[Cryptography] Crypto best practices

Arnold Reinhold agr at me.com
Fri Mar 10 08:44:21 EST 2017


On Wed, 8 Mar 2017 00:34:44 +0100 Hanno Böck wrote:

> 
>> This looks like some very valuable advice:
>> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf …
...
>>> Confidentiality must be provided by AES with a minimum key size of
>>> 256 bits. The cipher must be operated in Galois/Counter Mode (GCM),
>>> Counter Mode (CTR), or Cipher Block Chaining Mode (CBC).  
> 
> That's already bad advice. Use an AEAD, always. From the mentioned ones
> only [GCM (per Hanno’s correction)] is an AEAD.

They do say elsewhere: "Authentication must be provided using HMAC, asymmetric cryptography, or by operating the chosen block cipher in Galois/Counter Mode (GCM)."

> 
> If you read through the whole document it's long and contains a lot of
> strange advice, including recommendations for RC4 + countermeasures
> that we know don't properly work. It's full of recommendations that I'd
> name outdated.
> 
> There's also some good advice in there, but none of it is surprising.


The document appears to be from 2012, judging by the declassification date, so it is not surprising that some of it seems out of date.

As for RC4, it is only discussed in connection with their "Weak Suite", which they say "shall be retired on 31 December 2013 and shall not be used for deliveries after that time. This date complies with NIST Special Publication 800-131A regarding protection of unclassified data for US Government systems." Interestingly, they say in one paragraph, marked S//NF, that the first 1024 bytes of the RC4 cryptostream should be discarded before use. In the next paragraph, marked TS//SI, they up that to 3072 bytes.

Another interesting recommendation: "Tools should perform key exchange exactly once per connection. Many algorithms have weaknesses during key exchange and the volume of data expected during a given connection does not meet the threshold where a re-key is required.[xiii] To reiterate, re-keying is not recommended." Footnote xiii adds "The exact nature of which algorithms are weak at this stage is highly classified. In the absence of those facts this guidance is still relevant; the utility inherent in re-keying derives from minimizing key exposure when performing bulk encryption of large amounts of data. Even the most data-intensive NOD operations involve several fewer orders of magnitude of data per session key. Consequently, re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return."

I also looked at the Wikileaks Apple iOS specific stuff. My two favorite tidbits: 1. The signup sheet for the Sublime Text editor--they have a ten user license and someone suggested getting a 15 user license next time. Not a massive team there. Maybe the NSA has a bigger shop. 2. An instruction in their DRBOOM user guide, complete with a screen shot, that in hooking up an iPhone to the CIA cracking server, when the target phone asks whether or not it should trust this new computer, "make sure you hit the ‘trust’ option on the main screen".

Arnold Reinhold
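[Editor's note, not part of Arnold's or Hanno's message: the following Go program is an added example illustrating Hanno's point above, that of the three modes the document permits for confidentiality only GCM is an AEAD. It encrypts the same constructed message "transfer 100 USD" under AES-256 in GCM and in plain CTR, alters one ciphertext byte as a fault or an on-path tamperer might, and shows that the CTR receiver decrypts a different but perfectly plausible message with no error, while the GCM receiver refuses it. The key and message are constructed for the demo; only Go standard-library calls are used.]

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte (AES-256) key so the example runs offline.
// A real key comes from a KDF or a CSPRNG, never a constant in source.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// demoPlaintext is a constructed message whose meaning turns on a single digit.
const demoPlaintext = "transfer 100 USD"

// newGCM builds the AES-GCM AEAD for a key (12-byte nonce, 16-byte tag).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates. Output layout: nonce || ciphertext || tag.
// The nonce must never repeat under one key, which is one reason the number of
// messages per key (and so per key exchange) has to be bounded.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM verifies the tag first and returns an error, not plaintext, on any change.
func openGCM(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// ctrXOR is AES-CTR with no MAC and no tag; encryption and decryption are the
// same keystream XOR. Layout handled by the callers: iv || ciphertext.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func encryptCTR(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := ctrXOR(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// decryptCTR has no way to tell a genuine ciphertext from an altered one.
func decryptCTR(key, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize {
		return nil, errors.New("message too short")
	}
	return ctrXOR(key, msg[:aes.BlockSize], msg[aes.BlockSize:])
}

// corrupt returns a copy of msg with one byte XORed by mask, standing in for a
// message altered in transit. Offset 9 of the plaintext is the digit '1';
// '1' XOR 0x08 is '9', so an unauthenticated receiver would read "900".
func corrupt(msg []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), msg...)
	out[offset] ^= mask
	return out
}

// CTRSilentlyAccepts returns what a CTR receiver decrypts from the altered message.
func CTRSilentlyAccepts() (string, error) {
	msg, err := encryptCTR(demoKey, []byte(demoPlaintext))
	if err != nil {
		return "", err
	}
	pt, err := decryptCTR(demoKey, corrupt(msg, aes.BlockSize+9, 0x08))
	return string(pt), err
}

// GCMRejectsModified reports whether the GCM receiver refused the altered message.
func GCMRejectsModified() (bool, error) {
	msg, err := sealGCM(demoKey, []byte(demoPlaintext))
	if err != nil {
		return false, err
	}
	_, err = openGCM(demoKey, corrupt(msg, 12+9, 0x08)) // 12 = GCM nonce size
	return err != nil, nil
}

func main() {
	ctr, _ := CTRSilentlyAccepts()
	gcm, _ := GCMRejectsModified()
	fmt.Printf("CTR receiver decrypted: %q\n", ctr)
	fmt.Printf("GCM receiver rejected the altered message: %v\n", gcm)
}
```

The CTR branch is exactly what "CTR or CBC for confidentiality, HMAC for authentication" looks like when the second half is forgotten or bolted on wrongly; with an AEAD the receiver cannot obtain plaintext at all unless the tag verifies, which is why Hanno's "use an AEAD, always" is the safer default to hand to tool developers.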