21 January 2014
NSA Reputation Is Dirt
Date: Tue, 21 Jan 2014 18:30:39 -0500
From: William Allen Simpson
To: Jerry Leichter <leichter[at]lrw.com>, John Kelsey
Subject: Re: [Cryptography] RSA is dead.
I'm surprised at the sudden interest in my month old December 23 post.
On 1/20/14 2:39 PM, Jerry Leichter wrote:
> On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk[at]gmail.com> wrote:
>> Perhaps this is the result of living in a government bubble for a while, but
>> I certainly saw and heard a lot of the bigger community who thought NSA's
>> involvement in domestic crypto standards and companies was intended to improve
>> security. That's why NSA people were and are openly members of a bunch of
>> standards committees, why people invited NSA guys to give talks and take
>> part in competitions, why people were using stuff like SE Linux. People have
>> been using DSA, the NIST curves, SHA1, and SHA2 for many years, believing
>> them secure--because the assumption was that NSA wasn't putting backdoored
>> stuff out there.
> Absolutely. And it's not just a matter of living inside the government bubble.
> NSA has had a surprisingly good reputation pretty much until Snodownia. Before
> their involvement with DES, no one really knew anything about them - but
> every interaction I've ever heard of with NSA people left the impression
> that they were extremely bright and extremely competent. (A friend who, many
> years ago, interviewed with both CIA and NSA, thought the interviewers for
> the former were a bunch of bumbling idiots, while he was very impressed with
> the latter. He never took a government job, however.)
No. NSA had a good reputation in the '60s. I even recommended a friend for
a position there in the mid '70s. (AFAIK, he's still there.)
By the '90s, its reputation was dirt. Because, other than what was known
or suspected about DES, every action they took was to inhibit public use
> NSA managed to appear not to be much involved in the old crypto wars. Sure,
> everyone knew that they were the ones who wanted to be able to keep decrypting
> stuff, but they managed to come across as mere implementers of policies set
> elsewhere. Their involvement with DES looked bad for a while - why *those*
> S-boxes? Why 56 bits? - but then differential cryptanalysis was re-discovered
> in public and it turned out that NSA had actually specified S-boxes as strong
> against it as possible - and that the real strength really was around 56
> bits. NSA came out as being ahead of the rest of the world, and using their
> lead to strengthen publicly available crypto.
NSA was *very* involved in the crypto wars!
Have we forgotten that the NSA mole in the IETF, Steve Kent, removed the
link encryption option from PPP before RFC 1134 publication in 1989?
Have we forgotten that Steve Kent had the NSA (via the FBI) investigate me
for *treason* for posting the PPP CHAP internet-draft circa 1991?
Because that would prevent the security agencies from intercepting passwords
and pretending to be somebody else.... So by then we knew they were already
wiretapping passwords of US citizens and presumably everybody else.
> This is one reason I find all the whining about the NSA/RSA business a bit
> of revisionist history. You can't look at what RSA did in the light of what
> we know today. You have to look at it based on what was known or reasonably
> strongly suspected at the time.
Hogwash. In addition to the well-known Clipper chip, and the well-known 40-bit
(A) Have we forgotten that Steve Kent had my 1994 Cypher Block CheckSum (CBCS)
removed from the IETF publication schedule -- because it wasn't compatible
with his Null Encryption option?
AFAIK, CBCS was the first attempt at integrating encryption with integrity.
Had it been adopted, there would have been no Lucky13, et alia.
And why the heck did we need a null encryption option anyway!
(B) Have we forgotten that Photuris was adopted by acclamation at the Montreal
IETF -- and then Cisco announced they were supporting ISAKMP/Oakley/IKE?
My guess is forensic accounting would show that Cisco was paid, just as RSA
was recently. Whether it was a cash payment or just a promise that they'd
be favorably considered in future bids....
I remember meeting with NSA twice at the supposedly neutral NRL. Phil Karn
refused to meet with them, even though he grew up in Maryland and it would
have been cheaper for him to meet them. But I naively thought that we could
come to an agreement.
Their biggest complaint was that Photuris concealed the parties, which inhibited
traffic analysis. And sure enough, that's still what they want today!
All I could get agreement on was expanding the Group-Index field (renamed
Schemes in draft -03) from 8 to 16 bits for them to define their own. That
took 2 meetings!
(C) Have we forgotten that H-MAC was adopted over IP-MAC, even though we
had already shown that H-MAC was formally less secure than IP-MAC (and IP-MAC
was older and already had had more analysis)?
Why is it that everything NSA supported at NIST (SHA, SHA1, SHA2, ...) was
demonstrably less secure than other proposals?
On 12/23/13 9:29 PM, Theodore Ts'o wrote:
> As for the rest, the lesson we should take from this is, moving forward,
> if any company in the future hears the words, "I'm from the NSA and I'm here
> to help", they should run away, as fast as their legs can carry them.