[Cryptography] NSA versus DES etc.... was: iOS 8

John Gilmore gnu at toad.com
Thu Sep 25 17:10:46 EDT 2014


> I don't know about a single algorithm but one attempt was to provide black
> boxes under the CCEP that accepted a key and plaintext/ciphertext and spat out
> ciphertext/plaintext.  The CCEP gear would be non-exportable, thus solving the
> DES problem where either US banks/corporates could export it or you could buy
> foreign gear built to the publicly-available design.  Since it never survived
> into production several aspects of it were rather unclear, but it looked like
> the NSA would be a middleperson in the key management process.

I think "middleperson in key management" is too weak a description.
As I recall, you had to get all the keying material from NSA!

The theory as I recall it was that the basic encryption scheme was
insecure if keyed with 99.99% of random strings, but secure if the
keys were generated in certain ways.(*)  This meant they didn't
have to worry about the CCEP boxes leaking out to undesirables like us.
NSA would not tell you the key generation criteria, so if you just
made up your own keys, the traffic was easy for them to read.

In such a program, you could never know whether the keys NSA was
supplying you with were real "good keys" or easy to subvert "weak
keys".  They didn't even promise not to keep copies of the keys they
sent you, so they could read your traffic either way.  And if they
didn't like what you did with the boxes, they'd just stop giving you
keying material, leaving you hung out to dry with no recourse other
than re-using old keys.

No wonder this scheme didn't catch on...

	John

(*) Many number-theoretic cryptosystems, like RSA, have this property.
If you run RSA with arbitrary numbers, it's easy to crack; you need
to key it only with the product of two large primes.
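An added example, not part of the original post: a sanity check over the footnote's point, counting how many arbitrary odd 512-bit numbers are unfit as RSA moduli because they have a small prime factor or are themselves prime, next to a modulus built from two large primes. The function names, seed, bit sizes and the 10,000 trial-division bound are assumptions, and the seeded `random` generator is there only so the run is reproducible.

```python
import random

# Primes below 10,000 for trial division (the bound is an assumption of this example).
PRIMES = [p for p in range(2, 10_000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in PRIMES[:50]:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def audit_modulus(n, rng):
    """Return why n is unfit as an RSA modulus, or None if no cheap check trips."""
    for p in PRIMES:
        if n % p == 0:
            return f"small factor {p}"
    # A prime modulus has phi(n) = n - 1, so the private exponent is public knowledge.
    return "modulus is prime" if is_probable_prime(n, rng) else None

def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def demo(seed=2014, trials=200, bits=512):
    rng = random.Random(seed)  # seeded, non-cryptographic: never use for real keys
    arbitrary = [rng.getrandbits(bits) | (1 << (bits - 1)) | 1 for _ in range(trials)]
    rejected = sum(audit_modulus(n, rng) is not None for n in arbitrary)
    good = random_prime(bits // 2, rng) * random_prime(bits // 2, rng)
    return rejected / trials, audit_modulus(good, rng)
```

Passing these cheap checks does not show that a modulus is strong; it only rules out the two most obvious ways an arbitrary number fails.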

