Security Encryption

NSA Announces New Crypto Standards 220

Proaxiom writes "This week the NSA announced the new US government standard for key agreement and digital signatures, called Suite B. Suite B uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. This shouldn't be too surprising given that the NSA licensed Certicom's EC patents for $25 million last year. ECMQV is patented by Certicom. ECDH and ECDSA appear to be generally unencumbered."
This discussion has been archived. No new comments can be posted.

  • by OverlordQ ( 264228 ) on Sunday March 06, 2005 @07:04PM (#11861226) Journal
    OK seriously enough of this tinfoil/conspiracy theorist crap. If the NSA wanted info from Group Foo, they'd say "Hey group foo, we need some info about bar" instead of "Hey group foo, implement algo quux for your security. *waits for how long it gets them to implement*, *waits for important info to get transmitted* *waits even more time to crack cipher*"
  • Re:Huh? (Score:5, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @07:16PM (#11861304) Homepage Journal
    If you really want to read anything meaningful into NSA Information Assurance people throwing their weight behind Elliptic Curve Cryptography, you should consider that maybe that means they consider RSA and standard Diffie-Hellman public key systems to be weak and potentially broken some time in the near future. Now RSA has been looking shaky for the last year or two - it hasn't been broken for key sizes in use, but various improvements and speedups for the Number Field Sieve have made it look a lot more vulnerable. Ordinary Diffie-Hellman possibly being judged a little weak is more interesting.

    Jedidiah.
  • Re:ECMQV broken (Score:5, Insightful)

    by Anonymous Coward on Sunday March 06, 2005 @07:19PM (#11861326)
    One presumes that any encryption standard the US is going to recommend has in fact been broken by the NSA or other security organization. The US has been very clear that it does not want its citizens or anyone else in the world to use encryption that the US cannot break.

    So I would posit that the standard has already been broken by someone, and, if need be, can be decrypted as needed. Perhaps it won't be cheap, but it will be possible.

  • by Anonymous Coward on Sunday March 06, 2005 @07:38PM (#11861449)
    If someone with the resources to break ECMQV really wants my info, they probably also have the resources to Abugharab and get me to give them my keys through other means. Having encryption just hard enough that my ISP can't spy; but weak enough that anyone really powerful can still break it _enhances_ my safety -- because anyone who breaks it will see I have nothing significant to hide anyway.
  • This is good news (Score:4, Insightful)

    by NemesisStar ( 619232 ) on Sunday March 06, 2005 @07:40PM (#11861460)
    While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

    The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods. Instead of using discrete logarithms, elliptic curves use the fact that you need to know three things to be able to get a curve. Two points in space and a formula that describes the curve in reference to these points.

    The most important thing about these standards being made official is not that they are unbreakable. It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography. (Quantum computers will be very good at solving discrete logarithms)
  • Re:ECMQV broken (Score:5, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @07:42PM (#11861473) Homepage Journal
    Of course, if you had actually opened AC's link, you would have seen a paper describing a weakness in ECMQV. Elliptic curves aren't the best objects on which to base an encryption scheme, as they have far too much structure.

    What, may I ask, do you intend to use instead? Elliptic curves are an excellent choice under the circumstances: implementing a Diffie-Hellman (or, in the case of Menezes-Qu-Vanstone, a more complicated variation of Diffie-Hellman) key exchange over a group other than integers mod p. Elliptic curve groups maximise the difficulty of the known algorithms for solving the discrete log problem (breaking Diffie-Hellman).

    Besides, with elliptic curve systems you have the benefit of choosing a random curve, and hence, within constraints, a random group, which means structures of the group are a lot harder to predict - beyond very basic elliptic curve group structures.

    I would be very interested to hear what you are suggesting should be used instead. Is there a cryptosystem using semi-groups that I've never heard of?

    Jedidiah.
  • by Lehk228 ( 705449 ) on Sunday March 06, 2005 @07:52PM (#11861551) Journal
    The advantage is meant to be that keys can be a lot smaller for an equivalent level of security.

    More importantly, keys of the same length are even more secure.
  • Re:ECMQV broken (Score:5, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @08:23PM (#11861727) Homepage Journal
    The NSA is in the business of breaking encryption, not providing unbreakable encryption.

    How did this get modded insightful? The NSA is responsible for Signals Intelligence [nsa.gov], which may involve some breaking of encryption, and Information Assurance [nsa.gov] which most certainly involves the provision of strong security, including encryption.

    ECC is already widely available - Certicom, a Canadian company provides good implementations, and owns about 200 patents relating to it. If it is secure and the NSA can't break it, ignoring its existence isn't going to help them: it is already out there - it is too late for the Signals Intelligence people to worry about it. On the other hand, if there is a good secure encryption system available then promoting it to US government and US companies is a positive thing for the Information Assurance role to be engaged in.

    The amount of uninformed, random, misinformation in this thread is astounding.

    Jedidiah.

  • by Sycraft-fu ( 314770 ) on Sunday March 06, 2005 @08:44PM (#11861819)
    Well officially and apparently, the NSA gave up on trying to keep good crypto out of the hands of the public some time ago. The US government even changed official policy allowing for stronger crypto exports, since you could get the same crypto from non US sources anyhow.

    I wouldn't say you should really trust them more than any other crypto group, but look at it this way: These algorithms are public and known. The NSA, though a big employer, doesn't even begin to have all the math and crypto people in the world. These things get looked at by people from all across the world, and the findings are published.

    Basically, I trust that these are strong, because the international crypto community says so. If the NSA also throws in on it, great, I regard their opinion up there with a major university with good researchers in this field.

    I mean I suppose it's theoretically possible that the NSA has discovered a break that no one else has, and it's obscure enough they believe that no one ever will discover it. Remember for it to be of value it has to be broken, but people have to think it's not. If someone discovered a break the NSA knew about people would stop using the crypto, and the NSA would take a major reputation hit. So while that's possible, I guess, it's pretty far fetched and sounds like pure AFDB land to me.

    I'm betting that yes, it really is good crypto. The NSA and US government seem to have acknowledged the fact that there are smart people all over the world, and they'll develop and distribute good crypto. Nothing the NSA can do to stop it, so they might as well get with the program, make use of it, and recommend it to help protect American assets.

    Other countries (which are what the NSA is concerned about, they are for foreign spying, not domestic) will get good crypto, like it or not. So they just have to deal with that, and they might as well make sure Americans have it as well. The answer to dealing with it then comes from the CIA and human intelligence. The NSA captures the encrypted data, the CIA supplies the key.
  • Re:ECMQV broken (Score:3, Insightful)

    by jericho4.0 ( 565125 ) on Sunday March 06, 2005 @08:52PM (#11861883)
    The NSA has a budget larger than the CIA. Yes some of that money may involve some breaking of encryption, or maybe they spend 3 billion plus a year researching how to protect consumers credit card numbers.

  • Re:ECMQV broken (Score:3, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @09:01PM (#11861947) Homepage Journal
    The NSA has a budget larger than the CIA. Yes some of that money may involve some breaking of encryption, or maybe they spend 3 billion plus a year researching how to protect consumers credit card numbers.

    The NSA are responsible for Foreign Signals Intelligence. That means intercepting, collecting, collating, and analysing foreign signals of interest. That is going to cost huge sums of money regardless of whether there is any encryption to crack along the way.

    The other half of their job is providing secure computing and information systems to the US government and US companies. That includes analysing and advising on proposed cryptographic standards (like DES, AES, SHA-1), creating new cryptosystems, providing secure computing environments (SELinux was what they released to the general public as a demo of "how things should be done", they are undoubtedly doing a lot more themselves), providing secure communications for the US government etc. I expect that all of that doesn't come cheap either.

    Given that neither I, nor you, have any idea at all as to how the NSA distributes their funding (though apparently you have very little idea what the NSA actually do), I think making unfounded assumptions about how much money and work goes to breaking encryption is a little silly. I expect they do spend a fair amount of time and money on it. I expect they also spend a fair amount of time and money on information assurance.

    Jedidiah.
  • Re:ECMQV broken (Score:5, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @09:15PM (#11862031) Homepage Journal
    One presumes that any encryption standard the US is going to recommend has in fact been broken by the NSA or other security organization. The US has been very clear that it does not want its citizens or anyone else in the world to use encryption that the US cannot break.

    And likewise the US has been very clear that it does not want its government, military, businesses using an encryption system that can be broken by other countries. The NSA has 2 roles, Signals Intelligence (which may involve breaking encryption) and Information Assurance (which involves providing secure computing to US government and business). ECC is out there and available, so pretending it doesn't exist just because they can't break it hardly helps them in stopping people using it. That means, from the Signals Intelligence perspective ECC is a moot question, breakable or no. Export controls make little difference considering the company (Certicom) with all the patents on ECC (hundreds, literally) is Canadian. On the other hand, if it is good, strong, and secure, then it is entirely sensible for the Information Assurance arm to promote it as a standard for US business. Let's be honest, RSA has looked weak the last couple of years. You could just as easily claim that this announcement is an effort to move US government and business to a more secure system. Maybe this announcement means that the NSA knows how to break RSA, and figures other countries either know too, or will figure it out soon.

    In short, there is no reason to expect that the NSA can break ECC, and to claim otherwise is just shooting your mouth off with absolutely zero basis. There are other perfectly good explanations, why not consider them instead/as well?

    Jedidiah.
  • by ca1v1n ( 135902 ) <{moc.cinortonaug} {ta} {koons}> on Sunday March 06, 2005 @09:57PM (#11862221)
    The obvious conclusion to draw from this is that the NSA is capable of very fast (maybe near-polynomial) factoring. Think about it. They changed the sboxes in DES, and decades later an attack was found against everything but a small class. They rolled out SHA-1 to replace SHA-0, and decades later SHA-0 was found to be very easy to generate collisions for, much more so than SHA-1 is. Now they're pushing elliptic curves for asymmetric crypto, though they've been resisting pushing RSA for a long time. An alternative explanation is that RSA alone is insecure, but if that were the case, they'd probably have suggested an improvement by now.
  • Re:ECMQV broken (Score:3, Insightful)

    by Taladar ( 717494 ) on Sunday March 06, 2005 @10:33PM (#11862373)
    ...but only the NSA can exploit hardware key escrow designed specifically for them.
    Remind me not to let you design any security systems. An additional weakness in a "secure" system is an additional weakness, regardless of what it was designed to do.
  • Re:ECMQV broken (Score:5, Insightful)

    by TheLink ( 130905 ) on Sunday March 06, 2005 @10:49PM (#11862455) Journal
    Key escrow is a feature not a flaw or weakness.

    Just because people design such systems does not make them incompetent or malicious.

    There are many people or organizations where such an escrow feature is vital.

    It is esp useful with key splitting+combining features. e.g. if A is in a coma, B or C can't individually decrypt the stuff. But B and C _together_ can decrypt the stuff. This maps well to real world requirements.
  • Re:ECMQV broken (Score:4, Insightful)

    by Coryoth ( 254751 ) on Sunday March 06, 2005 @10:59PM (#11862510) Homepage Journal
    Sorry but that's a bit naive. Do you really think the NSA isn't capable of publicly recommending encryption that it can break (but most governments can't) and privately using/recommending a really secure system.

    I'm suggesting the requirement for the NSA to promote to the US government, military and US businesses a system that they are as certain as possible that other countries can't break is at least as significant as having other people use algorithms they can break. Please note that US business is part of that requirement, so they need to be public about it. If the NSA can break it, then they can reasonably expect that other people might be able to break it. That makes it useless for Information Assurance purposes, and promoting US businesses to use such a thing runs contrary to their mandate.

    Okay, maybe they have all manner of cunning schemes in perfect secrecy, and have all kinds of extra secret orders from the government that we don't know about - but at that point you're haring off in wild paranoia with about as much justification as claiming Area 51 is stocked with aliens. We just don't know, but there's no good reason to believe it.

    Jedidiah.
  • Re:ECMQV broken (Score:5, Insightful)

    by Simon Garlick ( 104721 ) on Sunday March 06, 2005 @11:00PM (#11862513)
    As Schneier said,

    "Algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations."
  • Re:ECMQV broken (Score:4, Insightful)

    by Martin Blank ( 154261 ) on Sunday March 06, 2005 @11:08PM (#11862561) Homepage Journal
    No, they bring in the musicians for the social graces.

    This is an eternal quandary, though. If the NSA can't break it easily, then it's considered good. But if the NSA says they approve of it, then it's considered suspicious at best. However, the NSA has to approve of most (all?) of the encryption standards used within the government, and much of the government cannot be trusted to not open their yap at some point, so they have to provide a list of algorithms that they not only approve of, but which are theoretically extremely difficult or impossible to break, even by allies, some of whom have their own incredibly gifted cryptography labs.

    What do you do? What do you do?
  • Re:ECMQV broken (Score:1, Insightful)

    by Anonymous Coward on Monday March 07, 2005 @03:15AM (#11863500)
    The "remind me of not hiring you... etc" is getting old and screams "I am a frustrated geek!!"
