“I know from firsthand communications that a number of people at N.I.S.T. feel betrayed by their colleagues at the N.S.A.,” Mr. Green said in an interview Tuesday.
That's pretty strong sentiment. Seems to echo the bitterness of Rogaway: http://www.cs.ucdavis.edu/~rogaway/politics/surveillance.pdf
This is an important question of our times, and the cryptography experts should speak up like this. They have the credibility, and the ear of the people and media.
How deeply have our academic institutions been co-opted by the intelligence community?
1. JHU then had a dean apologize, but it was almost certainly only a reaction to the negative publicity that ensued:
With the NSA committing industrial espionage and able to do insider trading in order to fund its operations off the books I am sure they can also most generously "donate" money to Universities.
And of course the quickly retracted notices not to read the Wikileaks cables if we ever wanted a security clearance that went out to all the Ivies, which were not so great. I believe Columbia was even stupid enough to email instructions to their students not to read vital source material if it came from Wikileaks.
That's the understatement of the century. NIST is pissed off. Many of these guys move fluidly back and forth from NSA, and clearly they were kept in the dark.
But it's probably best to just forget about NIST and start from scratch with a new standards body with zero influence from the government - any government (how it should be).
Why would the cryptography community ever again cooperate with NIST while the requirement to consult with the NSA is in place? It's not a question of feeling betrayed, it's simply irrational to try to create a strong cryptography standard when the NSA is in the room. They can do that work outside of NIST.
"Feeling betrayed" implies skulking about with a sad expression. In reality, from what I hear, I imagine it's more like senior NIST officials roaming the halls at Fort Meade looking for somebody at whom to scream strings of obscenities.
This isn't regarded as a problem?
I guess a route that US agencies took is to "we will recommend good standards for you, because you know we also need security, but you shouldn't know all those standards and implementations will be compromised so we still retain the ability to spy on you while you won't be able to spy on us and if you do then you're a traitor".
One interesting way to solve the problem would be to allow different mutually hostile entities to define their own standards (US, Russia, China, FSF, Pirate Bay, whoever) and then encrypt using all of them.
That way, even if there is a backdoor in each protocol, the only way to decrypt would be for all those disparate players to cooperate. It would be like a vault with multiple keys possessed by different people.
echo hello | crypt -usa | crypt -russia | crypt -china
One might say that they instead have a political and economical agenda disguised as war against terror.
If so, they would certainly have conflicts of interest, at least at some point.
A standard from NSA, on the other hand, is guaranteed to have exactly one backdoor. Same goes for KGB etc.
I guess we could get the same effect by encrypting using 3DES, then AES, then blowfish, twofish and then RC4.
* md_gost94 message digest algorithm
* gost89 symmetric encryption algorithm with 256 bit key
* gost94 public key algorithm with 1024 bit public key
* gost94cp public key algorithm with 1024 bit public key (CP mode1)
* gost2001 public key algorithm based on elliptic curves with 512 bit public key
* gost2001cp public key algorithm based on elliptic curves with 512 bit public key (CP mode1)
TrueCrypt supports cascaded encryption in XTS mode. AES-Twofish-Serpent, combined with a decent password and Whirlpool hash algorithm (it is used for HMAC and for mixing the RNG) should be pretty secure, IMO. Anyhow, we don't have plenty of really good and checked publicly available alternatives for symmetric encryption.
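The "vault with multiple keys" idea from the cascade comments above (the crypt -usa | crypt -russia | crypt -china pipeline, the 3DES-then-AES-then-Blowfish suggestion, and the TrueCrypt AES-Twofish-Serpent cascade), written out as an added example that is not code from this thread or from TrueCrypt. It assumes a party per layer holding its own independently generated key, and, to stay runnable with only the Go standard library, uses AES-256-GCM for every layer; the commenters' point about mixing ciphers from different designers is not demonstrated, only the property that matters for the vault argument: a holder of the outermost key recovers nothing but the next layer's ciphertext, and any missing or wrong key fails authentication at its layer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layer is one independently keyed encryption layer of a cascade.
// Assumption for this example: every layer is AES-256-GCM, so what is shown
// is key independence and layering, not cipher diversity.
type Layer struct {
	aead cipher.AEAD
}

// NewLayer builds a layer from a 32-byte key.
func NewLayer(key []byte) (*Layer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Layer{aead: aead}, nil
}

// RandomKey draws a fresh 256-bit key. Each party generates its own; no key is
// derived from another, which is what makes the multi-key vault argument hold.
func RandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plain, prefixing the random nonce.
func (l *Layer) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, l.aead.Seal(nil, nonce, plain, nil)...), nil
}

// Open reverses Seal; it fails if the key is wrong or the data was altered.
func (l *Layer) Open(ct []byte) ([]byte, error) {
	n := l.aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return l.aead.Open(nil, ct[:n], ct[n:], nil)
}

// CascadeSeal applies the layers in order, like the shell pipeline in the
// thread: the output of layer i becomes the input of layer i+1.
func CascadeSeal(layers []*Layer, plain []byte) ([]byte, error) {
	out := plain
	for _, l := range layers {
		var err error
		if out, err = l.Seal(out); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// CascadeOpen peels the layers in reverse order. Every key is required.
func CascadeOpen(layers []*Layer, ct []byte) ([]byte, error) {
	out := ct
	for i := len(layers) - 1; i >= 0; i-- {
		var err error
		if out, err = layers[i].Open(out); err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
	}
	return out, nil
}

// BuildCascade creates n layers with independent random keys and returns the
// layers together with their keys.
func BuildCascade(n int) ([]*Layer, [][]byte, error) {
	layers := make([]*Layer, 0, n)
	keys := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		k, err := RandomKey()
		if err != nil {
			return nil, nil, err
		}
		l, err := NewLayer(k)
		if err != nil {
			return nil, nil, err
		}
		layers = append(layers, l)
		keys = append(keys, k)
	}
	return layers, keys, nil
}

func main() {
	layers, _, err := BuildCascade(3)
	if err != nil {
		panic(err)
	}
	ct, _ := CascadeSeal(layers, []byte("hello"))
	pt, err := CascadeOpen(layers, ct)
	fmt.Printf("all three keys: %q (err=%v)\n", pt, err)
	// Only the outermost key holder cooperates: the inner layers stay sealed.
	partial, err := layers[2].Open(ct)
	fmt.Printf("outer key only: %d opaque bytes, plaintext recovered? %v (err=%v)\n",
		len(partial), bytes.Equal(partial, []byte("hello")), err)
}
```

Each GCM layer adds a 12-byte nonce and a 16-byte tag, so the ciphertext grows by 28 bytes per layer; the authentication tag is also what turns "wrong key" into a clean failure at that layer rather than garbage passed on to the next one.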
We still don't know the exact story behind Dual_EC_DRBG. Maybe the NSA carefully crafted the DRBG to contain a backdoor that they knew from the outset. Maybe they didn't notice the backdoor until later (perhaps after cryptographers pointed it out) but ended up discovering the 'key' that allows you to predict the stream, completely breaking the DRBG (this is very unlikely, however). Or maybe they're no better off than the general public.
Annoyingly, there are no concrete details. Internal memos "appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency". In the latest NYT article, the internal memos "suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard". (What "generated" really means here is beyond me; obviously the constants were generated somehow. The question is whether or not they were generated with malicious intent. Is the 'generated' part quoted/paraphrased from the memos?)
Now I'm not saying that the NSA didn't have some malicious intent with Dual_EC_DRBG. But we have a stunning lack of any evidence. Internal memos 'appear to confirm' and 'suggest', but the bits provided from them are... lacking. Things certainly seem fishy, but we don't even know the context of the quotes.
I don't know. It certainly wouldn't surprise me if Dual_EC_DRBG was engineered to have a backdoor, but all of the articles I've read seem to carefully use weasel words when talking about it.
This one sentence is a _remarkably easy way_ to kill a story for the 99.9% of the world who this is news for.
The whole spiel has made several rounds on HN, though, and Ars reported again on the matter about a week ago. But I do acknowledge that doesn't necessarily mean much... not everyone has the time (or the inclination!) to follow such matters.
If you look at these discussions, HN commenters were very skeptical this was an NSA backdoor. The speculative possibility isn't news; the fact very much is.
That is, the article isn't really anything new.
Kind of shocking, N.I.S.T and the C.S.E with their pants down.
How can any government accept a situation where communications are so secure that none of their agencies can break it? Essentially law enforcement do need to investigate crime. That has to be right and good for all. Even this anarchist accepts this.
Such a situation is fine for "us", and great for government, in that it means they themselves can communicate with confidence. But to expect government to accept a situation where there is zero way they can snoop or investigate is asking a lot. It's a huge risk to government. So, I think we have to forget that idea completely, as attractive as it is to the likes of me.
As others have said, it's procedural or legal, not technical. What is needed is a rock solid framework and set of rules that properly limit how the snooping is done. What is needed is a universal bill of online or electronic rights. Not just for the USA, but something that can apply to any country and government. I'd suggest it should be developed by an international group, UN backed, and made part of being a member. Or could it be something that has to be agreed to as part of acquiring IP addresses or domain names. Dunno, but tie it in somehow.
Ok, I'm not sure that works totally as I have set it out, I'm no lawyer, and others may well want to modify it, but we need something international as the internet is international. We all need protection, not just Americans. We need a base level to work from. Something we can all accept as reasonable, workable and enforceable. Most of all, we need confidence in using communications and those regulating it.
In my opinion, the 4th amendment says the government needs a good reason and a warrant, and then we all agree they can read my gmail. We don't have to agree they can store, search, and use everyone's gmail for fighting crime, terrorism, or gaining economic advantage over other nations.
Forget international committees. Smash the hard drives with my phone data in them that spooks can read at will.
Under UK law the rule isn't to hand over the keys so they can decrypt the ciphertext, but to make the plaintext available.
In a democracy? A system in which (at least in principle) the government is supposed to obey the laws and serve the needs of the people?
> Essentially law enforcement do need to investigate crime.
That logically breaks down to two questions: (1) Can the government listen in on anything it wants, and (2) does the government have that right? I won't presume to offer practical answers, but from a legal and constitutional standpoint, the answers are maybe and no.
> Even this anarchist accepts this.
An anarchist who accepts the government's right to listen in on anything ... isn't an anarchist. An anarchist who assumes that the government is doing that ... is a realist.
The way they accept every other fact of life that they cannot change.
The genie is out of the bottle now. Strong encryption exists; government cannot break it, and "bad actors" will use it. Law enforcement do need to investigate crime, but they need to do it in the real world not in the world of make believe. If that means they have to go back to older, harder investigative methods then life will go on.
The "alternative" that our governments seem to have chosen is unconscionable... They break their own laws, forsake their own principles and corral their own people into virtual concentration camps.
In their desperation they have seized total control, and then "restrained themselves" to simulate the capabilities they might have had in the good old days. Their self-restraint is admirable, but our societies are founded on law and democracy, not built on trust in the good natures of absolute rulers.
Government should be a last-ditch effort to maintain the long-term survivability of our species.... However, so many people (cough Apple) treat laws as a list of the most disrespectful circumstances and violent actions they can do without repercussions.
We can deny the existence of strong crypto no more than we can deny the existence of Plutonium. Any government that can't regulate around that has no justification for our support and any population that can't survive the gifts of Prometheus has no justification for survival.
If we're to levitate above the point we're at now (compromised security, virtual concentration camps, etc.), we've got to develop our culture such that there is no incentive to use strong crypto for gain. We've got to stop pushing ourselves into such dense living quarters. We've got to further lower our reproduction rate. We've got to stop buying into celebrity and corporate culture....
Does the government accept situation where it cannot read your own thoughts? How is that different?
You could make the same argument about crime fighting here. If we could read thoughts, well, then there would be no unsolvable crime really. But is it desirable?
So, no, even anarchists won't agree (neither me, and I am not an anarchist). The privacy comes to moral consideration too. Secret communication has no effect on the real world unless the people communicating actually act. Just like thoughts have no effect on the real world, unless you act. That's why we don't punish thoughts, but acts, and by that extension, we shouldn't punish communication, just acting based on that communication. Since these acts take place in the real world, criminal investigation is not obstructed.
Edit: Maybe a clarification. You could make an argument that if you don't know communication between people, then it's harder to convict a specific person rather than just the group. But the same is true for private communication (it was always a problem, even before electronic communications), and is also true for communication between neurons (we cannot be sure if person acted willingly or is a psychiatric case).
I find it peculiar to see someone call themselves an anarchist yet accept this - unless you're a Proudhonist or other particularly esoteric pre-Bakunin kind that have been out of fashion since the 1870's...
A key feature of anarchism all the way back to when Bakunin was expelled from the first International by Marx over the issue of state authority has explicitly been the rapid destruction of the state as a critical element exactly because of the opportunity for oppression that lies inherent in the state. This is pretty much the dividing line between anarchism and marxist socialism/communism (the marxist standpoint is that a large scale working class uprising would enable the transformation of the state from a tool of oppression by the upper classes against the working class to a temporary tool of oppression by the working class against the upper classes, becoming obsolete as the working class subsumes the previously privileged classes), and also one of the major distinguishing features between anarchism and the various forms of liberalism (in the classical sense, not the modern US sense) and libertarianism.
The point being that the government does not serve you. It may quite regularly do things that overlap with your interests, but your influence on your government is disproportionally small in any situation where economic power buys you more attention from legislators per head than a vote does.
In that kind of situation, something that makes the government afraid is not something we should forget, but something to embrace and expand to help redress the balance.
Yes, it also helps 'the bad guys'. So do envelopes on your mail, the ability to freely lock your door and expect the police not to wander in at their leisure, or the ability to walk down the street without an id number stamped to your forehead. It would make things a lot easier for law enforcement if we all lived in prison already. Obviously we do not accept these things - it is not enough for something to benefit law enforcement for us to accept it.
> But to expect government to accept a situation where there is zero way they can snoop or investigate is asking a lot.
I see no one expecting government to accept such a situation, and even flawless information security for your communications does not create such a situation. You are setting up a strawman with this sentence.
> What is needed is a rock solid frame work and set of rules that properly limit how the snooping is done.
Rules don't stop people from doing something when the ability to monitor that they are actually complying is nearly non-existent.
> I'd suggest it should be developed by an international group, UN backed, and made part of being a member.
This is a very naive view of how the UN works. The very point of the UN is that it is inclusive - you don't exclude even the worst dictators because then you shut down communication. The upside is that this means there is a forum to make agreements amongst pretty much all the governments of the world. The downside is that you have to deal with these governments even when drafting agreements where "the good guys", if you can even come up with a cohesive list of who they would be, all agree to principles that would substantially improve things. Yes, it is infuriating whenever some dictatorship effectively shuts down some initiative, but it is the reality we have to live in as long as these regimes exist.
In other words, the UN will not do something like this because it goes directly counter to the interests of the governments of a large number of UN countries. And without substantial political upheaval it also goes counter to the interests of the governments of many democratic countries whose populations might prefer much stricter rules.
> Or could it be something that has to be agreed to as part of acquiring IP addresses or domain names. Dunno, but tie it in some how.
The current system for allocation of IP addresses and domain names only works because everyone voluntarily defers to the respective authorities. Even then, nothing but technical skills stops you, your grandma, or your government from setting up its own DNS roots, and nothing stops your ISP or your government from changing routing tables and allocating its own addresses.
They don't because it would break a lot of things, and because the current processes are sufficiently apolitical to not give them a reason to. If that changed, the internet would break into islands where not all parts can talk to all other parts without intermediaries.
This is why nobody has forced the issue of tying non-technical requirements to allocations of IP addresses or domains any more than it is in anyone's interest to, say, withhold a country code for phone numbers from a dictatorship.
I'm a thoroughly pragmatic person. I share all of your concerns about abuse of power (which I see very real cases of everywhere). Yet something in my core believes the ultimate theoretical good may not be ultimate secrecy, but no secrets at all. (Yes, I realize the best path there is not a straight line, if there even exists a practical path).
An honest question for anyone who is passionate about secrecy/anonymity: is it something you inherently value or do you value it because you don't trust other parties to not misuse it? Hypothetically, if that were not possible because their abuse would also be known and they would be held accountable, would that alleviate your concerns?
Their friends in the business community can rest assured that foreign competitors, criminals, etc. are not able to eavesdrop on their communications. Spies in foreign countries could use a strong cipher without raising any suspicions. These arguments were made in the 90s you know.
"Essentially law enforcement do need to investigate crime."
Only to a point. If the only evidence of a crime is the plaintext of some encrypted message -- no physical evidence, no witnesses, etc. -- then the benefits of strong cryptography vastly outweigh whatever problem there is with letting the crime go unpunished.
Chief George Earle: Sensors all over the city can zero in on anyone at any time. I can't even conceive of what police officers did before it was developed.
John Spartan: We worked. This fascist crap makes me want to puke.
Well, it seems those manually watched cameras were the least of our worries.
Btw such a strong and capable regulatory framework that is always on seems useful in regulating corporations and politicians, and if it exists it should scare the hell out of them. I could see why they prefer it this way, with surveillance staying hidden in the shadows.
One way to do this is strong encryption but medium endpoint security.
A government by and for the people accepts it because the people accept it.
What a government _is_ is, of course, a philosophical question. The American Constitution treats government as an agreement among people, and structures that agreement to withhold particular powers from that agreement.
It does _not_ withhold these powers in recognition of some divine grant or innate possession of 'rights', but because it anticipates these powers make the government dangerous to the people governed. Given those powers, the people in government would inevitably abuse them, and would over time evolve into a faction or class to themselves, striving to retain control of the government for their own purposes and to the neglect of the people's.
A government that can consistently and without consequence exceed the powers allotted to it by the people governed will inevitably become an aristocracy, and a tyranny, unless those excesses are checked.
(There are other visions of what a government is. vidarh's comment on this subthread is the best account of anarchism I've read -- really smart -- saying that government is necessarily a class instrument that ought to be weakened or destroyed because it inevitably serves the strong economic interest.)
Of course, those limits make it harder for the government to pursue the people's interests. But the point is that those short-term deficiencies are a wise trade over the long-term, over which an unbounded government would transform into tyranny.
Surely the government can do a better job preventing the next 9/11 bombing if it has all these surveillance powers. But I'm not nearly as worried about such bombings as I am about how the government has already transformed beyond our control, and how much further it could go. I am very sure that 99.99% of us opposed to political terrorism can defeat the 0.01% using it, even while we tie our own hands in some ways for our own long-term protection. It's true that the technology of WMD has increased the potential leverage and destructiveness of that 0.01%. It's also true that we have hardly started thinking about how we, as a society, meet and check that expanded threat. I'm confident we'll figure it out. And even if we don't, the possibilities of that violent minority aren't nearly so dangerous or likely as those of an unchecked government.
So how can any government accept such limits? Because it is _us_, and we recognize that those limits best ensure our safety and that of our kids.
In exile in Brazil.
And, of course, the non-"Freedom!" countries do this also.
The only difference between the US and all the other countries is the amount of smarts, work, and money the US is putting into subverting privacy. Some of the other countries just seem to be along for the ride.
Of course, as Warren Buffet once said, "You’re looking for three things in a person: intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two." Because if they don't have integrity, the last thing you want is for them to be smart and driven.
There is no new information, no fresh concerns. Anyone remotely connected to cryptography has been suspicious of EC-DRBG for years. The only thing that has changed is that the mainstream media has picked this up.
"Very well, if that is the way the winds are blowing, let no one say I don't also blow." - Mayor Quimby October, 1994.
To clarify all that, I'm not arguing your point as I now understand it; I'm just suggesting why you've found some opposition to it as you stated it.
There is a solution, TLS 1.1 and 1.2. Because of slow server-side adoption, clients will have to keep supporting TLS 1.0 for quite a while. Because clients can't drop support for TLS 1.0, there's no strong incentive for server administrators to ensure their servers support TLS 1.1 and 1.2.
I think they'll find it is difficult to "restore confidence" if they are required to "consult" with those responsible for the lack of confidence.
At least, I hope so. Whitewash and time are marvelous.
Committees' rulings are a lie. (http://www.textbookleague.org/103feyn.htm)
Even the most seemingly reasonable regulations are a lie. (http://www.amazon.com/The-Truth-About-Drug-Companies/dp/0375...)
The sooner people realize there's no other option other than a direct democracy since governments and companies are untrustworthy, the better.
Right there, our parents outnumber us 2:1. Why should I trust the rest of America, who largely gets their information from media companies designed to optimize for ratings, on matters pertaining to cryptography?
Direct democracy is not a solution. The solution is the thing we're doing now. The system works in the sense that we're righting it by having this kerfuffle about the secrecy. And something will change, and then the issue will be forgotten for awhile and the story will repeat.
That's probably not possible/going to happen but that's what would happen with any other organisation severely breaching confidence like this.
Those are, however, the sort of big actions they need to show to have a chance at regaining trust.
"Government Announces Steps to Restore Confidence"
People must build trust entirely by themselves. If they don't build it themselves, it's not trust. It's persuasion.
And the willingness to be persuaded has been eliminated rather thoroughly, lately.
The moment the needed becomes feasible the new thing needed to calm stuff down becomes politically impossible because the situation has worsened a lot. Typical case was the Euro crisis of 2009-2011.
The USG is caught in a weird position right now. The NSA story would have been easy to defuse in June with a few bold steps. Now they seem inadequate. And we have a weak presidency and gridlocked congress. And the real fun is Putin just made the rift between them even bigger with a very good diplomatic move. So they cannot move together again to fix the NSA situation for a long time.
This is a huge confidence builder. Huge.
This is like a criminal promising he won't do it again, but only AFTER being caught and having the entire town surround him with pitchforks.
In other words no.
Seems to me that the judicial system needs to get more involved in this. Congressional oversight of NSA, TSA, DOD, etc has not really worked.
There is also a role for technology to play. Out of millions of calls, billions of emails, how do you flag that one bad guy? The implicit assumption in such a problem is that you collect the data on everyone so that you can look for patterns of bad guy behavior. But is there another way?
Anyway anything standardized is going to be relatively well known and therefore more likely to have existing exploits.
But these institutions have proven that they should not be trusted and no amount of PR should change that for prudent individuals or companies.
The first step would be for Government to Announce Steps to Restore Confidence in Government.
That statute needs to be removed.