
NSA encryption plan for ‘internet of things’ rejected by ISO - Jerry2
https://www.wikitribune.com/story/2018/04/20/business/exclusive-nsa-encryption-plan-for-internet-of-things-rejected-by-international-body/67004/
======
AdmiralAsshat
Key point:

>According to WikiTribune’s source, experts in the delegations have clashed
over recent weeks and the NSA has not provided the technical detail on the
algorithms that is usual for these processes. The U.S. delegation’s refusal to
provide a “convincing design rationale is a main concern for many countries,”
the source said.

So it's not just "We don't trust anything the NSA puts out." It's "The NSA is
refusing to explain their algorithms in lieu of saying 'Trust us,' and we
don't."

~~~
tptacek
It's worth bearing in mind that the documentation issues here are basically
process concerns more than they are substantive concerns. Both Simon and Speck
are straightforward designs. Cryptographers are capable of evaluating a
deliberately-simple lightweight ARX cipher!

But in real standards competitions, academic cryptographers bundle their
designs with rationale essays and point-by-point explanations of how the
designer mitigated attacks, like differential and linear trails. Standards
groups didn't get that from NSA, and when academic cryptographers poked at the
ciphers and asked questions about linear trails, the NSA designers got
standoffish.

I think there's a subtext to all of this where the NSA is dismissive of, well,
basically all academic cryptanalytic work. The converse of that, of academics
and the NSA, didn't (I think?) use to be true, but might gradually be taking
this shape, so that the two groups are just mutually dismissive of each other.

So, where in the past the NSA got some deference that enabled them to submit
standards proposals that didn't follow process, now the opposite is true, and
academic cryptographers expect deference.

It's no tragedy. NSA brought this on themselves, and really, what we're
"losing" here is kind of a marginal design anyways, right?

(I write this in the hopes that someone better connected to these issues will
correct me on lots of it!)

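To make the "deliberately-simple lightweight ARX cipher" point concrete, here is an added example, written for this page and not the NSA's reference code or anything the thread's participants posted: the complete Speck128/128 block cipher (64-bit words, 32 rounds, rotations by 8 and 3) in portable C, with encryption, decryption and the key schedule, checked against the Speck128/128 known-answer vector published in the Speck paper. Everything a reviewer could inspect is the few lines of the round function and the constant choices; there is nowhere else for a design rationale (or its absence) to hide.

```c
#include <stdint.h>
#include <stdio.h>

#define SPECK_ROUNDS 32

static uint64_t ror64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }
static uint64_t rol64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }

/* One Speck128 round on the (x, y) word pair: rotate, add, xor round key, rotate, xor. */
#define SPECK_ROUND(x, y, k) \
    do { (x) = (ror64((x), 8) + (y)) ^ (k); (y) = rol64((y), 3) ^ (x); } while (0)
/* Exact inverse of SPECK_ROUND, used for decryption. */
#define SPECK_UNROUND(x, y, k) \
    do { (y) = ror64((y) ^ (x), 3); (x) = rol64(((x) ^ (k)) - (y), 8); } while (0)

/* Key schedule: the same round function is run over the two key words, with the
   round index standing in for the round key; each updated a-word becomes a round key. */
void speck128_expand(const uint64_t key[2], uint64_t rk[SPECK_ROUNDS])
{
    uint64_t a = key[0], b = key[1];   /* key[0] = right (low) word, key[1] = left word */
    rk[0] = a;
    for (uint64_t i = 0; i < SPECK_ROUNDS - 1; i++) {
        SPECK_ROUND(b, a, i);
        rk[i + 1] = a;
    }
}

void speck128_encrypt(const uint64_t rk[SPECK_ROUNDS], const uint64_t pt[2], uint64_t ct[2])
{
    uint64_t y = pt[0], x = pt[1];     /* pt[1] is the left word in the paper's notation */
    for (int i = 0; i < SPECK_ROUNDS; i++) SPECK_ROUND(x, y, rk[i]);
    ct[0] = y; ct[1] = x;
}

void speck128_decrypt(const uint64_t rk[SPECK_ROUNDS], const uint64_t ct[2], uint64_t pt[2])
{
    uint64_t y = ct[0], x = ct[1];
    for (int i = SPECK_ROUNDS - 1; i >= 0; i--) SPECK_UNROUND(x, y, rk[i]);
    pt[0] = y; pt[1] = x;
}

/* Known-answer test using the Speck128/128 vector from the Speck paper
   (key 0f0e..0908 0706..0100, plaintext 6c61..6520 7469..6d20).
   Returns 1 when encryption matches and decryption round-trips, else 0. */
int speck128_selftest(void)
{
    const uint64_t key[2]  = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL };
    const uint64_t pt[2]   = { 0x7469206564616d20ULL, 0x6c61766975716520ULL };
    const uint64_t want[2] = { 0x7860fedf5c570d18ULL, 0xa65d985179783265ULL };
    uint64_t rk[SPECK_ROUNDS], ct[2], back[2];
    speck128_expand(key, rk);
    speck128_encrypt(rk, pt, ct);
    speck128_decrypt(rk, ct, back);
    return ct[0] == want[0] && ct[1] == want[1] && back[0] == pt[0] && back[1] == pt[1];
}

int main(void)
{
    int ok = speck128_selftest();
    printf("Speck128/128 known-answer test: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

This is a plain reference implementation for reading, not a constant-time or side-channel-hardened one; the add and rotate operations are what make ARX designs cheap on small cores, which is the trade-off the rest of the thread argues about.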
~~~
cperciva
_I think there's a subtext to all of this where the NSA is dismissive of,
well, basically all academic cryptanalytic work. The converse of that, of
academics and the NSA, didn't (I think?) used to be true, but might gradually
be taking this shape, so that the two groups are just mutually dismissive of
each other._

This isn't new. My paper about exploiting shared caches in Intel
Hyperthreading as a side channel to steal an RSA key was rejected by the
Cryptology ePrint archive "because it wasn't about cryptology", while some
people in the computer security community dismissed it as "just a theoretical
cryptography thing".

~~~
garmaine
Are you claiming to have prior knowledge and academic precedent for Meltdown?

~~~
girvo
A couple of people do, if I recall correctly.

~~~
Bartweiss
I definitely remember rumblings about "Branch prediction runs code outside
normal execution? There's _got_ to be a security hole there somewhere." That
sentiment was common enough that it's certainly not hard to imagine someone
sketching the shape of an actual attack with it before the detailed proof came
down the line.

------
Jerry2
What's also interesting is how the NSA admonished and personally attacked
three cryptographers (including Daniel J. Bernstein aka djb) and called them
incompetent:

> _the NSA's behavior was outrageously adversarial to the process. They
> refused to motivate design choices they made such as the choice of matrices
> U, V, and W in Simon's key schedule. Instead, they chose to personally
> attack some of the experts (including @hashbreaker, Orr Dunkelman and
> myself) as incompetent._

> _This is yet another example as to how the NSA's surveillance program is
> bad for global security. If they had been more trustworthy, or at least more
> cooperative, different alliances would have probably been formed. But
> instead, they chose to try to bully their way into the standards which
> almost worked but eventually backfired._

Rest:
[https://twitter.com/TomerAshur/status/988696306674630656](https://twitter.com/TomerAshur/status/988696306674630656)

~~~
metalliqaz
I wonder how they personally attacked those experts. Was it public?

~~~
tptacek
"Personal attack" is a pretty big stretch here. The NSA is generally
dismissive of academic cryptographers, and was dismissive here.

~~~
metalliqaz
Okay, that's what the article says, but the tweets specifically say that they
attacked the credibility of some very well respected security experts.

~~~
tptacek
If they're talking about what I think they're talking about, they're referring
to a technical argument in which pretty much everyone was dismissive. It was
still more civil than a typical HN thread, which is in turn more civil than a
typical Reddit thread, which in turn is... my point being: outrageous personal
attack is a bit of a stretch.

~~~
metalliqaz
I take it you're referencing a discussion that isn't public?

------
mysterypie
Does anyone who's been following these IoT encryption standards think that new
algorithms are truly needed? Considering that even the most trivial embedded
devices these days get powerful microcontrollers and megabytes of RAM -- often
running a full operating system! -- is there any _perceptible_ gain with one
of these unknown lightweight algorithms compared to using a well-known and
standard algorithm like AES?

I took a look at the performance tests of AES vs NSA's Simon/Speck done by the
CryptoLUX group at the University of Luxembourg[1]. They have so much data
comparing different scenarios, processors, and implementation versions that
it's difficult to summarize the trade-offs. But my brief look at AES vs
Simon/Speck on an 8-bit Atmel AVR processor is that the difference in code
size and RAM are in the hundreds of bytes ( _bytes_ , not megabytes) and AES
performance might be approximately equal (if AES is implemented with large
code size and RAM) or up to 10-15 times slower (if implemented with small code
size and RAM).

Seriously, embedded software these days is so bloated (just like in web
development), and processors and RAM are so over-provisioned, and encryption
is such a minuscule part of the tasks of a system that I wonder if using a
standard algorithm like AES would make a perceptible difference to anybody.

[1]
[https://www.cryptolux.org/index.php/FELICS_Block_Ciphers_Det...](https://www.cryptolux.org/index.php/FELICS_Block_Ciphers_Detailed_Results#AVR)

~~~
metalliqaz
Hundreds of bytes is a lot on AVRs. 1 millisecond is a lot on AVRs.

I'd have to go look at their data myself, because AES is slow even compared to
ChaCha20, and these algorithms are significantly more lightweight than that.

~~~
setquk
Why the hell would you use an AVR when there are better resourced and faster
ARM cores for the same power drain?

~~~
metalliqaz
Perhaps there are now, but these algorithms were developed several years ago.

Also AVRs are cheap and very easy to use due to their simplicity.

~~~
setquk
STM32 unit cost is lower than most AVRs. And dev is just C as well. Also NXP
do Cortex M0 parts for $0.45!

AVRs are pretty hard to use when you hit one of the numerous hardware and
peripheral walls. Synchronous timers are killing me this week, which led me to
switch to a PIC part.

------
jaboutboul
I see the tin foil hats are out in full swing, but the reality is, far from
what people assume. From someone who has been following this saga, this is
more a fight about how the NSA cooperates (or lack thereof) with ISO and other
standards orgs. Most likely due to their own internal self-conflict.

As others have mentioned, Simon and Speck are very straightforward. There really
isn't much room for obscuring anything there. On the other hand, when any
group that's a part of a standards org begins to feel so privileged that they
can operate under their own rules, without truly cooperating with the
others and sharing information in the way that people are asking for it, it's
going to breed further mistrust given the already tense environment due to the
history there.

~~~
nebulous1
I don't know anything of the technical details of Simon and Speck, but
distrusting the NSA hardly entails a tinfoil hat.

~~~
tptacek
"Distrusting" one of the simplest "mainstream" ARX ciphers entails a little
bit of tin foil. That's not really why ISO isn't moving forward with them.

~~~
xansi
That seems to be exactly why ISO isn't moving forward, or at least has been in
the past.

[https://www.reuters.com/article/us-cyber-standards-insight/d...](https://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV)

~~~
tptacek
Distrust of the NSA has cost it the deference it was given by academic
cryptographers to basically ignore the process norms of public crypto
standards. That's not the same as saying the academic cryptography community
distrusts a simple ARX design.

------
phigcch
Better article from April when this story first broke.
[https://www.theregister.co.uk/2018/04/25/nsa_iot_encryption/](https://www.theregister.co.uk/2018/04/25/nsa_iot_encryption/)

The standardization of Simon and Speck has been an ongoing fight within
ISO/IEC JTC1 SC27 WG2 since 2014 or so, but looks like it's finally game over
for now.

~~~
tptacek
That's not a great article. In reality, nobody thinks Speck and Simon are
backdoored --- they're extremely straightforward block cipher designs with
well-understood components. Unless the NSA knows something that breaks all
modern block cipher designs --- in which case, why tip your hand? --- there's
no place to hide a backdoor in either of these standards.

What happened here seems like a combination of two things: first, a general
statement that the community is skeptical of NSA-related standards after the
Dual EC fiasco, just on principles, and, second, process concerns about the
way NSA interacts with standards bodies --- their work is considered poorly
documented and their engagement with the academic research community (for
instance, to answer concerns about flaws in their designs) is poor.

~~~
baby
I don't see why any non-American company would accept any of their
thoughts/designs after their sneaky backdoored PRNG.

~~~
tedunangst
The back door prng wasn't all that sneaky? I would assess "don't look behind
the curtain" and "nothing up my sleeves because I'm not wearing sleeves" quite
differently.

~~~
frankharv
So true. How about the credibility of RSA.

They should be going out of business because all their customers left in
droves.

But they didn't and RSA is still an esteemed security company.

What happened when Juniper firewalls were outed by Snowden. Did we ever hear
the name of the employee who backdoored their product?

Surely they use revision control and can tell who contributed what. I have to
wonder if the NSA mole still works there too. Zero transparency from these
"Security Companies".

------
spadros
The NSA trying to propose an encryption plan is like letting wolves decide how
to secure sheep. Total conflict of interest, especially after Snowden.

~~~
segmondy
But isn't it the same argument that if you wish to secure your system you
really need to get a whitehat hacker? The NSA looks at herself in the same light
as a whitehat.

~~~
colordrops
No one else but the NSA sees the NSA as whitehats.

~~~
stochastic_monk
Nation-State Adversary is my favorite backronym for NSA.

------
mabbo
Here's a weird/fun thought: what if the NSA was trying to lose?

This is the NSA. They're no fools. And they know that no one is going to trust
them, especially if they try to bully their way and not reveal details.

What if the next-best competitor for this encryption is _actually_ something
they've broken? Could be that they got clever and lucky and figured it out,
could be that they planted it with someone secretly working for the NSA. Then
it would be in their interest to loudly lose in such a way that the standards
committee picks the secretly-broken encryption rather than the one the NSA was
pushing.

Fun tinfoil hat ideas, naturally, but it would sure make a better story than
the NSA trying to backdoor an encryption standard again.

~~~
elago
Why would they do that rather than just not submit anything and let the
already broken next-best competitor win?

~~~
Tepix
Where's the conspiracy theory then?

------
olfactory
When we think about what actually matters when it comes to institutions
(public or private) one very important thing is trust.

The NSA has eroded much of the trust it once had. This reduces its
effectiveness as an organization and puts all Americans and American companies
at increased risk.

Those who committed the crimes revealed by Snowden should be brought to
justice, the program dismantled, the hardware auctioned off, and the money
returned to taxpayers.

One does not have to be a privacy zealot or an anarchist to believe that the
NSA should act within the law.

~~~
pdimitar
> _puts all Americans and American companies at increased risk._

Both yes and no.

No, because many startups are just looking for the shortest path to market and
that means they absolutely will go for US cloud storage and computing if it
best serves their initial business plans.

Yes, because there are many ethical businesses (albeit smaller) -- and also in
light with the GDPR -- who have a clear business model that doesn't involve
selling personally identifiable information. And they now would go an extra
mile to ensure they don't use USA-hosted services. I know business owners who
did this and I'd do it as well if I was one.

Post Snowden there were a lot of companies offering secure email hosting in
Europe. Not sure if that really amounted to a big loss for the USA email
hosting market though. Many people are too dependent on Gmail to ever replace
it, for example.

------
trisimix
The NSA has lost an insane amount of credibility for acting like a three
letter agency instead of a security administration. Turns out it's pretty hard
to be both.

------
DINKDINK
Remember, the S in IoT is for security.

~~~
garmaine
IoOPT — the Internet of Other People's Things.

------
clarkmoody
This is the first WikiTribune story I've personally noticed on HN. The story
is not as juicy as the headline makes it out to be, but it's good to see
WikiTribune as a source of news nonetheless. I'm excited to see more from this
site in the future.

~~~
akvadrako
Do you read WikiTribune? I am always hoping to find better sources of news,
but it doesn't appeal to me enough to try.

~~~
clarkmoody
Not at the moment. I'll give it a shot though and see how things go.

------
codedokode
Encryption scheme choice doesn't mean much if the devices send all the data to
US-controlled "clouds". NSA will be able to read everything anyway.

~~~
okmokmz
Only if you're operating under the assumption that the NSA has broken all
modern encryption algorithms

~~~
codedokode
Why do they need to break encryption if they can come to any datacenter and
copy data from the server? Or install a backdoor. Or get a subpoena for the
data?

------
slededit
This is what a loss of soft power looks like. The US has burned its reputation
and is losing influence in all areas of the world.

------
anfilt
I find this kinda sad since both speck and simon are really nice algorithms.
The analysis that has been done also shows that seem secure. Moreover, they
are simple I have made several implementations, and one that runs simon on a
FPGA. It honestly would be hard to sneak a back door in my opinion.

Also keep this in mind the US government also wants to use these algorithms.
Why would they use a broken symmetric cipher?

------
Drdrdrq
Well, I doubt NSA are stupid. The question is more what their plan is to get
the standards they want to be accepted. Maybe by exposing themselves and thus
creating a better chance for secret allies? We'll need to wait for the next
Snowden to find out I guess, if ever.

------
whois
So happy to see a Wiki Tribune link here. I think the project is super cool, I
hope it stays around.

------
sunstone
Some more suspicious elliptic curves no doubt.

------
jchook
Don’t cryptographers still have concerns about an AES backdoor?

~~~
tptacek
No.

------
peterwwillis
Unrelated:

Has anyone ever not clicked on the "this site uses cookies" button on any
website since they started being introduced? Does anyone even look at them
before clicking them?

~~~
matheusmoreira
That button is just a CYA measure. The idea seems to be to prevent users from
claiming they didn't know they were being monitored. It solves nothing and
gives users absolutely no control over tracking behavior. I doubt web sites
wait for the user's decision to "accept" the use of cookies: since they
normally travel via HTTP headers, they would already be in the browser's
cookie jar before the page even rendered.

------
subcosmos
Telnet passwords ought to be good enough, right?

~~~
akerro
No one expects anyone to pass sensitive information in plaintext!

~~~
bgongfu
Jedi encryption :)

One of the ideas I've tinkered with along the way is hiding encrypted emails
in content that's markov generated from unencrypted communications with the
same peer. It doesn't have to be perfect, just good enough to not get caught
in the slime squad's algorithms.

~~~
jancsika
Or you could send encrypted texts with a subject line that tells how many
leading zero bits are in your GPG private key. Perhaps start with keysize - 1.

Then for each new message subtract 1 from the number of leading zeros.

Now at some point Eve has to decide for herself when it's no longer worth it
to brute force your messages.

Edit: clarification

------
shawn
Snowden caused this.

That's pretty interesting, one way or the other.

~~~
Tyrannosaur
Interesting way to put the blame on someone exposing the crimes, instead of
those actually doing the crimes.

~~~
OscarCunningham
The parent comment can only be read as assigning blame if you think that ISO
rejecting the NSA's proposal is a bad thing. I'd say it's a good thing since
we know that the NSA's proposals are sometimes backdoored.

~~~
saagarjha
Irrespective of the proposal being backdoored, it was clear that the NSA
refused to follow standard procedure by providing the necessary supporting
materials for their proposal, so it's not difficult to see why the ISO
rejected the proposal.

------
jstanley
> concerns that the U.S. agency could be promoting encryption technology it
> knew how to break, rather than the most secure.

If they were going to do this, wouldn't they submit it under a pseudonym?

~~~
tptacek
How would that even work? Cryptography is a small world. A submission from
someone nobody's heard of would have no chance.

~~~
always_good
NSA has a budget of $12 billion.

Let's not pretend it's some impossible or unheard of feat pushing something
through, like getting someone to publish it.

You'd have to be naive to suggest the NSA hasn't compromised any individuals
in the security community.

~~~
tptacek
The suggestion was that NSA would get someone to submit under a pseudonym, not
that they would bribe Orr Dunkelman.

------
BroadcastSunny
My problem with this link is that anyone can edit it and it looks like anyone
can be an author on the site, so I question the validity of the article.

~~~
pritambaral
Interesting.

Do you also mistrust Wikipedia? Besides, it is not like every reputed
journalist these days maintains basic journalistic standards or integrity.
Case in point, article by Reuters from two days ago:
[https://news.ycombinator.com/item?id=17057700](https://news.ycombinator.com/item?id=17057700)

~~~
BroadcastSunny
The schools won't allow my kids to use Wikipedia as a source - so yeah. (this
is despite the fact that Wikipedia got more strict with allowing people to
comment and that they require references)

You're just mad I didn't trust your article.

~~~
pritambaral
> The schools won't allow my kids to use Wikipedia as a source

Would they allow your kids to use Wikipedia's own sources — as long as they're
legitimate — as their sources?

I do not trust traditional journalism as a source either (unlike Wikipedia and
most schools). I try to find their sources; and when I can't, I regard it with
suspicion.

> You're just mad I didn't trust your article.

This is either incredibly childish or too subtly tongue-in-cheek for me.
Neither is the article "mine" in any way, nor was I "mad". I was genuinely
curious.

