[Cryptography] NSA versus DES etc.... was: iOS 8

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 25 21:38:10 EDT 2014


John Gilmore <gnu at toad.com> writes:

>The theory as I recall it was that the basic encryption scheme was insecure
>if keyed with 99.99% of random strings, but secure if the keys were generated
>in certain ways.(*)  This meant they didn't have to worry about the CCEP
>boxes leaking out to undesirables like us. NSA would not tell you the key
>generation criteria, so if you just made up your own keys, the traffic was
>easy for them to read.

I'd always assumed that was an oversimplification/dumbing down of what we know
about Type 1 algorithms like BATON and JUNIPER, that most of the key is
actually "checksum" bits (given that the checksum is 160 bits long I'd guess
it's a SHA-1 MAC over the key data) and that an attempt to load a non-NSA-
generated key will fail the MAC check and load some form of fixed key (e.g.
one where only the low 16 bits are chosen randomly, making them easily brute-
forceable by someone who knows the remaining bits) instead.

>No wonder this scheme didn't catch on...

The main reason was the banks' massive investment in DES and refusal to change
horses mid-stream.  The ABA's pressure to get the NSA to recertify DES was
much, much stronger than the NSA's pressure to get the ABA to switch to CCEP.

>(*) Many number-theoretic cryptosystems, like RSA, have this property. If you
>run RSA with arbitrary numbers, it's easy to crack; you need to key it only
>with the product of two large primes.

See above: you don't need any fancy special-properties cryptosystem; if you've
got tamper-resistant hardware you can bake in whatever behaviour you want,
giving an algorithm properties that go beyond the original design.

Peter.
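As an added illustration of the key-loading behaviour Peter speculates about above (this is constructed example code, not the real Type 1 key format and not anything from the list or its authors), the following Python models a key blob as key material followed by a 160-bit HMAC-SHA1 under a secret held only by the authorised key generator. It then contrasts the two load behaviours the post describes: the hardened one, where a blob that fails the MAC check is refused, and the failure mode where the device silently substitutes a fixed key with only 16 random bits, so every home-made key ends up sharing the same known prefix. The generator secret, the 16-byte key length and the all-zero fixed prefix are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed layout (assumption, not the real format): KEY_LEN bytes of key
# material followed by a 20-byte (160-bit) HMAC-SHA1 tag over that material,
# computed under a secret that only the authorised key generator holds.
KEY_LEN = 16
MAC_LEN = 20  # 160 bits, the checksum length mentioned in the post

# Constructed failure mode from the post: a rejected blob is silently replaced
# by a fixed key in which only the low 16 bits are chosen randomly.
FALLBACK_RANDOM_BITS = 16
FIXED_PREFIX = b"\x00" * (KEY_LEN - FALLBACK_RANDOM_BITS // 8)  # assumed fixed bits


class KeyLoadError(Exception):
    """Raised by the fail-closed loader when a blob does not verify."""


def generate_key_blob(generator_secret: bytes) -> bytes:
    """Act as the authorised generator: fresh key material plus its MAC."""
    material = secrets.token_bytes(KEY_LEN)
    tag = hmac.new(generator_secret, material, hashlib.sha1).digest()
    return material + tag


def verify_key_blob(generator_secret: bytes, blob: bytes) -> bool:
    """True only if the blob has the right length and its MAC matches."""
    if len(blob) != KEY_LEN + MAC_LEN:
        return False
    material, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(generator_secret, material, hashlib.sha1).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(tag, expected)


def load_key_fail_closed(generator_secret: bytes, blob: bytes) -> bytes:
    """Hardened behaviour: a blob that fails the MAC check is refused outright."""
    if not verify_key_blob(generator_secret, blob):
        raise KeyLoadError("key blob failed MAC check; refusing to load")
    return blob[:KEY_LEN]


def load_key_silent_fallback(generator_secret: bytes, blob: bytes) -> bytes:
    """The risky behaviour from the post: an unverified blob still 'loads', but
    the device quietly uses a fixed key with only 16 random bits instead."""
    if verify_key_blob(generator_secret, blob):
        return blob[:KEY_LEN]
    low_bits = secrets.randbits(FALLBACK_RANDOM_BITS).to_bytes(
        FALLBACK_RANDOM_BITS // 8, "big")
    return FIXED_PREFIX + low_bits


def effective_key_bits(key: bytes) -> int:
    """Bits an attacker who knows the fixed prefix must still search: the full
    key length for a verified key, only the random tail for a fallback key."""
    if key.startswith(FIXED_PREFIX) and len(key) == KEY_LEN:
        return FALLBACK_RANDOM_BITS
    return KEY_LEN * 8


if __name__ == "__main__":
    secret = b"constructed-generator-secret"  # assumption: held by the generator only
    good = generate_key_blob(secret)
    homemade = bytearray(good)
    homemade[0] ^= 0x01  # a key someone made up without the generator secret
    print("good blob verifies:", verify_key_blob(secret, good))
    print("homemade verifies:", verify_key_blob(secret, bytes(homemade)))
    weak = load_key_silent_fallback(secret, bytes(homemade))
    print("silent fallback leaves", effective_key_bits(weak), "bits to search")
```

The point of the two loaders is the policy on a failed check: refusing the key makes a bad blob an obvious, loggable event, whereas the silent fallback keeps the device apparently working while reducing its key to a 16-bit search for anyone who knows the fixed bits.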

