collision resistance is 2^128 and 2^256.

Of course NOT, and please don't blame NIST! (5, Informative)

fuujuhi (2088482) | about 10 months ago | (#44980021)

NIST's proposal (presented at last CHES conference) is NOT reducing the internal strength of Keccak.

NIST proposes some standard values for a parameter called "capacity" in Keccak, and for which Keccak's authors always said that it can be freely chosen by the designers. A high capacity means a higher security, and a lower capacity means a better performance. NIST's current forecast for FIPS202 specifies 2 values for the capacity, namely 256 and 512, that would bring the SHA-3 standard to an equivalent security level as the AES (2^128 operations required to break c=256 and 2^256 operations required to break c=512). One may actually consider that these security levels are the same as the ones in the original submission, because these are the minimum security levels offered by *ALL* finalists (including Keccak). Indeed all candidates for SHA3-256 offers a collision resistance of 2^128 operations, and 2^256 operations for SHA3-512.

The discussion here is that actually choosing c=256 means that the cost to find pre-image is also reduced to 2^128 operation, instead of 2^256 as in say SHA2-256. There are ongoing discussions on the mailing list about the theoretical consequences of this choice, but what strikes me most is why people are so much focusing on the strongest security bound of a primitive (pre-image here) and are completely ignoring the weakest security bound (collision resistance). Of course one may always design an application that would be immune to collision resistance, but if one only looks at the primitive, saying that SHA2-256 offers a security of 2^256 because it has a pre-image resistance of that level is clearly fooling himself. In that sense, NIST proposal was to level the security bound of the primitive to its guaranteed minimum as for block ciphers, and allows a security bound of either 2^128 (c=256) or 2^256 (c=512). Those with an ounce of common sense will observe that 2^128 is completely astronomical, and absolutely out of reach of any thinkable devices in the future, even for the NSA! And if you don't care about performance (you probably don't design products then), and are absolutely paranoïd, there is then still the freedom to chose a capacity c=512, as allowed in current proposal, and probably waste computer cycles for no gain whatsoever.

I of course have no clue on the possible influence of the NSA, but for having attended to SHA-3 and similar conferences, I must say that NIST's work in SHA-3 is remarkable and *unprecedented* in the cryptographic community. NIST ran the most *OPEN* process ever for the evaluation and selection of the new SHA-3 standard. I think that the intention of NIST is to write a standard that will satisfy the majority of the community (hence their openness and presentation at CHES), and that will offer the most of potential of the winner candidate. Keccak is really a "new" object in the cryptographic community, that is quite different from previous proposals, and no wonder to me that its adoption triggers some questions. However the hidden suggestion that NIST would have a secret agenda is clearly participating to current tin-foil propaganda of some would-be security specialists that are trying to acquire attention, and brings zero to the current standardization process.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>