NSA Announces New Crypto Standards
Proaxiom writes "This week the NSA announced the new US government standard for key agreement and digital signatures, called Suite B. Suite B uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. This shouldn't be too surprising given that the NSA licensed Certicom's EC patents for $25 million last year. ECMQV is patented by Certicom. ECDH and ECDSA appear to be generally unencumbered."
WTF? (Score:5, Funny)
Re:WTF? (Score:3, Funny)
I need a life. n.n
The truth finally comes out... (Score:2)
Frankly, I don't think these algorithms will really catch on, their names aren't near as sexy as "RSA" or "SHA".
ECMQV broken (Score:5, Interesting)
Would any cryptographers here care to comment?
Re:ECMQV broken (Score:5, Insightful)
So I would posit that the standard has already been broken by someone, and, if need be, can be decrypted as needed. Perhaps it won't be cheap, but it will be possible.
Re:ECMQV broken (Score:5, Interesting)
You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so.
I know for a fact that several government agencies (Those three letter names before homeland security) used DES encryption for a lot of stuff 10 years ago, because I worked for a company selling it. (We couldn't tell you who they were, but there are only so many places where you can tell someone what city you are going to but not what organization[1]) I also can't tell you what level of security our products were trusted to.
Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.
[1]Not the IRS, we sold the IRS some stuff too, but AFAIK no encryption. Several engineers "regretted" not putting a backdoor in after they learned the IRS was sending tax data with our equipment.
Re:ECMQV broken (Score:3, Informative)
You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so. Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.
Well, yes and no. The actual key is 56 but the entire length is 64 with the 8 bits of parity. That parity was important back in the day.
Re:ECMQV broken (Score:4, Insightful)
This is an eternal quandary, though. If the NSA can't break it easily, then it's considered good. But if the NSA says they approve of it, then it's considered suspicious at best. However, the NSA has to approve of most (all?) of the encryption standards used within the government, and much of the government cannot be trusted to not open their yap at some point, so they have to provide a list of algorithms that they not only approve of, but which are theoretically extremely difficult or impossible to break, even by allies, some of whom have their own incredibly gifted cryptography labs.
What do you do? What do you do?
Re:ECMQV broken (Score:5, Insightful)
"Algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations."
Re:ECMQV broken (Score:2)
Re:ECMQV broken (Score:5, Insightful)
And likewise the US has been very clear that it does not want its government, military, businesses using an encryption system that can be broken by other countries. The NSA has 2 roles, Signals Intelligence (which may involve breaking encryption) and Information Assurance (which involves providing secure computing to US government and business). ECC is out there and available, so pretending it doesn't exist just because they can't break it hardly helps them in stopping people using it. That means, from the Signals Intelligence perspective ECC is a moot questions, breakable or no. Export controls make little difference considering the company (Certicom) with all the patents on ECC (hundreds, literally) is Canadian. On the other hand, if it is good, strong, and secure, then it is entirely sensible for the Information Assurance arm to promote it as a standard for US business. Let's be honest, RSA has looked weak the last couple of years. You could just as easily claim that this announcement is an effort to move US government and business to a more secure system. Maybe this announcement means that the NSA knows how to break RSA, and figures other countries either know too, or will figure it out soon.
In short, there is no reason to expect that the NSA can break ECC, and to claim otherwise is just shooting your mouth off with absolutely zero basis. There are other perfectly good explanations, why not consider them instead/as well?
Jedidiah.
Re:ECMQV broken (Score:5, Informative)
The point here is that they weren't foisting a weak algorithm on people - the algorithm is pretty strong. They were foisting hardware onto people that let NSA decrypt anything you encrypted with that hardware. The distinction is important because anyone (not just the NSA) can break a weak algorithm, but only the NSA can exploit hardware key escrow designed specifically for them.
If ECC was breakable by NSA that doesn't make it a good system to promote, because other countries could also have found the weaknesses. The point is that they do want to promote systems that are secure from other people, and pushing weak algorithms is a really bad way to do that.
Jedidiah.
Re:ECMQV broken (Score:3, Insightful)
Re:ECMQV broken (Score:5, Insightful)
Just because people design such systems does not make them incompetent or malicious.
There are many people or organizations where such an escrow feature is vital.
It is especially useful with key splitting+combining features. e.g. if A is in a coma, B or C can't individually decrypt the stuff. But B and C _together_ can decrypt the stuff. This maps well to real world requirements.
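The "B and C together, but neither alone" arrangement described above is what a threshold secret-sharing scheme provides. The following is an added example, not code from anyone in this thread: a 2-of-3 split of a key using Shamir secret sharing over a prime field. The field prime, the demo key and the share count are constructed for illustration; a production deployment would use a vetted library and a field chosen to fit the key size.

```python
# Added example (not from the thread): 2-of-3 Shamir secret sharing.
# A random line through (0, secret) is evaluated at x = 1, 2, 3; any two
# points determine the line (and thus the secret), one point reveals nothing.

import secrets

PRIME = (1 << 521) - 1   # Mersenne prime; the field must be larger than the secret
DEMO_KEY = 0x0123456789ABCDEF0123456789ABCDEF   # constructed 128-bit demo key

def split_secret(secret: int, threshold: int, shares: int):
    """Evaluate a random degree-(threshold-1) polynomial with constant term
    `secret` at x = 1..shares.  Any `threshold` of the points recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):            # Horner's rule, mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points

def recover_secret(points):
    """Lagrange interpolation at x = 0 over F_PRIME."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret

def demo(secret: int = DEMO_KEY) -> bool:
    """Split 2-of-3 and confirm every pair of shares recovers the secret."""
    s = split_secret(secret, threshold=2, shares=3)
    pairs = [[s[0], s[1]], [s[0], s[2]], [s[1], s[2]]]
    return all(recover_secret(p) == secret for p in pairs)

if __name__ == "__main__":
    print("every pair of shares recovers the key:", demo())
```

A single share is a point on a random line, so by itself it is statistically independent of the key; the check in the test below confirms that feeding one share to the recovery routine does not yield it.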
Re:ECMQV broken (Score:5, Informative)
Given what was implemented, I think you're massively overreacting. Each chip had a secret key and an ID number. When the chip encrypted data it first encrypted its session key using its secret key and included that and the ID in the message. That meant the NSA had to look up the secret key for that ID chip, and then decrypt the session key. Is this a significant extra weakness? To be a weakness you either need: the NSA's ID/secret key table, or the ability to break the algorithm. If the NSA can't keep secrets, or the algorithm is breakable, then the whole question is moot. This is hardly a significant reduction in the strength of the system.
Yes, this system is weaker than a system that used purely session keys: if you want to spend the time you can break the secret key for a given chip, and then decrypt everything thereafter from the chip. That presumes it is at all feasible to break the algorithm - and I suspect the NSA is quite good at designing strong algorithms. In short the system was exactly as strong as the algorithm, and in fact SKIPJACK was declassified and is still considered a very strong algorithm.
Jedidiah.
Re:ECMQV broken (Score:2)
SkipJack/Clipper's Back Door and Sleight-of-hand (Score:2)
Re:ECMQV broken (Score:4, Insightful)
I'm suggesting the requirement for the NSA to promote to the US government, military and US businesses a system that they are as certain as possible that other countries can't break is at least as significant as having other people use algorithms they can break. Please note that US business is part of that requirement, so they need to be public about it. If the NSA can break it, then they can reasonably expect that other people might be able to break it. That makes it useless for Information Assurance purposes, and promoting US businesses to use such a thing runs contrary to their mandate.
Okay, maybe they have all manner of cunning schemes in perfect secrecy, and have all kinds of extra secret orders from the government that we don't know about - but at that point you're haring off in wild paranoia with about as much justification as claiming Area 51 is stocked with aliens. We just don't know, but there's no good reason to believe it.
Jedidiah.
Re:ECMQV broken (Score:2)
Re:ECMQV broken (Score:2)
Wait... we know that!
Re:ECMQV broken (Score:2)
Re:ECMQV broken (Score:5, Interesting)
Would any cryptographers here care to comment?
The paper itself isn't online, so I can only judge from the abstract. It does sound like a reasonable approach (on a completely cursory inspection), but there are a lot of details there, and I am a little unfamiliar with some of the stuff they reference.
As to how severe the break is: they claim they've reduced the complexity from O(q^{1/2}) down to O(q^{1/4}). Now I presume that q here is referring to the characteristic of the finite field that the curve group is over (I'm guessing, I would have to read the paper to know for sure - they don't say - but this is the logical choice). That is, of course, in cryptographic terms fairly significant. In practical terms most serious ECC implementations are using q in the order of 2^200 or more, so it doesn't necessarily represent a serious compromise.
As I say, with only the abstract to go on I really can't comment much. It does look interesting, but I would have to see more.
Jedidiah.
Re:ECMQV broken (Score:2)
Wish I could get hold of the paper. I'm astonished that the NSA would approve a standard that didn't have a tight reduction to the underlying problem though.
Re:ECMQV broken (Score:4, Informative)
4*2 = 8 = 3 mod 5 and 4*4 = 16 = 1 mod 5, so the inverse of 4 is 4.
For the case of the finite field q=2^n, n>0, elements are polynomials of degree at most n-1 with coefficients in F_2 = {0,1}. Arithmetic is done modulo an irreducible polynomial of degree n, like x^2+x+1 if n=2, which means that
x*x = x^2 = -x-1 = x+1 (in F_2, -1 = +1).
For elliptic curves, the points of the elliptic curve are the elements in the group we work with and are ordered pairs (x,y) satisfying y^2 = x^3+ax+b, where x,y,a, and b are in the finite field. Hope this helps!
-- Eric
oh yeah. (Score:2)
Re:2^50 == broken (Score:2)
I'm still curious to see the details of the attack anyway, an abstract doesn't tell you very much.
Jedidiah.
400-500 bits is Too Long (Score:2)
I like my encryption broken. (Score:2, Insightful)
Re:I like my encryption broken. (Score:5, Interesting)
Re:I like my encryption broken. (Score:2)
Re:ECMQV broken (Score:2)
Re:ECMQV broken (Score:5, Insightful)
What, may I ask, do you intend to use instead? Elliptic curves are an excellent choice under the circumstances: implementing a Diffie-Hellman (or, in the case of Menezes-Qu-Vanstone, a more complicated variation of Diffie-Hellman) key exchange over a group other than integers mod p. Elliptic curve groups maximise the difficulty of the known algorithms for solving the discrete log problem (breaking Diffie-Hellman).
Besides, with elliptic curve systems you have the benefit of choosing a random curve, and hence, within constraints, a random group, which means structures of the group are a lot harder to predict - beyond very basic elliptic curve group structures.
I would be very interested to hear what you are suggesting should be used instead. Is there a cryptosystem using semi-groups that I've never heard of?
Jedidiah.
Re:ECMQV broken (Score:5, Interesting)
Another alternative to elliptic curves are hyperelliptic curves, which allow the same amount of security with a much smaller key size, as long as you don't use a curve with genus greater than 4, since there are faster ways to attack those guys. The big problem with hyperelliptic curves is that the arithmetic, while efficient, isn't as efficient as in an elliptic curve.
For the curious:
elliptic curve: E: y^2 = x^3 + a*x + b
hyperelliptic curve: C: y^2 = f(x),
where the degree of f(x) = 2*g +1 or 2*g + 2 and g is the genus of the curve. So a hyperelliptic curve of genus 1 is an elliptic curve.
In response to another question above:
In crypto we work with these curves over a finite field, which is basically a set of numbers of the size q=p^n, where p, the characteristic, is a prime. We either work with p=2 and n~163 or p = a 163-bit prime and n=1. Elements in the finite field of p elements look like {0,1,2,
If I'm unclear or if anyone else has other questions, I'm happy to explain anything further.
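The arithmetic in Eric's reply (inverses mod p, polynomial multiplication in F_{2^n}) and the curve definitions in the hyperelliptic-curve reply above, worked through in code as an added example. This is not code from anyone in the thread; the parameters (F_5, the degree-2 modulus x^2+x+1, the curve y^2 = x^3 + x + 1 over F_5) are tiny constructed values chosen so every step can be checked by hand.

```python
# Added example, not code from the thread: finite-field arithmetic from Eric's
# reply and the curve definitions from the hyperelliptic reply, on toy sizes.

def inv_mod_p(a: int, p: int) -> int:
    """Inverse of a in the prime field F_p via Fermat: a^(p-2) * a = 1 (mod p)."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse in F_p")
    return pow(a, p - 2, p)

def gf2n_mul(a: int, b: int, modulus: int, n: int) -> int:
    """Multiply in F_{2^n}.  Elements are polynomials over F_2 stored as bit
    masks (bit i = coefficient of x^i); `modulus` is the irreducible degree-n
    polynomial, also as a bit mask with bit n set."""
    result = 0
    while b:
        if b & 1:
            result ^= a            # adding coefficients in F_2 is XOR (-1 = +1)
        b >>= 1
        a <<= 1                    # multiply a by x
        if (a >> n) & 1:           # degree reached n: reduce by the modulus
            a ^= modulus
    return result

def on_elliptic_curve(x: int, y: int, a: int, b: int, p: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + a*x + b over F_p."""
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def curve_points(a: int, b: int, p: int):
    """All affine points of y^2 = x^3 + a*x + b over F_p by brute force (fine
    for tiny p).  With the point at infinity added these form the group."""
    return [(x, y) for x in range(p) for y in range(p)
            if on_elliptic_curve(x, y, a, b, p)]

def hyperelliptic_genus(f_degree: int) -> int:
    """Genus g of y^2 = f(x) from deg f = 2g+1 or 2g+2: degree 3 or 4 gives an
    elliptic curve (g = 1); the reply warns against using g > 4."""
    if f_degree < 3:
        raise ValueError("deg f must be at least 3 for genus >= 1")
    return (f_degree - 1) // 2

if __name__ == "__main__":
    print(inv_mod_p(4, 5))                  # 4, as in the reply: 4*4 = 16 = 1 mod 5
    print(bin(gf2n_mul(0b10, 0b10, 0b111, 2)))   # x*x mod x^2+x+1 = x+1 -> 0b11
    print(curve_points(1, 1, 5))            # 8 affine points, group order 9
```

The F_5 curve in the demo has 8 affine points plus the point at infinity, so its group has order 9; real curves use fields of roughly 2^160 elements and more, where enumerating points is impossible and the discrete logarithm in the group is the hard problem.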
Re:ECMQV broken (Score:3, Interesting)
The NSA has some hella good mathematicians working for them. As others have already pointed out, the NSA has on occasion announced that certain cryptosystems are insecure before anyone on the outside had even developed the theorems necessary to attack the system.
And as any true tin-foil-hatter knows, the NSA developed quantum computers fifteen years ago.
They have vested interests in promoting standards 5-10 years behind their current t
Re:ECMQV broken (Score:2)
Re:ECMQV broken (Score:2, Informative)
Breaking into stuff Signals Intelligence [nsa.gov]
and providing good encryption Information Assurance [nsa.gov]
Re:ECMQV broken (Score:5, Insightful)
How did this get modded insightful? The NSA is responsible for Signals Intelligence [nsa.gov], which may involve some breaking of encryption, and Information Assurance [nsa.gov] which most certainly involves the provision of strong security, including encryption.
ECC is already widely available - Certicom, a Canadian company provides good implementations, and owns about 200 patents relating to it. If it is secure and the NSA can't break it, ignoring its existence isn't going to help them: it is already out there - it is too late for the Signals Intelligence people to worry about it. On the other hand, if there is a good secure encryption system available then promoting it to US government and US companies is a positive thing for the Information Assurance role to be engaged in.
The amount of uninformed, random, misinformation in this thread is astounding.
Jedidiah.
Canadian (Score:4, Interesting)
Re:ECMQV broken (Score:3, Insightful)
Re:ECMQV broken (Score:3, Insightful)
The NSA are responsible for Foreign Signals Intelligence. That means intercepting, collecting, collating, and analysing foreign signals of interest. That is going to cost huge sums of money regardless of whether there is any encryption to crack along the way.
The other half of their job is providing s
Re:ECMQV broken (Score:2)
You must be new here ;)
It's not just this thread. In my experience pretty much every Slashdot thread involving an area in which I have any knowledge is filled with the kind of misinformed crap that you are complaining about. The difference in this case is that you actually have enough knowledge to sort the wheat from the chaff, while in many other threads you may not. Caveat Emptor when it comes to any information derived from a
Re:ECMQV broken (Score:2)
True, I guess it is partly that many thread topics are pure opinion, so random spouting is expected, and there are fewer contradictory and false facts cited.
Jedidiah.
Re:ECMQV broken (Score:3, Funny)
Beware Spooks bearing Gifts (Score:2)
NSA, Crypto AG, and the Iraq-Iran Conflict [aci.net]
Breaking Iranian Codes [schneier.com]
Huh? (Score:3, Funny)
I JUST DON'T KNOW!
Re:Huh? (Score:2, Informative)
Re:Huh? (Score:5, Insightful)
Jedidiah.
Re:Huh? (Score:5, Funny)
I hope life makes more sense now. I can hear digeredoo music.
I just re-read that. I need sleep.
Re:Huh? (Score:2, Funny)
Re:Huh? (Score:2)
Ram-a-llama-ding dong (Score:2)
Re:Ram-a-llama-ding dong (Score:2)
Re:Huh? (Score:4, Interesting)
The NSA may not really want our private data to be kept secure, but they do want the banking network to be kept secure. In general, they prefer to get data by finding plaintext or keys on seized equipment, rather than breaking encryption, because anybody can break encryption about equally well, but the government has an advantage in seizing things. That's not to say that they don't insert backdoors in things they don't intend to be secure (like consumer operating systems), particularly in implementations (where the hole can easily involve use of a secret key). But such things don't get this sort of announcement.
Re:Huh? (Score:2)
Re:Huh? (Score:2)
Cheers
Wow... (Score:5, Funny)
Except for their names, of course...
Not unencumbered =( (Score:4, Funny)
Recommended Elliptic Curves (Score:5, Informative)
Recommended Elliptic Curves for Government Use, NIST document (PDF file) [nist.gov]
Wait, what? (Score:3, Interesting)
Weren't the SHA algorithms broken? Or, at least, SHA-1?
Re:Wait, what? (Score:5, Informative)
Ok, there's a lot of misunderstanding on this (Score:5, Informative)
Finding a hash collision is a bitch, however. Hash functions, by their nature, aren't reversible, so that means that you have to sit and try and brute force a collision. You take the value you want, and just keep hashing data until finally after a number of tries that needs exponential notation to express, you find a collision.
What has happened is that a group has shown how to find a collision in the hash faster than just by brute force for SHA 0 (and also 1 they claim). So it takes a lot less work to find a collision. Now that's a relative term, it's still a ton of processing time. What's more, just finding a collision does you no good in most cases, a bunch of random garbage won't be mistaken for a genuine message even if the hashes match. You need to generate a message that has the same hash, and is also a plausible replacement. That's a hell of a lot harder to do and requires a LOT more computation.
So SHA hasn't been broken in that it's not usable, it's just been shown to be not as strong as previously thought, you can find a collision faster than by straight brute force. It still takes a long time, it's just not as long as you'd predict based on hash size.
However, in this case, they are talking about the new SHA-2 standards, which remain unbroken.
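To make the distinction in the post above concrete (any collision vs. a collision against one chosen message), here is an added example, not code from the thread: a birthday search on a deliberately truncated SHA-256. The truncation widths, the counter-string messages and the sample target message are constructed for the demo; shrinking the digest is the only reason this finishes in milliseconds, and it says nothing about full-length SHA-2, where the same search would need on the order of 2^112 hash evaluations.

```python
# Added example (not from the thread): birthday collision vs. second preimage
# on a truncated SHA-256, to show why digest length sets the work factor.

import hashlib

def short_hash(message: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (a constructed toy digest)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int = 20):
    """Hash distinct counter messages until two share a truncated digest.
    Returns (msg_a, msg_b, tries).  The birthday bound predicts about
    2^(bits/2) tries; the pigeonhole principle guarantees success within
    2^bits + 1 distinct inputs, so the loop always returns."""
    seen = {}
    for i in range(2 ** bits + 1):
        msg = b"constructed message %d" % i
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")

def find_second_preimage(target: bytes, bits: int = 16, limit_factor: int = 64):
    """Search for a *different* message whose truncated digest equals that of
    `target`, the "plausible replacement" situation.  Expected cost is about
    2^bits tries rather than 2^(bits/2), because every candidate must hit one
    specific value.  Returns (msg, tries) or None after limit_factor * 2^bits."""
    want = short_hash(target, bits)
    for i in range(limit_factor * 2 ** bits):
        msg = b"constructed candidate %d" % i
        if msg != target and short_hash(msg, bits) == want:
            return msg, i + 1
    return None

if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"20-bit collision after {tries} messages: {a!r} vs {b!r}")
    hit = find_second_preimage(b"amount=100 payee=alice")
    print(f"16-bit second preimage: {hit}")
```

Run it and the collision at 20 bits typically appears after roughly a thousand messages, while matching one fixed 16-bit digest takes tens of thousands; that gap, scaled up to real digest sizes, is the difference between "collision found" headlines and an actual forgery of a specific document.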
You misunderstand greatly, I'm afraid (Score:2)
For a lot of purposes, we rely on our hash functions having basically no "interesting" properties at all. An algorithm for finding collisions faster than brute force can only exist if the hash function has "interesting" properties. This violates our assumptions about what we can do with the hash function. There aren't many cryptographic applicat
Good encryption? (Score:4, Interesting)
If this really is the case, this would cause them problems eavesdropping.
So the question remains: Have they found a successful attack on elliptic curves, or have they finally seen the light and realized that strong encryption is good for society?
Re:Good encryption? (Score:3, Insightful)
Re:Good encryption? (Score:2)
I don't think that somebody deserves this label just because they are realizing that the interests of a government agency are different from the interests of the general public.
Think about the past of NSA.
They kept recommending DES until somebody else (amateurs in this regard) demonstrated that it was possible - and relatively cheap - to break DES by brute force.
And their intent to be able to eavesdrop was even more obvious with the Cli
Re:Good encryption? (Score:5, Informative)
Technically fully half the NSA's job is Information Assurance, which is to say providing strong crypto and information security solutions to US government and US companies. It was the Information Assurance people that provided us with SELinux as a demo of how a secure system could easily be achieved just working from a commodity OS. They are supposed to believe that strong encryption is good for society - US society anyway.
Jedidiah.
Re:Good encryption? (Score:5, Informative)
-
Re:Good encryption? (Score:3, Funny)
[tinfoil] But that's just what they want us to believe... [/tinfoil]
Re:Good encryption? (Score:4, Insightful)
I wouldn't say you should really trust them more than any other crypto group, but look at it this way: These algorithms are public and known. The NSA, though a big employer, doesn't even begin to have all the math and crypto people in the world. These things get looked at by people from all across the world, and the findings are published.
Basically, I trust that these are strong, because the international crypto community says so. If the NSA also throws in on it, great, I regard their opinion up there with a major university with good researchers in this field.
I mean I suppose it's theoretically possible that the NSA has discovered a break that no one else has, and it's obscure enough they believe that no one ever will discover it. Remember for it to be of value it has to be broken, but people have to think it's not. If someone discovered a break the NSA knew about people would stop using the crypto, and the NSA would take a major reputation hit. So while that's possible, I guess, it's pretty far fetched and sounds like pure AFDB land to me.
I'm betting that yes, it really is good crypto. The NSA and US government seem to have acknowledged the fact that there are smart people all over the world, and they'll develop and distribute good crypto. Nothing the NSA can do to stop it, so they might as well get with the program, make use of it, and recommend it to help protect American assets.
Other countries (which are what the NSA is concerned about, they are for foreign spying, not domestic) will get good crypto, like it or not. So they just have to deal with that, and they might as well make sure Americans have it as well. The answer to dealing with it then comes from the CIA and human intelligence. The NSA captures the encrypted data, the CIA supplies the key.
Re:Good encryption? (Score:3, Interesting)
This is why it's so good to have algorithms like these published: they can be examined by others, tested by others, and their security (or lack thereof) can be establi
Re:Good encryption? (Score:2)
Go read a book on crypto.
Suggested: Applied Cryptography. Everything explained so that anyone with opposable thumbs can get the gist.
Answer is: Neither
They just have seen that it's pointless to fight against the windmills. (I don't know if they actually want their recommendations to be public, but it seems they pretty much have no choice.)
Re:Good encryption? (Score:3, Interesting)
mathematicians they have working for them only 1 or 2 of them turn out to be real geniuses,
that's still more than enough to do the work they need...
It's all about playing the numbers
Arash
________________________________________
Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net
Obligatory Wikipedia Link (Score:5, Informative)
Re:Obligatory Wikipedia Link (Score:5, Informative)
Menezes-Qu-Vanstone key agreement is essentially a variation/extension of Diffie-Hellman using a combination of "static" and "ephemeral" public keys to compute the shared secret. The extra wrinkles in the procedure eliminate the possibility of a couple of subtle man in the middle attacks that can be made against EC Diffie-Hellman for certain parameters.
Jedidiah.
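Jedidiah's two replies above (Diffie-Hellman run over the curve group instead of integers mod p, and MQV folding a static key into the ephemeral exchange) can be seen end to end on a tiny curve. The following is an added example and not code from the thread, from Certicom, or from any standard's reference implementation: it uses the common textbook curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of prime order 19, which offers no security and exists only so the numbers can be checked by hand. The MQV part follows the textbook structure (implicit signature s = e + bar(E)*d, then K = s * (E' + bar(E')*S')) with the cofactor, public-key validation and key derivation of the real standard left out.

```python
# Added example (not from the thread): toy ECDH and MQV-style key agreement.
# Parameters are constructed for illustration and provide no security.

P, A, B = 17, 2, 2           # field prime and curve coefficients (y^2 = x^3 + A*x + B)
G = (5, 1)                   # generator point
N = 19                       # order of G (prime, so the cofactor is 1)
INF = None                   # point at infinity, the group identity

def point_add(p1, p2):
    """Group law on the curve in affine coordinates; None is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # p1 == -p2
    if p1 == p2:                                          # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k, point):
    """Double-and-add: k * point.  The discrete log problem is inverting this."""
    result, addend = INF, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh_shared(my_private, their_public):
    """Plain ECDH: multiply the peer's public point by your own scalar."""
    return scalar_mult(my_private, their_public)

def _bar(point):
    """MQV truncation: x-coordinate reduced to about half the bit length of N,
    with a set top bit so the static key always contributes a nonzero term."""
    half = (N.bit_length() + 1) // 2
    return (point[0] % (1 << half)) + (1 << half)

def ecmqv_shared(static_priv, eph_priv, eph_pub, their_static_pub, their_eph_pub):
    """Toy MQV: s = e + bar(E)*d is the implicit signature binding the static
    key d to the ephemeral key e; K = s * (E' + bar(E')*S')."""
    s = (eph_priv + _bar(eph_pub) * static_priv) % N
    combined = point_add(their_eph_pub,
                         scalar_mult(_bar(their_eph_pub), their_static_pub))
    return scalar_mult(s, combined)

def demo():
    """Return (ecdh_alice, ecdh_bob, mqv_alice, mqv_bob); each pair must match."""
    a, b = 3, 7                                   # ECDH private scalars
    dh_alice = ecdh_shared(a, scalar_mult(b, G))
    dh_bob = ecdh_shared(b, scalar_mult(a, G))

    da, ea = 2, 3                                 # Alice: static, ephemeral
    db, eb = 5, 7                                 # Bob: static, ephemeral
    SA, EA = scalar_mult(da, G), scalar_mult(ea, G)
    SB, EB = scalar_mult(db, G), scalar_mult(eb, G)
    mqv_alice = ecmqv_shared(da, ea, EA, SB, EB)
    mqv_bob = ecmqv_shared(db, eb, EB, SA, EA)
    return dh_alice, dh_bob, mqv_alice, mqv_bob

if __name__ == "__main__":
    print(demo())    # ((6, 3), (6, 3), (6, 14), (6, 14))
```

Why both sides agree in MQV: Alice computes s_A * (E_B + bar(E_B)*S_B) = s_A * s_B * G, and Bob computes s_B * (E_A + bar(E_A)*S_A) = s_B * s_A * G. The same structure that Jedidiah mentions is what defeats the unknown-key-share style attacks against plain ECDH: an attacker who replays an ephemeral point cannot produce the matching implicit signature without the static private key.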
Obligatory Wikipedia Reply (Score:2)
Government is slow (Score:2, Informative)
Surprising Announcement (Score:3, Funny)
ECC: What and Why? (Score:5, Informative)
Re:ECC: What and Why? (Score:5, Insightful)
more importantly keys of the same length are even more secure
No, the first thing was more important (Score:2)
I suppose I have to get rid of enigma now (Score:5, Funny)
HAH! (Score:2, Funny)
Makes you wonder... (Score:3, Interesting)
-Charles
Re:Makes you wonder... (Score:2)
I'd guess the latter (Score:3, Interesting)
Basically, the P=NP conjecture says that, if it's easy to prove, it's easy to solve. So, for example, it's easy to check that a jigsaw has been completed correctly, but jigsaws seem hard to solve. A proof of the conjecture would imply that there is in fact an easy (mathematically speaking) way of solving jigsaws.
The interesting thing about the conjecture is that a pro
Re:I'd guess the latter (Score:3, Interesting)
Regards,
Steve
Someone always says it (Score:3, Funny)
Yeah I can do large prime factorization in my head. But I'm sure as hell not telling anyone else how to do it.
Re:Someone always says it (Score:2)
large-prime factorization
vs.
large prime-factorization
Re:Makes you wonder... (Score:5, Informative)
Actually factorization has been looking a little weak for the last couple of years. There hasn't been any big breakthrough, and 1024-bit (and up) RSA isn't exactly broken right now, but there have been a steady number of papers that have offered various improvements to the basic Number Field Sieve algorithm (such as Dan Bernstein's factorization circuit [cr.yp.to]) that it is beginning to look as if it is merely a matter of time before at least 1024-bit RSA is considered insecure.
Certainly if you have enough compute power the present NFS with improvements will be good enough to break RSA keys out. The NSA is not exactly lacking in potentially dedicated compute power.
Jedidiah.
Re:Makes you wonder... (Score:2)
Is that significant for factorization?
This is good news (Score:4, Insightful)
The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods. Instead of using discrete logarithms, elliptic curves use the fact that you need to know three things to be able to get a curve. Two points in space and a formula that describes the curve in reference to these points.
The most important thing about these standards being made official is not that they are unbreakable. It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography. (Quantum computers will be very good at solving discrete logarithms)
Re:This is good news (Score:5, Interesting)
I'm not sure what you mean here. ECC protocols and standard Diffie-Hellman both rely on the hardness of solving the Discrete Log Problem over a finite group. All ECC buys you over standard Diffie-Hellman is a different group (the group formed by the set of points of the curve over some finite field), for which known methods for the discrete log problem are extremely (maximally, in theory) inefficient.
It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography.
Not true in the least. The protocols in Suite B are Elliptic Curve Diffie-Hellman, and Elliptic Curve Menezes-Qu-Vanstone (which is essentially an extended/more complicated version of Diffie-Hellman). Both are entirely useless in a situation where the Discrete Log Problem is easy. As there exists a quantum computing algorithm that solves DLP incredibly efficiently it is safe to say that in the advent of Quantum Computing these protocols will be rendered completely useless.
While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.
I think perhaps he's been having some fun at your expense.
Jedidiah.
Question about quantum computing (Score:2)
Re:Question about quantum computing (Score:2)
Jedidiah.
Re:This is good news (Score:2)
Jedidiah.
Re:This is good news (Score:2)
Someone further up provided a good link to the ECC page on Wikipedia. Perhaps a few of the mods could go and read that before using up their points. It might save us from swimming in uninformed bullshit.
Jedidiah.
Alfred Menezes and Scott Vanstone (Score:5, Interesting)
Alfred [uwaterloo.ca] taught C&O 487, which is Applied Cryptography. He is an excellent lecturer and actively involved in the crypto community. His level of intelligence, professionalism, and kindness never ceases to amaze me.
Scott "taught" C&O 331, which is Coding Theory. He's a down-to-Earth kind of guy, who really didn't know how to teach a class, but boy did he sure know how to simplify tough concepts. His trademark is that he's what we called a "celebrity professor". He never used his office (located at St. Jerome's on campus) to the point where if you looked through his window, you'd never see him there, and everything would be packed up in boxes. His computer was never hooked up and chairs were stacked up such that no one could actually sit down with him and have a conversation.
He was a celebrity professor because he worked at Certicom, and was one of the company's original founders [certicom.com]. He was paid the highest amount out of any C&O professor at the University, and barely ever made it to teach class. He'd spend the day at Certicom instead, and send one of his grad students over from Toronto to Waterloo (despite the weather, since Coding Theory is only available in the Winter term) to teach the class. Sometimes, when there were no grads available to do his teaching duties, he'd ask Alfred (who wrote his PhD under the supervision of Mr. Vanstone) to fill in. Whenever Alfred taught the class I learned 200% more than if Scott were to teach the exact same material.
All that aside, it's nice to see these two fellows get their name in bright lights after all of their hard work throughout the years.
Re:Alfred Menezes and Scott Vanstone (Score:2)
Obvious conclusion: NSA has fast factoring (Score:5, Insightful)
Key agreement (Score:5, Informative)
WTH is it? When a key needs to be exchanged between two machines (like two routers for example), a mutually agreed upon key must exist no matter which encryption you use - blowfish, aes, des, and on and on. The idea is that only the two machines would know what the real key is and it is done automatically.
Diffie-Hellman has been used for decades (Patent expired in 1997) for this and can be found as close as your nearest Cisco router that has encryption enabled. The new algorithm adds a few new twists to it. Those twists may make the key easier to crack, however. Buyer beware, don't bet your life on a mutually agreed upon key like that. Be sure your keys are very secure. This goes for the so called quantum encryption channel as well. I don't think it is as secure as they say it is.
However for most all of us in the world this is perfectly safe for digital signature encrypted data. If you have a need to be absolutely sure a signature is valid, don't use the network. Get it on paper.