Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
Crypto and security, not really my wheelhouse. This guy is definitely taking NSA to task.
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make so usable that it would be used by default throughout the
Internet, I noticed some things:
* NSA employees participted throughout, and occupied leadership roles
in the committee and among the editors of the documents
* Every once in a while, someone not an NSA employee, but who had
longstanding ties to NSA, would make a suggestion that reduced
privacy or security, but which seemed to make sense when viewed
by people who didn't know much about crypto. For example,
using the same IV (initialization vector) throughout a session,
rather than making a new one for each packet. Or, retaining a
way to for this encryption protocol to specify that no encryption
is to be applied.
* The resulting standard was incredibly complicated -- so complex
that every real cryptographer who tried to analyze it threw up
their hands and said, "We can't even begin to evaluate its
security unless you simplify it radically". See for example:
https://www.schneier.com/paper-ipsec.html
That simplification never happened.
...
In other circumstances I also found situations where NSA employees
explicitly lied to standards committees, such as that for cellphone
encryption, telling them that if they merely debated an
actually-secure protocol, they would be violating the export control
laws unless they excluded all foreigners from the room (in an
international standards committee!). The resulting paralysis is how
we ended up with encryption designed by a clueless Motorola employee
-- and kept secret for years, again due to bad NSA export control
advice, in order to hide its obvious flaws -- that basically XOR'd
each voice packet with the same bit string! Their "encryption"
scheme for the control channel, CMEA, was almost as bad, being
breakable with 2^24 effort and small numbers of ciphertexts:
https://www.schneier.com/cmea-press.html
To this day, no mobile telephone standards committee has considered
or adopted any end-to-end (phone-to-phone) privacy protocols. This is
because the big companies involved, huge telcos, are all in bed with
NSA to make damn sure that working end-to-end encryption never becomes
the default on mobile phones.
http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html?goback=%2Egde_2769297_member_273636108#%21
pretty closely, while leading a group that tried to implement it and
make so usable that it would be used by default throughout the
Internet, I noticed some things:
* NSA employees participted throughout, and occupied leadership roles
in the committee and among the editors of the documents
* Every once in a while, someone not an NSA employee, but who had
longstanding ties to NSA, would make a suggestion that reduced
privacy or security, but which seemed to make sense when viewed
by people who didn't know much about crypto. For example,
using the same IV (initialization vector) throughout a session,
rather than making a new one for each packet. Or, retaining a
way to for this encryption protocol to specify that no encryption
is to be applied.
* The resulting standard was incredibly complicated -- so complex
that every real cryptographer who tried to analyze it threw up
their hands and said, "We can't even begin to evaluate its
security unless you simplify it radically". See for example:
https://www.schneier.com/paper-ipsec.html
That simplification never happened.
...
In other circumstances I also found situations where NSA employees
explicitly lied to standards committees, such as that for cellphone
encryption, telling them that if they merely debated an
actually-secure protocol, they would be violating the export control
laws unless they excluded all foreigners from the room (in an
international standards committee!). The resulting paralysis is how
we ended up with encryption designed by a clueless Motorola employee
-- and kept secret for years, again due to bad NSA export control
advice, in order to hide its obvious flaws -- that basically XOR'd
each voice packet with the same bit string! Their "encryption"
scheme for the control channel, CMEA, was almost as bad, being
breakable with 2^24 effort and small numbers of ciphertexts:
https://www.schneier.com/cmea-press.html
To this day, no mobile telephone standards committee has considered
or adopted any end-to-end (phone-to-phone) privacy protocols. This is
because the big companies involved, huge telcos, are all in bed with
NSA to make damn sure that working end-to-end encryption never becomes
the default on mobile phones.
http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html?goback=%2Egde_2769297_member_273636108#%21