NSA/NIST Security Lab
NSA and NIST will set up a new lab for evaluation of information-security products, including crypto algorithms: http://jya.com/nsa-nist.txt The lab will coordinate with other nations. Plans include eventual shifting the evaluation to private testing labs once accreditation standards are set. With critiques by Bruce Schneier and Steve Walker, and a slap from NCSA, which now provides testing, "They've been talking about this stuff for years."
On Tue, 2 Sep 1997, John Young wrote:
NSA and NIST will set up a new lab for evaluation of information-security products, including crypto algorithms:
The lab will coordinate with other nations. Plans include eventual shifting the evaluation to private testing labs once accreditation standards are set.
With critiques by Bruce Schneier and Steve Walker, and a slap from NCSA, which now provides testing, "They've been talking about this stuff for years."
Uh huh, yeah, we'll be getting the NSA to review security... Joy. I can see it now. "Single DES is very safe. 40 bit keys are more than enough..." Even with Bruce on this, it doesn't warm my trust to them... =====================================Kaos=Keraunos=Kybernetos============== .+.^.+.| Ray Arachelian |Prying open my 3rd eye. So good to see |./|\. ..\|/..|sunder@sundernet.com|you once again. I thought you were |/\|/\ <--*-->| ------------------ |hiding, and you thought that I had run |\/|\/ ../|\..| "A toast to Odin, |away chasing the tail of dogma. I opened|.\|/. .+.v.+.|God of screwdrivers"|my eye and there we were.... |..... ======================= http://www.sundernet.com ==========================
At 10:51 AM 9/2/97 -0700, Tim May wrote:
Now, Ray, you're being too harsh. When NSA/NIST sought the analysis of Clipper/Tessera several years ago, the distinguished panel met for a weekend in a D.C. area hotel and concluded...drum roll...that Clipper/Tessera was secure.
No, they put out an interim report asserting that Skipjack was secure, promising to do a final report covering the Clipper chip, the escrow system, the key-loading charade in the vault, and all the other things that make Clipper, and hyped the <expletive deleted> out of how secure Skipjack was, implying that you should trust Clipper and the friendly NSA that gave it to you. Of course, N years later, they haven't come out with that final report, and in context issuing the Skipjack interim part was a blatantly dishonest ploy, as well as being too short an analysis to be anything resembling thorough, even if Skipjack is fairly strong (which it probably is, for 80 bit Feistel.)
Of course, Matt Blaze broke the Tessera version a few months later....
Not an extremely practical break, but good enough to show the fundamental shoddiness of the Clipper system and embarass them at a time that a good heavy-duty embarassment was politically damaging.
Some believe they have a role in helping industry to secure its communications. I don't agree. The NSA has no business getting involved in business. Period.
I think they've got a role in making sure that defense contractors making products for the US military, whether the contractors are handling militarily sensitive information or especially building tools that the military will use to handle sensitive information, are adequately secure. You could argue that that's a job for some other centralized expert agency that's under better civilian control or Pentagon control rather than being out of control (as the CIA is), perhaps National Science Foundation, but it's also arguable that the only people who can do an adequate job of protecting secrets are people with lots of practice cracking them, and that's something pretty much like an NSA. There's also a potential role, though it's a much tougher sell, for NSA or similar experts helping the State Department, and perhaps civilian Federal agencies that handle private information about citizens, do a good job at protecting it, though the military models of security are often not a good match for civilian data protection. My past experience with the NSA "helping" the State Department was a 3-year debacle in the late 80s, where they provided a bunch of unrealistic wish-list advice to a bunch of, ummm, technically challenged Wang administrators about how to build a secure world-wide network, which gradually fell apart in turf battles because the main Embassy customers for highly secure communications don't really work for State and they wanted their secure network provided by Real Spooks, and they may not have had the budget or political clout to get a network built but they could sure spoil a procurement :-) But other than supporting Federal customers, they ought to leave business alone, at least until they get privatized.... # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list or news, please Cc: me on replies. Thanks.)
At 10:12 AM -0700 9/2/97, Ray Arachelian wrote:
Uh huh, yeah, we'll be getting the NSA to review security... Joy. I can see it now. "Single DES is very safe. 40 bit keys are more than enough..." Even with Bruce on this, it doesn't warm my trust to them...
Now, Ray, you're being too harsh. When NSA/NIST sought the analysis of Clipper/Tessera several years ago, the distinguished panel met for a weekend in a D.C. area hotel and concluded...drum roll...that Clipper/Tessera was secure. Of course, Matt Blaze broke the Tessera version a few months later.... NSA has long had a dual mission. SIGINT and COMINT to break enemy messages, and COMSEC to help ensure national security through strong crypto. Code breakers and code makers. For government uses, this has worked pretty well, most of us would agree. ICBM launch codes are apparently secure, submarines can communicate securely, etc. (Please don't chime in with anecdotes about Walker.) Some believe they have a role in helping industry to secure its communications. I don't agree. The NSA has no business getting involved in business. Period. NIST (formerly NBS, of course) may have a role, but I doubt even this. --Tim May There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
-----BEGIN PGP SIGNED MESSAGE----- In <v0310280db03200b3cc75@[207.167.93.63]>, on 09/02/97 at 10:51 AM, Tim May <tcmay@got.net> said:
At 10:12 AM -0700 9/2/97, Ray Arachelian wrote:
Uh huh, yeah, we'll be getting the NSA to review security... Joy. I can see it now. "Single DES is very safe. 40 bit keys are more than enough..." Even with Bruce on this, it doesn't warm my trust to them...
Now, Ray, you're being too harsh. When NSA/NIST sought the analysis of Clipper/Tessera several years ago, the distinguished panel met for a weekend in a D.C. area hotel and concluded...drum roll...that Clipper/Tessera was secure.
Of course, Matt Blaze broke the Tessera version a few months later....
NSA has long had a dual mission. SIGINT and COMINT to break enemy messages, and COMSEC to help ensure national security through strong crypto. Code breakers and code makers.
For government uses, this has worked pretty well, most of us would agree. ICBM launch codes are apparently secure, submarines can communicate securely, etc. (Please don't chime in with anecdotes about Walker.)
Some believe they have a role in helping industry to secure its communications. I don't agree. The NSA has no business getting involved in business. Period.
NIST (formerly NBS, of course) may have a role, but I doubt even this.
I do not see how NIST could have any role in the private sector as long as they maintain their cozy relationship with the government especially the NSA. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNAxSAY9Co1n+aLhhAQH/dwP7BATbMQ8Y5/muQ2jj7XtIk8Aty6XggaAm BC2FDwjcsWGSgj+y9jMJaHumnKbMXBtX6zZtzCWE/I6PmRD6t2vRnRwQFu/dRk1D zPTVlIq5W54fFsESVJn36tO4BgcI+IxZx/j2K7wUwkpCMSq6aXBoNqs44bTgPPzr q0+i/It0SHI= =he6z -----END PGP SIGNATURE-----
participants (5)
-
Bill Stewart -
John Young -
Ray Arachelian -
Tim May -
William H. Geiger III