[Cryptography] Crypto AG and CIA project exposed

Ray Dillinger bear at sonic.net
Tue Feb 11 22:03:50 EST 2020


On Tue, 2020-02-11 at 15:33 -0800, Henry Baker wrote:
> At 12:51 PM 2/11/2020, Dennis E. Hamilton wrote:
> > Danny Muizebelt said,
> > 
> > > For decades Crypto AG sold backdoored crypto solutions to
> > > governments.
> > 
> > Technically, there was no back door.
> > 
> > There were built-in crypto weaknesses that facilitated decryption of
> > intercepts by an adversary (in this case, the CIA/NSA).
>
> Wasn't this simply a follow-on to the Enigma-clone that was sold to
> many govts around the world in the 1950's & 1960's ?
> 
> If this is news to WaPo, then they simply haven't been paying
> attention.

The electronic devices with outright jiggered hardware (deliberate RF
leaks and a few other things) replaced (or in some cases served
alongside) old-fashioned rotor machines with jiggered manuals and
training materials.

These were machines that could be used securely, or not, and our NSA
worked with Crypto AG to ensure that certain nations got documentation
and training materials that trained them to use the machines
insecurely.  The machines passed audit after audit, being
electromechanically identical to machines in secure use elsewhere.  But
the people auditing the machines weren't looking at the training
materials. 

There were things like key creation methods that gave low-entropy keys
(some amount of actual randomness juxtaposed with predictable
information like a date code that was there "to prevent key reuse", or
a short random key used to look up a longer key in a table, etc.) or a
"data integrity code" that was sent unencrypted and leaked information
about the IV, etc. 

I recall reading a chunk of one of the jiggered manuals, spotting a
stinker and thinking, "oh, wait, that's wrong." And thinking I'd have
seen the problem with it even if I hadn't known to be looking for one,
but ... there'd probably be a couple more than just the ones I saw,
right?

A greater risk of failure on my part would be that on finding a clear
flaw in official training materials I might have said nothing, assuming
that official training materials must have been written by people who
knew better than I.  Crypto AG, at the time, had a reputation a yard
thick!  Such people, well known to be highly competent, would obviously
have spotted it already if it were as bad as I thought, I'd have said
to myself, so I must be wrong about this somehow.  And then I'd have
spent days or weeks trying to work out why it wasn't a real problem
before bringing it up.

Backdoored crypto is not the kind of accusation I would have wanted to
bring against the most reputable supplier in the world, unless
absolutely sure. Even when bringing it up I'd have been treading as
lightly as possible, asking a why-is-this-okay question instead of
jumping straight to I-think-our-partner-is-a-crook. 

				Bear
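
Added example, not part of the message above or of any Crypto AG material: a key-generation audit that counts the distinct keys a procedure can actually produce, run over two constructed procedures modeled on the low-entropy methods the message describes (random bytes juxtaposed with a date code, and a short random value used to look up a longer key in a table). The field formats, table contents and function names are assumptions made for illustration.

```python
import hashlib
import math

KEY_BYTES = 16  # nominal key length: 128 bits

# Constructed values: the message gives no real formats or tables.
DATE_CODE = b"20200211"   # predictable, known to any observer
STATION_ID = b"STN001"    # hypothetical fixed field
TABLE = [
    hashlib.sha256(b"constructed-table" + i.to_bytes(2, "big")).digest()[:KEY_BYTES]
    for i in range(4096)
]  # stands in for a key table printed in a manual

def key_with_date_code(secret: int) -> bytes:
    """Procedure A: 2 random bytes juxtaposed with predictable fields."""
    return secret.to_bytes(2, "big") + DATE_CODE + STATION_ID

def key_from_table(secret: int) -> bytes:
    """Procedure B: a short random value selects a longer key from a table."""
    return TABLE[secret]

def audit(keygen, secret_space: range) -> tuple[int, float]:
    """Return (nominal_bits, effective_bits) for a key-generation procedure.

    Effective bits = log2 of the number of distinct keys reachable when
    everything except the operator's random choice is known.
    """
    keys = {keygen(s) for s in secret_space}
    if {len(k) for k in keys} != {KEY_BYTES}:
        raise ValueError("procedure produced keys of unexpected length")
    return KEY_BYTES * 8, math.log2(len(keys))

def report() -> dict[str, tuple[int, float]]:
    return {
        "date-code": audit(key_with_date_code, range(2**16)),
        "table-lookup": audit(key_from_table, range(len(TABLE))),
    }

if __name__ == "__main__":
    for name, (nominal, effective) in report().items():
        print(f"{name}: nominal {nominal} bits, effective {effective:.0f} bits")
```

Both procedures yield keys that are the full nominal length, which is why inspecting the machine or the key format alone does not reveal the problem; the audit has to cover the documented procedure that produces the key.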



