"Oh my god I never thought spies could be so boring."
December 23, 2017 2:29 PM

The Strange Story Of Extended Random - "Those fossilized printers confirmed a theory we’d developed in 2014, but had been unable to prove: namely, the existence of a specific feature in RSA’s BSAFE TLS library called “Extended Random” — one that we believe to be evidence of a concerted effort by the NSA to backdoor U.S. cryptographic technology."
posted by the man of twists and turns (23 comments total) 36 users marked this as a favorite
 
...after all, why would the government spy on itself?

Reality Winner might have some insight into that.
posted by clawsoon at 3:03 PM on December 23, 2017 [6 favorites]


not only are cryptographic backdoors a terrible idea, but they totally screw up the assigned numbering system for future versions of your protocol.

I mean isn't that the de facto answer to the "Trusting Trust" problem?
posted by PMdixon at 3:29 PM on December 23, 2017


Actually really interesting!
posted by Joe in Australia at 3:42 PM on December 23, 2017 [1 favorite]


> Joe in Australia:
"Actually really interesting!"

This sort of stuff is always more interesting than it appears at first look, IMO.
posted by Samizdata at 5:17 PM on December 23, 2017


This sort of stuff is always more interesting than it appears at first look, IMO.
posted by Samizdata


Well, you would say that.
posted by Joe in Australia at 5:22 PM on December 23, 2017 [9 favorites]


Once again the NSA demonstrates its poor judgment that ends up making America less secure. They used to have a mandate to help develop cryptosystems to keep American interests safe. But they totally undermined their ability to do that.

I assume no one at the IETF will no longer talk to any suspected NSA employees or agents. Anyone know for sure?
posted by Nelson at 5:52 PM on December 23, 2017


I don't really want to live in a cyberpunk novel any more. May I please change my current sim to the Anne of Green Gables sim?
posted by loquacious at 6:13 PM on December 23, 2017 [28 favorites]


I asked about the IETF and the NSA on Hacker News and apparently the answer is yes, the IETF still works with NSA agents.
posted by Nelson at 6:32 PM on December 23, 2017 [2 favorites]


May I please change my current sim to the Anne of Green Gables sim?

Sure!

Whoops! You just got typhoid.
posted by TheWhiteSkull at 7:20 PM on December 23, 2017 [16 favorites]


Whoops! You just got typhoid.

Damnit, I was hoping for hysteria.
posted by loquacious at 7:31 PM on December 23, 2017 [9 favorites]


Wait, that's the Road to Wellville sim. Anyway, something less straight up Orwellian will do. I'll even consider a Twilight Zone episode.
posted by loquacious at 7:41 PM on December 23, 2017 [4 favorites]


> Joe in Australia:
"This sort of stuff is always more interesting than it appears at first look, IMO." (Samizdata)

"Well, you would say that."


Hey, now, no need to make it personal... [chuckle]
posted by Samizdata at 9:23 PM on December 23, 2017


I got a bit thrown off when I learnt they call random data 'nonces'
posted by KateViolet at 1:59 AM on December 24, 2017


Not all random data. Just randomness you can only safely use once.
posted by jeffburdges at 2:20 AM on December 24, 2017 [4 favorites]


IIRC, djb was going on about how some cache timing attacks could compromise some NIST algorithm a few years ago. Couldn't find his slide-deck quickly to confirm my recollections though.
posted by mikelieman at 2:51 AM on December 24, 2017


Dual EC: A Standardized Back Door
Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen

Full Disclosure: I <3 qmail. djb's double-bounce message:
Hi. This is the qmail-send program at example.com.
I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.
is a life-lesson everyone should learn from.
posted by mikelieman at 3:01 AM on December 24, 2017 [2 favorites]


> ...apparently the answer is yes, the IETF still works with NSA agents.

I'm guessing the IETF has no choice. The NSA is not going away, and they are going to do what they do whether or not the IETF is engaged. So sustaining a relationship that allows some kind of insight into the NSA's interests will be more beneficial to the IETF than telling the NSA to fuck off. Otherwise the U.S. government will have intelligence agency staff involved in the IETF covertly rather than openly, and knowledge transfer will become one-way.
posted by at by at 3:50 AM on December 24, 2017


Just fyi, there are twitter threads by Matt Green who wrote this blog post and Matt Blaze arguing that the NSA could not backdoor their SIMON and SPECK ciphers that the IETF just ditched, in part for originating within the NSA.

In short, these are fast symmetric aka secret key systems, but a nobody-but-us backdoor is equivalent to an asymmetric aka public key system, which run far slower, so a nobody-but-us backdoor means the NSA has a god-like theoretical advance in public key cryptography. Ain't likely. Yes, they employ numerous mathematicians retrained as cryptographic engineers, but their true math theory people work at IDA. IDA in Princeton only has like 6 permanent staff.
posted by jeffburdges at 4:45 AM on December 24, 2017 [3 favorites]


I hear what you're saying at by, but the idea that a few Internet standards geeks can out-spy the spies is dangerously naive. The NSA is not helping Internet security. The NSA is the adversary. Allowing them to help design cryptosystems after they've proven time and again that they are subverting those systems seems very foolish. Particularly since the NSA weaknesses they've injected so far have proven terribly dangerous in that they are not NSA-only in practice, even when designed to be.
posted by Nelson at 5:46 AM on December 24, 2017 [6 favorites]


It's not about outspying the spies, it's more like the opposite: maintaining diplomatic ties during an adversarial relationship in the hopes of getting the NSA to make some of their desires public and therefore negotiable.
posted by at by at 5:29 PM on December 24, 2017


Cryptographic faults can be very subtle, even when the fault is in the algorithm and not the code. And your secure code is very likely running on shared hardware, which is vulnerable to all sorts of things like row-hammering. It's very possible that you don't even own the hardware, that it doesn't even exist except as an instance on some rack in a data centre. What would secure encryption even look like under those conditions?
posted by Joe in Australia at 6:22 PM on December 24, 2017


I'm fine with IETF booting out SIMON and SPECK due to their origin. In fact, I'd almost worry the NSA might be so dangerously incompetent that they'd install a non-nobody-but-us aka "security through obscurity" backdoor, meaning others will eventually break it and wreck everything, possibly via a side-channel weakness like Joe suggests.

I agree with Matt Blaze and Matt Green that the NSA could not possibly have a non-nobody-but-us backdoor in SIMON and SPECK though. As a rule, there are few if any real theoretical advances in classified work, Nelson, mostly just better funded engineering. In principle, all that engineering could feed back into less abstract advances, but all the secrecy prevents that. An asymmetric system as fast as symmetric systems would influence things across the mathematical world. We're not talking "few standards geeks" vs a well funded government agency, but a government agency staffed by ex-mathematicians who quit real research and hobbled by secrecy vs a mathematical problem whose reverberations would likely be felt across the mathematical world, if it were solvable with anywhere near current technology. Also if they could solve it then they'd use it to do much better things than merely backdoor a cipher.
posted by jeffburdges at 4:46 AM on December 25, 2017 [1 favorite]

