21 January 2014

NSA Reputation Is Dirt

Date: Tue, 21 Jan 2014 18:30:39 -0500

From: William Allen Simpson <william.allen.simpson[at]gmail.com>

To: Jerry Leichter <leichter[at]lrw.com>, John Kelsey <crypto.jmk[at]gmail.com>

Subject: Re: [Cryptography] RSA is dead.

I'm surprised at the sudden interest in my month-old December 23 post.

On 1/20/14 2:39 PM, Jerry Leichter wrote:
> On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk[at]gmail.com> wrote:
>> Perhaps this is the result of living in a government bubble for a while, but I certainly saw and heard a lot of the bigger community who thought NSA's involvement in domestic crypto standards and companies was intended to improve security. That's why NSA people were and are openly members of a bunch of standards committees, why people invited NSA guys to give talks and take part in competitions, why people were using stuff like SE Linux. People have been using DSA, the NIST curves, SHA1, and SHA2 for many years, believing them secure--because the assumption was that NSA wasn't putting backdoored stuff out there.
>
> Absolutely. And it's not just a matter of living inside the government bubble. NSA has had a surprisingly good reputation pretty much until Snodownia. Before their involvement with DES, no one really knew anything about them - but every interaction I've ever heard of with NSA people left the impression that they were extremely bright and extremely competent. (A friend who, many years ago, interviewed with both CIA and NSA, thought the interviewers for the former were a bunch of bumbling idiots, while he was very impressed with the latter. He never took a government job, however.)

No. NSA had a good reputation in the '60s. I even recommended a friend for a position there in the mid '70s. (AFAIK, he's still there.)

By the '90s, its reputation was dirt. Because, other than what was known or suspected about DES, every action they took was to inhibit public use of cryptography.

> NSA managed to appear not to be much involved in the old crypto wars. Sure, everyone knew that they were the ones who wanted to be able to keep decrypting stuff, but they managed to come across as mere implementers of policies set elsewhere.
>
> Their involvement with DES looked bad for a while - why *those* S boxes? Why 56 bits? - but then differential cryptanalysis was re-discovered in public and it turned out that NSA had actually specified S-boxes as strong against it as possible - and that the real strength really was around 56 bits. NSA came out as being ahead of the rest of the world, and using their lead to strengthen publicly available crypto.

NSA was *very* involved in the crypto wars!

Have we forgotten that the NSA mole in the IETF, Steve Kent, removed the link encryption option from PPP before RFC 1134 publication in 1989?

Have we forgotten that Steve Kent had the NSA (via the FBI) investigate me for *treason* for posting the PPP CHAP internet-draft circa 1991? Because that would prevent the security agencies from intercepting passwords and pretending to be somebody else....

So by then we knew they were already wiretapping passwords of US citizens and presumably everybody else.

> This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history. You can't look at what RSA did in the light of what we know today. You have to look at it based on what was known or reasonably strongly suspected at the time.

Hogwash. In addition to the well-known Clipper chip, and the well-known 40-bit key export:

(A) Have we forgotten that Steve Kent had my 1994 Cypher Block CheckSum (CBCS) removed from the IETF publication schedule -- because it wasn't compatible with his Null Encryption option?

AFAIK, CBCS was the first attempt at integrating encryption with integrity. Had it been adopted, there would have been no Lucky13, et alia.

And why the heck did we need a null encryption option anyway!

(B) Have we forgotten that Photuris was adopted by acclamation at the Montreal IETF -- and then Cisco announced they were supporting ISAKMP/Oakley/IKE?

My guess is forensic accounting would show that Cisco was paid, just as RSA was recently. Whether it was a cash payment or just a promise that they'd be favorably considered in future bids....

I remember meeting with NSA twice at the supposedly neutral NRL. Phil Karn refused to meet with them, even though he grew up in Maryland and it would have been cheaper for him to meet them. But I naively thought that we could come to an agreement.

Their biggest complaint was that Photuris concealed the parties, which inhibited traffic analysis. And sure enough, that's still what they want today!

All I could get agreement on was expanding the Group-Index field (renamed Schemes in draft -03) from 8 to 16 bits for them to define their own. That took 2 meetings!

(C) Have we forgotten that H-MAC was adopted over IP-MAC, even though we had already shown that H-MAC was formally less secure than IP-MAC (and IP-MAC was older and had already had more analysis)?

Why is it that everything NSA supported at NIST (SHA, SHA1, SHA2, ...) was demonstrably less secure than other proposals?

On 12/23/13 9:29 PM, Theodore Ts'o wrote:
> As for the rest, the lesson we should take from this is, moving forward, if any company in the future hears the words, "I'm from the NSA and I'm here to help", they should run away, as fast as their legs can carry them.

Amen!

_______________________________________________
The cryptography mailing list

cryptography[at]metzdowd.com

http://www.metzdowd.com/mailman/listinfo/cryptography