At 01:05 AM 5/20/96 -0700, Bill Frantz wrote:
At 8:05 PM 5/19/96 -0800, jim bell wrote:
It should occur to all of us that if the NSA was actually doing the job we are vastly over-paying them to do, it is THEY who should be finding, exposing, and correcting these kinds of cryptography faults. Has anybody ever heard any evidence that the NSA has ever acted in this sort of responsible role?
I was rather impressed by NSA's role in the creation of DES. They strengthened it against an attack which was not publicly known, and didn't, in the process, reveal the attack. (See AC2.)
Isn't this partly bad, at least? Sure, if DES was a working, operational cryptosystem revealing the attack immediately might be arguably irresponsible. But since it was merely a design, exposing the flaw didn't help the enemy or hurt "us."

Had DES been in use, the NSA could merely have stated, publicly, that "We see a flaw in DES, and we will tell you all about it in 5 years. Enclosed is an encrypted description of the problem, encrypted using a single key system with a 128-bit key. Save it for your files. In five (5) years we will publish the key to decrypt that file, and you will then know what we know now."

At that point, anybody who then was using DES would have a five year warning to replace it. And the NSA would be unable to change the contents of what they were revealing, because they would only be withholding the key.

Also, exposing the flaw in DES could have alerted the developers of other cryptosystems to watch for the same attack on their systems. All in all, I don't think the NSA's near-silence on DES is unambiguously commendable.

Jim Bell
jimbell@pacifier.com
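
The sealed-disclosure idea in the message above (publish the encrypted description now, release the key later), sketched as an added example that is not part of the original thread. The HMAC-based keystream is a stand-in cipher, and publishing a SHA-256 digest of the key next to the ciphertext is an assumption added here so that readers can check the key released later is the one fixed at publication time; all function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(data: bytes, key: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal(description: bytes):
    """Return (public_record, key). The record is published now, the key withheld."""
    key = secrets.token_bytes(16)  # 128-bit single key, as in the message
    record = {
        "ciphertext": _xor(description, key),
        # Assumption added here: a digest of the key is published with the
        # ciphertext, so only this one key will be accepted at reveal time.
        "key_digest": hashlib.sha256(key).hexdigest(),
    }
    return record, key


def open_record(record: dict, revealed_key: bytes) -> bytes:
    """Check the revealed key against the published digest, then decrypt."""
    digest = hashlib.sha256(revealed_key).hexdigest()
    if not hmac.compare_digest(digest, record["key_digest"]):
        raise ValueError("revealed key does not match the published digest")
    return _xor(record["ciphertext"], revealed_key)


if __name__ == "__main__":
    note = b"constructed sample: description of the flaw"  # constructed input
    record, key = seal(note)
    print(open_record(record, key))
```
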