
Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations

timothy posted about 7 months ago | from the service-is-a-transitive-noun dept.

Communications 168

Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."


168 comments

What does this use? (-1, Flamebait)

BookScanner (3178527) | about 7 months ago | (#45001307)

It would be nice to hear from this crowd what they think of this platform: Blib: https://register.blib.us/ [register.blib.us]

Re:What does this use? (4, Interesting)

ron_ivi (607351) | about 7 months ago | (#45002767)

And instead of moving "away" - why not move to *both* AES and another cypher.

If they cascade the one the US recommends with the one China recommends with the one Russia recommends, it seems you're safe unless all three of those governments are conspiring against you. And if that's the case you probably have bigger problems.

Re:What does this use? (0)

Anonymous Coward | about 7 months ago | (#45002929)

It would be nice to hear from this crowd what they think of this platform: Blib: https://register.blib.us/ [register.blib.us]

Seems to use https to encrypt data. Allows self-hosting. Still in pre-alpha it seems.

I thought that AES *was* independently designed? (1)

K. S. Kyosuke (729550) | about 7 months ago | (#45001317)

Or is it the case that NIST has a branch in Belgium?

Re:I thought that AES *was* independently designed? (5, Informative)

Anonymous Coward | about 7 months ago | (#45001431)

The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security [wikipedia.org]

Re:I thought that AES *was* independently designed? (-1)

larry bagina (561269) | about 7 months ago | (#45002035)

Nice try, but the NSA is known to have undercover employees working at NIST. They're also known to post false information to wikipedia and slashdot, so you're busted.

Re:I thought that AES *was* independently designed? (4, Informative)

skids (119237) | about 7 months ago | (#45002737)

Take a look at the open process for fielding candidates for SHA-3, and tell me that all the people that bothered to submit candidates should be permanently suspect just because NIST asked for candidates and they offered them, and also offered critiques and analysis of competing designs. These are career mathematicians and cryptographers and suddenly everything they do is tainted by "guilt by association" in your mind? That's pretty pathetic.

What happened is as the PP described: good algorithms were chosen and then weakened by intentionally bad choices for parameters. When run with good parameters, those algorithms were as secure as the crypto community could develop at the time. They don't always choose the most secure algorithm of the batch because of performance considerations, but they set strength goals and meet them to the extent that they can be analyzed.

So far they have picked Keccak as SHA-3 and the authors have recommended certain parameters to achieve certain cryptographic strengths for drop-in replacement of SHA2 hashes. Given the media attention I imagine NIST will feel obliged to follow those recommendations, which leaves them with only one thing left to specify, that being the format of the padding (which the Keccak authors have also offered some reasonable options for.)

Re:I thought that AES *was* independently designed? (2)

Joce640k (829181) | about 7 months ago | (#45002409)

The AES/Rijndael algorithm was independently designed. The number of rounds to be used and the key size decisions to make standardized versions of the algorithm for US Government use were made by NIST with input from the NSA.

Not 100% true. The NIST only messed with the 192 and 256 bit versions. Guess what? They turned out to be weak (and everybody knows about it).

If you're truly paranoid you could use Triple-DES instead of AES but there's no good reason not to trust 128-bit AES, it's one of the most analyzed/studied algorithms ever.

Block ciphers like AES can also be used as hash functions. SHA-n isn't really needed except for efficiency reasons (block cyphers are slower).

Re:I thought that AES *was* independently designed? (4, Interesting)

Anonymous Coward | about 7 months ago | (#45002855)

I know for a fact that NIST/NSA had no influence on the number of rounds for AES, having implemented Rijndael myself on an 8-bit microcontroller before it became AES. I used a copy of Rijmen and Daemen's original specification to write my implementation, and later compared it against the published NIST specification that later came out in 2001 after it was approved as AES, and it was exactly the same, including the number of rounds to be used. My implementation from mid-1999 produced the correct results with the NIST test vectors that were published after its approval. The key sizes were part of the specification for the AES contest.

Re:I thought that AES *was* independently designed? (0)

ngc3242 (1039950) | about 7 months ago | (#45003391)

Don't be fooled by the government! You're discounting the possibility that the NSA used its time machine to travel into the past and implant into the minds of Joan Daemen and Vincent Rijmen a weakened version of their own algorithm!

Re:I thought that AES *was* independently designed? (0)

Anonymous Coward | about 7 months ago | (#45001535)

I thought you didn't follow the news, seems I was right.

Re:I thought that AES *was* independently designed? (0)

Anonymous Coward | about 7 months ago | (#45001827)

You're right. TFS sucks.
Also, Skein is not a cipher, but a hash function.

Re:I thought that AES *was* independently designed? (0)

Anonymous Coward | about 7 months ago | (#45003363)

There are more spies in Belgium than the rest of the known universe.

Compromised hardware (2)

ArchieBunker (132337) | about 7 months ago | (#45001337)

IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

Re:Compromised hardware (4, Funny)

Thanshin (1188877) | about 7 months ago | (#45001433)

IMHO at this point we have to assume the hardware is compromised at some level. Not necessarily a backdoor but the hardware random number generator might not be that random.

We also have to assume that the power sockets are compromised. All computers that are, or have been at any point, attached to any source of power not directly coming from the sun must be considered infected, and shot in the brain.

Re:Compromised hardware (0)

Anonymous Coward | about 7 months ago | (#45001473)

IMHO at this point we have to assume the hardware is compromised at some level.

We also have to assume that the power sockets are compromised.

Even the electromagnetic waves in the atmosphere are compromised. The only safe guard is a strong tinfoil hat.

Re:Compromised hardware (4, Funny)

TheCarp (96830) | about 7 months ago | (#45001793)

Looks like we have ourselves a plant! You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal? You aren't fooling slashdot that easily AC. Don't think we haven't been watching you, your comments have not gone unnoticed in this community Agent Coward

Re:Compromised hardware (4, Funny)

PopeRatzo (965947) | about 7 months ago | (#45001925)

Of course tinfoil hats are worthless. Everyone knows that the only thing you can put on your head to protect you from the NSA are the plastic bags you get from the dry cleaners.

Re:Compromised hardware (0)

Anonymous Coward | about 7 months ago | (#45002193)

You think we don't know that tinfoil hats actually help to strengthen the orbital mind control signal?

No, you've got it all wrong. Tinfoil is highly effective at blocking the government's mind control signals, as well as avoiding the Illuminati. The problem is that they only sell aluminum foil at the store these days, and all that stuff does is amplify the H.A.A.R.P. based military-industrial-complex signals.

Re:Compromised hardware (0)

Anonymous Coward | about 7 months ago | (#45002671)

Yea, yea. Go on ridiculing people despite all the reports lately that showed even the most outrageous assumptions weren't even close to the level of shit that's actually going on.

I trust the Chinese... (2, Insightful)

Anonymous Coward | about 7 months ago | (#45001453)

I trust the Chinese have already done that to every processor built for export. They'd be negligent if they haven't.

Re:Compromised hardware (0)

Anonymous Coward | about 7 months ago | (#45001527)

If it ever came to public knowledge that the NSA was also tampering with hardware crypto modules, it would really be a death blow to the current *everything*.

Seriously, even the reported MITM attacks are child's play compared to the implications of the aforementioned, as it would totally devastate any secure means of digital communication we've had for years.

Re:Compromised hardware (1)

Cid Highwind (9258) | about 7 months ago | (#45003219)

When, in the course of the NSA revelations, have you gotten the impression that "if X became public knowledge... it would be the death blow to the current Y" was ever a consideration in whether or not they did X?

Re:Compromised hardware (1)

Hypotensive (2836435) | about 7 months ago | (#45001851)

It's probably not that important, as Linus already pointed out [theregister.co.uk] .

Re:Compromised hardware (0)

Anonymous Coward | about 7 months ago | (#45002765)

Linus has proved to be a government shill many times in the past (remember the whole SELinux thing?).

I don't trust him any further than I can throw him. I am now so distrustful of him and of Linux that I have directed my company to spend up to $50M in the next year doing an extensive internal code review of the Linux kernel looking for obfuscated functionality (and we have already found two instances of "easter-egg" like items - one of which puts "No no no!" in the kernel log if you hold down SysRq and the correct keys), intentional security vulnerabilities, and other possible back-door attack vectors.

Evolution in action (1)

Anonymous Coward | about 7 months ago | (#45001343)

This is actually good. Crypto should be flexible enough to switch to different algorithms.
AES is just an option, and I'd say it's a fine one, but it's cool to give some extra algos some breathing room.

Re:Evolution in action (0)

Anonymous Coward | about 7 months ago | (#45002773)

I've always liked the idea of using cascades (multiple algorithms). Not because it gives you more key length, but because if AES was broken, Twofish would still provide adequate security.

Of course, there is the performance penalty of multiple algorithms, and a lot of hardware barely can handle 128 bit AES with a dedicated ASIC, much less the self-revising algorithm of Twofish. However, maybe in the future, hardware should be designed to not just handle the NIST variations of AES, but to be able to handle the generic Rijndael algorithm.

9/11 was an inside job (-1)

Anonymous Coward | about 7 months ago | (#45001457)

NIST has in many instances blocked independent investigations into 9/11, as well as lied about its own findings and devised unscientific explanations for the controlled demolitions of WTC 7 and the Twin Towers.
AE911truth [ae911truth.org]

Re:9/11 was an inside job (3, Insightful)

tgd (2822) | about 7 months ago | (#45001537)

NIST has in many instances blocked independent investigations into 9/11, as well as lied about its own findings and devised unscientific explanations for the controlled demolitions of WTC 7 and the Twin Towers.
AE911truth [ae911truth.org]

You know, this is probably the first time in the history of 9/11 whackjob posts on Slashdot that the reply is actually relevant to the story. Because they have nearly identical basis in reality.

Re:9/11 was an inside job (2)

TheCarp (96830) | about 7 months ago | (#45001861)

Even a broken conspiracy is right twice an epoch.

Re:9/11 was an inside job (0)

Anonymous Coward | about 7 months ago | (#45003005)

what about Zuckerbooger`s secret pact with the akamai founder? would they both be considered "co-conspiritors", "co-defendants", or was Zuckerbooger juST THE BOOGEYMAN STOOGE!

"gosh darn it, Marx was left behind, without the bill of lading, and without Franx Xinatra`s laundered binliner!" El-idiot Spitzer-Ness

Marketing (3, Interesting)

sociocapitalist (2471722) | about 7 months ago | (#45001477)

While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

I think the best bet of keeping your info private (from the NSA) is going to be to avoid attracting attention to start with.

Re:Marketing (3, Interesting)

Phrogman (80473) | about 7 months ago | (#45001543)

Well perhaps the point isn't that any new algorithms are uncrackable so much as they present a more considerable obstacle to being deciphered. If the current NIST-approved cyphers have been deliberately weakened by the NSA, it's so that it's easier and, more importantly, faster for them to decipher the text - with their available computing power and budget they can probably do a lot of these on the fly.

If you increase the difficulty of that task, and if its implementation is more widely spread, then they may have to prioritize what they attempt to decipher because it isn't a weakened algorithm. Therefore there might be some added security in that even if they *can* crack your ciphertext, it's not worth bothering to do so unless some other factor marks you as a person of interest. Not much, but better than nothing, and we will likely never know the NSA's true capabilities anyway.

Re:Marketing (2)

Joce640k (829181) | about 7 months ago | (#45002577)

Well perhaps the point isn't that any new algorithms are uncrackable

There's every reason to believe that they are. The NSA uses AES for its own encryption systems.

If there's a weakness it's in the implementations (are your numbers really random?) and/or compromised PCs that they're running on.

Re:Marketing (1)

flyingfsck (986395) | about 7 months ago | (#45003193)

Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

Re:Marketing (1)

Joce640k (829181) | about 7 months ago | (#45003613)

Hmm, I suspect that the NSA isn't nearly as good as people are fearing, but how can we prove it?

We can't.

There was a time when the NSA was way ahead of civilians, e.g. in the 1970s when they tweaked DES without telling anybody why - turns out they knew about differential cryptanalysis.

Since then the gap has closed. These days there's no reason to suppose they're much ahead of civilians (except in budget, getting people to sign pain-of-death NDAs, installing "government approved" black boxes in telephone exchanges, driving around in black SUVs ... etc).

Re:Marketing (1)

Anonymous Coward | about 7 months ago | (#45001553)

That's why everyone should move their data to the Crypt, whether they think they have anything to hide or not, and switch to Pontiffex encryption, too.

Re:Marketing (3, Interesting)

cryptizard (2629853) | about 7 months ago | (#45001583)

I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45002055)

I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

These days, it's hard to crank up the paranoia high enough. They seem to surpass it every day.

I think that they're quite capable of capturing and locking up specialized talent. The only reason I sleep at night is because said talent will ultimately be controlled by the rest of them. Who, as you said, can be pretty incompetent.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45003679)

These days, it's hard to crank up the paranoia high enough. They seem to surpass it every day.

Nobody said it would be easy!

But set a trap. Stuff a big file full of random numbers. Real random numbers, from sampling white noise. Then encrypt it, and re-encrypt it with all sorts of algorithms. Then just let it sit there.

Sooner or later, the NSA or whatever spy agency will find it. And spend enormous amounts on decrypting using the various known algorithms. They will search and search, but forever fail. There will be no secret content to find, because there is none.

Re:Marketing (5, Informative)

Kjella (173770) | about 7 months ago | (#45002297)

Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public? For example you can take GOST, developed by the Soviet Union as a Top Secret algorithm in the 70s, then later declassified and eventually made public in 1994. It has a theoretical attack strength of 2^256 that researchers have gotten down to 2^101, but if you have a 1 GHz computer testing 1 key/cycle for 1 year that's still only 2^55. A million such computers running a million years is 2^95. I think you can be quite certain the NSA didn't cooperate with the Soviet Union in the 70s, so the only way it could be cracked is if the NSA did it through cryptanalysis. The rest of the world hardly seems able to crack a single cipher, yet the NSA would have the magic to crack everything in a reasonable time? In the land of unicorns...

Same with RSA and public crypto, it's not from the Soviet Union but it's from the 70s and 35 years of public research has come up with nothing to break it. Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy? I don't buy it, I'm quite sure there are things such as secure crypto no matter how much money and manpower you throw at it simply because they are as much chasing ghosts as we are, they may be looking for a solution that doesn't exist. Of course they're absolutely not going to tell you about that, but I find it far more likely they're now exploiting flaws and compromising systems rather than with pure math.

Re:Marketing (1)

cryptizard (2629853) | about 7 months ago | (#45002401)

Good point. The only symmetric cipher I know of that was completely "broken" is DES, but that is because the key length was chosen to be too short. Even at the time it was released people said it was too short.

Re:Marketing (1)

mlts (1038732) | about 7 months ago | (#45003041)

Skipjack was pretty thoroughly weakened once it was declassified. DES is still useful in TDES mode, but that is pretty expensive computation-wise compared to a newer algorithm like Twofish.

Of course, there are blocksize issues with the older cyphers...

Re:Marketing (1)

flyingfsck (986395) | about 7 months ago | (#45003269)

If the NSA can decrypt everything, then why do they bother to store all encrypted text for 5 years? They would just decrypt, analyze and toss it away same as the plain text.

Re:Marketing (2, Informative)

Anonymous Coward | about 7 months ago | (#45002489)

Really, do we think that the NSA is sitting on a completely new math in which every hard problem is now easy?

Yes, it's unlikely, but it's not entirely unprecedented: https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

'It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art. ... but the rest of us are catching up quickly ... Maybe now we're just a couple of years behind.'

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45003045)

It seems potentially reasonable that the NSA could be sitting on a quantum computer or two, which would not require "new math" in order to break a lot of existing crypto systems.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45003341)

Another good argument is how many symmetric crypto algorithms have been broken at all, at least known to the public?

Quite a few [wikipedia.org]. RC4? A5/1 and A5/2? Several of the AES candidates have known flaws, like LOKI97 and MAGENTA.

And reducing a cipher from 2^256 to 2^101 operations is totally broken. It just happens that 2^256 is a comfortable security margin. An attack of that magnitude would devastate 128-bit security.
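Kjella's brute-force arithmetic above (a 1 GHz machine at one key per cycle for a year is about 2^55 trials, a million such machines for a million years about 2^95) and this reply's point about what a 2^101 attack means for 128-bit keys, as an added worked calculation that is not part of any poster's comment. The clock rate, machine count and one-key-per-cycle rate are the post's assumptions; the 2^101 GOST figure is the post's number.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def log2_keys_per_year(clock_hz: float, machines: float, keys_per_cycle: float = 1.0) -> float:
    """log2 of the number of trials a brute-force search runs in one year.

    Assumes every machine tests keys_per_cycle keys per clock cycle (the
    post's generous 1 key/cycle) and runs flat out for the whole year.
    """
    return math.log2(clock_hz * keys_per_cycle * machines * SECONDS_PER_YEAR)


def log2_keys_in_budget(clock_hz: float, machines: float, years: float) -> float:
    """log2 of the trials available from `machines` machines over `years` years."""
    return log2_keys_per_year(clock_hz, machines) + math.log2(years)


def log2_years_needed(attack_log2: float, clock_hz: float, machines: float) -> float:
    """log2 of the years needed to finish an attack costing 2**attack_log2 trials."""
    return attack_log2 - log2_keys_per_year(clock_hz, machines)


def margin_bits(attack_log2: float, clock_hz: float, machines: float, years: float) -> float:
    """Bits of work left after spending the given budget.

    Positive: the budget falls short by a factor of 2**margin.
    Zero or negative: the attack completes within the budget.
    """
    return attack_log2 - log2_keys_in_budget(clock_hz, machines, years)


def feasible(attack_log2: float, clock_hz: float, machines: float, years: float) -> bool:
    """True if 2**attack_log2 trials fit inside the compute budget."""
    return margin_bits(attack_log2, clock_hz, machines, years) <= 0


if __name__ == "__main__":
    ghz = 1e9
    # The post's two reference points.
    print(f"one 1 GHz machine, one year:            2^{log2_keys_per_year(ghz, 1):.1f}")
    print(f"a million machines, a million years:    2^{log2_keys_in_budget(ghz, 1e6, 1e6):.1f}")
    # GOST with the 2^101 attack the post cites, on a million 1 GHz machines:
    # still about 2^26 years, i.e. tens of millions of years.
    print(f"2^101 attack, million machines: 2^{log2_years_needed(101, ghz, 1e6):.1f} years")
    print(f"  feasible in a million years? {feasible(101, ghz, 1e6, 1e6)}")
    # The reply's point: the same 2^101 cost against a 128-bit cipher would be a
    # 2^27 speedup over brute force, so "2^101" is only comfortable because the
    # cipher started at 2^256.
    print(f"128-bit brute force, million machines: 2^{log2_years_needed(128, ghz, 1e6):.1f} years")
    print(f"  speedup a 2^101 attack would give on 128-bit keys: 2^{128 - 101}")
```

The margin functions generalise the post's two data points to any clock rate, machine count and time budget, so the same code checks how much a cryptanalytic improvement actually changes the picture.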

Faster, Scalable Factoring (1)

SpaceLifeForm (228190) | about 7 months ago | (#45003447)

Factoring large semiprimes has a scalable solution. For example, if you have a large semiprime that is expected to take a billion years to factor, you can throw a billion cores at the problem and factor it in one year. I am *not* referring to GNFS.

With a billion cores of custom silicon, you can speed it up even more.

Re:Faster, Scalable Factoring (0)

Anonymous Coward | about 7 months ago | (#45003637)

Factoring primes (semi or otherwise) does not have anything to do with breaking a symmetrical cipher like AES, which is what this article is about, lah~.

Re:Marketing (1)

Tom (822) | about 7 months ago | (#45002421)

They don't have that many smart people working there, in comparison with ALL of the rest of the world.

Actually, the NSA has for decades been by far the largest employer of mathematicians, world-wide.

They do have tons of smart people working for them, and contrary to the rest of the world, those don't work on optimizing Zynga games or production lines or any of the other million other areas; they all work on crypto, surveillance, etc.

In a crypto contest between the NSA and the rest of the world combined, I'd bet on the NSA. Mostly because the rest of the world would break apart in a flame war and use 20 different languages.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45003835)

I'd bet on Russians. They may not have a lot of money but they have top notch mathematicians.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45002729)

"It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science..."

If you don't understand that pretty much everyone is decades ahead of academia in pretty much every area of computer science, you aren't getting that pony for your birthday, little lady!

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45001939)

Some questions:

Did you read your comment before posting it?
Do you realize how ignorant you sound?
Exactly how do you avoid attracting attention?
Are you aware of the criteria the NSA uses to connect dots?

Go back to sleep, you're fucking boring.

Re:Marketing (1)

Joce640k (829181) | about 7 months ago | (#45002523)

While I think that NIST related crypto algorithms are probably well compromised by the NSA

AES is one of the most independently studied/analyzed algorithms ever.

I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

Triple-DES?

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45002755)

While I think that NIST related crypto algorithms are probably well compromised by the NSA

AES is one of the most independently studied/analyzed algorithms ever.

It should also be noted that AES can be used for SECRET and even TOP SECRET information. If the NSA is dog fooding the algorithm for their own stuff, then it should be safe for your own.

The key though is to use the entire approved stack. At this point in time (2013), that does not include SHA-1 or RSA:

https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

Re:Marketing (1)

mlts (1038732) | about 7 months ago | (#45002977)

The funny thing is that can backfire. This was something talked about on the Cypherpunks list when it was on toad.com. One discussion recommended people use a service such as an offshore data haven (when they came about) for everything. The result would be that there would be so much chaff that any spying organization [1] would be spending a lot of time trying to crack stuff just to find that they just wasted a bunch of CPU time on a TrueCrypt volume of someone's MP3 stash.

There are plainer reasons for stashing items in an "offshore data haven". Protection against geographic events, so if something the size of Hurricane Tip slams against part of the US, critical data is still retrievable.

Of course, there is one big issue with offshore data havens... how are they recompensed for the data they store, and what keeps them from deciding to hold data for ransom. If they find that they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

[1]: NSA, ISI, FSS, PLA, etc. The US was outed, but there are numerous other players.

Re:Marketing (0)

Anonymous Coward | about 7 months ago | (#45003515)

they have an encrypted data blob from a company whose offices are completely demolished, they can demand a price for access and a company would either pay up or close up.

So you put it in two separate havens, at least one of which is in a stable jurisdiction. Then the shyster doesn't have a hold on you (plus you have better resilience).

I doubt it's much of a risk to be honest - for the data haven, it's the kind of stunt you can only pull once and then when the publicity hits you find yourself with no customers left and an expensive offshore facility driving you bankrupt.

Re:Marketing (1)

tlhIngan (30335) | about 7 months ago | (#45003485)

While I think that NIST related crypto algorithms are probably well compromised by the NSA I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

Same thing for 'offshore data havens'. If it's visible it gives the NSA a target of interest and the fact that it's offshore isn't even going to slow them down when they attack it. People moving to such havens might find themselves being looked at all the more closely than someone keeping their data in less interesting places.

Not to mention if it's offshore, then you're spied on unless the NSA determines you're American, in which case they are supposed to discontinue spying on you. (You can argue that they spy on everyone including Americans, but if that's the case, why go offshore? Your data's no safer.)

An interesting side effect though - anyone with even the most basic knowledge of cryptography knows that unless you're a mathematician, you never design your own algorithm because they are for the most part going to be way weaker.

One could argue that with this move away from industry standard and studied algorithms, you're helping the NSA by giving them an easier time to break the encryption.

Cool but not enough (-1)

Anonymous Coward | about 7 months ago | (#45001501)

What about the PRNG??? If they don't replace the PRNG all their work is futile and the NSA will continue to be able to read whatever they want...

Amazing decision based on gut rather than brain (0)

Anonymous Coward | about 7 months ago | (#45001515)

So Jon Callas, in his blog post [wordpress.com], goes on about the stupidity of the meta-ramblings about DUAL_EC_DRBG, which nobody except the NSA is using, the theoretical weakness of elliptic curve crypto... and therefore replaces AES, which doesn't have anything to do with DUAL_EC_DRBG or elliptic curve crypto?

Oh, yeah, they are replacing the proven AES (as Schneier would say, trust the math) and SHA-2 with Skein and maybe Threefish. Thank god he wrote "Full disclosure: I'm a co-author of Skein and Threefish", because now it's clear why they are doing this. Seriously, these Silent Circle guys know how to make PR stunts, like having ex-Navy SEALs [wordpress.com] possibly compressing the bits individually for you with macho muscle (facepalm).

Re:Amazing decision based on gut rather than brain (1)

LordLimecat (1103839) | about 7 months ago | (#45002313)

Skein is / was a NIST candidate for SHA-3 and made it through a number of rounds. It isn't a replacement for AES though, as it does hashing, not encryption.

Marketing! (4, Insightful)

tgd (2822) | about 7 months ago | (#45001517)

Or stupidity. One of the two.

Why use algorithms that are standardized on by the federal government and have been looked at exhaustively by experts around the world when you can use an untested crypto system? After all I'm sure the NSA wants to ensure that bad guys have access to everything the government is encrypting by first weakening the encryption standard, then standardizing the US government on the use of them.

Re:Marketing! (4, Interesting)

cryptizard (2629853) | about 7 months ago | (#45001611)

Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.

Not encrypted enough (0)

Anonymous Coward | about 7 months ago | (#45002665)

And some of those documents *shouldn't* be readable by the NSA, yet they are because the NSA messed with the cryptography.

Ignore the leaks at your peril, NIST algo's *are* compromised, we know that already. It may be that NSA thinks it is the only one that can decrypt them, e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key. BUT, if that key is broken then everything based on it is also broken.

So they ARE apparently arrogant enough to do something stupid, (well apart from denying mass surveillance even as you're building your 5th big data center).

Re:Not encrypted enough (1)

tgd (2822) | about 7 months ago | (#45002759)

e.g. substituting a random number generator for the pseudo random output of an encryption to which they know the private key.

If I hadn't already posted in this discussion, that'd be getting a Funny mod point.

No reason to distrust Rijndael (5, Insightful)

dido (9125) | about 7 months ago | (#45001519)

I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard. And in the thirteen years since it was thus chosen it has been scrutinised more thoroughly than any algorithm by the best cryptographers in the world, and well, none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that. The risk would be too great that their method of breaking the cipher would have been obtained by espionage or independently discovered by some other intelligence agency's cryptanalysts. The NSA may be evil, but no one has ever accused them of stupidity.

Given that the best cryptanalysts of the world have had thirteen years to look at it and it remains solid, I'd trust it better than the other AES candidates which have had much less scrutiny, or worse yet, a newly designed cipher that no one who knows anything has bothered to even try analysing.

The other thing is that AES is incredibly efficient even on 8-bit microcontrollers. Around the time the AES contest was ongoing, I implemented Serpent, Twofish, and Rijndael on an 8051-series microcontroller, and Rijndael was consistently the best performing cipher, so I used it in the project, and wasn't surprised to learn that it eventually got selected.

Re:No reason to distrust Rijndael (1)

drinkypoo (153816) | about 7 months ago | (#45001621)

I highly doubt that Vincent Rijmen and Joan Daemen themselves were influenced by the NSA in any way in the design of Rijndael, unless you believe that they influenced all the AES entrants, including Ronald Rivest (RC6) and Bruce Schneier (Twofish). I think the only influence the NSA might have had was in perhaps influencing the NIST selection process that chose Rijndael as the Advanced Encryption Standard.

I doubt it too, but the facts combine to suggest that we should be suspicious anyway. NSA has compromised ciphers. NSA chose this cipher. Therefore, it is best to be suspicious of this cipher.

Re:No reason to distrust Rijndael (2)

larry bagina (561269) | about 7 months ago | (#45002137)

Brer rabbit much? The NSA knows Rijndael is unbreakable... so they had Snowden "leak" some files. Make people think the NSA is more dangerous than it is. People worry about Rijndael and switch to something weaker.

TRUST NO ONE.

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45002623)

But remember the NSA has to use AES themselves, at least when communicating with other branches of the US government. Do you think they would have knowingly approved a broken cipher for their own use? You underestimate the paranoia and intelligence of the NSA then.

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45001629)

Agreed. AES (Rijndael) is not compromised. Although if you want the more secure of all AES candidates, you should use Serpent, which is likely to have more resistance against attacks than Rijndael BUT at non-trivial performance costs (i.e. it is a lot more computer-intensive/slower than Rijndael).

The issue really is on the RNGs, and also on the NIST-provided elliptic curves, and none of these have any bearing on AES or SHA-2 (or SHA-3 for that matter).

Re:No reason to distrust Rijndael (3, Interesting)

cryptizard (2629853) | about 7 months ago | (#45001663)

On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.

Re:No reason to distrust Rijndael (3, Insightful)

dido (9125) | about 7 months ago | (#45002507)

Good points. But then again remember that the NSA, having approved the cipher for use with classified documents, now has to use it themselves if they want to exchange top secret classified information with the rest of the US government! I think it's much more likely that they did apply even more of their vaunted cryptanalytic prowess to it when NIST gave their approval in 2000, and when by 2003 they found no significant weaknesses, they approved it for use with classified information. If they had found a significant weakness in AES and approved it anyway for such use, how arrogant and stupid would that make them? Their own supposedly secure communications with the rest of the government would be compromised as a result! As I said you can accuse the NSA of being many things, but I don't think stupidity is one of them.

Snowden himself said it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The real trouble is there are too many systems out there that use otherwise sound cryptographic primitives in insecure ways, either by incompetence or by design. The NSA has been known to pressure manufacturers of security equipment to do the latter, and naturally they will only certify equipment that hasn't been thus back-doored for government use.

And no, I don't think breaking AES would be career suicide for an academic cryptanalyst. Fermat's Last Theorem would also have been considered career suicide for centuries for the same reasons you cite, but now Andrew Wiles is one of the most famous mathematicians in the world. True, it's a hard problem, but if you manage to publish a workable break of AES you would become the most famous cryptographer in the world.

Re:No reason to distrust Rijndael (3, Interesting)

mlts (1038732) | about 7 months ago | (#45003237)

You hit the nail on the head. Crypto algorithms are secure enough that the points of attack won't be the bulk encryption. Instead, it will be how keys are negotiated, weakened PRNGs (who would know that a PRNG only is using 8 random bits out of 256 for nonces unless someone looks at every salt produced and only sees 256 different numbers), compromised CAs, or other weaknesses.

Breaking AES would be like winning a lottery for someone who reads sci.crypt. It would give a next generation of algorithms which would be more secure, such as how AES is resistant to differential cryptanalysis.
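The weakened-PRNG scenario in the comment above (a generator that feeds only 8 random bits into a 256-bit nonce, so a large sample of salts shows at most 256 distinct values) is something a defender can check for by instrumenting the output. The following is an added example, not code from the comment or from Silent Circle; the two generators at the bottom are constructed stand-ins for a bad and a healthy nonce source, and the 50% threshold is an assumption chosen for this illustration.

```python
import math
import os
from collections import Counter


def estimate_nonce_entropy(nonces):
    """Return (distinct_count, shannon_bits, width_bits) for a batch of
    equal-length byte-string nonces. shannon_bits is the empirical entropy of
    the observed distribution, width_bits the nominal nonce width."""
    if not nonces:
        raise ValueError("need at least one nonce")
    width_bits = 8 * len(nonces[0])
    counts = Counter(nonces)
    n = len(nonces)
    shannon = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return len(counts), shannon, width_bits


def nonce_generator_looks_weak(nonces, min_distinct_fraction=0.5):
    """Flag a generator whose outputs collapse onto far fewer values than the
    sample permits. For n samples of a w-bit nonce with n << 2**w, a healthy
    source yields about n distinct values; heavy repetition is a red flag.
    The threshold fraction is an assumption for this example."""
    distinct, _, width_bits = estimate_nonce_entropy(nonces)
    expected_distinct = min(len(nonces), 2 ** width_bits)
    return distinct < min_distinct_fraction * expected_distinct


# Constructed sample sources (not any real PRNG or product):
def weak_nonce(width=32):
    # Only one random byte, zero-padded: at most 256 distinct outputs.
    return os.urandom(1) + bytes(width - 1)


def good_nonce(width=32):
    return os.urandom(width)


if __name__ == "__main__":
    bad = [weak_nonce() for _ in range(5000)]
    ok = [good_nonce() for _ in range(5000)]
    print("weak source flagged:", nonce_generator_looks_weak(bad))
    print("good source flagged:", nonce_generator_looks_weak(ok))
```

Running this over a few thousand salts or nonces captured from a system under test is cheap; the empirical entropy of the weak source stays at or below 8 bits regardless of sample size, which is exactly the signal the comment describes.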

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45003085)

It does have a flaw. It is susceptible to timing attacks.

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45001797)

... none of the open researchers anyway have found an attack on the cipher capable of breaking it significantly. The NSA might have, but then they approved the cipher for encrypting US government classified documents (a blessing that the NSA notably did not give the original Data Encryption Standard), so I'd consider it highly unlikely that they would have done that.

They might have?

I consider it highly unlikely that the US intelligence agency would have "approved" a cipher that they did not backdoor in some way, or feel bad that they have one that is highly classified.

Making assumptions about the NSA's capability after recent leaks would be demonstrating both stupidity and ignorance on a level equal to PRISM's computing power. Try not to do that again.

Re:No reason to distrust Rijndael (1)

Anonymous Coward | about 7 months ago | (#45002057)

The NSA approved AES for use for encrypting US government documents of the most classified sort in 2003. That means that they would have to use AES themselves as well, if they wanted to exchange classified information with any other branch of the US government! How stupid would they be if they knew how to break the cipher and used it themselves anyway? Their own communications would become insecure as a result!

Snowden said it himself: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Emphasis added. The problem is that there are way too many brain-dead implementations of otherwise sound cryptographic primitives out there and other insecurities in systems that the NSA can more easily get into rather than breaking the ciphers, which are the strongest link in what is usually a very long chain of weak links.

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45002155)

Then again, you have no idea and no way to prove which cipher the government actually uses to protect state secrets.

Re:No reason to distrust Rijndael (0)

Anonymous Coward | about 7 months ago | (#45002223)

Well, the US government buys and certifies third-party equipment that implements AES from the open market, for use in protecting classified information. I think that's a big hint as to what cipher they use to protect state secrets.

can you not write, or just not think??? (1)

sribe (304414) | about 7 months ago | (#45001571)

...not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development...

Really? So they are worried about NSA's influence on NIST, but they still trust NIST???

Twofish? Really? (0)

Anonymous Coward | about 7 months ago | (#45001597)

What a terrible cipher, nobody uses it for a reason.

Re:Twofish? Really? (0)

Anonymous Coward | about 7 months ago | (#45001897)

Oh look the NSA astroturf squad has arrived.

THIS IS A GREAT IDEA! (0, Flamebait)

CajunArson (465943) | about 7 months ago | (#45001607)

Please move to the most obscure and unreviewed encryption algorithms that you can, and do it as fast as possible. By no means should you ever use the exact same encryption standards that are approved for use for securing the big-bad-evil U.S. government's own top-secret data. Remember, the only cryptographic systems with any flaws are the ones that were developed by non-US citizens and reviewed in a public process that might have tangentially involved the NSA. Oh, and nobody, we mean nobody, else could ever weaken or backdoor a cryptographic algorithm.
        -- Your friends at the NSA ... uh .. I mean "anti-government hippy commune"

Re:THIS IS A GREAT IDEA! (1)

Anonymous Coward | about 7 months ago | (#45001873)

Twofish is hardly obscure or unreviewed. It was submitted as an AES candidate along with Rijndael. It's been reviewed plenty. It didn't meet the needs of NIST as well as Rijndael, which is why it wasn't chosen to be AES. But that doesn't make it a BAD cypher. It just makes it not ideal for NIST's purposes, which may well include: being vulnerable to attack by the NSA.

Re:THIS IS A GREAT IDEA! (1)

mlts (1038732) | about 7 months ago | (#45003405)

IIRC, Twofish did not make the AES finalist because it used more CPU than Rijndael. This doesn't mean Twofish is less secure, it just means that crypto ASICs are cheaper to make shifting blocks around than Twofish's split key/algorithm method.

Were I to choose one or the other just for security, I'd choose Twofish over Rijndael, but NIST had other parameters in their design decision.

Madness (5, Informative)

lucag (24231) | about 7 months ago | (#45001655)

The least I would have expected from the documents about the extensive spying done by the NSA was a generalized weakening of cryptography.
While it is true that some algorithms might have been deliberately weakened by the NSA, I doubt this could have been systematic, especially for those which are best investigated by the cryptological community at large.
In particular, NIST-mandated cipher suites, while definitely amenable to some theoretical attacks in some cases, have been independently investigated and, as of today, no effective practical attack is known against AES. I would never trust a 'homemade' algorithm for anything, nor waste time to try and analyse it (cryptography is actually part of my job) unless there were some really compelling reasons for doing so (e.g. interesting mathematics, peer review requests or unusual attack models being considered).
Skein and Twofish are definitely interesting algorithms, and they have also been well regarded in the competitions leading to SHA-3 and AES; they are definitely not a bad choice, but to choose them because whatever has been selected by NIST is "tainted" by the NSA (and not for other architectural or practical considerations) resembles more a form of superstition than anything else.

Remember who uses NIST crypto transformations (1)

dubist (2893961) | about 7 months ago | (#45001953)

For the record the US government uses the NIST cryptographic transformations as recommended by its own NSA so on a global scale of one to broken they can't be that bad. So for generalist every day encryption they should be fine; if you're trying to hide something that might have some sort of national security implications then if you're legitimately in possession / generating that kind of information then there will be a different set of protocols and standards to follow. People would shit their pants if the world suddenly turned to using ad-hoc unreviewed transformations because at that point all bets are off, no seriously, all bets are off. Cheers

Re:Remember who uses NIST crypto transformations (0)

Anonymous Coward | about 7 months ago | (#45002433)

From a Guardian article:

The NSA describes strong decryption programs as the "price of admission for the US to maintain unrestricted access to and use of cyberspace"

That may just be the NSA justifying their budget. Or the "price of admission" may be the risk taken by using algorithms with known weaknesses in official US communications, to make the rest of the world trust said algorithms.

Also, for really sensitive stuff the US government does not use the open NIST standards. They use NSA's Suite A, which is classified. All that is known about it is the names of the algorithms and some details like standardised keysizes.

Re:Remember who uses NIST crypto transformations (1)

mlts (1038732) | about 7 months ago | (#45003597)

If I had to use a well studied algorithm that -might- have a backdoor by an agency versus an algorithm that is "secret" that someone pulled out of their derriere, I'd rather have the former.

I've been in those shoes before. My freshman year of college, I made a crypto algorithm that I thought was the cat's meow... plopped it on sci.crypt, and it was shredded by people who actually knew what it was doing in minutes.

We already had those dark days of finding working crypto algorithms when people didn't use DES for much. I'd rather take something that has seen some heavy duty machinery trying to find any weaknesses in it than to use yet another "secret" algorithm that someone pulled out of their ass which is just another implementation of using the random() function with the seed being the passphrase and the output XOR-ed with the input data.

Of course, the encryption algorithm is just half the battle. Using any algo in ECB mode is going to weaken security no matter how good it is.
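The last line of the comment above, that ECB mode weakens any block cipher no matter how good it is, is easy to see in code. The following is an added example, not the commenter's code or anything from Silent Circle. Because it has to run with only the Python standard library, the block cipher is a constructed toy 4-round Feistel network keyed with HMAC-SHA256 (an assumption made for illustration, not a cipher anyone should deploy); the point is the mode, which is independent of the cipher inside it. `repeated_blocks` is the kind of check a reviewer can run over real ciphertext to spot ECB-style pattern leakage.

```python
import hashlib
import hmac
import os

BLOCK = 16   # block size in bytes; each Feistel half is 8 bytes
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, r):
    # Keyed round function: HMAC-SHA256(round index || half), truncated to 8 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    """Constructed toy Feistel block cipher, for demonstrating modes only."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, r))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, r)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK      # PKCS#7 style: always adds 1..16 bytes
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def encrypt_ecb(key, plaintext):
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks and the structure of the message leaks.
    pt = pad(plaintext)
    return b"".join(toy_encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def decrypt_ecb(key, ct):
    return unpad(b"".join(toy_decrypt_block(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK)))


def encrypt_cbc(key, plaintext, iv=None):
    # CBC: each block is XORed with the previous ciphertext block (or a fresh
    # random IV) before encryption, so repeats in the plaintext are hidden.
    iv = os.urandom(BLOCK) if iv is None else iv
    pt = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def decrypt_cbc(key, data):
    iv, ct = data[:BLOCK], data[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def repeated_blocks(ct, block=BLOCK):
    """Number of ciphertext blocks that duplicate an earlier block. A value
    above zero on a short message is a strong hint of ECB (or IV reuse)."""
    blocks = [ct[i:i + block] for i in range(0, len(ct), block)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"constructed-key!"               # constructed 16-byte key
    msg = b"ATTACK AT DAWN!!" * 8           # eight identical 16-byte blocks
    print("ECB repeated blocks:", repeated_blocks(encrypt_ecb(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(encrypt_cbc(key, msg)))
```

With the eight-times-repeated block, ECB produces eight identical ciphertext blocks (plus one padding block), while CBC with a random IV produces none; the same detector applied to real traffic will flag ECB use regardless of whether the cipher underneath is AES, Twofish or anything else.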

All the crypto in the world doesn't save you (0)

Anonymous Coward | about 7 months ago | (#45002279)

if the provider of whatever solution you've bought has received a secret order from a secret court authorizing/demanding the installation of key-grabbing malware or an equivalent exploit. (Which is my out-of-my-ass speculation what Ladar Levison was provided with.)

And I seriously doubt the NSA gives a damn whether the government is using an ultimately insecure encryption *so long as* the NSA are the only ones in possession of the knowledge and/or means to execute the exploit. They *do* care about encryption the government uses being technically and practically unbreakable by others, and they would care if encryption out in the wild is technically or practically unbreakable when used by others they're interested in.

Snake Oil company says don't use medicine (0)

Anonymous Coward | about 7 months ago | (#45002527)

What's really silly about this story, is the Silent Circle context. No service like that, no matter how well-intentioned or what crypto algorithms they use, can ever possibly be trustworthy. If someone points a gun at their heads and tells them to further leak the passphrase that you already deliberately leak (with the hope that the leak is limited) every time you use their service, then they're going to get your key, and you aren't going to know about it.

If there's one group of people who I think we can all confidently totally ignore on the subject of AES-vs-twofish-vs-whatever, it's people who work at snake oil companies like Silent Circle, Lavabit, Hushmail, etc. I feel like a shithead for saying that, because I know some smarter-than-me people work at Silent Circle, but .. something happened to those people, for them to be offering such ridiculous services, services that these people knew couldn't ever be trusted by anyone, before they wrote the first line of code. WTF.

Re:Snake Oil company says don't use medicine (1)

mlts (1038732) | about 7 months ago | (#45003631)

I see Silent Circle going down the same path that Hushmail travelled. Hushmail is a very good service, but when told to either cooperate with Interpol or else, they cooperated.

With SC, they will likely be faced with the same choice. Hand over keys and put in backdoors or face shutdown/prison time.

Instead, the focus should not be on communications, but endpoint security. Maybe PGP needs a revisit?

Buzz and obligatory xkcd (1)

fuujuhi (2088482) | about 7 months ago | (#45002547)

I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?

The following reference is obligatory imo:

http://xkcd.com/538/ [xkcd.com]

As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridiculous or ignorant of the NSA's actual powers at best. Again, I've no clue what these powers could be, but suggesting that they could break into secure systems by brute-forcing or cryptanalysing AES / SHA-2 does not make sense. Doing so would cost an overwhelming amount of energy, even for the NSA, when actually much much cheaper and conventional methods exist, like tapping into back-end systems (often with agreement from the operators themselves), installing key loggers on end user devices, etc. They certainly control some botnets, and maybe even some underground websites. Knowing that most users use the same password over several websites, it's really a child's game to penetrate systems for an organisation like the NSA. The NSA does not need to guess your secrets, they simply read them over your back.

If Silent Circle feels like doing something, what about playing the card of full transparency and proving to the community that they are indeed beyond any doubt? That would at least have the merit of elevating the current level of discussion and not throwing away the work of dozens if not hundreds of people around the world trying to bring real open peer-reviewed security.

really? (1)

slashmydots (2189826) | about 7 months ago | (#45002669)

"not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades"
So in other words it distrusts NIST.

Ju-Jitsu (2)

Tokolosh (1256448) | about 7 months ago | (#45002771)

Brute-forcing or otherwise cracking the various algorithms is all well and good. However, I believe the reality is that the NSA (and others) have more success by using other means, combined with metadata. I am not sure what the other means are, but they could include social engineering, keylogging, reading clues communicated in the clear, false certificates, MITM.

They vacuum up all data, encrypted or not, to be decrypted at leisure, when indicated by the metadata. But the underlying encryption is still (mostly) secure.

Mixing the signals (1)

WaffleMonster (969671) | about 7 months ago | (#45003525)

I think crypto agility is generally an awesome thing; all our encryption should have the ability to swap out algorithms at a moment's notice with a meaningful process to mutually agree on strong acceptable algorithms.

It is also a double-edged sword, as practically it means if any of the algorithms you trust are compromised AND both parties are still willing to use the algorithm, an attacker can normally steer the parties to use it.

One thing I never really understood is if you're afraid of subversion why not simply chain a series of different algorithms together such that compromise of one could not result in recovery of plaintext? The only downside I can think of is you might need a bigger key so jacking input bits of one algorithm does not cascade to the others or otherwise reduce the effective entropy of each input.
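The "double-edged sword" in the comment above is the classic negotiation downgrade: as long as both sides still list a weak algorithm, someone who can rewrite the unauthenticated offer can make the endpoints agree on it. The standard defence is to bind the negotiation transcript with a key both sides share, so the client notices that the server chose from a list the client never sent. The following is an added example, not the commenter's code or Silent Circle's protocol; the algorithm names and strength ranking are constructed for illustration, and the shared key is assumed to come from an already-authenticated key exchange.

```python
import hashlib
import hmac

# Constructed ranking for this example: larger number = preferred/stronger.
STRENGTH = {"toy-weak": 1, "aes-128-gcm": 2, "aes-256-gcm": 3}


def pick(client_offer, server_supported):
    """Choose the strongest algorithm both sides support, or None."""
    common = [a for a in client_offer if a in server_supported]
    return max(common, key=STRENGTH.__getitem__) if common else None


def negotiate_unauthenticated(client_offer, server_supported, on_the_wire):
    """Nothing protects the offer in transit, so the server picks from
    whatever `on_the_wire` (the network, possibly hostile) delivers."""
    return pick(on_the_wire(client_offer), server_supported)


def transcript_mac(key, offer, chosen):
    """MAC over the offer list the MAC-er believes was sent plus the choice."""
    msg = ("|".join(offer) + "->" + chosen).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def negotiate_authenticated(key, client_offer, server_supported, on_the_wire):
    """The server MACs the offer it saw (key assumed to come from an
    authenticated key exchange); the client recomputes the MAC over the offer
    it actually sent. A mismatch means the negotiation was tampered with.
    Returns (chosen_algorithm, transcript_verified)."""
    offer_seen = on_the_wire(client_offer)
    chosen = pick(offer_seen, server_supported)
    if chosen is None:
        return None, False
    server_tag = transcript_mac(key, offer_seen, chosen)
    client_tag = transcript_mac(key, client_offer, chosen)
    return chosen, hmac.compare_digest(server_tag, client_tag)


# Two constructed network behaviours: an honest channel and one that
# removes the strongest option from the offer.
def honest_channel(offer):
    return list(offer)


def strip_strongest(offer):
    return [a for a in offer if a != "aes-256-gcm"]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    offer = ["aes-256-gcm", "aes-128-gcm", "toy-weak"]
    server = {"aes-256-gcm", "aes-128-gcm", "toy-weak"}
    print("unauthenticated, honest :", negotiate_unauthenticated(offer, server, honest_channel))
    print("unauthenticated, stripped:", negotiate_unauthenticated(offer, server, strip_strongest))
    print("authenticated, honest   :", negotiate_authenticated(key, offer, server, honest_channel))
    print("authenticated, stripped :", negotiate_authenticated(key, offer, server, strip_strongest))
```

The unauthenticated run silently ends up on `aes-128-gcm` after the offer is edited, while the authenticated run still lands on the weaker choice but reports the transcript mismatch, which is the client's cue to abort. The other half of the commenter's observation also shows up here: an algorithm that neither side offers any more cannot be steered to, so removing a distrusted suite from the offer list is the simplest mitigation of all.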

Trust (1)

sexconker (1179573) | about 7 months ago | (#45003823)

not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades.

If "executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades" then "the company distrusts NIST".
