
Back when DES was being designed, IBM had a bunch of values in their S-boxes. NSA told them "don't use those values; use these values instead." People freaked that it was a backdoor the NSA put in.

About 15 years later, differential cryptanalysis was publicly discovered. The original S-box values would have been very vulnerable to the attack, but the ones the NSA used were resistant, suggesting that NSA knew about differential cryptanalysis way ahead of time and were suggesting ways to protect the public against its eventual discovery.

It is possible that there is still some magic in there to let the NSA magically defeat DES, but we still haven't found it. Similarly, it's possible that this random number generator exists for some nefarious purpose, but we have no evidence for it.

Also, this article is 5 years old (the headline didn't say so when I first read this). Schneier was in pretty big self-promotion mode at that time.



I can't find the citation right now, so treat this as apocryphal, but...

I've read an explanation that the USA's focus on security has changed in the days since 9/11/2001. At one time, the philosophy was that the country was more secure when we could all be assured that the privacy of our communications was intact.

But in the last decade we've changed that philosophy. The government's security philosophy now is that the most important thing is for the government to be able to tell what's going on.

So it may be that the parent post's anecdote is quite correct, and reflects the policy of that time. But in the days of the War On Terror, we can't trust that anymore.

(And OT, I believe it reflects a fundamental change in the philosophy of governance that is against the founding principles of the country, and a pretty bad thing. I believe that our strength derives from ... us -- we the people. And so strengthening the government by weakening us in fact weakens the nation.)

EDIT: fix date. Thanks, Retric.


> At one time, the philosophy was that the country was more secure when we could all be assured that the privacy of our communications was intact.

That's never really been the view of the U.S. government. It's always been the view that you should be able to have communications with your neighbor that are secure from everyone except the US government, who obviously need to snoop in order to protect us all.

The security agencies and the police agencies have always pushed for more comprehensive and more invasive surveillance. We've had wiretapping for as long as we've had wires to tap. We crippled Internet security for years. I remember the days of separate US and international Netscape releases, due to crypto export restrictions. It wasn't until 2000 that the restrictions were truly relaxed.


US and international Netscape releases (as well as Windows and various other tools) rather indicate that the US govt was interested in secure communication for US citizens and corporations, while being able to snoop on the rest of the world.

If you need an example, pick the Clipper chip - and even that doesn't _quite_ work out, given how publicly that proposal was shot down.


I think it's rather an example of how the Judicial branch keeps the other branches in check. If the NSA had its way, they'd be able to listen in on every conversation you ever have, track every site you visit, record every communication you ever make. They would do the same for everyone internationally as well. The difference is that we have the Supreme Court protecting US citizens to some extent, so the NSA cannot legally wiretap your phone just for kicks, but the Supreme Court doesn't extend the same protection to citizens of other countries.


And you believe the NSA when you can't see the warrants, know who issued them, what they contain, etc.? How would we know they weren't tapping domestic communication? You wouldn't. Any whistleblowers would be roughed-up or locked-up... much like Thomas Drake.

https://en.wikipedia.org/wiki/Thomas_Andrews_Drake#2007_FBI_...

https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_c...


I said that the judicial branch keeps the other branches in check. I didn't say that they are completely effective or that their checks are sufficient. And I certainly didn't say that the NSA wasn't engaging in any domestic wiretapping.


Yes, I think the key word in that sentence is "legally". The following article describes the situation re: warrantless monitoring of U.S. citizens by the NSA: http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_...

The thing is that they can not bring the result of this warrantless wiretapping into court. But they probably don't want to.

From what I've seen the FBI is a lot more vocal in complaining about the impact of encryption because their mandate involves bringing cases to court so they want a formalized, legitimate way of breaking encryption when they have warrants. They would also love to have the dragnet that the NSA has to know who to watch, and I don't know to what extent they do, but the bigger difference that I see is that the NSA is not interested in launching court battles (any more) whereas that is the primary endgame for the FBI.

The problem of course is that an encryption system which can be broken in a formalized way is open to the possibility of being broken by the wrong people. You can't have your cake and eat it too by having strong encryption that can be broken by the "right" people because there is no way to theoretically describe who the "right" people are. The encryption has to work the same for everyone.

Like all big issues in society there are competing rights; the need for law enforcement bumps up against the freedom of the individual. I believe that we are comfortable enough pushing this balance more heavily towards the freedom of the individual in America that a policy of embracing strong encryption is in the best interests of everyone, but I am aware that I don't have as much knowledge about this issue as some others.


You can have an encryption system that can only be broken by the 'right' people. We already have crypto systems where any 1 of n people can decrypt the message. If you embed a public key into the algorithm, then only the algorithm's designers would know the private key needed for decryption.

Doing this in a non-obvious way seems much more difficult, but if the NSA did have a weakness to DES, it could very possibly require knowing a secret key.


Actually it is a reflection of the law. The US government had the authority to prohibit export of crypto (at the time), but did not have the authority to limit it domestically.

If they had been given that authority things may have been different.


That's kind of circular. If the government has the authority to create a law to do X, then the government has the authority to do X, full stop.


I always thought that the clipper chip died in the court of public opinion and not in a court of law. However, I do not understand your interpretation of circular reasoning.

Let's look at the case where X is regulating the sale of switchblades. The federal government has the authority to regulate the sale (commerce) of switchblade knives between states; the federal government does not have the authority to regulate the sale of a switchblade within a state.


> The federal government has the authority to regulate the sale (commerce) of switchblade knives between states, the federal government does not have the authority to regulate the sale of a switchblade within a state.

Let's look at the case of guns. Do you really think that Montana could say "you can sell Montana-made machineguns in Montana without satisfying federal law"? (The feds don't much care about switchblades. They care about guns.)

See http://en.wikipedia.org/wiki/Wickard_v._Filburn . In that case, the feds got to regulate even though the wheat in question wasn't sold and never left the farm.


Well the feds did care about switchblades, that is why they passed a law banning the interstate sale of switchblades, "the Switchblade Knife Act, (Pub.L. 85-623, 72 Stat. 562, enacted on August 12, 1958, and codified in 15 U.S.C. §§ 1241–1245), prohibits the manufacture, importation, distribution, transportation, and sale of switchblade knives in commercial transactions substantially affecting interstate commerce[56] between any state."[1] Evidence for a continued interest in switchblades can be found in the recent exemption carved out for assisted opening knives in 5 USC § 1244.[2] (I think the exemptions in 1244 were passed within the last 5 years as part of a Homeland Security appropriations bill, but I'm fuzzy on the exact date.)

Wickard was 70 years ago; interstate commerce doctrine has evolved a lot in the intervening years. In fact I'm a little surprised that you used it as an example. It has been a while since ConLaw I, but I think Wickard is often used as an example of the height of the broad interpretation of the commerce clause. Are you arguing that there is no limit on the power of the commerce clause? Or that Wickard is the controlling case? Lopez is one of many cases since Wickard where the Supremes walked back such a broad interpretation of the commerce clause.

[1] http://en.wikipedia.org/wiki/Switchblade#Federal_law

[2] http://www.law.cornell.edu/uscode/text/15/1244


> Wickard was 70 years ago, interstate commerce doctrine has evolved a lot in the intervening years.

The Supremes haven't overturned Wickard.

Yes, they did decide that the first version of the Gun Free School Zones Act didn't have a commerce nexus, but they seem quite content with the current version, which affects only those guns that have gone interstate.

However, the relevant question is whether the Supremes have ever decided that something sold can be exempt from the federal power to regulate interstate commerce.

Take machine guns. A Montana statute that allows unrestricted sale of machine guns made in Montana clearly affects "commerce" (in Montana at the very least) of guns not made in Montana, aka "interstate guns".

Do you really think that the Supremes would reject that argument? On what basis?

And, if they accept that argument wrt guns, why wouldn't they accept it wrt cantaloupe?


That was 1958, back when prohibition was still in the memory of many congressmen.

When prohibition was passed, the Civil War was still in memory and Congress felt it needed a constitutional amendment to ban ethyl alcohol.

Today, if Congress wants to ban a thing they simply pass a law that puts you in jail for its sale or possession. Simple as that.


"Today...they simply pass a law that puts you in jail for its sale"

Today? They have always done that. Which is why the USC reads as follows:

"Whoever knowingly introduces, or manufactures for introduction, into interstate commerce, or transports or distributes in interstate commerce, any switchblade knife, shall be fined not more than $2,000 or imprisoned not more than five years, or both."


It is not circular. Interest and authority are two very different things. For example, the Federal government has the authority to wage war -- this has no bearing on a discussion as to whether they are philosophically correct in doing so.

The suggestion that policy is justified merely because it subsists upon formal authority is nonsense.


The point is that the government may not have the authority to do X or to create a law to do X. They may have the ability, but the supreme court decides if the authority exists.


Things are hardly so absolute.

The United States Constitution is the highest law, and provides for different treatment of foreign and domestic matters, so your statement is obviously false even under the most broad interpretation of "the government".

The President/Executive (closest to what many other countries would consider "the government") is also limited in most matters by the laws passed by Congress, so even assuming domestic regulation of cryptography were Constitutional (and I don't personally believe it would be), if Congress has not passed a law giving the Executive the authority to regulate it, the Executive cannot do so.


9/11/2001


And? Cryptography is much easier to build, test, ship, and even export after 9/11 than it was before it. I shipped commercial security products before 9/11 and it was a nightmare. A huge portion of all desktops ran insecure crypto simply because it was too logistically challenging to ensure that they had good crypto and were easy to sell in Europe and Japan.

There is simply nothing to this analysis. The crypto policy fight happened in the late '90s, and crypto won.


Yes, the crypto fight was fought and seems to have been won by the people. But crypto is only one facet of a broader communications security policy.

It should be clear from recent controversies about "how private is your cellphone"; warrantless wiretapping and retro-active legalization of the same; various proposals for granting government authorities over the Internet (including a "kill switch" and a rumored upcoming Executive Order since he can't get it through Congress); that in the broader context, the US government is very much interested in monitoring communications.


We're talking about crypto on this thread. I see the controversies over government access to communications differently than you do, but I'm not particularly interested in litigating the issue. The federal government has not subverted cryptography in any meaningful way; industry does a perfectly great job of doing that job for them.

You have a lot more to fear from the Linux devs "cleaning up" OpenSSL's CSPRNG than you do from the NSA.


But this is not true. David Wagner and Ian Goldberg (the cryptographers who cracked GSM) have documented that the encryption used was purposefully weakened to enable realtime software decryption of voice calls.

This was back in the late 1990s and there was a lot of discussion on the cryptography usenet group at the time (i.e. http://www.mail-archive.com/cryptography@metzdowd.com/msg007...) but there is a fairly readable mass market piece here (http://scard.org/gsm/pr/nytimes/). I'm only an amateur when it comes to this stuff, but why do you think David Wagner is wrong?


That happened in the 1990s. At the same time, the US Government tried to directly criminalize unregulated sales of encryption. They lost both fights: in 2012, it is easier than it has ever been to encrypt phone calls in a manner that prevents LEOs from eavesdropping on them.


That's true for phone calls for people that know how to do this. However:

1. Most people are unable to do this technically.

2. The fact that you do it may constitute prima facie evidence of being a person of interest.

3. The government is trying very hard to get the means to wiretap VoIP.

4. It doesn't address traffic analysis at all. I know you said you aren't concerned about this, but there are plenty of people who are, and the government is going like gangbusters (literally, I guess) toward this.


What does "prima facie evidence of being a person of interest" even mean? You can be a person of interest simply by virtue of build and hair color.

The US Government hasn't restricted traffic analysis, and indeed nothing they have ever proposed W.R.T. encryption could have controlled traffic analysis.


Just correcting the parent, they said 2011 not 2001.

As to pure software crypto it's not really that important vs securing the endpoints. Consider WoW uses encryption when logging in, but a significant % of accounts are hacked before they add an authentication either as a key-chain or on your cellphone. I suspect if it ever became mainstream pure client side bitcoins would be DOA for more or less the same reasons.


To expand a little, the NSA also required the initial permutation of plaintext bits. This was done before the first 16 rounds of DES, and looked like this:

    58 50 42 34 26 18 10 2
    60 52 44 36 28 20 12 4
    62 54 46 38 30 22 14 6
    64 56 48 40 32 24 16 8
    57 49 41 33 25 17  9 1
    59 51 43 35 27 19 11 3
    61 53 45 37 29 21 13 5
    63 55 47 39 31 23 15 7

Which meant "put the 58th bit of the plaintext into the first position, put the 50th bit into the second position, etc., and THEN run through the encryption algorithm."

At the time, it was totally unclear why you had to rearrange the bits in this very exact way. After all, you were about to encrypt it (and obliterate any plaintext patterns) anyway. And would it be as strong if you started with the 57th bit, instead of the 58th? The whole thing seemed so arbitrary.

Now it's true that this is robust to differential cryptanalysis, but it's also true that these bit permutations significantly slow down software implementations of DES. But it's trivial to implement the initial permutation in hardware.

In the 1970s, the hardware required to crack DES cost $20,000,000 US dollars [1] (about $120 million in today's dollars [2]). The general tinfoil-theory at the time was that 1) only the NSA had the resources to build such a machine and 2) by forcing DES to use this initial permutation, the NSA was giving themselves a significant "head-start" over everybody else using software to crack DES.

[1] http://www.krapp.org/hydra/courses/analysis/3-DataEn.pdf (PDF)

[2] http://www.wolframalpha.com/input/?i=%2420%2C000%2C000+1970+...
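The initial permutation table quoted above is a fixed, key-independent reordering of the 64 plaintext bits. The following is an added example (not code from the thread or from any DES implementation the posters mention) that applies the table as written, derives the inverse (the "final permutation") from the same table instead of hard-coding it, and rebuilds the table from a structural description to show what it actually encodes: output byte k collects the bits at one fixed position from each of the eight input bytes, which is why it costs nothing in hardware and something in software. The sample block 0x0123456789ABCDEF is a constructed test input; the expected value 0xCC00CCFFF0AAF0AA is the standard worked DES example for that block.

```python
# Added example: the DES initial permutation (IP) as a plain bit shuffle.
# The table is the one quoted in the comment above (FIPS 46 IP).
# DES numbers bits 1..64 from the most significant bit of the block.

IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def invert(table):
    """Inverse of a 1-based permutation table: if table[i] == j then inv[j-1] == i+1."""
    inv = [0] * len(table)
    for pos, src in enumerate(table, start=1):
        inv[src - 1] = pos
    return inv


FP = invert(IP)  # the DES "final permutation", IP^-1, derived rather than typed in


def permute(block, table):
    """Apply a DES-style permutation to a 64-bit integer.

    Output bit i (1-based, MSB first) is input bit table[i-1]."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (64 - src)) & 1)
    return out


def ip(block):
    return permute(block, IP)


def ip_inv(block):
    return permute(block, FP)


def structural_ip_table():
    """Rebuild IP from its structure instead of the lookup table.

    Output byte o (1..8) holds bit position p(o) of every input byte, taken
    from input byte 8 down to input byte 1. p(o) runs 2,4,6,8,1,3,5,7, i.e.
    the even bit positions first, then the odd ones."""
    positions = [2, 4, 6, 8, 1, 3, 5, 7]
    table = []
    for p in positions:                 # one output byte per position
        for q in range(1, 9):           # q-th bit of that output byte
            input_byte = 9 - q          # bytes 8, 7, ..., 1
            table.append((input_byte - 1) * 8 + p)
    return table


if __name__ == "__main__":
    x = 0x0123456789ABCDEF            # constructed sample block
    y = ip(x)
    print(f"IP({x:016X}) = {y:016X}")
    print(f"IP^-1 undoes it: {ip_inv(y) == x}")
    print(f"table matches structural description: {structural_ip_table() == IP}")
```

Because `IP` is a permutation with no key input, `ip_inv(ip(x)) == x` holds for every block, and the structural rebuild matching the table is the concrete form of the observation that the permutation carries no cryptographic content.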


The permutations in DES have nothing to do with security; there is an excellent explanation by Thomas Pornin on what their purpose was: http://crypto.stackexchange.com/a/6/592

What was altered were the 8 S-boxes, seemingly random lookup tables that map 6- to 4-bit values. More details by Don Coppersmith himself at: http://simson.net/ref/1994/coppersmith94.pdf


I phrased that poorly (and just edited my first sentence to reflect your correction). What I was trying to add was that the NSA made some other modifications to DES that were also seen as dubious at the time.


From https://en.wikipedia.org/wiki/Differential_cryptanalysis

"In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal."


Don't forget that IBM actually designed Lucifer, which was 128 bits, but it was the (edit: s/NSA/NHIS) that truncated it to 56 bits and named it DES. So maybe this is an example of "6 of one or half a dozen of the other"?


And don't forget that Eli Biham smote Lucifer with differential cryptanalysis, found more than half of the keys insecure, reduced its security to 235, and published a journal article concluding that NSA strengthened the cipher design; DES was better than Lucifer.


Maybe 3 decades after it was released according to this paper; http://scholar.google.ca/scholar_url?hl=en&q=http://59.1... Even if the NSA appointed S-Boxes did improve Lucifer then decreasing the block size does not really improve on your point.


You're not arguing with me; you're arguing with Eli Biham. He addressed the question you asked head on.


suggesting that NSA knew about differential cryptanalysis way ahead of time and were suggesting ways to protect the public against its eventual discovery

The NSA may also have known who else knew about differential cryptanalysis, and didn't want it to be weak in ways that others could break it, but left it weak in ways that they could.


You would think that after this many decades any such built-in weakness to DES would have been discovered. Do you think the NSA crypto knowledge (or rather, IBM crypto knowledge, since that's where differential cryptanalysis was developed) back in the 1970s was better than the modern crypto knowledge?


To give one small example: Clifford Cocks invented RSA about 3 years before RSA did. But he did it by himself, and he did it in his head. Cocks' version was revealed 25 years after he created it; 22 years after RSA was revealed.

They've only just released some of the stuff that Turing did.

They keep things secret, and they use things hard. There's not really any way to know what they know about your system, which is why cryptography likes systems that seem secure even when you know everything about that system.

(http://www.youtube.com/watch?v=a-xEiOvXux4)


"3 years" is not quite the same secret head start that "30 years" is.


The point is that even though PKI had been independently developed, and made public, 3 years after Cocks did it they still kept it secret for 22 years.

So imagine what they do with the secrets that are still secret - the secrets not independently developed and made public.


I think of all the public crypto that we know duplicated intelligence-agency crypto, the public was only behind by a handful of years. We haven't heard of anything that was like "Oh yeah, the NSA had this twenty years ago." (Differential cryptanalysis is probably the biggest of these gaps, and its timeframe is something of an outlier.)

So either the public is doing a decent job of keeping up with the spooks, there's a massive misinformation campaign where intelligence agencies only admit to having discovered things that the public discovered soon afterwards, or there's a strange bimodal property where the public replicates private results either five years later or fifty.

Also, the NSA is not _fundamentally smarter_ than the rest of the world; they're just possibly more focused on it. So exactly how a clever idea would occur to them in the 1970s and 1980s and have occurred to nobody in academia since then needs some explanation.


If that's true, then the NSA is 40 years ahead of the public.


Some information about computers from the early '50s is still classified — http://www.governmentattic.org/4docs/NSAgenSpecComputers_198... . That plus http://www.governmentattic.org/3docs/NSA-HGPEDC_1964.pdf are interesting reads for anyone interested in the early development of computing.


Spot on. You have to realize that the government buys software and systems that rely on encryption from the private sector. It is in their own interest to have the strongest crypto in government hardware and software. So while they know a lot of exploits they also know that it is quite plausible that our enemies know the same exploits (i.e China, Russia) and using government hardware that uses a poor standard is not a great idea.


>>It is possible that there is still some magic in there to let the NSA magically defeat DES, but we still haven't found it.

Actually the NSA S-boxes are weak against linear cryptanalysis. http://reference.kfupm.edu.sa/content/l/i/linear_cryptanalys...

If I remember Schneier's Applied Cryptography correctly, the NSA S-boxes were among the worst 7% possible.

I wonder what we would be saying about the NSA if we (publicly) discovered linear cryptanalysis before differential. However, I suspect the vulnerability to linear analysis is the result of how structured they made it to resist differential.
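Both properties argued about in this thread, the S-boxes' resistance to differential cryptanalysis (the first comment and the Coppersmith paper cited above) and their exposure to linear cryptanalysis (this comment), are things you can measure directly from the published tables rather than take on authority. The following is an added example, not code from any poster or from a DES library: it builds the difference distribution table (DDT) and the linear approximation table (LAT) for DES S-boxes S1 and S5, whose values are those published in FIPS 46, and checks them against two of the published design criteria (every row is a bijection; flipping one input bit changes at least two output bits) and against Matsui's well-known S5 approximation, where the second input bit agrees with the parity of the four output bits for only 12 of the 64 inputs. The DDT/LAT code is generic, so it can be pointed at any 6-to-4-bit table, not just these two.

```python
# Added example: differential and linear profiles of DES S-boxes.
# S-box tables are the FIPS 46 values for S1 and S5. Input convention is
# the standard one: bits b1 and b6 of the 6-bit input select the row,
# bits b2..b5 select the column (b1 is the most significant bit).

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """Evaluate a DES S-box on a 6-bit input."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def rows_are_bijections(table):
    """Design criterion: each row is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in table)


def ddt(table):
    """ddt[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    t = [[0] * 16 for _ in range(64)]
    for x in range(64):
        for din in range(64):
            t[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return t


def max_differential(table):
    """Largest DDT entry for a nonzero input difference (out of 64 inputs)."""
    t = ddt(table)
    return max(t[din][dout] for din in range(1, 64) for dout in range(16))


def min_output_change_for_single_bit_flip(table):
    """Smallest Hamming weight of the output difference when one input bit flips."""
    t = ddt(table)
    return min(bin(dout).count("1")
               for b in range(6) for dout in range(16) if t[1 << b][dout])


def parity(v):
    return bin(v).count("1") & 1


def lat(table):
    """lat[a][b] = number of inputs x with parity(x & a) == parity(S(x) & b).

    This is Matsui's NS(a, b); 32 means no linear correlation at all."""
    t = [[0] * 16 for _ in range(64)]
    for x in range(64):
        y = sbox(table, x)
        for a in range(64):
            pa = parity(x & a)
            for b in range(16):
                if pa == parity(y & b):
                    t[a][b] += 1
    return t


def best_linear_bias(table):
    """Largest |NS(a, b) - 32| over nonzero input and output masks."""
    t = lat(table)
    return max(abs(t[a][b] - 32) for a in range(1, 64) for b in range(1, 16))


if __name__ == "__main__":
    for name, box in (("S1", S1), ("S5", S5)):
        print(f"{name}: rows bijective={rows_are_bijections(box)}, "
              f"max DDT entry={max_differential(box)}/64, "
              f"single-bit flip changes >= {min_output_change_for_single_bit_flip(box)} output bits, "
              f"best linear bias={best_linear_bias(box)}/64")
    print(f"Matsui NS5(16,15) = {lat(S5)[16][15]}")
```

The DDT ceiling of 16/64 for any nonzero input difference is what "resistant to differential cryptanalysis" means at the S-box level; the LAT is where the cost shows up, since a 12/64 (bias 20/64) linear approximation is what makes Matsui's attack on the full cipher practical. Comparing the two tables side by side is the quantitative version of the comment's closing guess.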


Well, the NSA is building that data center in Utah to store and process all the data they're hoovering up. That data would be much more useful if it weren't encrypted. So they do at least have a motive, even if the ability can't be proved.


If I'm not mistaken, they've sort of tweaked the definition of "interception" too. The game plan is to capture everything and then it's 'intercepted' when they actually listen and analyze it.


So do they basically work on the definition of Schroedinger's box?

"We've captured a bunch of data. But as long as we don't observe it, it's not legally going to be counted as intercepted."

Sounds to me, like a massive slippery slope just waiting to happen.


Yeah, you think?

That was the talk at Defcon, I didn't do enough follow up to find out but it's pretty open that the new Utah data center can store every American's phone calls, emails, .. everything for a century.

If you can slip that through whoever it is that protects us, there are some corner cases. Say we do rub out a terrorist cell that does a successful attack (20 years after this database is running,) could you then mine that database to determine if your AI that finds terrorists works? If I was training up voice finger printing algorithms and such, you have an incredible dataset and there are likely other signals coming in to help populate it (maybe the census? say you're training something that detects Arab accents)

Never mind the fact that it's so huge and so much data that 1) it has to be online and 2) all intelligent queries will be given to AI/Google-like software agents to find. Could a future president query the database to dig up dirt on an upcoming election opponent? (He's the president, right?)


Well, you know, if the President does it, of course it'd be legal.

;)


It is possible that the NSA modified this RNG for perfectly good reasons, but, in my opinion, even the slight possibility of an attack existing is too high when other better RNGs exist.


This isn't a controversy. Nobody would have used that RNG anyways. There's probably no bignum math in any commonly used RNG, let alone elliptic curve math. Not only that, but Dual EC had problems even before Ferguson pointed out the parameter weirdness.

You do not need to be on guard against secret NSA Dual EC backdoors.



