
NSA Announces New Crypto Standards

Zonk posted more than 9 years ago | from the less-tasty-crackers dept.

Security 220

Proaxiom writes "This week the NSA announced the new US government standard for key agreement and digital signatures, called Suite B. Suite B uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. This shouldn't be too surprising given that the NSA licensed Certicom's EC patents for $25 million last year. ECMQV is patented by Certicom. ECDH and ECDSA appear to be generally unencumbered."


220 comments


WTF? (4, Funny)

Kesh (65890) | more than 9 years ago | (#11861151)

That's a helluva lot of acronyms. Talk about encoding!

Re:WTF? (0)

Anonymous Coward | more than 9 years ago | (#11861162)

they forgot one: sp

Its not that complicated really.. (-1)

PopeAlien (164869) | more than 9 years ago | (#11861194)

aoodall Eddd (ESLOA) combining (sl) + (MBOA) is the new (gibberish gibberish gibberish) loam cloaking flaherty.

perhaps the key to extremely strong encryption is to encode nothing but nonsense. How would you ever know it was broken?

yeah, yeah, the real world.. whatever, I'm going to go play video games.

Not to mention... (1)

game kid (805301) | more than 9 years ago | (#11861207)

...that it uses Elliptic Curve Menezes-Qu-Vanstone for the encryption. I can't even say that five times fast without encrypting it, so it's got to be good.

Re:WTF? (2, Funny)

Kesh (65890) | more than 9 years ago | (#11861662)

... I got first post and it got modded 5, Funny?

I need a life. n.n

ECMQV broken (5, Interesting)

Anonymous Coward | more than 9 years ago | (#11861163)

ECMQV has been partially broken [bris.ac.uk] -- I'd be wary of using it in any standards.

Would any cryptographers here care to comment?

Yes (0)

Anonymous Coward | more than 9 years ago | (#11861265)

fsdfvc443y67KHF/sdfdsfsfrwer423RY#/(WT XBZCBIA

Re:ECMQV broken (-1, Flamebait)

caluml (551744) | more than 9 years ago | (#11861272)

Riiiight. The NSA say it's OK, but an Anonymous Coward blurting out some shit to get a first post gets +4, Interesting.

Re:ECMQV broken (1)

Foxxz (106642) | more than 9 years ago | (#11861287)

He's not anonymous, he's just using encryption!

-Foxxz

Re:ECMQV broken (0)

Anonymous Coward | more than 9 years ago | (#11861501)

Pretty like a pony.

Regards,

-Foxxz

Re:ECMQV broken (1, Informative)

poopdeville (841677) | more than 9 years ago | (#11861329)

The NSA is a political organization, not a scientific institution. They have vested interests in promoting standards 5-10 years behind their current technologies.

Of course, if you had actually opened AC's link, you would have seen a paper describing a weakness in ECMQV. Elliptic curves aren't the best objects on which to base an encryption scheme, as they have far too much structure.

Re:ECMQV broken (0)

Anonymous Coward | more than 9 years ago | (#11861338)

What about an Elliptic Banana ?

Re:ECMQV broken (1)

caluml (551744) | more than 9 years ago | (#11861398)

I am not doubting that there is a weakness in ECMQV.

Re:ECMQV broken (0)

Anonymous Coward | more than 9 years ago | (#11861417)

> Elliptic curves aren't the best objects on
> which to base an encryption scheme, as
> they have far too much structure.

As opposed to what? The integers? Come on, give me a break. You're clueless.

Re:ECMQV broken (4, Insightful)

Coryoth (254751) | more than 9 years ago | (#11861473)

Of course, if you had actually opened AC's link, you would have seen a paper describing a weakness in ECMQV. Elliptic curves aren't the best objects on which to base an encryption scheme, as they have far too much structure.

What, may I ask, do you intend to use instead? Elliptic curves are an excellent choice under the circumstances: implementing a Diffie-Hellman (or, in the case of Menezes-Qu-Vanstone, a more complicated variation of Diffie-Hellman) key exchange over a group other than integers mod p. Elliptic curve groups maximise the difficulty of the known algorithms for solving the discrete log problem (breaking Diffie-Hellman).

Besides, with elliptic curve systems you have the benefit of choosing a random curve, and hence, within constraints, a random group, which means structures of the group are a lot harder to predict - beyond very basic elliptic curve group structures.

I would be very interested to hear what you are suggesting should be used instead. Is there a cryptosystem using semi-groups that I've never heard of?

Jedidiah.

Re:ECMQV broken (0, Troll)

jericho4.0 (565125) | more than 9 years ago | (#11861367)

The NSA is in the business of breaking encryption, not providing unbreakable encryption.

Re:ECMQV broken (1)

GileadGreene (539584) | more than 9 years ago | (#11861506)

Actually, they're in the business of doing both.

Re:ECMQV broken (2, Informative)

Anonymous Coward | more than 9 years ago | (#11861522)

I hate to burst your bubble, but NSA has two primary missions.
Breaking into stuff Signals Intelligence [nsa.gov]
and providing good encryption Information Assurance [nsa.gov]

Re:ECMQV broken (4, Insightful)

Coryoth (254751) | more than 9 years ago | (#11861727)

The NSA is in the business of breaking encryption, not providing unbreakable encryption.

How did this get modded insightful? The NSA is responsible for Signals Intelligence [nsa.gov] , which may involve some breaking of encryption, and Information Assurance [nsa.gov] which most certainly involves the provision of strong security, including encryption.

ECC is already widely available - Certicom, a Canadian company, provides good implementations, and owns about 200 patents relating to it. If it is secure and the NSA can't break it, ignoring its existence isn't going to help them: it is already out there - it is too late for the Signals Intelligence people to worry about it. On the other hand, if there is a good secure encryption system available then promoting it to US government and US companies is a positive thing for the Information Assurance role to be engaged in.

The amount of uninformed, random, misinformation in this thread is astounding.

Jedidiah.


Canadian (3, Interesting)

cameldrv (53081) | more than 9 years ago | (#11861831)

The fact that they are foreign doesn't really provide any real assurance. Do a search for Crypto AG sometime. The NSA has set up front companies in the past to sell compromised crypto equipment.

Re:ECMQV broken (2, Insightful)

jericho4.0 (565125) | more than 9 years ago | (#11861883)

The NSA has a budget larger than the CIA. Yes some of that money may involve some breaking of encryption, or maybe they spend 3 billion plus a year researching how to protect consumers credit card numbers.

Re:ECMQV broken (2, Insightful)

Coryoth (254751) | more than 9 years ago | (#11861947)

The NSA has a budget larger than the CIA. Yes some of that money may involve some breaking of encryption, or maybe they spend 3 billion plus a year researching how to protect consumers credit card numbers.

The NSA are responsible for Foreign Signals Intelligence. That means intercepting, collecting, collating, and analysing foreign signals of interest. That is going to cost huge sums of money regardless of whether there is any encryption to crack along the way.

The other half of their job is providing secure computing and information systems to the US government and US companies. That includes analysing and advising on proposed cryptographic standards (like DES, AES, SHA-1), creating new cryptosystems, providing secure computing environments (SELinux was what they released to the general public as a demo of "how things should be done", they are undoubtedly doing a lot more themselves), providing secure communications for the US government etc. I expect that all of that doesn't come cheap either.

Given that neither I, nor you, have any idea at all as to how the NSA distributes their funding (though apparently you have very little idea what the NSA actually do), I think making unfounded assumptions about how much money and work goes to breaking encryption is a little silly. I expect they do spend a fair amount of time and money on it. I expect they also spend a fair amount of time and money on information assurance.

Jedidiah.

Re:ECMQV broken (1)

GileadGreene (539584) | more than 9 years ago | (#11862011)

The amount of uninformed, random, misinformation in this thread is astounding.

You must be new here ;)

It's not just this thread. In my experience pretty much every Slashdot thread involving an area in which I have any knowledge is filled with the kind of misinformed crap that you are complaining about. The difference in this case is that you actually have enough knowledge to sort the wheat from the chaff, while in many other threads you may not. Caveat Emptor when it comes to any information derived from a Slashdot thread...

Re:ECMQV broken (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11861326)

One presumes that any encryption standard the US is going to recommend has in fact been broken by the NSA or other security organization. The US has been very clear that it does not want its citizens or anyone else in the world to use encryption that the US cannot break.

So i would posit that the standard has already been broken by someone, and, if need be, can be decrypted as needed. Perhaps it won't be cheap, but it will be possible.

Re:ECMQV broken (1)

CammieCrookston (865194) | more than 9 years ago | (#11861692)

That about sums it up. I think it would be wise to assume that whatever the NSA is recommending is not something they are above taking control of if need be.

Re:ECMQV broken (4, Interesting)

bluGill (862) | more than 9 years ago | (#11861833)

You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so.

I know for a fact that several government agencies (Those three letter names before homeland security) used DES encryption for a lot of stuff 10 years ago, because I worked for a company selling it. (We couldn't tell you who they were, but there are only so many places where you can tell someone what city you are going to but not what organization[1]) I also can't tell you what level of security our products were trusted to.

Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.

[1]Not the IRS, we sold the IRS some stuff too, but AFAIK no encryption. Several engineers "regretted" not putting a backdoor in after they learned the IRS was sending tax data with our equipment.

Re:ECMQV broken (2, Informative)

cynic10508 (785816) | more than 9 years ago | (#11861989)

You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so. Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.

Well, yes and no. The actual key is 56 bits but the entire length is 64 with the 8 bits of parity. That parity was important back in the day of noisy communications channels and costly retransmissions.

The DES changes suggested by NSA to IBM resulted in DES's resistance to differential cryptanalysis attacks, which were unknown to the public for at least another decade. Rest assured they know of techniques that others don't. They don't hire all those mathematicians for their social graces.
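The 64-versus-56-bit point above, as an added example that is not from the poster: a DES key is 8 bytes, the low bit of each byte is an odd-parity check, and only the remaining 7 bits per byte are keying material. The functions below set and check that parity and extract the 56 effective bits. The sample key used in the usage note, 0123456789ABCDEF, is the well-known DES test key and is chosen here because it already has odd parity in every byte.

```python
"""DES key parity: 8 key bytes, 56 effective key bits.

Added example (not from the thread). The low bit of each DES key byte is an
odd-parity check, so a 64-bit key carries only 56 bits of keying material.
"""


def odd_parity_byte(b: int) -> int:
    """Keep the 7 high bits of b and set the low bit so the byte has odd parity."""
    high7 = b & 0xFE
    ones = bin(high7).count("1")
    return high7 | (1 if ones % 2 == 0 else 0)


def set_odd_parity(key: bytes) -> bytes:
    """Return key with every byte parity-adjusted (what DES code does on key load)."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    return bytes(odd_parity_byte(b) for b in key)


def parity_ok(key: bytes) -> bool:
    """True when every byte has an odd number of 1 bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key(key: bytes) -> int:
    """The 56 bits DES actually uses: drop bit 0 of each byte and concatenate."""
    v = 0
    for b in key:
        v = (v << 7) | (b >> 1)
    return v


def same_des_key(k1: bytes, k2: bytes) -> bool:
    """True when k1 and k2 differ only in parity bits, i.e. DES treats them as one key."""
    return effective_key(k1) == effective_key(k2)
```

Flipping all eight parity bits of 0123456789ABCDEF gives a key that fails `parity_ok` but has the same `effective_key`, which is why a brute-force search over DES only has 2^56 candidates, not 2^64.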

Re:ECMQV broken (4, Interesting)

Coryoth (254751) | more than 9 years ago | (#11861381)

ECMQV has been partially broken -- I'd be wary of using it in any standards.

Would any cryptographers here care to comment?


The paper itself isn't online, so I can only judge from the abstract. It does sound like a reasonable approach (on a completely cursory inspection), but there are a lot of details there, and I am a little unfamiliar with some of the stuff they reference.

As to how severe the break is: they claim they've reduced the complexity from O(q^{1/2}) down to O(q^{1/4}). Now I presume that q here is referring to the characteristic of the finite field that the curve group is over (I'm guessing, I would have to read the paper to know for sure - they don't say - but this is the logical choice). That is, of course, in cryptographic terms fairly significant. In practical terms most serious ECC implementations are using q in the order of 2^200 or more, so it doesn't necessarily represent a serious compromise.

As I say, with only the abstract to go on I really can't comment much. It does look interesting, but I would have to see more.

Jedidiah.

Re:ECMQV broken (0)

Anonymous Coward | more than 9 years ago | (#11861994)

Now I presume that q here is referring to the characteristic of the finite field that the curve group is over (I'm guessing, I would have to read the paper to know for sure - they don't say - but this is the logical choice).

WTF did you just say? In English man! In English!

Ciphers are so much easier to understand: more bits = more better. :)

I like my encryption broken. (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11861449)

If someone with the resources to break ECMQV really wants my info, they probably also have the resources to Abu Ghraib and get me to give them my keys through other means. Having encryption just hard enough that my ISP can't spy, but weak enough that anyone really powerful can still break it, _enhances_ my safety -- because anyone who breaks it will see I have nothing significant to hide anyway.

Re:I like my encryption broken. (5, Interesting)

Dwonis (52652) | more than 9 years ago | (#11861533)

Are you aware that any above-average worm-writing criminal has more computational resources at his/her disposal than an average government agency? Criminals are able to leverage the computing power of zillions of vulnerable Windows machines to break your data. White-hats and spooks typically aren't.

Tits (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11861166)

I like titties so much!!! They are so soft and nice. I LOVE THEM!!!!

Re:Tits (-1, Troll)

ZeroExistenZ (721849) | more than 9 years ago | (#11861203)

I'm not sure if it's the elliptic curve <-> titties relation that this got modded "insightful"

Re:Tits (0)

Anonymous Coward | more than 9 years ago | (#11861223)

no it was just the gnaa trolls

Re:Tits (0, Flamebait)

Datamonstar (845886) | more than 9 years ago | (#11861234)

No way! GNAA don't know what tits feel like.

Re:Tits (0)

Anonymous Coward | more than 9 years ago | (#11861589)

fucking hilarious that got modded flamebait, guess the GNAA have mod points again.

Huh? (3, Funny)

FiReaNGeL (312636) | more than 9 years ago | (#11861167)

Does this mean that we're more secure? Or our data? Or theirs? Or something? Does it mean anything at all? Do we really exist? What will I eat for supper?

I JUST DON'T KNOW!

Re:Huh? (2, Informative)

nkh (750837) | more than 9 years ago | (#11861202)

Your data will be OK (well, I hope). But the article forgot to say that SHA and AES were also included in this "Suite B."

Re:Huh? (0)

Anonymous Coward | more than 9 years ago | (#11861294)

there is a point to what you said, even though you might just have meant irony...

Lets think of the meaning of secure. Do they really mean our private data to be secure?

Secure can be many things. Perhaps in their view "secure" means national security, and so they need to be able to hack in and read every email, "secure" transmission etc... Didn't NSA have a backdoor into Windows NT or something like that?

Re:Huh? (3, Interesting)

iabervon (1971) | more than 9 years ago | (#11861483)

The NSA is responsible for advising the government and critical private-sector infrastructure on how to protect data. If there's a backdoor in an NSA-recommended standard, heads will roll (only figuratively, of course; they use the electric chair). Academic cryptography research is not believed to be too far behind the NSA, and it is reasonable to guess that the Chinese government is about even with the NSA. So a backdoor inserted by the NSA would probably be discovered by the Chinese within a year and academics worldwide within 5 years, at which point terrorists destroy the US economy and wipe out military deployments.

The NSA may not really want our private data to be kept secure, but they do want the banking network to be kept secure. In general, they prefer to get data by finding plaintext or keys on seized equipment, rather than breaking encryption, because anybody can break encryption about equally well, but the government has an advantage in seizing things. That's not to say that they don't insert backdoors in things they don't intend to be secure (like consumer operating systems), particularly in implementations (where the hole can easily involve use of a secret key). But such things don't get this sort of announcement.

Re:Huh? (0)

Anonymous Coward | more than 9 years ago | (#11861804)

You can go google for it and see there was a hidden crypto in NT... It isn't a big secret, and you could verify it yourself by hacking the right dll in Windows...

Re:Huh? (1)

kurt555gs (309278) | more than 9 years ago | (#11861846)

Yeah, which is why the Chinese are using Red Flag Linux

Cheers

Re:Huh? (4, Insightful)

Coryoth (254751) | more than 9 years ago | (#11861304)

If you really want to read anything meaningful into NSA Information Assurance people throwing their weight behind Elliptic Curve Cryptography, you should consider that maybe that means they consider RSA and standard Diffie-Hellman public key systems to be weak and potentially broken some time in the near future. Now RSA has been looking shaky for the last year or two - it hasn't been broken for key sizes in use, but various improvements and speedups for the Number Field Sieve have made it look a lot more vulnerable. Ordinary Diffie-Hellman possibly being judged a little weak is more interesting.

Jedidiah.

Re: Huh? (1)

Alwin Henseler (640539) | more than 9 years ago | (#11861319)

Does this mean that we're more secure?

Of course not, silly. Everybody can still be run over by a garbage truck, any day of the week.

Or our data?

Of course not, silly. People just aren't careful with their data. Super-duper crypto methods don't do squat about that.

Or theirs?

Our data = their data. See "Echelon" & co.

Or something? Does it means anything at all?

Sure: that social engineering remains an effective method for getting access to other people's porn collection.

Do we really exist? What will I eat for supper?

That's a hard one. Maybe your local supermarket can tell you what's on sale today.

Re:Huh? (4, Funny)

bcmm (768152) | more than 9 years ago | (#11861350)

The NSA is secure. You are not secure, the NSA ()\/\/|\|Z your computer, and possibly your mind. I exist, but I can't prove it. You might not exist, you might be a highly unlikely bug in Slashcode. My advice to you, if you exist, or even if you are just a bug, is to eat lots of cheese for supper, possibly in a pizza, unless you are lactose intolerant.

I hope life makes more sense now. I can hear didgeridoo music.

I just re-read that. I need sleep.

Re:Huh? (2, Funny)

Anonymous Coward | more than 9 years ago | (#11861442)

You should start a religion!

Wow... (4, Funny)

nuclear305 (674185) | more than 9 years ago | (#11861168)

"ECDH and ECDSA appear to be generally unencumbered."

Except for their names, of course...

Re:Wow... (1)

game kid (805301) | more than 9 years ago | (#11861380)

As a Math Professor once said to me and the class about some techniques, "Only the names are changed to confuse the impressionable."

In this case, of course, I am quite impressionable with all these elliptical curves, foreign names...sounds more like porn to me.

Not unencumbered =( (4, Funny)

mg2 (823681) | more than 9 years ago | (#11861169)

All elliptical curve math, unfortunately, falls under Microsoft's patent on all things curvy or mildly resembling a circle. =\

Re:Not unencumbered =( (1, Funny)

LiquidCoooled (634315) | more than 9 years ago | (#11861219)

I thought goatse had worldwide patent rights to anything resembling a circle?

Re:Not unencumbered =( (1)

northcat (827059) | more than 9 years ago | (#11861250)

And including the most important curve - the straight line.

No, NO. (0, Offtopic)

game kid (805301) | more than 9 years ago | (#11861320)

God owns that patent. You have seen Lindsay [taod.com] or [insert woman's name here] have you? (Unless you are one, in which case you should get some of God's patent tab. God bless 'em.)

EEE! (0, Redundant)

The Amazing Fish Boy (863897) | more than 9 years ago | (#11861190)

Nice summary. I haven't seen that many Es in my life since... well, that rave I went to. But then, I can't remember much from before that rave, so I may once have read a summary with more Es. Stay in school.

Re:EEE! (0, Offtopic)

The Amazing Fish Boy (863897) | more than 9 years ago | (#11861368)

My Karma! Noooooo!

How nice... and irrelevant. (-1, Flamebait)

Duncan3 (10537) | more than 9 years ago | (#11861193)

Well that's nice and all, we already have completely unencumbered ways of doing crypto.

Now the bad guys will have to license the patents before they install a key logger, oh no!

Nothing to see here, move along.

Re:How nice... and irrelevant. (0)

Anonymous Coward | more than 9 years ago | (#11861333)

hi, you're a moron

Re:How nice... and irrelevant. (1)

peasleer (806038) | more than 9 years ago | (#11861702)

Just another slashdot post making a statement,
Well that's nice and all, we already have completely unencumbered ways of doing crypto.
refusing to back it with evidence, then proclaiming dominance over the subject,
Nothing to see here, move along.
after muttering a 'the sky is falling' sentence.
Now the bad guys will have to license the patents before they install a key logger, oh no!

Nothing to see here, move along.

Wait, what? (3, Interesting)

FireballX301 (766274) | more than 9 years ago | (#11861198)

AES and Secure Hashing Algorithm also are included in Suite B.

Weren't the SHA algorithms broken? Or, at least, SHA-1?

Re:Wait, what? (5, Informative)

clap_hands (320732) | more than 9 years ago | (#11861313)

You can find collisions for SHA-0 faster than expected, and it's claimed that you can do the same for SHA-1 (the attack hasn't yet been published, but it's pretty certain to be genuine). The SHA-2 algorithms (that is, any of SHA-224, SHA-256, SHA-384, or SHA-512) remain uncompromised. See: SHA article on Wikipedia [wikipedia.org] .

Ok, there's a lot of misunderstanding on this (4, Informative)

Sycraft-fu (314770) | more than 9 years ago | (#11861440)

People keep using the term "broken", as though SHA is no longer useful; that's not the case. SHA-0 and 1 are still perfectly useful hashing systems. The fact that there are collisions means nothing; that is a known property of hashes.

Finding a hash collision is a bitch, however. Hash functions, by their nature, aren't reversible, so that means that you have to sit and try and brute force a collision. You take the value you want, and just keep hashing data until finally, after a number of tries that needs exponential notation to express, you find a collision.

What has happened is that a group has shown how to find a collision in the hash faster than just by brute force for SHA-0 (and also 1, they claim). So it takes a lot less work to find a collision. Now that's a relative term; it's still a ton of processing time. What's more, just finding a collision does you no good in most cases: a bunch of random garbage won't be mistaken for a genuine message even if the hashes match. You need to generate a message that has the same hash, and is also a plausible replacement. That's a hell of a lot harder to do and requires a LOT more computation.

So SHA hasn't been broken in that it's not usable, it's just been shown to be not as strong as previously thought, you can find a collision faster than by straight brute force. It still takes a long time, it's just not as long as you'd predict based on hash size.

However, in this case, they are talking about the new SHA-2 standards, which remain unbroken.

Re:Ok, there's a lot of misunderstanding on this (1)

rbarreira (836272) | more than 9 years ago | (#11861513)

The fact that the Chinese researchers have brought down the time needed for finding collisions means that the algorithm is broken indeed, since it was supposed to require brute force.

It's true that the attack is still on the "far edge of feasibility" (as someone put it - Schneier maybe). But it's also true that the attack hasn't even been revealed yet, so many people haven't yet had the chance to improve on this result, basing their work on the weaknesses found...

I'm not a cryptographer or standards-setter, but I agree with the grandparent - algorithms based on SHA shouldn't be used on new standards...
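The cost difference the two posts above are arguing about, as an added example that is not from either poster. SHA-256 truncated to a chosen number of bits stands in for a hash of that output size, so the searches finish in seconds; the work ratios are what matter, not the toy sizes. `birthday_collision` finds any two inputs that collide in about 2^(bits/2) hash evaluations, `second_preimage` needs about 2^bits to match one fixed target, and `meaningful_collision` shows the standard way a bare collision is turned into a "plausible replacement": vary a field the reader ignores on both a benign and a malicious text and look for a cross-match, so the attacker never needs a preimage. The two texts, the constructed `(ref …)` trailer and the sizes are this example's assumptions.

```python
"""Collision search versus second-preimage search on a truncated SHA-256.

Added example (not from any poster). SHA-256 is cut to `bits` bits so the
searches run in seconds; only the work ratios matter.
"""
import hashlib
import itertools


def trunc_hash(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(msg), as an integer (toy-sized hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def birthday_collision(bits: int):
    """Any two distinct inputs with equal truncated hashes: ~2^(bits/2) evaluations.
    Returns (msg1, msg2, evaluations)."""
    seen = {}
    for i in itertools.count():
        m = b"msg-%d" % i
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def second_preimage(target: bytes, bits: int):
    """A different input matching one fixed hash value: ~2^bits evaluations.
    Returns (forgery, evaluations)."""
    want = trunc_hash(target, bits)
    for i in itertools.count():
        m = b"forge-%d" % i
        if m != target and trunc_hash(m, bits) == want:
            return m, i + 1


def meaningful_collision(bits: int, benign: bytes = b"I owe you $100.",
                         malicious: bytes = b"I owe you $10000."):
    """Birthday attack across two readable texts (constructed sample inputs).
    Each text gets a variable trailer the reader ignores, "(ref NNNNNNNN)", so both
    sides grow by one candidate per step; the first cross-match is a benign and a
    malicious document with the same hash. Returns (benign_doc, malicious_doc, evaluations)."""
    benign_seen, mal_seen = {}, {}
    for i in itertools.count():
        b_doc = benign + b" (ref %08x)" % i
        m_doc = malicious + b" (ref %08x)" % i
        hb, hm = trunc_hash(b_doc, bits), trunc_hash(m_doc, bits)
        benign_seen.setdefault(hb, b_doc)
        mal_seen.setdefault(hm, m_doc)
        if hb in mal_seen:
            return b_doc, mal_seen[hb], 2 * (i + 1)
        if hm in benign_seen:
            return benign_seen[hm], m_doc, 2 * (i + 1)
```

At 32 bits the birthday and cross-match searches take on the order of 2^16 to 2^17 evaluations, while a second preimage at 16 bits already takes about 2^16; a second preimage at 32 bits would take about 2^32. That gap is why an attack that lowers the collision cost below 2^(n/2) matters for signatures (the signer is shown the benign document, the malicious one carries the same signature) even though it says nothing about inverting the hash.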

Good encryption? (4, Interesting)

Husgaard (858362) | more than 9 years ago | (#11861200)

What they are now recommending is believed to be state-of-the-art, and practically unbreakable.

If this really is the case, this would cause them problems eavesdropping.

So the question remains: Have they found a successful attack on elliptic curves, or have they finally seen the light and realized that strong encryption is good for society?

Re:Good encryption? (2, Insightful)

OverlordQ (264228) | more than 9 years ago | (#11861226)

OK seriously, enough of this tinfoil/conspiracy theorist crap. If the NSA wanted info from Group Foo, they'd say "Hey group foo, we need some info about bar" instead of "Hey group foo, implement algo quux for your security. *waits for however long it takes them to implement*, *waits for important info to get transmitted* *waits even more time to crack cipher*"

Re:Good encryption? (0)

Anonymous Coward | more than 9 years ago | (#11861270)

"OK seriously enough of this tinfoil/conspiracy theorist crap."

Why?

Re:Good encryption? (0)

Anonymous Coward | more than 9 years ago | (#11861377)

because you're distracting yourself from the real 'conspiracy': all those people setting themselves up for when the oil runs dry. Who needs elliptic encryption when there ain't any network traffic to encrypt.

Re:Good encryption? (1)

Husgaard (858362) | more than 9 years ago | (#11861385)

OK seriously enough of this tinfoil/conspiracy theorist crap.

I don't think that somebody deserves this label just because they are realizing that the interests of a government agency is different from the interests of the general public.

Think about the past of NSA.

They kept recommending DES until somebody else (amateurs in this regard) demonstrated that it was possible - and relatively cheap - to break DES by brute force.

And their intent to be able to eavesdrop was even more obvious with the Clipper chip.

Re:Good encryption? (0)

Anonymous Coward | more than 9 years ago | (#11861227)

Haaaaaa Ha-ha-ha-ha ha ha Haaaaaaah!

....

What...you were serious???

->adjusts foil shroud

Re:Good encryption? (4, Informative)

Coryoth (254751) | more than 9 years ago | (#11861271)

So the question remains: Have they found a successful attack on elliptic curves, or have they finally seen the light and realized that strong encryption is good for society?

Technically fully half the NSA's job is Information Assurance, which is to say providing strong crypto and information security solutions to US government and US companies. It was the Information Assurance people that provided us with SELinux as a demo of how a secure system could easily be achieved just working from a commodity OS. They are supposed to believe that strong encryption is good for society - US society anyway.

Jedidiah.

Re:Good encryption? (1)

oliverthered (187439) | more than 9 years ago | (#11861363)

So the question remains: Does the Government pick off all the geniuses when they are children and send them to the NSA, or do they work in the commercial world? Why assume that the NSA is any 'better' than anyone else.

Re:Good encryption? (3, Interesting)

xquark (649804) | more than 9 years ago | (#11861497)

Because they are the world's largest employer of mathematicians. Let's say out of every 1000 mathematicians they have working for them only 1 or 2 of them turn out to be real geniuses; that's still more than enough to do the work they need...

Its all about playing the numbers :D

Arash
_________________________________________ _________
Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net

Re:Good encryption? (4, Informative)

Alsee (515537) | more than 9 years ago | (#11861397)

I'm generally about the last person who would say "trust the government", but the NSA has a proven track record of giving GOOD encryption advice in their public announcements. They have recommended minor changes to encryption and hashing algorithm standards that, several years later, were discovered to make them significantly harder to crack.

-

Re:Good encryption? (3, Insightful)

Sycraft-fu (314770) | more than 9 years ago | (#11861819)

Well officially and apparently, the NSA gave up on trying to keep good crypto out of the hands of the public some time ago. The US government even changed official policy allowing for stronger crypto exports, since you could get the same crypto from non-US sources anyhow.

I wouldn't say you should really trust them more than any other crypto group, but look at it this way: These algorithms are public and known. The NSA, though a big employer, doesn't even begin to have all the math and crypto people in the world. These things get looked at by people from all across the world, and the findings are published.

Basically, I trust that these are strong, because the international crypto community says so. If the NSA also throws in on it, great, I regard their opinion up there with a major university with good researchers in this field.

I mean I suppose it's theoretically possible that the NSA has discovered a break that no one else has, and it's obscure enough they believe that no one ever will discover it. Remember for it to be of value it has to be broken, but people have to think it's not. If someone discovered a break the NSA knew about people would stop using the crypto, and the NSA would take a major reputation hit. So while that's possible, I guess, it's pretty far fetched and sounds like pure AFDB land to me.

I'm betting that yes, it really is good crypto. The NSA and US government seem to have acknowledged the fact that there are smart people all over the world, and they'll develop and distribute good crypto. Nothing the NSA can do to stop it, so they might as well get with the program, make use of it, and recommend it to help protect American assets.

Other countries (which are what the NSA is concerned about, they are for foreign spying, not domestic) will get good crypto, like it or not. So they just have to deal with that, and they might as well make sure Americans have it as well. The answer to dealing with it then comes from the CIA and human intelligence. The NSA captures the encrypted data, the CIA supplies the key.

Obligatory Wikipedia Link (5, Informative)

Brock Lee (648954) | more than 9 years ago | (#11861216)

Re:Obligatory Wikipedia Link (4, Informative)

Coryoth (254751) | more than 9 years ago | (#11861535)

As it isn't included in the Wikipedia article, and I had to look up the details myself:

Menezes-Qu-Vanstone key agreement is essentially a variation/extension of Diffie-Hellman using a combination of "static" and "ephemeral" public keys to compute the shared secret. The extra wrinkles in the procedure eliminate the possibility of a couple of subtle man in the middle attacks that can be made against EC Diffie-Hellman for certain parameters.

Jedidiah.

Government is slow (2, Informative)

KingOfTheNerds (706852) | more than 9 years ago | (#11861217)

It's about time, the Government is so slow to announce standards. Suite B has been in the works for years now. ECDH and ECMQV were invented and refined in the 90's. Maybe they were waiting on the ECDSA? Certicom licensed it to the NSA last year, but they waited this long to ratify the standard. Now that they have the standard how long will it be before they employ the technology.

Re:Government is slow (1)

teknomage1 (854522) | more than 9 years ago | (#11861430)

Do you have any idea how many committees have to come to a consensus to ratify anything? Bureaucracy is like molasses. A year is crazy quick turn-around.

Re:Government is slow (0)

Anonymous Coward | more than 9 years ago | (#11861761)

Paying for a Licence/ uncontested patent - which is to be a standard?

That a private concern beat the experts to patent? - unlikely. As said, these protocols/formulas were publicly kicked about in the 90's, and are either expired, or should expire soon - or were known about prior to that. Seems someone has a strong dislike about big key sizes. Thankfully Open Source software means there is a rich choice of alternatives, and hopefully the ancestry of the past will be revealed, assuming patents on mathematics is doable.

Surprising Announcement (3, Funny)

MrAsstastic (851637) | more than 9 years ago | (#11861224)

"In a surprise announcement the RNC has announced it is bankrupt, but not everyone is going begging. Greenpeace, The United Negro College Fund, Amnesty International, and other charities announced *record* earnings this week. Due mostly to large, anonymous donations." NO MORE SECRETS

Oh, come on, mods (0)

Anonymous Coward | more than 9 years ago | (#11861375)

Quote from "Sneakers". If you didn't get it, stop moderating now.

ECC: What and Why? (5, Informative)

clap_hands (320732) | more than 9 years ago | (#11861258)

Elliptic curve cryptography [wikipedia.org] is (if you squint your eyes) a translation of older crypto techniques onto slightly more exotic mathematical objects. Rather than (say) integers modulo a prime, ECC uses a group of an elliptic curve [wikipedia.org] over some finite field. But the new techniques are analogous to the old: Diffie-Hellman, ElGamal, DSA. The advantage is meant to be that keys can be a lot smaller for an equivalent level of security.
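To make the two comments above concrete (Coryoth's description of MQV as Diffie-Hellman with static plus ephemeral keys, and clap_hands' point that ECC is the old protocols run in a curve group), here is an added example that is not code from Slashdot, the NSA, Certicom or any Suite B implementation. It runs ECDH and ECMQV over a textbook toy curve, y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19 (a constructed parameter set that offers no security at all; real deployments use the 256- and 384-bit NIST curves). The private keys are fixed constructed values so the run is reproducible; a real implementation draws them from a CSPRNG, validates received points, and derives the session key from the shared point through a KDF rather than using the x-coordinate directly.

```python
"""Toy ECDH and ECMQV over y^2 = x^3 + 2x + 2 mod 17 (constructed example)."""

P, A, B = 17, 2, 2        # curve coefficients (toy curve, not a real parameter set)
G = (5, 1)                # base point
INF = None                # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition, including the doubling and inverse cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    n, q = 1, pt
    while q is not INF:
        q = ec_add(q, pt)
        n += 1
    return n


def curve_order():
    """Brute-force point count (fine for p = 17)."""
    count = 1  # the point at infinity
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        count += sum(1 for y in range(P) if y * y % P == rhs)
    return count


N = point_order(G)            # order of G (19 here)
H = curve_order() // N        # cofactor (1 here)
L = (N.bit_length() + 1) // 2 # MQV truncation length: ceil(bitlen(N)/2)


def ecdh(priv_a, priv_b):
    """Plain ECDH: each side sends k*G and computes k*(peer's point)."""
    pub_a, pub_b = ec_mul(priv_a, G), ec_mul(priv_b, G)
    return ec_mul(priv_a, pub_b), ec_mul(priv_b, pub_a)


def bar(pt):
    """MQV 'bar' map: low L bits of the x-coordinate with bit L forced on."""
    return (pt[0] % (1 << L)) + (1 << L)


def mqv_shared(static_priv, eph_priv, own_eph_pub, peer_static_pub, peer_eph_pub):
    """One party's side of ECMQV: combine own static+ephemeral secrets with
    the peer's static (certified) and ephemeral (just received) points."""
    if not (on_curve(peer_static_pub) and on_curve(peer_eph_pub)):
        raise ValueError("peer point not on curve")
    s = (eph_priv + bar(own_eph_pub) * static_priv) % N
    t = ec_add(peer_eph_pub, ec_mul(bar(peer_eph_pub), peer_static_pub))
    k = ec_mul(H * s, t)
    if k is INF:                      # MQV rejects a degenerate shared point
        raise ValueError("shared point is the point at infinity")
    return k


def ecmqv(a, x, b, y):
    """Full exchange: a, b static private keys; x, y ephemeral private keys."""
    pub_a, pub_b = ec_mul(a, G), ec_mul(b, G)   # long-term, certified
    eph_x, eph_y = ec_mul(x, G), ec_mul(y, G)   # sent in the clear each session
    k_alice = mqv_shared(a, x, eph_x, pub_b, eph_y)
    k_bob = mqv_shared(b, y, eph_y, pub_a, eph_x)
    return k_alice, k_bob


if __name__ == "__main__":
    print("ECDH:", ecdh(3, 5))           # constructed private keys
    print("ECMQV:", ecmqv(3, 7, 5, 10))  # statics 3, 5; ephemerals 7, 10
```

Both sides of ECMQV end up at (x + bar(X)·a)·(y + bar(Y)·b)·G, so the session key binds each party's long-term key to the session's ephemeral values; an attacker who replaces an ephemeral point in transit (the man-in-the-middle variants mentioned above) no longer ends up with a key either honest party can compute.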

Re:ECC: What and Why? (4, Insightful)

Lehk228 (705449) | more than 9 years ago | (#11861551)

The advantage is meant to be that keys can be a lot smaller for an equivalent level of security.

more importantly keys of the same length are even more secure

I suppose I have to get rid of enigma now (5, Funny)

multi-flavor-geek (586005) | more than 9 years ago | (#11861262)

And I was just getting the kinks out of a usb powered enigma machine to provide encryption for online banking. I mean damn? Who could ever crack enigma?

Re:I suppose I have to get rid of enigma now (1)

clap_hands (320732) | more than 9 years ago | (#11861347)

So you're the guy who commissioned this Enigma [tatjavanvark.nl] ? Nice!

Re:I suppose I have to get rid of enigma now (1)

multi-flavor-geek (586005) | more than 9 years ago | (#11861516)

That wasn't me, but I wish it was, that would be fun to have.
And it looks so nice and professionally built!

Re:I suppose I have to get rid of enigma now (1, Informative)

Anonymous Coward | more than 9 years ago | (#11861431)

Who could ever crack enigma?

Well, this Polish fellow [wikipedia.org] and his buddies did.

HAH! (2, Funny)

Tufriast (824996) | more than 9 years ago | (#11861364)

1. Steal half-broken encryption process that has an impossibly hard name to say. 2. ???? 3. Profit!

Makes you wonder... (2, Interesting)

chill (34294) | more than 9 years ago | (#11861394)

Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

-Charles

Re:Makes you wonder... (1)

Lehk228 (705449) | more than 9 years ago | (#11861577)

either they know a new way, or they have some CPU cluster hard wired to be Really Freaking Good(TM) at prime factorization.

I'd guess the latter (2, Interesting)

Lifewish (724999) | more than 9 years ago | (#11862007)

If I recall correctly (please, someone tell me if I'm wrong), easy prime factorisation is a problem of a specific class - the P=NP problems.

Basically, the P=NP conjecture says that, if it's easy to prove, it's easy to solve. So, for example, it's easy to check that a jigsaw has been completed correctly, but jigsaws seem hard to solve. A proof of the conjecture would imply that there is in fact an easy (mathematically speaking) way of solving jigsaws.

The interesting thing about the conjecture is that a proof of it for any one instance (prime factorisation, jigsaws, whatever) would instantly give a proof for every other instance. It would be one of the major mathematical discoveries of the century, and would instantly render dodgy every form of public-key encryption currently known to man.

As such I severely doubt that the NSA has solved the problem of easy prime factorisation. Even with their renowned culture of secrecy, word would have leaked out. They may have found a way of making it slightly less tough though, or, as the parent says, built a bloody big computer cluster.

Who knows?

Someone always says it (2, Funny)

cryptor3 (572787) | more than 9 years ago | (#11861626)

Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

Yeah I can do large prime factorization in my head. But I'm sure as hell not telling anyone else how to do it.

Re:Makes you wonder... (4, Informative)

Coryoth (254751) | more than 9 years ago | (#11861667)

Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

Actually factorization has been looking a little weak for the last couple of years. There hasn't been any big breakthrough, and 1024-bit (and up) RSA isn't exactly broken right now, but there have been a steady number of papers that have offered various improvements to the basic Number Field Sieve algorithm (such as Dan Bernstein's factorization circuit [cr.yp.to] ) that it is beginning to look as if it is merely a matter of time before at least 1024-bit RSA is considered insecure.

Certainly if you have enough compute power the present NFS with improvements will be good enough to break RSA keys out. The NSA is not exactly lacking in potentially dedicated compute power.

Jedidiah.

This is good news (4, Insightful)

NemesisStar (619232) | more than 9 years ago | (#11861460)

While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods. Instead of using discrete logarithms, elliptic curves use the fact that you need to know three things to be able to get a curve. Two points in space and a formula that describes the curve in reference to these points.

The most important thing about these standards being made official is not that they are unbreakable. It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography. (Quantum computers will be very good at solving discrete logarithms)

Re:This is good news (4, Interesting)

Coryoth (254751) | more than 9 years ago | (#11861585)

The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods.

I'm not sure what you mean here. ECC protocols and standard Diffie-Hellman both rely on the hardness of solving the Discrete Log Problem over a finite group. All ECC buys you over standard Diffie-Hellman is a different group (the group formed by the set of points of the curve over some finite field), for which known methods for the discrete log problem are extremely (maximally, in theory) inefficient.

It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography.

Not true in the least. The protocols in Suite B are Elliptic Curve Diffie-Hellman, and Elliptic Curve Menezes-Qu-Vanstone (which is essentially an extended/more complicated version of Diffie-Hellman). Both are entirely useless in a situation where the Discrete Log Problem is easy. As there exists a quantum computing algorithm that solves DLP incredibly efficiently it is safe to say that in the advent of Quantum Computing these protocols will be rendered completely useless.

While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

I think perhaps he's been having some fun at your expense.

Jedidiah.
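Coryoth's point that Diffie-Hellman and ECDH rest on the same problem, the discrete log in whatever group you pick, is easiest to see from the attacker's side. The following is an added example, not code from this thread or from any Suite B implementation: a baby-step giant-step discrete log solver run against a classic Diffie-Hellman exchange in the multiplicative group mod the Mersenne prime 2^31 - 1 with generator 7 (constructed parameters, chosen small enough to break in a fraction of a second). The algorithm only needs a group operation and an inverse, so the identical procedure applies to curve points; what a well-chosen curve removes is the subexponential index-calculus family that works in Z_p^* but has no known analogue on generic curves, leaving these square-root-time generic attacks as the best known, which is why ECC keys can be so much shorter.

```python
"""Baby-step giant-step against toy Diffie-Hellman mod 2^31 - 1 (constructed)."""
import math

P = 2 ** 31 - 1   # Mersenne prime; 7 is a primitive root of this field
G = 7


def bsgs(g, h, p):
    """Return x with g**x == h (mod p), or None, in O(sqrt(p)) time and memory.
    Write x = i*m + j; then h * g**(-i*m) == g**j for some baby step j."""
    n = p - 1                          # order of the multiplicative group
    m = math.isqrt(n) + 1
    baby = {}
    e = 1
    for j in range(m):                 # baby steps: table of g**j -> j
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)               # g**(-m), the giant stride
    gamma = h
    for i in range(m):                 # giant steps: walk h backwards by g**m
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None


def dh_exchange(a, b, p=P, g=G):
    """Textbook DH: the public values are what an eavesdropper sees."""
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    shared = pow(pub_b, a, p)
    assert shared == pow(pub_a, b, p)
    return pub_a, pub_b, shared


def eavesdropper(pub_a, pub_b, p=P, g=G):
    """Recover Alice's exponent from her public value, then the shared secret."""
    a = bsgs(g, pub_a, p)
    return a, pow(pub_b, a, p)


if __name__ == "__main__":
    pub_a, pub_b, shared = dh_exchange(123456789, 987654321)  # constructed keys
    recovered_a, recovered_secret = eavesdropper(pub_a, pub_b)
    print("recovered a =", recovered_a, "secret matches:", recovered_secret == shared)
```

The table holds about 46,000 entries for a 31-bit group, and the cost grows as the square root of the group order; a 256-bit curve group with only generic attacks available therefore sits at roughly 2^128 work, while the subexponential sieve algorithms for factoring and for Z_p^* discrete logs are what force RSA and classic DH toward 3072-bit and larger moduli for the same margin.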

Question about quantum computing (1)

cryptor3 (572787) | more than 9 years ago | (#11861652)

It's been a while since I've read up on quantum computing. You mentioned that there is a 'quantum computing algorithm that solves DLP incredibly efficiently.' Is this Shor's algorithm? My gut instinct was that Shor's algorithm factors integers quickly, but I never thought of it as a DLP solver. Or is this just a case of mapping factoring to a DLP problem?

Re:Question about quantum computing (1)

Coryoth (254751) | more than 9 years ago | (#11861748)

Shor's algorithm is indeed for factoring. There is another algorithm for the DLP. I don't know too much about it, as Quantum computing isn't my field. I just pay attention when told things like "DLP is not secure under Quantum Computing". Sorry I couldn't be more informative.

Jedidiah.

Re:This is good news (1)

Coryoth (254751) | more than 9 years ago | (#11861634)

There seems to be a lot of misinformation being moderated up in this thread. How exactly did this get moderated to +4 Insightful? This is about the fourth comment I've seen that's been moderated up for spouting what amounts to complete and utter drivel.

Someone further up provided a good link to the ECC page on Wikipedia. Perhaps a few of the mods could go and read that before using up their points. It might save us from swimming in uninformed bullshit.

Jedidiah.

Certicom is a Canuckistani company... (1, Funny)

ABeowulfCluster (854634) | more than 9 years ago | (#11861461)

And now that Soviet Canuckistan is controlling all the NSA computers, I'd like to be the first to say

'PWNED!!"

Alfred Menezes and Scott Vanstone (5, Interesting)

Anonymous Coward | more than 9 years ago | (#11861666)

When I was an undergrad at the University of Waterloo (located in Waterloo, Ontario [Canada]), I had the benefit of having both Alfred and Scott as professors.

Alfred [uwaterloo.ca] taught C&O 487, which is Applied Cryptography. He is an excellent lecturer and actively involved in the crypto community. His level of intelligence, professionalism, and kindness never ceases to amaze me.

Scott "taught" C&O 331, which is Coding Theory. He's a down-to-Earth kind of guy, who really didn't know how to teach a class, but boy did he sure know how to simplify tough concepts. His trademark is that he's what we called a "celebrity professor". He never used his office (located at St. Jerome's on campus) to the point where if you looked through his window, you'd never see him there, and everything would be packed up in boxes. His computer was never hooked up and chairs were stacked up such that no one could actually sit down with him and have a conversation :).

He was a celebrity professor because he worked at Certicom, and was one of the company's original founders [certicom.com] . He was paid the highest amount out of any C&O professor at the University, and barely ever made it to teach class. He'd spend the day at Certicom instead, and send one of his grad students over from Toronto to Waterloo (despite the weather, since Coding Theory is only available in the Winter term) to teach the class. Sometimes, when there were no grads available to do his teaching duties, he'd ask Alfred (who wrote his PhD under the supervision of Mr. Vanstone) to fill in. Whenever Alfred taught the class I learned 200% more than if Scott were to teach the exact same material.

All that aside, it's nice to see these two fellows get their name in bright lights after all of their hard work throughout the years.

New Encryption: (2, Funny)

tommyth (848039) | more than 9 years ago | (#11861785)

The new standard is 129 bit encryption. Takes twice as long to crack.