Re: [Cryptography] IA side subverted by SIGINT side
----- Forwarded message from John Gilmore <gnu@toad.com> ----- Date: Fri, 06 Sep 2013 10:27:58 -0700 From: John Gilmore <gnu@toad.com> To: Jon Callas <jon@callas.org> Cc: cryptography@metzdowd.com, "Perry E. Metzger" <perry@piermont.com> Subject: Re: [Cryptography] IA side subverted by SIGINT side
I have a small amount of raised eyebrow because the greatest bulwark we have against the SIGINT capabilities of any intelligence agency are that agency's IA cousins. I don't think that the Suite B curves would have been intentionally weak. That would be a shock.
Then be "shocked, shocked" that the muscular exploitation side of an intelligence agency would overrule the weak Information Assurance side. It happens over and over. It even happens in companies that have no SIGINT side, like Crypto AG, when somebody near the top is corrupted or blackmailed into submission.

As late as 1996, the National Academy of Sciences CRISIS panel was tasked by the US Congress with coming up with a US crypto policy that would be good for the whole nation, updating the previous policy that was driven by spy agency and law enforcement excesses to sacrifice the privacy and security of both people and companies. After taking a large variety of classified and unclassified input, the panel's unanimous consensus suggested that everybody standardize on 56-bit DES, which they KNEW was breakable.

Diffie, Hellman and Baran persuasively argued in the 1970s, when DES was up for standardization, that a brute force DES cracker was practical; they recommended longer keys than 56 bits. See for example this contemporaneous 1976 cassette recording / transcript: https://www.toad.com/des-stanford-meeting.html

Subsequent papers in 1993 (Wiener, "Efficient DES Key Search") and in 1996 (Goldberg & Wagner, "Architectural Considerations for Cryptanalytic Hardware") provided solid designs for brute-force DES key crackers. Numerous cryptographers and cypherpunks provided input to the CRISIS panel as well. They even cited these papers and input on page 288 of their report. I have never seen a subsequent accounting by the CRISIS panel members for this obviously flawed recommendation.
It was rapidly obsoleted by subsequent developments: in June 1997 Rocke Verser coordinated a team to publicly crack DES by brute force in months; in 1998 EFF revealed its DES Cracker hardware that cost $250K and could crack DES in a week; and in 2000 the export regs were effectively removed on any strength encryption in mass market and free software, a change forced upon them by EFF's success in Dan Bernstein's First Amendment case.

The panel members included substantial information-assurance folks like Marty Hellman and Peter Neumann, Lotus Notes creator Ray Ozzie, and Willis Ware (an engineer on WW2 radars and the Johnniac, who later spread computers throughout aviation design and the Air Force, ended up at RAND, and served on the 1974 Privacy Act's Privacy Protection Study Commission). But several of those people (and others on the panel such as Ann Caracristi, long-term NSA employee and 2-year deputy director of NSA) also have a long history involved with classified military work, which makes their publicly-uttered statements unlikely to reflect their actual beliefs.

John

PS: The CRISIS panel also recommended that encryption of any strength be exportable "if the proposed product user is willing to provide access to decrypted information upon a legally authorized request". They assumed the ongoing existence of a democratic civilian government and a functioning independent court system in the United States -- an assumption that is currently questionable. I don't think the panel foresaw that a single "legally authorized request" would come with a gag order from a secret court, would purport to "target" a single unnamed individual, but would nevertheless require that information about every person making a phone call in the United States be turned over to a classified government agency for permanent storage and exploitation.
Nor did they see that the government they were part of would be committing serious international war crimes including political assassination, torture, indefinite detention without trial, and wars of aggression, on an ongoing basis. Either that, or maybe NSA blackmailed the committee members into these recommendations, just as J. Edgar Hoover blackmailed his way through 40 years of unchecked power. Trouble is, Hoover eventually had to die; NSA, not being human, does not have that natural limit.

----- End forwarded message -----

-- 
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
...
J. Edgar Hoover blackmailed his way through 40 years of unchecked power. Trouble is, Hoover eventually had to die; NSA, not being human, does not have that natural limit.
of any aspect of this whole disclosure orgy, this alone is the most disturbing conclusion. "intelligence" has morphed into a feedback cancer in multiple aspects of our public and private lives, currently yet to realize an awful inevitable corruption to extremes without restraint by increasingly malevolent actors. there is no rational justification for billions in covert crimes committed not just foreign but domestic, with the audacity of judicial seal under collusion, all at public expense. fuck that!

your dollars at work, for BULLRUN alone[0], not to mention DIA/DoD budgets, not to mention foreign players:

* weakened algorithms/protocols for big players (e.g., GSM, Cisco)
* weakening of RNGs
* inside access by 'covert agents' to hand over secrets (e.g., big 4)
* corruption of the standards process (NIST 2006?)
* corruption of certification process (CSC)
* corruption of judicial process (NSL to "compel under duress") for access to long term keys and to build in back door support.
* using certification process early-access to prepare backdoors for production runs (CSC)
* crunching of poor passwords
* black ops to steal keys
* black ops to pervert systems

[0] thanks ian!
participants (2): coderman, Eugen Leitl