CDR: why should it be trusted?

matthew gream matthewgream at hotmail.com
Sun Oct 22 09:16:09 PDT 2000


Your email is very cynical, perhaps too cynical for reality - but we need 
cynics to keep reality in check.

>  I don't know much about crypto politics, but...  isn't it utterly
>obvious that the mere fact that the NSA suggests a certain algorithm (say
>Rijndael) for a national standard and recommends its use internationally
>implies that they have a pretty darn good idea (if not actual technology)
>on how to break it efficiently?  I just don't see why else they would
>advocate its use.

The NSA exists in part as a national authority on computer and 
communications security, and therefore should recommend an algorithm for 
use as a means to protect its citizens' and country's national security. By 
recommending its use "internationally", I assume that the fine print is that 
they recommend it for use by US nationals in an international environment, 
not to international users (a subtle but useful distinction; the NSA is a 
domestic agency, I don't think it attempts to speak for the world yet). 
Ideally, the NSA should be able to break this algorithm when no one else in 
the world can, as this would give it an advantage in its signals 
intelligence activities - supposedly these are activities used "in the 
national interest", for the benefit of citizens and society as a whole - 
commerce, etc. Well, society is no utopia and there are many other interests 
(relationships with policy in Washington, etc.), but you know what I mean.

>After all isn't the fact that NSA could break DES since the 70's the reason 
>for the 'success' of DES?

Complicated answer. By 'approving' DES, medium security grade products 
procured by the government would presumably have had to have DES and ANSI 
conformance before they would be bought by the government. This at least 
then made DES a commercial choice for government use and something that 
industry had experience with because there was virtually no other choice, and 
thence also for financial institutions, and thence eventually more and more 
into the public arena as the need for information security products became 
more prevalent.

Also, there were few alternatives to DES, and in fact during the 1970s and 
1980s, significant academic activity was put into Feistel network research, 
S-box research, cipher modes of operation, and cryptanalytic attacks 
(differential cryptanalysis, for instance). From this, new symmetric 
algorithms, sometimes based on similar design principles to DES, or on new 
principles investigated as an alternative, were created. You must remember 
that a large proportion of DES use in commercial products is outside the 
scope of technological paranoiacs (that is not entirely fair, there are many 
objective technologists) and in the scope of money men and corporate 
standards conformance and spreadsheets - these people are more than happy 
with an NSA/NIST approved solution.

What you see in the AES candidates are the fruits of decades of research and 
activity, partially thanks to DES, but also a result of the age we live in 
(in the same way that "people knew the internet was coming, but they didn't 
know that it would be the internet", you could say that symmetric and 
asymmetric ciphers were going to happen; they just happened to be DES and 
RSA to start with, the ball has to start somewhere, and it turned out that 
DES was a pretty good choice thanks to the skill of Coppersmith and 
associates at IBM). Whether the NSA could break DES is up for debate, and 
may be known in the future perhaps - what is known now is that the advance 
of technology has made DES an economically unfeasible solution for medium to 
high grade risk situations.

As a result of the AES selection, you must also remember that now there are 
5 highly valued symmetric algorithms created by world class cryptographers, 
and 1 exceptional algorithm. While the AES may be recommended, there are now 
alternatives and additional algorithms that could be used by those desiring 
increased security (i.e. as wrappers for the AES, or alternatives to the 
AES, or whatever).

What you will see in the coming years is a focus on analysing the strengths 
and weaknesses of the AES - hopefully this will only further prove that it 
is a good candidate. Also, in the same way that 3DES and Ritter-style DES 
networks were seen as advantageous modes of operation, perhaps additional 
AES modes of operation will add a further layer of security that may allay 
some concerns about whether the NSA can break the algorithm.

That's my rough answer, no doubt a few people could iron out my bumps.

Best regards,
Matthew Gream
Year 2000 Grand Tour
Madrid, Spain
(enraptured by Goya and his use of diagonal line)

