[Cryptography] RSA is dead.

William Allen Simpson william.allen.simpson at gmail.com
Tue Jan 21 18:30:39 EST 2014


I'm surprised at the sudden interest in my month old December 23 post.

On 1/20/14 2:39 PM, Jerry Leichter wrote:
> On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
>
>> Perhaps this is the result of living in a government bubble for a while, but I certainly saw and heard a lot of the bigger community who thought NSA's involvement in domestic crypto standards and companies was intended to improve security.  That's why NSA people were and are openly members of a bunch of standards committees, why people invited NSA guys to give talks and take part in competitions, why people were using stuff like SE Linux.  People have been using DSA, the NIST curves, SHA1, and SHA2 for many years, believing them secure--because the assumption was that NSA wasn't putting backdoored stuff out there.
> Absolutely.  And it's not just a matter of living inside the government bubble.
>
> NSA has had a surprisingly good reputation pretty much until Snodownia.  Before their involvement with DES, no one really knew anything about them - but every interaction I've ever heard of with NSA people left the impression that they were extremely bright and extremely competent.  (A friend who, many years ago, interviewed with both CIA and NSA, thought the interviewers for the former were a bunch of bumbling idiots, while he was very impressed with the latter.  He never took a government job, however.)
>
No.  NSA had a good reputation in the '60s.  I even recommended a friend for a
position there in the mid '70s.  (AFAIK, he's still there.)

By the '90s, its reputation was dirt.  Because, other than what was known or
suspected about DES, every action they took was to inhibit public use of
cryptography.


> NSA managed to appear not to be much involved in the old crypto wars.  Sure, everyone knew that they were the ones who wanted to be able to keep decrypting stuff, but they managed to come across as mere implementers of policies set elsewhere.  Their involvement with DES looked bad for a while - why *those* S boxes?  Why 56 bits? - but then differential cryptanalysis was re-discovered in public and it turned out that NSA had actually specified S-boxes as strong against it as possible - and that the real strength really was around 56 bits.  NSA came out as being ahead of the rest of the world, and using their lead to strengthen publicly available crypto.
>
NSA was *very* involved in the crypto wars!

Have we forgotten that the NSA mole in the IETF, Steve Kent, removed the
link encryption option from PPP before RFC 1134 publication in 1989?

Have we forgotten that Steve Kent had the NSA (via the FBI) investigate
me for *treason* for posting the PPP CHAP internet-draft circa 1991?

Because that would prevent the security agencies from intercepting
passwords and pretending to be somebody else....  So by then we knew
they were already wiretapping passwords of US citizens and presumably
everybody else.


> This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history.  You can't look at what RSA did in the light of what we know today.  You have to look at it based on what was known or reasonably strongly suspected at the time.

Hogwash.  In addition to the well-known Clipper chip, and the well-known
40-bit key export:

(A) Have we forgotten that Steve Kent had my 1994 Cypher Block CheckSum
(CBCS) removed from the IETF publication schedule -- because it wasn't
compatible with his Null Encryption option?

AFAIK, CBCS was the first attempt at integrating encryption with
integrity.  Had it been adopted, there would have been no Lucky13, et
alia.

And why the heck did we need a null encryption option anyway!

(B) Have we forgotten that Photuris was adopted by acclamation at the
Montreal IETF -- and then Cisco announced they were supporting
ISAKMP/Oakley/IKE?

My guess is forensic accounting would show that Cisco was paid, just as
RSA was recently.  Whether it was a cash payment or just a promise that
they'd be favorably considered in future bids....

I remember meeting with NSA twice at the supposedly neutral NRL.  Phil
Karn refused to meet with them, even though he grew up in Maryland and
it would have been cheaper for him to meet them.  But I naively thought
that we could come to an agreement.

Their biggest complaint was that Photuris concealed the parties, which
inhibited traffic analysis.  And sure enough, that's what they still
want today!

All I could get agreement on was expanding the Group-Index field
(renamed Schemes in draft -03) from 8 to 16 bits for them to define
their own.  That took 2 meetings!

(C) Have we forgotten that H-MAC was adopted over IP-MAC, even though we
had already shown that H-MAC was formally less secure than IP-MAC (and
IP-MAC was older and already had had more analysis)?

Why is it that everything NSA supported at NIST (SHA, SHA1, SHA2, ...)
was demonstrably less secure than other proposals?

On 12/23/13 9:29 PM, Theodore Ts'o wrote:
> As for the rest, the lesson we should take from this is, moving
> forward, if any company in the future hears the words, "I'm from the
> NSA and I'm here to help", they should run away, as fast as their legs
> can carry them.
>
Amen!
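[Editor's added example; this is not part of Simpson's post and is not
his CBCS design.]  Point (A) above rests on a real mechanism: the Lucky13
family of attacks exists because a MAC-then-encrypt CBC record (the
SSL/TLS layout) has to strip padding before it can check the MAC, so the
receiver's two failure modes are distinguishable to an attacker.  Lucky13
itself tells them apart by timing; the constructed demo below leaks them
as explicit error strings to keep the logic visible.  It uses a toy
Feistel block cipher built on HMAC-SHA256 in place of a real cipher,
fixed keys and IV, and a constructed one-block secret; every name and
value is made up for this example.  It recovers a plaintext byte through
the padding oracle, then shows that an encrypt-then-MAC construction,
which verifies integrity before it decrypts anything, gives the same
attacker a single uniform failure and nothing to work with.

```python
import hashlib, hmac

BLOCK, TAG = 16, 32  # block size; HMAC-SHA256 tag length
# Constructed, fixed values so the demo is reproducible (never hard-code keys in real code).
ENC_KEY, MAC_KEY = b"demo-encryption-key", b"demo-mac-key"
IV = bytes(range(BLOCK))
SECRET = b"password:hunter2"  # exactly one block; its last byte is the attack target

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function: truncated HMAC-SHA256
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):  # toy 4-round Feistel permutation standing in for a real cipher
    L, R = blk[:8], blk[8:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R
def block_decrypt(key, blk):
    L, R = blk[:8], blk[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

# MAC-then-encrypt (the SSL/TLS CBC record layout): encrypt(pad(msg || MAC(msg))).
def mte_seal(msg):
    return cbc_encrypt(ENC_KEY, IV, pad(msg + mac(MAC_KEY, msg)))
def mte_open(iv, ct):
    body = unpad(cbc_decrypt(ENC_KEY, iv, ct))  # padding is checked first ...
    msg, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(tag, mac(MAC_KEY, msg)):  # ... and the MAC only afterwards
        raise ValueError("bad mac")
    return msg

# Encrypt-then-MAC: the tag covers IV || ciphertext; nothing is decrypted until it verifies.
def etm_seal(msg):
    ct = cbc_encrypt(ENC_KEY, IV, pad(msg))
    return ct + mac(MAC_KEY, IV + ct)
def etm_open(iv, data):
    ct, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, mac(MAC_KEY, iv + ct)):
        raise ValueError("bad mac")
    return unpad(cbc_decrypt(ENC_KEY, iv, ct))

def _ask(open_fn, blocks, k, prev):  # attacker's view of one probe: "ok" or which check failed
    probe = blocks[:k - 1] + [bytes(prev), blocks[k]]  # blocks up to k, block k-1 replaced
    try:
        open_fn(probe[0], b"".join(probe[1:]))
        return "ok"
    except ValueError as e:
        return str(e)

def padding_oracle(open_fn, iv, data, k):
    """Padding-oracle step on block k (1-based; block 0 is IV): (recovered last byte or None, errors seen)."""
    blocks = [iv] + [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    seen, found = set(), None
    for g in range(256):
        prev = bytearray(blocks[k - 1])
        prev[-1] ^= g ^ 0x01  # if the true byte is g, block k now ends in a valid 0x01 pad
        resp = _ask(open_fn, blocks, k, prev)
        seen.add(resp)
        if resp == "bad padding" or found is not None:
            continue
        prev[-2] ^= 0xFF  # rule out an accidentally valid longer pad
        if _ask(open_fn, blocks, k, prev) != "bad padding":
            found = g
    # Without a distinguishable padding failure there is no oracle; the candidate is noise.
    return (found if "bad padding" in seen else None), seen

def demo():
    mte, etm = mte_seal(SECRET), etm_seal(SECRET)
    assert mte_open(IV, mte) == SECRET and etm_open(IV, etm) == SECRET
    return {"mte": padding_oracle(mte_open, IV, mte, 1),  # (50 == ord("2"), both error types)
            "etm": padding_oracle(etm_open, IV, etm, 1)}  # (None, {"bad mac"})
```

Running demo() shows the asymmetry: against mte_open the attacker
recovers the last byte of the secret block with at most 257 probes and
sees both "bad padding" and "bad mac"; against etm_open every probe is
rejected at the MAC check with one identical error, so the same loop
learns nothing.  Real implementations must also keep the rejection
paths constant-time, which is exactly where Lucky13 bit: a receiver
that checks the MAC in the "bad padding" case anyway, but on a
different amount of data, still leaks through timing.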
