[Cryptography] RSA is dead.

Jerry Leichter leichter at lrw.com
Mon Jan 20 14:39:03 EST 2014


On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> Perhaps this is the result of living in a government bubble for a while, but I certainly saw and heard a lot of the bigger community who thought NSA's involvement in domestic crypto standards and companies was intended to improve security.  That's why NSA people were and are openly members of a bunch of standards committees, why people invited NSA guys to give talks and take part in competitions, why people were using stuff like SE Linux.  People have been using DSA, the NIST curves, SHA1, and SHA2 for many years, believing them secure--because the assumption was that NSA wasn't putting backdoored stuff out there.  
Absolutely.  And it's not just a matter of living inside the government bubble.

NSA has had a surprisingly good reputation pretty much until Snodownia.  Before their involvement with DES, no one really knew anything about them - but every interaction I've ever heard of with NSA people left the impression that they were extremely bright and extremely competent.  (A friend who, many years ago, interviewed with both CIA and NSA thought the interviewers for the former were a bunch of bumbling idiots, while he was very impressed with the latter.  He never took a government job, however.)

NSA managed to appear not to be much involved in the old crypto wars.  Sure, everyone knew that they were the ones who wanted to be able to keep decrypting stuff, but they managed to come across as mere implementers of policies set elsewhere.  Their involvement with DES looked bad for a while - why *those* S-boxes?  Why 56 bits? - but then differential cryptanalysis was re-discovered in public and it turned out that NSA had actually specified S-boxes as strong against it as possible - and that the real strength really was around 56 bits.  NSA came out as being ahead of the rest of the world, and using their lead to strengthen publicly available crypto.

This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history.  You can't look at what RSA did in the light of what we know today.  You have to look at it based on what was known or reasonably strongly suspected at the time.  Certainly at the time DUAL EC DRBG was added to the NIST standards, and RSA added it to BSAFE, NSA was accepted in the role of "helper".  The demonstration that it *could* have a trap door didn't show it *did* have a trap door - and after all NSA was fulfilling its role of helping to improve the security of American communications, no?  (Well, that *was and is* one of its legally-defined roles, and that was the one we all saw, repeatedly, in public.)

> That's part of the collateral damage of the dual ec drbg trapdoor.  They had spent 10-15 years trying to build a good relationship with the crypto and computer security community, and when this came out, they lost that relationship.  Researchers will still take their money, government agencies required by law to work with them will continue to do so, but the default assumption won't be "they're on our side" anymore.  The ultimate cost of that will be many times higher than however much was budgeted for the project that got the dual ec drbg into the world.  

Absolutely.  Whoever thought this was a good idea should have been shown the door a *long* time ago.  It took incredible arrogance to think this kind of thing could be kept secret - and in fact the suspicions were raised a long time ago.  It was only an aggressive "good cop" campaign - and a great deal of luck, e.g., the long history of suspicion that NSA had planted back doors in the DES S-boxes that we now know was nonsense, thus making claims that they planted back doors elsewhere seem like tinfoil-hat stuff - that let it last as long as it did.

In the end, one wonders just how much they actually gained anyway.  What significant NSA targets ever used BSAFE and DUAL EC DRBG?  I'd guess relatively few.  Terrorist organizations use home-brew or open source stuff - they don't spend money on crypto libraries.  (If NSA had managed to subvert the Linux RNG, they'd have had something.)  The larger governments have their own crypto organizations.  Maybe this helped them with some smaller governments and some (likely mainly American) large corporations.  Hardly seems worth it in light of what they've now lost.
                                                        -- Jerry

