[Clips] US CODE: Title 50,1811. Authorization during time of war

John Young jya at cryptome.net
Thu Dec 22 14:33:46 PST 2005


NSA may claim to use AES256 for classified material but we
don't really know if that is true for all material or only for selected
parts not needing the best protection the agency has. 

NSA has never been a proponent, at least not a practitioner, of 
open testing of crypto to assure security. They read those results, 
file them away and keep quiet about secret inventions.

No intel agency has ever disclosed its best stuff, and that is
true of most commercially valuable inventions. What you can
get is a retail version and a lot of hokum about how good
it is and how bad is that of the competition. You don't know what's
true until a rogue employee breaks away to set a new shop
or to get a new paymaster to spread FUD.

Reverse engineering is a double-edged sword when you
don't know if the purloined product you're investigating was
deliberately lofted your way for "independent product
testing" in order to assay your own capabilities and stupidities.

The open competition for AES had a taint of that, and maybe
a couple of hundred cryptographers knew WTF was going on
and half of those were blinded by vanity and ignorance of 
"independence." The NDAs of participants sucked of "trust us."

But no official crypto system has ever been free of the odor of 
suspicion, so common are cracks and betrayals, as David Kahn
amply describes. Multiple layers of protection are presumably
used along with obscurity about what they are. Relying on a
single crypto system for protection is surely insufficient -- but
it does nicely ID itself for scrutiny. End to end is singularly
noticeable. 

Indeed, it should be assumed that any openly discussed infosec 
system is subject to attacks not made public, particularly those
which are successful, which no doubt is why NSA does not openly 
discuss its prowess beyond a few public utterances that are hardly 
revealing even to infosec connoisseurs. Like the vapidities General 
Hayden is oozing these days to dull the perceptions of journalists and
snoozers on the Hill.

To be sure it is likely Hayden knows not much more than he is briefed 
to know by the crypto and cracking wizards who have always danced 
circles around DIRNSAs bemedaled up the kazoo to flummox 
the fleecers.

Bobby Ray Inman may have got a little inside the dark box, but none of 
the others knew any more than they were allowed to know, and much
less after the Church hearings.

Anybody heard a peep about the current NSA dustup from cpunk's old 
crypto control nemesis, ex-NSA Counsel Stewart Baker? His predecessor
was quoted but not him, and once he couldn't get enough face time.



Nearly all infosec standards for military use recommend and/or
require the use of tokens or other mechanical gadgets to back up
passwords and biometrics which are known to be vulnerable to
human weaknesses for sex, drugs, boss hatred and venality.

We finally shelled out a few bucks to buy the PGP version which
provides a token as a backup for passphrases. Haven't used it
yet but the regular alarms about crackability of passphrases
suggest there should be more than your too smart by half,
too lazy by whole, brain for protection. Settle down, Hettinga,
this is only directed at you, you running dog commie bastard.




