Encryption Security United States

NSA Says 'No Backdoor' for Spies in New US Encryption Scheme (bloomberg.com)

The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them. From a report: The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor. The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today's computers can't. But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.
  • What is its name? (Score:3, Interesting)

    by LondoMollari ( 172563 ) on Friday May 13, 2022 @10:13AM (#62529474) Homepage

    Has anyone gotten a look at these algorithms yet? Any clue what is in store or if it will be public?

    • by bws111 ( 1216812 )

      Here is one candidate. https://pq-crystals.org/ [pq-crystals.org]

    • Re:What is its name? (Score:5, Informative)

      by Entrope ( 68843 ) on Friday May 13, 2022 @11:12AM (#62529716) Homepage

      NIST is running the competition largely in the open: https://csrc.nist.gov/projects... [nist.gov]

      They started with a large set of candidate algorithms, and in 2020 narrowed the set a second time (the third round of the competition). All of the Third Round candidates are supposed to have both reference implementations and open definitions, although an implementation may be encumbered by patents. The project timeline says they expect to have draft standards sometime between now and 2024.

      • Re:What is its name? (Score:5, Interesting)

        by AcidFnTonic ( 791034 ) on Friday May 13, 2022 @11:44AM (#62529840) Homepage

        NIST is complicit. Was during DualEC scandal too.

        My buddy Dr Adam Young who presented/participated in the group essentially verified to me during conversations how stupid and unable to properly handle these tasks they really are.

        I was walking around Manhattan bitching about the backdoor and how NIST didn't do shit to help us and he basically said they are a bunch of old understaffed out of touch folks who are "doing the best they can and had no clue they were being played by the government".

        Yeah sure. Nothing but a bunch of hacks. I'm still toying with new cryptographic primitives in the hopes of finding something to *truly* give the people power.

        Any claim on "best practices" usually means the backdoor is hidden in those instructions. Any bitsize should be assumed to be too weak. Any padding algorithm should be deemed to inject predictable garbage used to start cryptanalyst work. Any claims that computationally it's secure, should be vetted against the speed of the current #1 supercomputer known to the public, then doubled in strength after that.

        Don't trust anything "weakened" to work with mobile devices. They are so slow that basically supporting them means supporting a brute force search. Amazing people don't realize this.

        One time pads were previously not workable in practice but now they are. Trading an 8TB harddrive with noise to a friend for use as pad basically means you have 8TB over the public internet of *100% safe security* before you burn through the pad. Synced clocks driving over the pad can fix the other issues such as 3rd party attempts to force reuse or MiTM.

        I basically watch the supposed experts of the crypto world continue to lead us directly into the line of fire while claiming later on "no one could have known". Well I know and I'm trying to stop this crap.
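The one-time pad scheme in the comment above stands or falls on two things it passes over quickly: strict bookkeeping so that no pad byte is ever handed out twice, and the fact that any reuse cancels the pad and hands an eavesdropper the XOR of the two plaintexts. The following is an added example (not the commenter's code, and not a scheme anyone on the page published) showing a minimal pad store with a never-rewinding cursor, the receiver-side decrypt, and the leak that reuse produces; the pad bytes, message texts and the 64-byte pad length are constructed for the demonstration.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a request would run past the end of the pad (and so would force reuse)."""


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Constructed example: pad material in memory with a cursor that only moves forward.

    Every pad byte is handed out at most once. When the pad runs out, encryption
    fails instead of wrapping around, because wrapping is exactly what must never happen.
    """

    def __init__(self, pad):
        self.pad = pad
        self.cursor = 0  # index of the first unused pad byte

    def remaining(self):
        return len(self.pad) - self.cursor

    def take(self, n):
        """Consume n fresh pad bytes or refuse; never returns bytes already used."""
        if n > self.remaining():
            raise PadExhausted(f"need {n} pad bytes, only {self.remaining()} unused")
        segment = self.pad[self.cursor:self.cursor + n]
        self.cursor += n
        return segment

    def encrypt(self, message):
        """Return (offset, ciphertext). The offset tells the peer which pad bytes were used,
        so both sides advance through the pad in lock step without coordinating clocks."""
        offset = self.cursor
        return offset, xor_bytes(message, self.take(len(message)))


def decrypt_at(pad, offset, ciphertext):
    """Receiver side: XOR with the same pad segment the sender consumed."""
    segment = pad[offset:offset + len(ciphertext)]
    if len(segment) != len(ciphertext):
        raise PadExhausted("ciphertext refers to pad bytes that do not exist")
    return xor_bytes(ciphertext, segment)


def reuse_leak(c1, c2):
    """What an eavesdropper computes when two ciphertexts share a pad segment:
    c1 XOR c2 == m1 XOR m2. The pad cancels out completely, so this is the failure
    mode the bookkeeping above exists to prevent."""
    return xor_bytes(c1, c2)


def demo():
    """Round trip two messages through a constructed 64-byte pad and report the results."""
    pad = secrets.token_bytes(64)  # constructed: stands in for the comment's 8 TB drive of noise
    sender = OneTimePad(pad)
    m1, m2 = b"attack at dawn", b"retreat at dusk"  # constructed plaintexts
    off1, c1 = sender.encrypt(m1)
    off2, c2 = sender.encrypt(m2)
    return {
        "round_trip_ok": decrypt_at(pad, off1, c1) == m1 and decrypt_at(pad, off2, c2) == m2,
        "segments_disjoint": off2 == off1 + len(m1),
        "pad_left": sender.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The offset travelling with each ciphertext is the simplest form of the synchronisation the comment attributes to "synced clocks": the receiver needs to know which pad bytes were used, and neither side may ever reuse a byte, which is why `take` refuses rather than wrapping. `reuse_leak` shows what is lost the moment that rule is broken.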

        • Backdoors are just one subversion. Besides, what's NSA's definition of 'backdoor'?

          • Re: (Score:3, Interesting)

            by AcidFnTonic ( 791034 )

            Last time it was "poisoned key generation, only some are strong most are weak garbage, key point, NSA controls handing out keys (only strong ones)".

            Then when we attack that, everyone says "But the government uses the same scheme!". (yeah with their near-perfect strong key selection that they never told anyone about).

            How's that?

          • Look up "Skipjack".

            Here: https://en.wikipedia.org/wiki/... [wikipedia.org]

        • Any thoughts on this recent supposedly post quantum public key crypto system? [sciencedaily.com]
          • by ezdiy ( 2717051 )

            This chaos woo has been around for about 2 decades, and is a bit of Sokal inversely squared.

            Coupled-oscillators KEX via Lorenz maps trivially reduces to ZK MPC. Basically, I commit to a number with its hash, and then reveal the number - or not - depending on your generator state you've hash-committed to in your round before (that way you don't leak the entire shared key to an eavesdropper, only a random half of it). Do this many times over back and forth and bam, you have KEX. It's not really that cheap though, c

        • I will say that the whole "FIPS validation" is a real mess now, taking 2+ years to get anything validated. The most recent validated Windows build is 1809.
    • by ezdiy ( 2717051 )

      Entire pq-crypto mailing list did. Just go read it, all the big names are there. And yes, things like MLWE (delivers most efficient schemes) did receive their share of criticism, chiefly because it's not clear whether search/decisional problems really are quantum secure.

      As far as I can tell, people are far more sure about Picnic (ZK-MPC) and SPHINCS (Lamport on steroids), both of which depend primarily on QROM - and since the rest of the crypto world depends on ROM anyway ("hash functions"), they're deemed much st

  • NSA = Government = Political Hacks = Lairs
    • No, no, I'm sure the 100+ acre datacenter in Utah is just being used to play Farmwille....
      • Its purpose is to be able to brute force anything a cell-phone can handle. Any real encryption is always weakened just enough to supposedly allow mobile use to not take on heavy power usage or battery issues.

        Then they build a supercomputer that can brute force these slightly weakened algorithms that they know will be used on much faster computers that should have known better.

        The answer is to support stronger encryption algorithms that are too non-performant for cell phones. Might actually be strong enough

        • by sl3xd ( 111641 ) on Saturday May 14, 2022 @02:07AM (#62532112) Journal

          Its purpose is to be able to brute force anything a cell-phone can handle. Any real encryption is always weakened just enough to supposedly allow mobile use to not take on heavy power usage or battery issues.

          What utter nonsense. AES-256 is fully quantum resistant to the heat death of the universe, and can run efficiently on an 8-bit microcontroller. It's doubtful that AES-128 would ever be broken by a quantum computer, but at least it's *possible*

          Elliptic curve cryptography (like Curve25519) is also extremely efficient and requires low power -- and is perfectly suitable for extremely low power devices, and has been very thoroughly vetted. EC is vulnerable to Quantum computing - hence the competition.

          We (rightly) applaud wildly when researchers manage to get to another milestone. It's also important to realize the ENORMOUS gap between the current state of the art and a quantum computer capable of Shor's algorithm -- which may be as fanciful as faster-than-light travel.

    • "Lairs"??

      Did you perhaps mean "Liars"?

      Because that would make more sense in context - though I admit so many James Bond (and other) movies have their evil villains ensconced in volcano, space or other equally unlikely but amazing lairs.

      I can easily see Vladimir Putin clasping his fingers together - snickering evilly - as he plots the downfall of Ukraine, while in his secret LEGO lair (because the dude is currently a ridiculous tool for utterly failing to defeat a much smaller and presumed weaker country

    • by hey! ( 33014 ) on Friday May 13, 2022 @11:10AM (#62529714) Homepage Journal

      NSA = uber-nerds that work for the government.
      Whether the government is controlled by political hacks is up to you.

      Look at Russia. Russian people are no more monsters than anyone else. They just hate and despise politics. They do so because they have been *taught* to do so: by... politicians. Yes, there are a few people who truly believe the propaganda, but if you scratch the surface of most people what you get is kind of a resigned, apathetic resignation. They go along with what they know is wrong because they don't feel anything better is possible. But better is *always* possible.

      Hannah Arendt nailed the way authoritarians emasculate the masses by promoting cheap cynicism: “The aim of totalitarian education has never been to instill convictions but to destroy the capacity to form any.”

      • And that's a sad thing. They are going to bounce from one mess to another until they understand that there is a different way to think.

      • "NSA = uber-nerds that work for the government." Same old bogus comeback! Criticism of government organizational leadership and current goals is automatically converted to "oh, you're criticizing the actual workers."

        "Whether the government is controlled by political hacks is up to you." no one at the state or federal level I cast a ballot for.
      • Whether the government is controlled by political hacks is up to you.

        Liar. It is up to the average. I am part of the average but I am nowhere near the average. I have not voted for a single person that has power right now. I have voted for their opponents. It makes no difference. It is the average that matters and the average is so fucking stupid that if they could forget to breathe, they would.

    • by mmell ( 832646 )
      So I guess running SELinux is a bad idea?
      • Compared to what other OS? Windows? I'll take SELinux any day...
        • SELinux [wikipedia.org] is an extension to the security subsystem in Linux meant for enforcing MAC (Mandatory Access Control). It's not an OS on its own.

          That being said, most simply disable it wherever it is found the split second something isn't labeled properly. Read: pretty much one second after initial login, as it's the first recommendation on Google when a problem comes up, regardless of whether the problem is SELinux or something else entirely. In that respect, running anything else would be a better option. As a disa
      • SELinux - OpenBSD considers MAC to be too complicated and impossible to verify so they don't use it.
    • You'll excuse me if I don't believe you for one goddamn second.

  • by gweihir ( 88907 ) on Friday May 13, 2022 @10:26AM (#62529534)

    But the new things probably have issues. Because there really is no need for new standards at the moment.

    Incidentally, the thing dropped was not an "encryption standard", it was a CPRNG, i.e. a cryptographic pseudo random number generator. With this "quality" of reporting, you should probably not trust anything claimed.

    • Re: (Score:3, Interesting)

      by olsmeister ( 1488789 )
      If you read the summary, you will see that the new standards are not because there is not a threat to the system in use at the moment, but rather an attempt to get ahead of quantum computing that in the future may be able to crack current schemes.
      • by gweihir ( 88907 )

        I am aware of that. And I re-iterate: There is no need for new standards. Quantum computing is not even known to work at this time and it is certainly known to scale exceptionally badly should it turn out to work eventually, say in a few 100 years. I am pretty much convinced there is something else behind this.

        • by Anonymous Coward

          How sure are you of your statement? I'm not worried about the state of quantum cracking in the US, where papers get published. I worried about the state of it in China where they are pouring gobs of money into the technology and very little info comes out.

          Your statement of 'no need for new standards' is based on a flawed assumption - that being you, personally, know the current global state of the art in all quantum development. If you did, you wouldn't be posting here on /. - you'd be betting for/agains

        • by TechyImmigrant ( 175943 ) on Friday May 13, 2022 @10:53AM (#62529654) Homepage Journal

          I am aware of that. And I re-iterate: There is no need for new standards. Quantum computing is not even known to work at this time and it is certainly known to scale exceptionally badly should it turn out to work eventually, say in a few 100 years. I am pretty much convinced there is something else behind this.

          I tend to agree. The rush to standardize PQ algorithms seems out of step with the reality of quantum computers and the state of the cryptanalysis. When one of the three finalists (Rainbow) in the NIST PQ competition gets broken by a classical attack, that suggests that there is not sufficient cryptanalysis going on.

          From the NSA guy:
          “Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

          But they don't all appear strong and either the NSA, with all their resources, failed to find what Ward Beullens found, or they are lying. https://eprint.iacr.org/2022/2... [iacr.org]

          • by gweihir ( 88907 )

            Indeed. The whole thing smells really bad. It may also be incompetence, but that would not make it any better. Finalists must be secure and for the AES competition they all were.

            • I don't know how to count how much cryptanalysis is going on. I suspect the PQ side is getting less than AES did, because it's a slightly more esoteric domain of mathematics. Supersingular isogenies for breakfast? I don't know that, it's just my guess.

              I am particularly impressed with the PQ Extractor work, which does not figure in the NIST PQ competition, to their shame.
              The security proofs take a much stronger form - There is no quantum arrangement of stuff, fully entangled with the noise source, that ca

    • by bws111 ( 1216812 ) on Friday May 13, 2022 @10:48AM (#62529632)

      The 'new things' are not a replacement for AES. They are a replacement (or, more likely, additions) for the public key algorithms used for key exchange and signing (things for which AES is useless). AES doesn't protect you at all if an attacker can intercept the key exchange.

      • by gweihir ( 88907 )

        I am aware of that. In actual reality none of the algorithms they want to replace have backdoors and QCs do not work and may either never work or never scale to be any threat to _current_ key lengths.

  • yeh, right... (Score:4, Insightful)

    by higuita ( 129722 ) on Friday May 13, 2022 @10:27AM (#62529538) Homepage

    So if they say that there are no backdoors and that everyone should use it... then it is full of backdoors for sure.
    If they were quiet about it, they probably had a backdoor, but if the NSA announces something, you know it is a lie!

    • by jmccue ( 834797 )
      That is my thing, these days if any powerful person or entity makes an absolute statement, it usually means the exact opposite. A good current example are some justices on the US Supreme Court.
      • Re:yeh, right... (Score:5, Insightful)

        by SirSlud ( 67381 ) on Friday May 13, 2022 @11:20AM (#62529744) Homepage

        if any powerful person or entity makes an absolute statement, it usually means the exact opposite

        Such a belief makes you just as easy to manipulate as if you believed that any absolute statement they made usually meant it was true.

        • if any powerful person or entity makes an absolute statement, it usually means the exact opposite

          Such a belief makes you just as easy to manipulate as if you believed that any absolute statement they made usually meant it was true.

          This is exactly true. People need to actually devote thought to issues, not have a standard fallback. Once you think about things instead of being self manipulated by cynicism, you end up a lot more insightful.

          I can trigger many people - watch.

          Not all Republican ideas are bullshit.

          Not all Democrat ideas are bullshit

          Not all Libertarian ideas are bullshit

          Not all Republican ideas are right.

          Not all Democrat ideas are right

          Not all Libertarian ideas are right

          Anyone I haven't pissed off?

          • Real communism has never been tried;

            • Real communism has never been tried;

              All total 'isms' fail. They all depend on a utopian and monolithic idea of human nature. It's not possible to institute pure communism, or capitalism, or libertarianism. Even the gentlest ism, socialism, will fail.

              People think of the US as a capitalist society. We are actually a blend of many things. It is the only possible way to make things work. If one or the other gets too powerful, things get shaky.

          • You missed the Pope. Then again, dude is fairly chill for a Pope.

      • by mmell ( 832646 )

        Need I remind you, the US government is a res publica. As a citizen, I am also part of the government (as are you, if you're a US citizen). Just because it came from the government doesn't automatically make it contaminated or bad.

        In this instance, I'm inclined to trust the NSA. Not that I would ever trust the NSA without a good reason. In this case, they actively want all US interests protected by the best encryption they can devise. If they want to know about the inner workings of any foreign or dom

        • In this instance, I'm inclined to trust the NSA. Not that I would ever trust the NSA without a good reason. In this case, they actively want all US interests protected by the best encryption they can devise. If they want to know about the inner workings of any foreign or domestic entity, they have plenty of proven techniques at their disposal. In this case, I perceive the government's interests largely coincide with my own.

          Protection from foreign adversaries but not necessarily themselves.

          If a contest is conducted with integrity and there is reason to have confidence that the selected algorithm is not the product of a security service, that is a way different scenario than accepting an algorithm a security service devised themselves.

          I'm guessing EC encryption will prove as vulnerable as AES, DES, RSA, et al. to quantum attack?

          Symmetric ciphers are generally not vulnerable.
          https://eprint.iacr.org/2019/2... [iacr.org]

          RSA and EC in the same post quantum boat.

        • One of the information sharing forums I am on had a popup "Do you trust NSA?" when authenticating on it. I had to get a snip, and I found it both funny and a bit difficult to answer in a moralist, philosophical way. My immediate, gut reaction is "no", but then "I suppose, for this specific instance of authenticating for this, sure".
    • by mmell ( 832646 )

      As an IT professional, I'm paid to be paranoid. You, sir, make me look like a rank amateur.

      To be sure, I wouldn't trust NSA either. Fortunately, they're not the only players on the field. I don't trust the NSA, but I do trust the hundreds of non-NSA participants who have eyes on the process. It's the same reason I trust SELinux. NSA may have been the driving force in its creation, but literally thousands of non-NSA eyeballs have looked over the code. If they hid a backdoor in there, it must be based

      • I actually had my VP of IS verify that I am paid to be paranoid. I mostly trust him lol, everyone else is sus. Most of my vendors are super sus.
      • by higuita ( 129722 )

        true... but crypto is hard, very hard... it is easy to hide problems in small places, which you can later abuse while others know nothing about them
        they try... sometimes they manage to merge it, other times they fail: https://www.theregister.com/20... [theregister.com]
        but you may be less vigilant if the NSA pays some "known and trusted specialist" to propose some change they want and claim it as his own

    • This might mean getting the NSA top leadership and the management of the section producing the new standard to ALL swear before congress that there are no backdoors - with a clear understanding that they will all go to prison for 10 years and lose their entire pension entitlement if it proves to be otherwise. THEN it's possible I MIGHT believe them...

      • by higuita ( 129722 )

        that would never happen, for the "security of the nation"... how many have sworn to the president, congress, senate and later were found false... yet almost always nothing happens to those people...

  • by Chas ( 5144 ) on Friday May 13, 2022 @10:32AM (#62529552) Homepage Journal

    Wow, I'm finding I have a distinct lack of trust in their word...

  • The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview.

    The statement from Joyce does not endorse the submitter/editor's commentary:

    The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them.

    If you're going to editorialize, please try to do it with some substance. I can assure you that an encryption standard can be written without a backdoor that the NSA can still easily bypass.

    • by mmell ( 832646 )
      Yeah, like dual rot 13.
      • Yeah, like dual rot 13.

        Federal agents are on their way to your place now. How dare you release this into the wild? Nothing is safe now.

    • by mark-t ( 151149 )
      RSA 15360 has no back door, and cannot be easily bypassed (provable with math), not with existing technology at least, and not for the foreseeable future. The NSA may have a lot of resources, but they can't change how math works.
  • by UnknowingFool ( 672806 ) on Friday May 13, 2022 @10:38AM (#62529580)
  • The back door that is mentioned is Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) [wikipedia.org]. Computerphile presented details on the possible backdoor [youtu.be]. The gist is that while the algorithm itself appeared to be secure, an inherent vulnerability is in the selection of constants. The constants should be random numbers that have no relationship to each other; however, it would be difficult to determine if there was a complex mathematical relationship. Part of the NIST standard required specific constants that the NSA provided, and the algorithm would not be certified by NIST if those constants were not used.
  • "Backdoors" are not "flaws" in this context, they would be purpose built bypasses of the standard access control mechanism. This varies significantly from undisclosed or unknown design weaknesses that fall apart for everyone when discovered. State actors like backdoors, but it isn't supposed to be an unlocked backdoor, just one that only they have the key to.

    • In context, a previous algorithm (Dual EC DRBG) is believed to have vulnerabilities that the NSA inserted. The algorithm required P and Q constants to be random to be secure but since the NSA picked those constants, they may not be random. So it was a vulnerability that the NSA inserted to use as a backdoor. While users could pick different constants, they would not get NIST certification.
  • That the AES standard we all know and love does have a backdoor?
    • Re:Does that mean (Score:5, Interesting)

      by TechyImmigrant ( 175943 ) on Friday May 13, 2022 @11:01AM (#62529672) Homepage Journal

      >That the AES standard we all know and love does have a backdoor?

      The block size limitation. Not a backdoor now (that I know of), but by limiting to 128 bits, they're setting it up to fail.
      Take a look at the Simon and Speck paper from the NSA, they obviously left the 256 bit block size option out without explanation. There are six 3 LFSR based sequences in the key schedule and 6 total from XOR each with a repeating pattern. One sequence for each configuration of key and data size. They used 5. #6 is for the 256 bit block size. The hole is rather obvious when you look.

      It was in the rules of the AES competition that it have a 128 bit block size. The winning entrant, even though it can support bigger blocks had that stuff pulled out for the standard.

      It's not like people haven't been telling NIST that we want bigger block sizes. Anyone doing hardware crypto knows how it gets more efficient in terms of cycles/byte as you increase the block size. But NIST have been silent on the matter for years.

      • You can increase the block size of any symmetric cipher by encrypting your data twice by a multiple of the base block size. Generate two keys and IVs. Encrypt the larger block of data one time with the first key. The output so far is the exact same result of what we do now. The next steps increase the block size. Move the last byte to the beginning. Encrypt the already encrypted data using the second key. You've now enlarged the block size to the new multiple of the original block size, doubled the n

        • Wouldn't the NSA still be just cracking two 128 bit block sizes? I get they are stacked, but you basically have two keys and those are each only 128 bit.

          It's still an improvement but I would think 256 bit would take exponentially longer than two 128 bit strings.

          • Wouldn't the NSA still be just cracking two 128 bit block sizes? I get they are stacked, but you basically have two keys and those are each only 128 bit.

            It's still an improvement but I would think 256 bit would take exponentially longer than two 128 bit strings.

            Cracking two keys of 128 bits is an O(2^129) problem. Cracking a single 256 bit key is an O(2^256) problem. You can combine independent 128 bit keys to achieve O(2^256) security against brute forcing the key, but you have to do it right.

            The problem with block size is that regardless of the key size, the collision rate, or lack thereof, leaks information and the birthday bound applies so it isn't 2^128 any more. At 128 it's ok today, hence the limit on outputs per key in the CTR spec, but I don't know about a d
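Both claims in the reply above, that two independent 128-bit keys cost on the order of 2^129 rather than 2^256 to recover, and that the birthday bound on a cipher's block size limits how much data one key may protect, can be checked at small scale. The following is an added example, not the commenter's code: a constructed toy cipher with a 16-bit key and a 32-bit block (deliberately tiny so the whole key space can be enumerated, and not a real cipher) is applied twice with two keys, and the standard meet-in-the-middle tabulation recovers both keys with roughly 2 * 2^16 cipher evaluations instead of 2^32. It also includes the textbook birthday-bound estimate for how many n-bit blocks can be produced before a collision becomes likely, which is the reasoning behind the per-key output limits the reply mentions.

```python
import math

MASK32 = 0xFFFFFFFF
ROUNDS = 4


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def _rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK32


def _expand(key16):
    # Constructed key schedule: repeat the 16-bit key into a 32-bit round key.
    return ((key16 & 0xFFFF) << 16) | (key16 & 0xFFFF)


def toy_encrypt(key16, block):
    """Constructed toy cipher: 16-bit key, 32-bit block, a few add/rotate/xor rounds.
    Each step is a bijection, so decryption is exact. Illustrative only, not secure."""
    k = _expand(key16)
    x = block & MASK32
    for i in range(ROUNDS):
        x = (x + k + i) & MASK32
        x = _rotl(x, 7) ^ k
    return x


def toy_decrypt(key16, block):
    """Inverse of toy_encrypt: undo each round in reverse order."""
    k = _expand(key16)
    x = block & MASK32
    for i in reversed(range(ROUNDS)):
        x = _rotr(x ^ k, 7)
        x = (x - k - i) & MASK32
    return x


def double_encrypt(k1, k2, block):
    """Apply the cipher twice with independent keys, as in the 'two keys' proposal."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with the known (plaintext, ciphertext) pairs.

    Tabulate E_k1(P0) for all 2^16 values of k1, then for each k2 compute D_k2(C0) and
    look it up: a hit means the two halves meet in the middle. That is about 2 * 2^16
    cipher calls, not 2^32. Extra pairs weed out accidental matches.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        for k1 in forward.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


def birthday_blocks(block_bits, probability=0.5):
    """Approximate number of random n-bit blocks after which some two of them collide
    with the given probability: sqrt(2 * 2^n * ln(1 / (1 - p))).
    For n = 64 that is about 2^32 blocks (32 GiB); for n = 128, about 2^64 blocks."""
    return int(math.sqrt(2 * (1 << block_bits) * math.log(1 / (1 - probability))))


def demo():
    """Constructed secret keys and plaintexts; returns the key pairs the search recovers."""
    k1, k2 = 0x1234, 0xBEEF
    plaintexts = [0xDEADBEEF, 0x01234567]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered:", [(hex(a), hex(b)) for a, b in demo()])
    for n in (64, 128):
        print(f"{n}-bit blocks: collision likely after ~2^{math.log2(birthday_blocks(n)):.1f} blocks")
```

The search stores 2^16 intermediate values and makes 2^16 lookups, which is why cascading a cipher twice with independent keys buys about one extra bit of brute-force resistance rather than doubling the key length; the same structure scales to the 128-bit case in the reply. `birthday_blocks` is the separate, key-size-independent limit: a 64-bit block cipher starts leaking after a few gigabytes under one key, which is the reason for the per-key output caps in CTR-mode specifications.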

        • by ezdiy ( 2717051 )

          This doesn't increase block size, but merely chains the blocks. Bottom line: Small block size isn't much of an issue in and of itself. For instance, stream ciphers are, gasp, one byte of block size! Oh, the humanity!

          The issues with Speck were more in terms of key expansion.

          • >For instance, stream ciphers are, gasp, one byte of block size!

            Well technically 1 bit, but the strength comes from the PRG properties of the key sequence generator (e.g. AES-CTR, or Hash-CTR (like ChaCha)) and the PRNG properties are a function of the block size and key size along with all the other things that matter.

      • by ezdiy ( 2717051 )

        Nobody proposed 256bit blocks back then, and nobody sane does now. Most ciphers that entered the competition were in fact derived from 64bit block size ciphers (IDEA, Cast, Twofish at least). Were they all secretly NSA shills? Not really. 64bit is plenty for their structure, and 128bit is deemed conservative.

        Anyone doing hardware crypto knows how it gets more efficient in terms of cycles/byte as you increase the block size.

        Pure bollocks. From anything ranging pipelined ASIC to 8bit implementations, you'd en

        • Nobody proposed 256bit blocks back then, and nobody sane does now. Most ciphers that entered the competition were in fact derived from 64bit block size ciphers (IDEA, Cast, Twofish at least). Were they all secretly NSA shills? Not really. 64bit is plenty for their structure, and 128bit is deemed conservative.

          Anyone doing hardware crypto knows how it gets more efficient in terms of cycles/byte as you increase the block size.

          Pure bollocks. From anything ranging from pipelined ASICs to 8bit implementations, you'd end up with double the gates or double the register pressure respectively. Hardly "more efficient". It's worth noting that AES indeed isn't very efficient at blocks smaller than 128bits (owing to its weak key expansion, you'd need to do a lot more rounds or per-block expansion). But that doesn't mean it gets better as you increase the size of the block state, either. This ain't a hash function.

          >Nobody proposed 256bit blocks back then, and nobody sane does now.
          Some time after AES had settled in, I sat in a conference with NIST people and industry people and a guy (I think from Cisco) was proposing exactly that. Bigger blocks, all the way up to the full size of a packet or a disk block. I personally have expressed the need for larger blocks to NIST and NSA employees. The lack of feedback of any form (i.e. they are not going to talk about it) speaks volumes.

          You would need to do some more rounds (

    • No, it was Dual EC DRBG.
  • NSA not involved (Score:4, Interesting)

    by jacks smirking reven ( 909048 ) on Friday May 13, 2022 @10:45AM (#62529616)

    According at least to the article the comment from the NSA was in regards to the standards that NIST is developing and the NSA had no involvement in the development of the standard, they just have done testing on it. Apparently the NSA already has their own quantum-proof systems they use internally.

    NIST, which started the post-quantum contest in 2016, has taken pains to stress independence in overseeing the public competition, which is now down to seven finalists from 69 initial viable submissions “from all over the world.” While the NSA has helped design and edit NIST standards in the past, this time the institute has made all decisions about the new algorithms internally, relying on the expertise of its post-quantum cryptography team, a NIST spokesperson told Bloomberg.

    • Rather nonsensical to claim "quantum proof" when we don't even know what algorithms QM will be running. Breaking commonly used encryption will take tens of millions of qubits so maybe this decade isn't quite the time to worry though

    • NSA had no involvement in the development of the standard, they just have done testing on it

      I'm not saying it was aliens . . . but it was aliens. :P

  • I’m staying on the side that this is a scheme, honest scheme, until a protocol proof emerges quantum impervious and network defensible against attack.

    I’m thinking a secret sized under 12 bits.

  • And I've got this bridge to sell you

  • ...that's exactly what a witchalock would say.

    https://www.penny-arcade.com/c... [penny-arcade.com]

  • Right, it does not have a backdoor that needs to be broken. It has a sidedoor that one can just open with the key, no need to break anything.

    Why would anyone trust the NSA for any reason?

    • If it has a simple key, then they already have mastered copying keys and that sidedoor has always been there.

      Trust any device when we know the NSA would intercept shipments from Cisco to tamper with the equipment? If you are a target, you better be sitting outside the factories to pick up your new devices.

      • > If you are a target, you better be sitting outside the factories to pick up your new devices.

        Do not discount supply chain attacks.

      • You're not paranoid enough; you think the NSA wouldn't have someone installing whatever it is they install INSIDE the factory?

        Juan may be paid $100/week to assemble routers in Tijuana; if the NSA catches up to him after his shift and offers to pay him $300/wk to load custom firmware, or load this "special" reel of chips into the machine placing chips, or whatever, do you think he's going to turn it down? He has a family of 8 living in a 16x16 plywood house with a dirt floor; with an extra $800/month he can

  • As long as they don't admit they backdoor'd Dual_EC_DRBG and subverted both NIST and RSA through money and influence they prove they are untrustworthy.

    Any non US governments adopting anything new coming out of NIST is selling their citizens down the river for no real benefit. Just say no.

  • ....they would say that.

    But in fairness, having a known back door in a commonly used encryption scheme makes that information some of the most valuable on earth. That it will be sold off by someone to someone is inevitable. If the government is itself intending to use these new encryption standards, it's in their best interest to use standards with no back door at all. Else they're just fooling themselves.

  • Hammers and blow-torches are very effective.

  • I'm a US citizen. I support my government. I believe that intelligence agencies are addressing real threats to my country. Espionage agencies are comprised of human beings who are imperfect and sometimes out of control, but they still have legit reasons to access citizen data, under the right controls and oversight.

    Now that's out of the way, let me say that I don't believe a word that comes out of the NSA, and nobody else should, either.

    The NSA is a SPY AGENCY. They are SPOOKS. Espionage works dee
  • We present to you... The FRONT DOOR!

  • The question is, does the NSA not care about backdoors because they figured out a factorization shortcut? With that shortcut the algorithm doesn't need a backdoor, since modern encryption is predicated on the idea that prime factorization is hard.

  • But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.

    Glad someone finally noticed. [youtube.com]

  • So... that means AES they can crack or worse - has a backdoor?

  • I don't think we can trust the NSA not to have a "back door" regardless of what they say. So much spying on US citizens deemed not politically correct has been done by the NSA and other government agencies. I suspect they want to continue these unethical activities.
