[Cryptography] new wiretap resistance in iOS 8?

Jerry Leichter leichter at lrw.com
Sun Sep 21 09:13:27 EDT 2014


On Sep 20, 2014, at 4:18 PM, John Denker <jsd at av8n.com> wrote:
> Probably the biggest threat from the NSA is more
> /indirect/.  I am referring to weakening crypto 
> standards and products, again and again over the 
> years, thereby creating conditions for a Hobbesian 
> war of all against all.  For example, IMHO it was 
> both arrogant and stupid for the NSA to think they 
> would be the only ones who could break 56-bit DES.
I'm not sure this is an accurate rendering of the history.  NSA comes up with ciphers that are approved for some period of time.  They are then replaced with new, stronger ones.  When it was approved in 1976, it's not clear even NSA could muster the hardware for a brute force attack; in fact, I'd guess not.  The first *public* attack wouldn't come until 1999 - 23 years later.  The difference between hardware resources available even to the NSA across that period of time is almost impossible to fathom.  In 1976 "supercomputer" was a Cray-1 - with a single CPU (albeit with vector processing) and an 80 MHz clock.  I don't know how much memory it could support, but it would certainly have been way less than is in a smartphone today.  The fastest long-distance digital links were probably 56Kb/sec, so distributed processing would have been a non-starter.  In 1976, an estimate of 10 years until *anyone* could brute-force DES would have been reasonable.  I don't know what time limit might have been set in 1976, but the standard was re-affirmed in 1988.  I will agree that the re-affirmation was getting somewhat dicey - and the second reaffirmation, in 1993, was clearly not correct (though the second reaffirmation did add 3-DES).

The problem, however, is that by 1988 and 1993, there were other political moves in play.  Business isn't much interested in security - it's interested in standards it can say it followed, thus shifting any responsibility onto someone else.  By 1988, there was a large and growing infrastructure relying on DES - much of it, given the CPUs of that era, in hardware.  Even without NSA involvement, there would have been resistance to a new standard as "too expensive" - see our current use of magnetic stripe credit cards in the US.  NSA, in its internal systems, doesn't face any such constraints:  If they decide a system needs replacing, money isn't an issue.  Given the human propensity to assume everyone else thinks and works like you do until you get overwhelming evidence to the contrary, I'll bet that NSA in the mid-70's would have assumed that if they told everyone to drop DES because there was a serious attack against it - they would have done so.

There's also a technical issue.  NSA always claimed that they didn't design DES - IBM did.  All NSA did was change the S boxes and drop the key from 64 to 56 bits.  In fact, as we know since the discovery of differential cryptography in the outside world, the S boxes NSA specified were the strongest possible against DC - and the resulting system was effectively good for 56 bits anyway.  To have done better, NSA would have had to toss IBM's algorithm entirely.

Being paranoid about NSA, given what we now know about them, is rational and even prudent.  (Now how often is "paranoia" prudent....)  On the other hand, assuming they are omniscient means you might as well give up.

                                                        -- Jerry
