
Comment by fossuser

3 years ago

I remember reading about this in Steven Levy's Crypto and elsewhere; there was a lot of internal arguing about lots of this stuff at the time and people had different opinions. I remember that some of the suggested changes from NSA shared with IBM were actually stronger against a cryptanalysis attack on DES that was not yet publicly known (though at the time people suspected they were suggesting this because it was weaker, the attack only became publicly known later). I tried to find the specific info about this, but can't remember the details well enough. Edit: I think it was this: https://en.wikipedia.org/wiki/Differential_cryptanalysis

They also did intentionally weaken a standard separately from that and all the arguing about 'munitions export' intentionally requiring weak keys etc. - all the 90s cryptowar stuff that mostly ended after the clipper chip failure. They also worked with IBM on DES, but some people internally at NSA were upset that they shared this after the fact. The history is a lot more mixed with a lot of people arguing about what the right thing to do is and no general consensus on a lot of this stuff.

You are not accurately reflecting the history that is presented in the very blog post we are discussing.

NSA made DES weaker for everyone by reducing the key size. IBM happily went along. The history of IBM is dark. NSA credited tweaks to DES can be understood as ensuring that a weakened DES stayed deployed longer which was to their advantage. They clearly explain this in the history quoted by the author:

“Narrowing the encryption problem to a single, influential algorithm might drive out competitors, and that would reduce the field that NSA had to be concerned about. Could a public encryption standard be made secure enough to protect against everything but a massive brute force attack, but weak enough to still permit an attack of some nature using very sophisticated (and expensive) techniques?”

They’re not internally conflicted. They’re strategic saboteurs.

  • > IBM happily went along. The history of IBM is dark.

    Then, as now, I'm confused why people expect these kinds of problems to be solved by corporations "doing the right thing" rather than demanding some kind of real legislative reform.

    • Agreed. It can be both but historically companies generally do the sabotage upon request, if not preemptively. This hasn’t changed much at all in favor of protecting regular users, except maybe with the expansion of HTTPS, and a few other exceptions.

    • Libertarian and capitalist propaganda. The answer is always a variation of “if you don’t like it, don’t buy it/let the market decide.” Even if the “market” heads towards apocalypse.

  • > "NSA credited tweaks to DES can be understood as ensuring that a weakened DES stayed deployed longer which was to their advantage. They clearly explain this in the history quoted by the author"

    I'm not sure I buy that this follows, wouldn't the weakened key size also make people not want to deploy it given that known weakness? To me it reads more that some people wanted a weak key so NSA could still break it, but other people wanted it to be stronger against differential cryptanalysis attacks and that they're not really related. It also came across that way in Levy's book where they were arguing about whether they should or should not engage with IBM at all.

    • It follows: entire industries were required to deploy DES and the goal was to create one thing that was “strong enough” to narrow the field.

      Read the blog post carefully about the role of NBS, IBM, and NSA in the development of DES.

      It’s hard to accept because the implications are upsetting and profound. The evidence is clear and convincing. Lots of people try to muddy the waters, don’t help them please.


> I remember that some of the suggested changes from NSA shared with IBM were actually stronger against a cryptanalysis attack on DES that was not yet publicly known

So we have that and other examples of NSA apparently strengthening crypto, then we have the dual-EC debacle and some of the info in the Snowden leaks showing that they've tried to weaken it.

I feel like any talk about NSA influence on NIST PQ or other current algorithm development is just speculation unless someone can turn up actual evidence one way or another. I can think of reasons the NSA would try to strengthen it and reasons they might try to weaken it, and they've done both in the past. You can drive yourself nuts constructing infinitely recursive what-if theories.

  • The NSA wants "NOBUS" (NObody-But-US) backdoors. It is in their interest to make a good show of fixing easily-detected vulnerabilities while keeping their own intentional ones a secret. The fantasy they are trying to sell to politicians is that people can keep secrets from other people but not from the government; that they can make uncrackable safes that still open when presented with a court warrant.

    This isn't speculation either; Dual_EC_DRBG and its role as a NOBUS backdoor was part of the Snowden document dump.

    • Here's the counter-argument that I've seen in cryptography circles:

      Dual EC, a PRNG built on an asymmetric crypto template, was kind of a ham-fisted and obvious NOBUS back door. The math behind it made such a backdoor entirely plausible.

      That's less obvious in other cases.

      Take the NIST ECC curves. If they're backdoored it means the NSA knows something about ECC we don't know and haven't discovered in the 20+ years since those curves were developed. It also means the NSA was able to search all ECC curves to find vulnerable curves using 1990s technology. Multiple cryptographers have argued that if this is true we should really consider leaving ECC altogether. It means a significant proportion of ECC curves may be problematic. It means for all we know Curve25519 is a vulnerable curve given the fact that this hypothetical vulnerability is based on math we don't understand.

      The same argument could apply to Speck:

      https://en.wikipedia.org/wiki/Speck_(cipher)

      Speck is incredibly simple with very few places a "mystery constant" or other back door could be hidden. If Speck is backdoored it means the NSA knows something about ARX constructions that we don't know, and we have no idea whether this mystery math also applies to ChaCha or Blake or any of the other popular ARX constructions gaining so much usage right now. That means if we (hypothetically) knew for a fact that Speck was backdoored but not how it's backdoored it might make sense to move away from ARX ciphers entirely. It might mean many or all of them are not as secure as we think.


    • NSA doesn’t want NOBUS, they’re not a person.

      NSA leadership has policies to propose and promote the NOBUS dream. Even with Dual_EC_DRBG, the claims of NOBUS were incredibly arrogant. Just ask Juniper and OPM how that NOBUS business worked out. The NSA leadership wants privileged access and data at nearly any cost. The leadership additionally want you to believe that they want NOBUS for special, even exceptional cases. In reality they want bulk data, and they want it even if the NOBUS promises can fail open.

      Don’t believe the hype, security is hard enough, NOBUS relies on so many assumptions that it’s a comedy. We know about Snowden because he went public, does anyone think we, the public, would learn if important keys were compromised to their backdoors? It seems extremely doubtful that even the IG would learn, even if NSA themselves could discover it in all cases.

  • I think it's just both. It's a giant organization of people arguing in favor of different things at different times over its history, I'd guess there's disagreement internally. Some arguing it's critical to secure encryption (I agree with this camp), others wanting to be able to break it for offense reasons despite the problems that causes.

    Since we only see the occasional stuff that's unclassified we don't really know the details and those who do can't share them.
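To make concrete the point raised above about Speck having "very few places a mystery constant could be hidden", here is a complete Speck32/64 (16-bit words, 64-bit key, 22 rounds) in Python: key schedule, encryption and decryption. This is an added example, not code from any commenter or from the Speck designers; it follows the round function and key schedule as published in the Speck specification, and the test vector it checks (key 1918 1110 0908 0100, plaintext 6574 694c, ciphertext a868 42f2) is the one given there. The only fixed quantities in the whole cipher are the two rotation amounts, the round count, and the round counter that is XORed into the key schedule; everything else is add, rotate and XOR.

```python
# Added example: Speck32/64 written out in full so the reader can see every
# constant the cipher contains. Not from the original thread.

MASK16 = 0xFFFF
ROUNDS = 22          # Speck32/64 round count from the specification
ALPHA, BETA = 7, 2   # rotation amounts for the 16-bit-word Speck variant


def rol16(x, r):
    """Rotate a 16-bit word left by r bits."""
    return ((x << r) | (x >> (16 - r))) & MASK16


def ror16(x, r):
    """Rotate a 16-bit word right by r bits."""
    return ((x >> r) | (x << (16 - r))) & MASK16


def speck32_64_key_schedule(key_words):
    """Expand a 64-bit key into 22 round keys.

    key_words is (l2, l1, l0, k0), the order the specification prints the
    key in; k0 is the rightmost word. The key schedule reuses the round
    function with the round index i as the "round key", so the only
    constant introduced here is that counter.
    """
    l2, l1, l0, k0 = key_words
    l = [l0, l1, l2]
    k = [k0]
    for i in range(ROUNDS - 1):
        l.append(((k[i] + ror16(l[i], ALPHA)) & MASK16) ^ i)
        k.append(rol16(k[i], BETA) ^ l[i + 3])
    return k


def speck32_64_encrypt(block, key_words):
    """Encrypt one (x, y) pair of 16-bit words."""
    x, y = block
    for k in speck32_64_key_schedule(key_words):
        x = ((ror16(x, ALPHA) + y) & MASK16) ^ k   # add, then XOR round key
        y = rol16(y, BETA) ^ x                     # rotate, then XOR
    return x, y


def speck32_64_decrypt(block, key_words):
    """Invert the round function, applying round keys in reverse order."""
    x, y = block
    for k in reversed(speck32_64_key_schedule(key_words)):
        y = ror16(y ^ x, BETA)
        x = rol16(((x ^ k) - y) & MASK16, ALPHA)
    return x, y


# Test vector from the Speck specification: key 1918 1110 0908 0100,
# plaintext 6574 694c, expected ciphertext a868 42f2.
SPEC_KEY = (0x1918, 0x1110, 0x0908, 0x0100)
SPEC_PLAINTEXT = (0x6574, 0x694C)
SPEC_CIPHERTEXT = (0xA868, 0x42F2)

if __name__ == "__main__":
    ct = speck32_64_encrypt(SPEC_PLAINTEXT, SPEC_KEY)
    print("ciphertext: %04x %04x" % ct)
    assert ct == SPEC_CIPHERTEXT
    assert speck32_64_decrypt(ct, SPEC_KEY) == SPEC_PLAINTEXT
    print("decrypts back to plaintext: ok")
```

Compare this with a substitution-permutation cipher like DES or AES, where S-box tables and round constants are exactly the kind of place a designer's hidden knowledge could be encoded (the DES S-box story in this thread is the classic case). Whatever one concludes about Speck, there is no table here to audit: any hidden weakness would have to live in the arithmetic itself, which is the point the comment above is making about ARX designs generally.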