[HN Gopher] NSA, NIST, and post-quantum crypto: my second lawsui...
       ___________________________________________________________________
        
       NSA, NIST, and post-quantum crypto: my second lawsuit against the
       US government
        
       Author : trulyrandom
       Score  : 401 points
       Date   : 2022-08-05 19:07 UTC (3 hours ago)
        
 (HTM) web link (blog.cr.yp.to)
 (TXT) w3m dump (blog.cr.yp.to)
        
       | throwaway654329 wrote:
       | The history in this blog post is excellently researched on the
       | topic of NSA and NIST cryptographic sabotage. It presents some
       | hard won truths that many are uncomfortable to discuss, let alone
       | to actively resist.
       | 
       | The author of the blog post is also well known for designing and
       | releasing many cryptographic systems as free software. There is a
       | good chance that your TLS connections are secured by some of
       | these designs.
       | 
       | One of his previous lawsuits was critical to practically
       | protecting free speech during the First Crypto War:
       | https://en.m.wikipedia.org/wiki/Bernstein_v._United_States
       | 
       | I hope he wins.
        
         | nimbius wrote:
          | The author was also part of the Linux kernel SPECK cipher talks
          | that broke down in 2013 due to the NSA's stonewalling and hand
          | waving for technical data and explanations.
          | 
          | NSA Speck was never adopted.
         | 
         | https://en.m.wikipedia.org/wiki/Speck_(cipher)
        
           | ddingus wrote:
           | Interesting read!
        
         | aliqot wrote:
         | Given his track record, and the actual meat of this suit, I
         | think he has a good chance.
         | 
         | - He is an expert in the domain
         | 
         | - He made a lawful request
         | 
         | - He believes he's experiencing an obstruction of his rights
         | 
          | I don't see anything egregious here. Being critical of your
          | government is a protected right in the USA. Everyone gets a moment
          | to state their case if they'd like to make an accusation.
         | 
         | Suing sounds offensive, but that is the official process for
         | submitting an issue that a government can understand and
         | address. I'm seeing some comments here that seem aghast at the
         | audacity to accuse the government at your own peril, and it
         | shows an ignorance of history.
        
           | newsclues wrote:
           | Trump Card: National Security
        
             | CaliforniaKarl wrote:
              | That's a valid reason (specifically, 1.4(g) listed at
              | https://www.archives.gov/declassification/iscap/redaction-co...).
              | And while the NIST returning such a response is
              | possible, it goes against the commitment to transparency.
             | 
             | But still, that requires a response, and there hasn't been
             | one.
        
           | maerF0x0 wrote:
           | I'd add
           | 
           | * and it's been 20 yrs since the 9/11 attacks which
           | predicated a lot of the more recent dragnets
        
             | kevin_thibedeau wrote:
             | The dragnets existed before 9/11. That just gave
             | justification for even more funding.
        
               | throwaway654329 wrote:
               | Which programs do you mean specifically?
               | 
               | We know the nature of the mass surveillance changed and
               | expanded immensely after 9/11 in a major way, especially
               | domestically.
        
               | KennyBlanken wrote:
               | Every piece of mail that passes through a high-speed
               | sorting machine is scanned, front and back, OCR'd, and
               | stored - as far as we know, indefinitely. That's how they
               | deliver the "what's coming in your mailbox" images you
               | can sign up to receive via email.
               | 
               | Those images very often show the contents of the envelope
               | clearly enough to recognize and even read the contents,
               | which I'm quite positive isn't an accident.
               | 
               | The USPS is literally reading and storing at least part
               | of nearly every letter mailed in the United States.
               | 
               | The USPS inspectors have a long history of being used as
               | a morality enforcement agency, so yes, this should be of
               | concern.
        
               | greyface- wrote:
                | Some more details: https://en.wikipedia.org/wiki/Mail_Isolation_Control_and_Tra...
        
               | throwaway654329 wrote:
               | Agreed. It's even worse: they also have the capability
               | with the "mail covers" program to divert and tamper with
               | mail. This happens to Americans on U.S. soil and I'm not
               | just talking about suspects of terrorism.
        
               | UpstandingUser wrote:
                | I've heard rumors that this was going on for a long time
                | before it was publicly acknowledged to have been -- before
                | OCR should have been able to handle that sort of variety
                | of handwriting (reliably), let alone at scale. Like a
                | snail-mail version of the NSA metadata collection
                | program.
        
               | nuclearnice1 wrote:
               | Apparently not a pre 9/11 program, if Wikipedia is
               | correct.
               | 
                | https://en.m.wikipedia.org/wiki/Mail_Isolation_Control_and_T...
        
               | fanf2 wrote:
               | TFA says: _<<The European Parliament already issued a
               | 194-page "Report on the existence of a global system for
               | the interception of private and commercial communications
               | (ECHELON interception system)" in 2001>>_ (July 2001,
               | that is)
        
               | throwaway654329 wrote:
                | Yes, Duncan Campbell's report is legendary
                | ( https://www.duncancampbell.org/menu/surveillance/echelon/IC2... ).
                | This is the same guy who revealed the existence of GCHQ,
                | and was arrested for this gift to the public.
               | 
               | To clarify, I was asking them for their specific favorite
               | programs as they didn't indicate they only meant the ones
               | in the blog post.
        
               | michaelt wrote:
                | There was the Clipper Chip [2] and the super-weak 40-bit
                | 'export strength' cryptography [3] and the investigation
                | of PGP author Phil Zimmermann for 'munitions export
                | without a license' [4].
               | 
               | So there was a substantial effort to weaken cryptography,
               | decades before 9/11.
               | 
               | On the dragnet surveillance front, there have long been
               | rumours of things like ECHELON [1] being used for mass
               | surveillance and industrial espionage. And the simple
               | fact US spies were interested in weakening export SSL
               | rather implied, to a lot of people, they had easy access
               | to the ciphertext.
               | 
               | Of course, this was before so much stuff had moved
               | online, so it was a different world.
               | 
                | [1] https://en.wikipedia.org/wiki/ECHELON
                | [2] https://en.wikipedia.org/wiki/Clipper_chip
                | [3] https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...
                | [4] https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...
        
             | feet wrote:
             | I'll also add
             | 
             | Which have not prevented anything and instead are used in
             | parallel construction to go after Americans
        
               | gene91 wrote:
                | I don't like the collateral damages of many policies. But
                | it's not fair to say that the policies "have not
                | prevented anything" because we simply don't know. The
                | policies could have stopped in-progress evil acts (but
                | they were never revealed to the public for intel reasons)
                | or prevented attempts at evil acts (well, nothing
                | happened, nothing to report).
        
               | Quekid5 wrote:
                | One cannot prove a negative, but given how much public
                | recording of _everything_ there is these days (and in the
                | last decade+), I'd say it's safe to err on the side of
                | them not having prevented much of consequence. ("Absence
                | of evidence..." doesn't really apply when evidence
                | _should_ be ample for the phenomenon to be explained.)
        
               | colonwqbang wrote:
               | The bar for public policy should be set quite a bit
               | higher than "it could have done some good at some point,
               | maybe".
               | 
               | In comic books, we read fanciful stories about the good
               | guys saving the world in secret. But the real world
               | doesn't really work like that.
               | 
               | When the police seize some illegal drugs, what is the
               | first thing they do? They snap a picture and publish it
               | for society to see:
               | 
                | https://www.google.com/search?q=police+seize+drugs&tbm=isch
               | 
               | because citizens want to see that their tax money is
               | being used successfully. The same would likely be done by
               | the surveillance authorities if they saw significant
               | success in their mission.
        
               | feet wrote:
                | I find it rather funny that we know about the parallel
                | construction which they attempt to keep hidden, yet don't
                | know about any successful preventions. I would assume
                | they would at least want people to know if a program was
                | a success. To me, the lack of information speaks volumes.
                | 
                | This is on top of all the entrapment that we also know
                | about, performed by the FBI and associated informants on
                | Islamic/Muslim communities.
                | 
                | The purpose of a system is what it does.
        
               | sweetbitter wrote:
               | Considering that they do not obey the law, if they had
               | actually stopped any terrorists we would be hearing all
               | about it from "anonymous leakers" by now.
        
               | [deleted]
        
               | maerF0x0 wrote:
               | It also could have stopped the Gods from smiting us all,
               | but there's no evidence that it has.
               | 
               | This article[1] is a good start at realizing the costs
               | outweigh the benefits. There's little or no evidence of
               | good caused, but plenty of evidence of harms caused.
               | 
                | [1]: https://www.eff.org/deeplinks/2014/06/top-5-claims-defenders...
        
               | daniel-cussen wrote:
               | There is evidence of that, in fact. There were many
               | serious terrorist attacks in Europe, like in Spain's
               | subway (300 dead) and Frankfurt, in the aftermath of 9/11
               | and other...uh howmy gonna say this...other stuff, the
               | Spanish terrorist attacks were done by Basque
               | nationalists or such, not Muslims.
               | 
               | So there's your control group, Europe.
        
         | fossuser wrote:
          | I remember reading about this in Steven Levy's _Crypto_ and
          | elsewhere, there was a lot of internal arguing about lots of
          | this stuff at the time and people had different opinions. I
          | remember that some of the suggested changes from NSA shared
          | with IBM were actually stronger against a cryptanalysis attack
          | on DES that was not yet publicly known (though at the time
          | people suspected they were suggesting this because it was
          | weaker, the attack only became publicly known later). I tried
          | to find the specific info about this, but can't remember the
          | details well enough. _Edit: I think it was this:_
          | https://en.wikipedia.org/wiki/Differential_cryptanalysis
         | 
         | They also did intentionally weaken a standard separately from
         | that and all the arguing about 'munitions export' intentionally
         | requiring weak keys etc. - all the 90s cryptowar stuff that
         | mostly ended after the clipper chip failure. They also worked
         | with IBM on DES, but some people internally at NSA were upset
         | that they shared this after the fact. The history is a lot more
         | mixed with a lot of people arguing about what the right thing
         | to do is and no general consensus on a lot of this stuff.
        
           | api wrote:
           | > I remember that some of the suggested changes from NSA
           | shared with IBM were actually stronger against a
           | cryptanalysis attack on DES that was not yet publicly known
           | 
           | So we have that and other examples of NSA apparently
           | strengthening crypto, then we have the dual-EC debacle and
           | some of the info in the Snowden leaks showing that they've
           | tried to weaken it.
           | 
           | I feel like any talk about NSA influence on NIST PQ or other
           | current algorithm development is just speculation unless
           | someone can turn up actual evidence one way or another. I can
           | think of reasons the NSA would try to strengthen it and
           | reasons they might try to weaken it, and they've done both in
           | the past. You can drive yourself nuts constructing infinitely
           | recursive what-if theories.
        
             | kmeisthax wrote:
             | The NSA wants "NOBUS" (NObody-But-US) backdoors. It is in
             | their interest to make a good show of fixing easily-
             | detected vulnerabilities while keeping their own
             | intentional ones a secret. The fantasy they are trying to
             | sell to politicians is that people can keep secrets from
             | other people but not from the government; that they can
             | make uncrackable safes that still open when presented with
             | a court warrant.
             | 
             | This isn't speculation either; Dual_EC_DRBG and its role as
             | a NOBUS backdoor was part of the Snowden document dump.
        
               | api wrote:
               | Here's the counter-argument that I've seen in
               | cryptography circles:
               | 
               | Dual EC, a PRNG built on an asymmetric crypto template,
               | was kind of a ham fisted and obvious NOBUS back door. The
               | math behind it made such a backdoor entirely plausible.
               | 
               | That's less obvious in other cases.
               | 
               | Take the NIST ECC curves. If they're backdoored it means
               | the NSA knows something about ECC we don't know and
               | haven't discovered in the 20+ years since those curves
               | were developed. It also means the NSA was able to search
               | all ECC curves to find vulnerable curves using 1990s
               | technology. Multiple cryptographers have argued that if
               | this is true we should really consider leaving ECC
               | altogether. It means a significant proportion of ECC
               | curves may be problematic. It means for all we know
               | Curve25519 is a vulnerable curve given the fact that this
               | hypothetical vulnerability is based on math we don't
               | understand.
               | 
               | The same argument could apply to Speck:
               | 
               | https://en.wikipedia.org/wiki/Speck_(cipher)
               | 
               | Speck is incredibly simple with very few places a
               | "mystery constant" or other back door could be hidden. If
               | Speck is backdoored it means the NSA knows something
               | about ARX constructions that we don't know, and we have
               | no idea whether this mystery math also applies to ChaCha
               | or Blake or any of the other popular ARX construction
               | gaining so much usage right now. That means if we
               | (hypothetically) knew for a fact that Speck was
                | backdoored _but not how it's backdoored_ it might make
               | sense to move away from ARX ciphers entirely. It might
               | mean many or all of them are not as secure as we think.
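
The Dual EC construction api describes above, as an added toy demonstration (not from the linked post or from anyone in this thread): a constructed curve with 1052 points stands in for the NIST P-256 curve the real standard used, the Dual EC state update and output truncation are reproduced in miniature, and the Shumow-Ferguson recovery shows what anyone holding the secret relation P = d*Q can do with a single output block. The curve, the secret multiplier 17, the seed and the 3 dropped bits are all constructed values.

```python
"""Toy Dual_EC_DRBG with a trapdoor, after Shumow and Ferguson (2007).

Everything here is a constructed miniature: a curve with 1052 points instead
of NIST P-256, 3 dropped bits instead of 16, so the whole recovery is a few loops.
"""
# Curve y^2 = x^3 + x over F_p with p = 3 mod 4: supersingular, so #E = p + 1.
P_MOD = 1051               # prime; p + 1 = 1052 = 4 * 263
ORDER = 263                # prime order of the subgroup we work in
COFACTOR = 4
X_BITS = 11                # x-coordinates are < 2^11
DROP_BITS = 3              # Dual EC drops the top 16 of 256 bits; we drop 3 of 11
INF = None                 # point at infinity

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + x (a = 1)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """A point with this x-coordinate, or None if x is not on the curve."""
    rhs = (x * x * x + x) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)       # sqrt works because p = 3 mod 4
    return (x, y) if y * y % P_MOD == rhs else None

def mul_x(k, pt):
    """x(k*pt). Toy convention: k = 0 mod ORDER becomes 1 so we never land on
    infinity, which has no x-coordinate (negligible on a 256-bit curve)."""
    return mul(k % ORDER or 1, pt)[0]

def find_base_point():
    """First curve point, pushed into the order-263 subgroup by the cofactor."""
    for x in range(1, P_MOD):
        g = lift_x(x)
        if g is not None and mul(COFACTOR, g) is not INF:
            return mul(COFACTOR, g)

P = find_base_point()
E_SECRET = 17                          # constructed: whoever picked Q chose Q = e*P
D_TRAPDOOR = pow(E_SECRET, -1, ORDER)  # ... and therefore knows d with P = d*Q
Q = mul(E_SECRET, P)
MASK = (1 << (X_BITS - DROP_BITS)) - 1

def dual_ec(seed, n_blocks):
    """Dual EC core loop: r = x(s*P); s' = x(r*P); output = truncated x(r*Q).
    Returns (internal state after each block, output blocks)."""
    s, states, out = seed, [], []
    for _ in range(n_blocks):
        r = mul_x(s, P)
        s = mul_x(r, P)
        states.append(s)
        out.append(mul_x(r, Q) & MASK)
    return states, out

def recover_state(block, following):
    """Shumow-Ferguson: guess the dropped bits, lift to R = +-r*Q, then
    x(d*R) = x(r*P) is the next internal state. Later blocks confirm the guess."""
    for hi in range(1 << DROP_BITS):
        x = block | (hi << (X_BITS - DROP_BITS))
        if x >= P_MOD:
            continue
        r_point = lift_x(x)
        if r_point is None:
            continue
        r_p = mul(D_TRAPDOOR, r_point)
        if r_p is INF:                     # wrong guess landed on a low-order point
            continue
        candidate = r_p[0]
        if dual_ec(candidate, len(following))[1] == following:
            return candidate
    return None

if __name__ == "__main__":
    states, out = dual_ec(seed=12345, n_blocks=6)
    s = recover_state(out[0], out[1:3])
    print("recovered state:", s, "true state:", states[0])
    print("predicted:", dual_ec(s, 5)[1], "actual:", out[1:])
```

Nothing in the output blocks reveals whether such a d exists for the published P and Q, which is the comment's point: a generator whose constants cannot be shown to have been chosen without that relation is only as trustworthy as whoever chose them.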
        
             | fossuser wrote:
             | I think it's just both. It's a giant organization of people
             | arguing in favor of different things at different times
             | over its history, I'd guess there's disagreement
             | internally. Some arguing it's critical to secure encryption
             | (I agree with this camp), others wanting to be able to
             | break it for offense reasons despite the problems that
             | causes.
             | 
             | Since we only see the occasional stuff that's unclassified
             | we don't really know the details and those who do can't
             | share them.
        
               | throwaway654329 wrote:
               | There are plenty of leaked classified documents from NSA
               | (and others) that have been verified as legitimate. Many
               | people working in public know stuff that hasn't been
               | published in full.
               | 
                | Here is one example with documents:
                | https://www.spiegel.de/international/world/the-nsa-uses-powe...
                | 
                | Here is another:
                | https://www.spiegel.de/international/germany/inside-the-nsa-...
               | 
               | Please read each and every classified document published
               | alongside those two stories. I think you may revise your
               | comments afterwards.
        
           | throwaway654329 wrote:
           | You are not accurately reflecting the history that is
           | presented in the very blog post we are discussing.
           | 
           | NSA made DES weaker for _everyone_ by reducing the key size.
           | IBM happily went along. The history of IBM is dark. NSA
           | credited tweaks to DES can be understood as ensuring that _a
           | weakened DES stayed deployed longer_ which was to their
           | advantage. They clearly explain this in the history quoted by
           | the author:
           | 
           | "Narrowing the encryption problem to a single, influential
           | algorithm might drive out competitors, and that would reduce
           | the field that NSA had to be concerned about. Could a public
           | encryption standard be made secure enough to protect against
           | everything but a massive brute force attack, but weak enough
           | to still permit an attack of some nature using very
           | sophisticated (and expensive) techniques?"
           | 
           | They're not internally conflicted. They're strategic
           | saboteurs.
        
             | fossuser wrote:
             | > "NSA credited tweaks to DES can be understood as ensuring
             | that a weakened DES stayed deployed longer which was to
             | their advantage. They clearly explain this in the history
             | quoted by the author"
             | 
             | I'm not sure I buy that this follows, wouldn't the weakened
             | key size also make people not want to deploy it given that
             | known weakness? To me it reads more that some people wanted
             | a weak key so NSA could still break it, but other people
             | wanted it to be stronger against differential cryptanalysis
             | attacks and that they're not really related. It also came
             | across that way in Levy's book where they were arguing
             | about whether they should or should not engage with IBM at
             | all.
        
               | throwaway654329 wrote:
               | It follows: entire industries were required to deploy DES
               | and the goal was to create one thing that was "strong
               | enough" to narrow the field.
               | 
               | Read the blog post carefully about the role of NBS, IBM,
               | and NSA in the development of DES.
               | 
               | It's hard to accept because the implications are
               | upsetting and profound. The evidence is clear and
               | convincing. Lots of people try to muddy the waters, don't
               | help them please.
        
             | bragr wrote:
             | >IBM happily went along. The history of IBM is dark.
             | 
             | Then, as of now, I'm confused why people expect these kinds
             | of problems to be solved by corporations "doing the right
             | thing" rather than demanding some kind of real legislative
             | reform.
        
               | throwaway654329 wrote:
               | Agreed. It can be both but historically companies
               | generally do the sabotage upon request, if not
               | preemptively. This hasn't changed much at all in favor of
               | protecting regular users, except maybe with the expansion
               | of HTTPS, and a few other exceptions.
        
       | thorwayham wrote:
       | dig @1.1.1.1 blog.cr.yp.to is failing for me, but 8.8.8.8 works.
       | Annoying!
        
       | jcranmer wrote:
        | If anyone is curious, the courtlistener link for the lawsuit is
        | here: https://www.courtlistener.com/docket/64872195/bernstein-v-na...
       | 
       | (And somebody has already kindly uploaded the documents to RECAP,
       | so it costs you nothing to access.)
       | 
       | Aside: I really wish people would link to court documents
       | whenever they talk about an ongoing lawsuit.
        
       | xenophonf wrote:
       | Good god, this guy is a bad communicator. Bottom line up front:
       | 
       | > _NIST has produced zero records in response to this [March
       | 2022] FOIA request [to determine whether /how NSA may have
       | influenced NIST's Post-Quantum Cryptography Standardization
       | Project]. Civil-rights firm Loevy & Loevy has now filed suit on
       | my behalf in federal court, the United States District Court for
       | the District of Columbia, to force NIST to comply with the law._
       | 
       | Edit: Yes, I know who DJB is.
        
         | jcranmer wrote:
         | That is truly burying the lede...
         | 
         | I spent most of the post asking myself "okay, I'm guessing this
         | is something about post-quantum crypto, but _what_ are you
         | actually suing about? "
        
         | [deleted]
        
         | kube-system wrote:
         | Well, he is an expert in cryptic communication
        
       | lizardactivist wrote:
       | An expert, prominent, and someone who the whole cryptography
       | community listens to, and he calls out the lies, crimes, and
       | blatant hypocrisy of his own government.
       | 
       | I genuinely fear that he will be suicided one of these days.
        
       | gred wrote:
       | This guy is the best kind of curmudgeon. I love it.
        
       | bumper_crop wrote:
       | This definitely has the sting of bitterness in it, I doubt djb
       | would have filed this suit if NTRU Prime would have won the PQC
       | NIST contest. It's hard to evaluate this objectively when there
       | are strong emotions involved.
        
         | [deleted]
        
         | cosmiccatnap wrote:
         | It's funny how often the bitterness of a post is used as an
         | excuse to dismiss the long and well documented case being made.
        
           | bumper_crop wrote:
           | If NTRU Prime had been declared the winner, would this suit
           | have been filed? It's the same contest, same people, same
           | suspicious behavior from NIST. I don't think this suit would
           | have come up. djb is filing this suit because of alleged bad
           | behavior, but I have doubts that it's the real reason.
        
             | throwaway654329 wrote:
             | Yes, I think so. His former PhD students were among the
             | winners in round three and he has other work that has also
             | made it to round four. I believe he would have sued if he
             | won every single area in every round. This is the Bernstein
             | way.
             | 
              | The behavior in question by NIST isn't just alleged - look
              | at the FOIA
              | ( https://www.muckrock.com/foi/united-states-of-america-10/nsa... ).
              | They're not responding in a reasonable or timely manner.
             | 
             | Does that seem like reasonable behavior by NIST to you?
             | 
             | To my eyes, it is completely unacceptable behavior by NIST,
             | especially given the timely nature of the standardization
             | process. They don't even understand the fee structure
             | correctly, it's a comedy of incompetence with NIST.
             | 
             | His FOIA predates the round three announcement. His lawsuit
             | was filed in a timely manner, and it appears that he filed
             | it fairly quickly. Many requesters wait much longer before
             | filing suit.
        
         | pixl97 wrote:
          | When it comes to the number of times DJB is right versus the
          | number of times that DJB is wrong, I'll fully back DJB. Simply
          | put the NSA/NIST cannot and should not be trusted in this case.
        
           | bumper_crop wrote:
           | You misread. I'm saying his reasons for filing are in
           | question. NIST probably was being dishonest. That's not the
           | reason there is a lawsuit though.
        
             | throwaway654329 wrote:
             | They're not in question for many people carefully tracking
             | this process. He filed his FOIA before the round three
             | results were announced.
             | 
             | The lawsuit is because they refused to answer his
             | reasonable and important FOIA in a timely manner. This is
             | not unlike how they also delayed the round three
             | announcement.
        
       | lawrenceyan wrote:
       | Here's an interesting question. Even if post-quantum cryptography
       | is securely implemented, doesn't the advent of neurotechnology
       | (BCIs, etc.) make that method of security obsolete?
       | 
       | With read and write capability to the brain, assuming this comes
       | to fruition at some point, encryption as we know it won't work
       | anymore. But I don't know, maybe this isn't something we have to
       | worry about just quite yet.
        
         | Banana699 wrote:
         | The thing you're missing is that BCIs and friends are,
         | themselves, computers, and thus securable with post-quantum
         | cryptography, or any cryptography for that matter, or any means
         | of securing a computer. And thus, for somebody to read-write to
         | your computers, they need to read-write to your brain(s), but
         | to read-write to your brain(s), they need to read-write to the
         | computers implanted in your brain(s). It's a security cycle
         | whose overall power is determined by the least-secure element
         | in the chain.
         | 
         | Any sane person will also not touch BCIs and similar technology
         | with a 100 lightyear pole unless the designing company reveals
         | every single fucking silicon atom in the hardware design and
         | every single fucking bit in the software stack at every level
         | of abstraction, and ships the device with several redundant
         | watchdogs and deadmen timers around it that can safely kill or
         | faraday-cage the implant on user-defined events or manually.
         | 
         | Alas, humans are very rarely sane, and I come to the era of bio
         | hacking (in all senses of the word) with low expectations.
        
         | yjftsjthsd-h wrote:
         | The encryption is fine, that's just a way to avoid it. Much
         | like how tire-iron attacks don't _break_ passwords so much as
         | bypass them.
        
           | lawrenceyan wrote:
           | Ok that's actually a great point. To make the comparison:
           | 
           | Tire-irons require physical proximity. And torture generally
           | doesn't work, at least in the case of getting a private key.
           | 
           | Reading/writing to the brain, on the other hand, requires no
           | physical proximity if wireless. And the person(s) won't even
           | know it's happening.
           | 
           | These seem like totally different paradigms to me.
        
             | ziddoap wrote:
             | I think we are a _long_ way away from being able to
             | wirelessly read a few specific bytes of data from the brain
                | of an unknowing person. Far enough away that I'm not sure
             | it's productive to begin thinking of how to design
             | encryption systems around it.
        
               | lawrenceyan wrote:
               | Memory and experience aren't encoded in the brain like
               | traditional computers. There's no concept of a "byte"
               | when thinking about the human computational model.
        
             | aaaaaaaaata wrote:
             | > And torture generally doesn't work, at least in the case
             | of getting a private key.
             | 
             | This seems incorrect.
        
             | PaulDavisThe1st wrote:
             | > torture generally doesn't work, at least in the case of
             | getting a private key.
             | 
             | Why not?
        
               | [deleted]
        
         | [deleted]
        
         | lysergia wrote:
         | Yeah I've even had very personal dreams where my Linux root
         | password was spoken in the dream. I'm glad I don't talk in my
         | sleep. There's also truth serums that can be weaponized in war
         | scenarios to extract secrets from the enemy without resorting
         | to torture.
        
         | xenophonf wrote:
         | Cryptographic secrets stored in human brains are already
         | vulnerable to an attack mechanism that requires $5 worth of
         | interface hardware that can be procured and operated with very
         | little training. Physical security controls do a decent job of
         | preventing malicious actors from connecting said hardware to
         | vulnerable brains. I assume the same would be true with the
         | invention of BCIs more sophisticated than a crescent wrench.
        
       | politelemon wrote:
       | So, question then, isn't one of the differences between this
       | time's selection, compared to previous selections, that some of
       | the algorithms are open source with their code available?
       | 
       | For example, Kyber, one of the finalists, is here:
       | https://github.com/pq-crystals/kyber
       | 
       | And where it's not open source, I believe in the first round
       | submissions, everyone included reference implementations.
       | 
       | Does the code being available make it easy to verify whether
       | there are some shady/shenanigans going on, even without NIST's
       | cooperation?
        
         | aaaaaaaaaaab wrote:
         | What? :D
         | 
         | Who cares about a particular piece of source code?
         | Cryptanalysis is about the _mathematical_ structure of the
         | ciphers. When we say the NSA backdoored an algorithm, we don't
         | mean that they included hidden printf statements in "the source
         | code". It means that mathematicians at the NSA have knowledge
         | of weaknesses in the construction, that are not known publicly.
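An added illustration of the point made in the comment above; it is not part of the thread, of any NIST document, or of any real implementation. It is a toy Dual EC DRBG-style generator on the secp256k1 curve in which the trapdoor relation between the two points is chosen on purpose. Everything in the code is public and would pass any source audit, yet whoever knows the scalar relating P and Q can predict every later output from a single observed one. The curve parameters are secp256k1's; the trapdoor scalar, the seed and the way Q is picked are made-up constants for the demo, and the real Dual EC output truncation (which costs the attacker roughly a 2^16 search per output) is left out.

```python
# Toy Dual EC DRBG-style generator with a mathematically backdoored point pair.
# Added example, not code from the page or from any standard. Curve: secp256k1
# (y^2 = x^3 + 7 over the prime field below, prime group order, cofactor 1).
# Everything here is public; the only secret is E_SECRET, the discrete log of P
# with respect to Q, i.e. the kind of "knowledge of the construction" that no
# source-code review can find. Needs Python 3.8+ for pow(x, -1, m).
FIELD_PRIME = 2**256 - 2**32 - 977
CURVE_B = 7


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % FIELD_PRIME == 0:
            return None  # p1 == -p2
        # point doubling (curve coefficient a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_PRIME) % FIELD_PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_PRIME) % FIELD_PRIME
    x3 = (lam * lam - x1 - x2) % FIELD_PRIME
    y3 = (lam * (x1 - x3) - y1) % FIELD_PRIME
    return (x3, y3)


def ec_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if x^3 + 7 is a
    non-residue. The field prime is 3 mod 4, so the square root is one pow()."""
    rhs = (pow(x, 3, FIELD_PRIME) + CURVE_B) % FIELD_PRIME
    y = pow(rhs, (FIELD_PRIME + 1) // 4, FIELD_PRIME)
    return (x, y) if y * y % FIELD_PRIME == rhs else None


def first_curve_point():
    """Smallest x >= 1 that lies on the curve; used as the public base point Q."""
    x = 1
    while lift_x(x) is None:
        x += 1
    return lift_x(x)


Q = first_curve_point()
E_SECRET = 0x1234_5678_9ABC_DEF0_1234_5678_9ABC_DEF0  # hypothetical trapdoor scalar
P = ec_mul(E_SECRET, Q)  # published next to Q; nothing in the code reveals E_SECRET


def drbg_step(state):
    """One Dual EC-style iteration: next state from P, output from Q.
    Real Dual EC also drops the top 16 bits of the output; omitted here."""
    state = ec_mul(state, P)[0]
    output = ec_mul(state, Q)[0]
    return state, output


def predict_next_output(observed_output, trapdoor=E_SECRET):
    """The backdoor: lift the observed x back to R = state*Q (the sign does not
    matter, since x(e*R) == x(e*(-R))), multiply by the trapdoor to obtain
    state*P, whose x-coordinate is the next internal state, then run forward."""
    r_point = lift_x(observed_output)
    next_state = ec_mul(trapdoor, r_point)[0]
    return ec_mul(next_state, Q)[0]


def demo(seed=0xC0FFEE):
    """Constructed seed; True when the trapdoor predicts output 2 from output 1."""
    state, out1 = drbg_step(seed)
    state, out2 = drbg_step(state)
    return predict_next_output(out1) == out2
```

Reading the source tells you that P and Q are two points on a standard curve and nothing more; the weakness lives in how P was derived from Q, which is exactly what a FOIA request for the design rationale is meant to surface.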
        
         | [deleted]
        
         | gnabgib wrote:
         | Worth noting DJB (the article author) was on two competing
         | (losing) teams to Kyber[0] in Round 3. And has an open
         | submission in round 4 (still in progress). That's going to
         | slightly complicate any FOIA until after the fact, or it
         | should. Not that there's no merit in the request.
         | 
         | [0]: https://csrc.nist.gov/Projects/post-quantum-
         | cryptography/pos...
        
           | greyface- wrote:
           | > the Supreme Court has observed that a FOIA requester's
           | identity generally "has no bearing on the merits of his or
           | her FOIA request."
           | 
           | https://www.justice.gov/archives/oip/foia-
           | guide-2004-edition...
        
           | throwaway654329 wrote:
           | It is wrong to imply he is unreasonable here. NIST has been
           | dismissive and unprofessional towards him and others in this
           | process. They look terrible because they're not doing their
           | jobs.
           | 
           | Several of his students' proposals won the most recent round.
           | He still has work in the next round. NIST should have
           | answered in a timely manner.
           | 
           | On what basis do you think any of these matters can or may
           | complicate the FOIA process?
        
         | lostcolony wrote:
         | Not really. For the same reason that "here's your github login"
         | doesn't equate to you suddenly being able to be effective in a
         | new company. You might be able to look things up in the code
         | and understand how things are being done, but you don't know
         | -why- things are being done that way.
         | 
         | A lot of the instances in the post even show the NSA giving a
         | why. It's not a particularly convincing why, but it was enough to
         | sow doubt. The reason to make all discussions public is so that
         | there isn't an after the fact "wait, why is that obviously odd
         | choice being done?" but instead a before the fact "I think we
         | should make a change". The burden of evidence is different for
         | that. A "I think we should reduce the key length for
         | performance" is a much harder sell when the spec already
         | prescribes a longer key length, than an after the fact "the
         | spec's key length seems too short" "Nah, it's good enough, and
         | we need it that way for performance". The status quo always has
         | inertia.
        
       | ehzy wrote:
       | Ironically, when I visit the site Chrome says my connection is
       | not secured by TLS.
        
         | kzrdude wrote:
         | I was hoping for chacha20+Poly1305
        
       | bsaul wrote:
       | side question :
       | 
       | I've only recently started to dig a bit deeper into crypto
       | algorithms (looking into various types of curves etc.), and it
       | gave me the uneasy feeling that the whole industry is relying
       | on the expertise of only a handful of guys to actually ensure
       | that crypto schemes used today are really working.
       | 
       | Am I wrong? Are there actually thousands and thousands of people
       | with the expertise to actually prove that the algorithms used
       | today are really safe?
        
         | [deleted]
        
       | jacooper wrote:
       | Filippo Valsorda and Matthew Green aren't too happy.
       | 
       | https://twitter.com/matthew_d_green/status/15556838562625208...
        
       | dt3ft wrote:
       | Perhaps the old advice ("never roll your own crypto") should be
       | reevaluated? If you're creative enough, you could combine and
       | apply existing algorithms in such ways that it would be very
       | difficult to decrypt? Think 500 programmatic combinations (steps)
       | of encryption applying different algorithms. Content encrypted in
       | this way would require knowledge of the encryption sequence in
       | order to execute the required steps in reverse. No amount of
       | brute force could help here...
        
         | TobTobXX wrote:
         | > Would require knowledge of the encryption sequence...
         | 
         | This is security by obscurity. Reputable encryptions work under
         | the assumption that you have full knowledge about the
         | encryption/decryption process.
         | 
         | You could however argue that the sequence then becomes part of
         | the key. However, this key [i.e. the sequence of encryptions]
         | would then be at most as strong as the strongest encryption in
         | this sequence, which kind of defeats the purpose.
        
       | thrway3344444 wrote:
       | Why is the link in the URL http: not https: ? Irony?
        
         | cosmiccatnap wrote:
         | If you spend all day making bagels do you go home and make
         | bagels for dinner?
         | 
         | It's a static text blog, not a bank
        
           | theandrewbailey wrote:
           | The NSA has recorded your receipt of this message.
        
         | sam0x17 wrote:
         | Well https uses the NIST standards so.... ;)
        
       | theknocker wrote:
        
       | eointierney wrote:
       | Yippee! DJB for the win for the rest of us!
        
       | sgt101 wrote:
       | yeah, but where do all these big primes come from?
        
       | pyuser583 wrote:
       | Please include links with https://
        
       | tptacek wrote:
       | I may believe almost all of this is overblown and silly, as like
       | a matter of cryptographic research, but I'll say that Matt Topic
       | and Merrick Wayne are the real deal, legit the lawyers you want
       | working on something like this, and if they're involved,
       | presumably some good will come out of the whole thing.
       | 
       | Matt Topic is probably best known as the FOIA attorney who got
       | the Laquan McDonald videos released in Chicago; I've been
       | peripherally involved in some work he and Merrick Wayne did for a
       | friend, in a pretty technical case that got fierce resistance
       | from CPD, and those two were on point. Whatever else you'd say
       | about Bernstein here, he knows how to pick a FOIA lawyer.
       | 
       | A maybe more useful way to say the same thing is: if Matt Topic
       | and Merrick Wayne are filing this complaint, you should probably
       | put your money on them having NIST dead-to-rights with the FOIA
       | process stuff.
        
         | api wrote:
         | I don't think it's a bad thing to push back and demand
         | transparency. At the very least the pressure helps keep NIST
         | honest. Keep reminding them over and over and over again about
         | dual-EC and they're less likely to try stupid stuff like that
         | again.
        
           | tptacek wrote:
           | Transparency is good, and, as Bernstein's attorneys will ably
           | establish, not optional.
        
             | ddingus wrote:
             | It's as optional as the people can be convinced to not
             | worry about it.
        
       | taliesinb wrote:
       | Why is the submission URL using http instead of https? That just
       | seems... bizarre.
        
         | CharlesW wrote:
         | https://blog.cr.yp.to/20220805-nsa.html works too.
        
       | ForHackernews wrote:
       | Maybe this is too much tinfoil hattery, but are we _sure_ DJB
       | isn't a government asset? He'd be the perfect deep-cover agent.
        
         | throwaway654329 wrote:
         | Please don't do the JTRIG thing. Dan is a national treasure and
         | we would be lucky to have more people like him fighting for all
         | of us.
         | 
         | Between the two, material evidence shows that NIST is the deep-
         | cover agent sabotaging our cryptography.
        
       | crabbygrabby wrote:
       | Seems like a baaad idea lol.
        
         | yieldcrv wrote:
         | seems like they just need a judge to force the NSA to comply
         | with a Freedom of Information Act request, its just part of the
         | process
         | 
         | I'm stonewalled on an equivalent Public Record Act request w/ a
         | state, and am kind of annoyed that I have to use the state's
         | court system
         | 
         | Doesn't feel super partial and a couple law journals have
         | written about how it's not partial at all in this state and
         | should be improved by the legislature
        
           | throwaway654329 wrote:
           | This is part of a class division where we cannot practically
           | exercise our rights which are clearly enumerated in public
           | law. Only people with money or connections can even attempt
           | to get many kinds of records.
           | 
           | It's wrong and government employees involved should be fired,
           | and perhaps seriously punished. If people at NIST had faced
           | real public scrutiny and sanction for their last round of
           | sabotage, perhaps we wouldn't see delay and dismissal by
           | NIST.
           | 
           | Delay of responding to these requests is yet another kind of
           | sabotage of the public NIST standardization processes. Delay
           | in standardization is delay in deployment. Delay means mass
           | surveillance adversaries have more ciphertext that they can
           | attack with a quantum computer. This isn't a coincidence,
           | though I am sure the coincidence theorists will come out in
           | full force.
           | 
           | NIST should be responsive in a timely manner and they should
           | be trustworthy, we rely on their standards for all kinds of
           | mandatory data processing. It's pathetic that Americans don't
           | have _several IG investigations in parallel_ covering NIST
           | and NSA behavior. Rather we have to rely on a professor to
           | file lawsuits for the public (and cryptographers involved in
           | the standardization process) to have even a glimpse of what
           | is happening. Unbelievable but good that _someone_ is doing
           | it. He deserves our support.
        
             | PaulDavisThe1st wrote:
             | Even though I broadly agree with what you've written here
             | ... the situation in question isn't really about NIST/NSA
             | response to FOIA requests at all.
             | 
             | It's about whether the US government has deliberately acted
             | to foist weak encryption on the public (US and otherwise),
             | presumably out of desire/belief that it has the right/need
             | to always decrypt.
             | 
             | Whether and how those agencies respond to FOIA requests is
             | a bit of a side-show, or maybe we could call it a prequel.
        
               | throwaway654329 wrote:
               | We are probably pretty much in agreement. It looks like
               | they've got something to hide and they're hiding it with
               | delay tactics, among others.
               | 
               | They aren't alone in failing to uphold FOIA laws, but
               | they're important in a key way: once the standard is
               | forged, hardware will be built, certified, deployed, and
               | _required_ for certain activities. Delay is an attack
               | that is especially pernicious in this exact FOIA case
               | given the NIST standardization process timeline.
               | 
               | As a side note, the NIST FOIA people seem incompetent for
               | reasons other than delay.
        
             | yieldcrv wrote:
             | > This is part of a class division where we cannot
             | practically exercise our rights which are clearly
             | enumerated in public law. Only people with money or
             | connections can even attempt to get many kinds of records.
             | 
             | As someone with those resources, I'm still kind of annoyed
             | because I think this state agency is playing chess
             | accurately too. My request was anonymous through my lawyer
             | and nobody would know that I have these documents, while if
             | I went through the court - even if it was anonymous with
             | the ACLU being the filer - there would still be a public
             | record in the court system that someone was looking for
             | those specific documents, so that's annoying
        
               | throwaway654329 wrote:
               | That's a thoughtful and hard won insight, thank you.
        
         | gruturo wrote:
         | Yeah, terrible idea, except this is Daniel Bernstein, who
         | already had an equally terrible idea years ago, and won. That
         | victory was hugely important, it pretty much enabled much of
         | what we use today (to be developed, exported, used without
         | restrictions, etc etc etc)
        
         | zitterbewegung wrote:
         | He won a case against the government representing himself so I
         | think he would be on good footing. He is a professor where I
         | graduated and even the faculty told me he was interesting to
         | deal with. Post QC is his main focus right now and also he
         | published curve25519.
        
           | matthewdgreen wrote:
           | He was represented by the EFF during the first, successful
           | case. They declined to represent him in the second case,
           | which ended in a stalemate.
        
             | throwaway654329 wrote:
             | The full story is interesting and well documented:
             | https://cr.yp.to/export.html
             | 
             | Personally my favorite part of the history is on the
             | "Dishonest behavior by government lawyers" page:
             | https://cr.yp.to/export/dishonesty.html - the disclaimer at
             | the top is hilarious: "This is, sad to say, not a complete
             | list." Indeed!
             | 
             | Are you implying that he didn't contribute to the first win
             | before or during EFF involvement?
             | 
             | Are you further implying that a stalemate against the U.S.
             | government is somehow bad for self representation after the
             | EFF wasn't involved?
             | 
             | In my view it's a little disingenuous to call it a
             | stalemate implying everything was equal save EFF involved
             | when _the government changes the rules_.
             | 
             | He challenged the new rules alone because the EFF
             | apparently decided one win was enough.
             | 
              | When the judge dismissed the case, the judge said that
             | he should come back when the government had made a
             | "concrete threat" - his self representation wasn't the
             | issue. Do you have reason to believe otherwise?
             | 
             | To quote his press release at the time: ``If and when there
             | is a concrete threat of enforcement against Bernstein for a
             | specific activity, Bernstein may return for judicial
             | resolution of that dispute,'' Patel wrote, after citing
             | Coppolino's ``repeated assurances that Bernstein is not
             | prohibited from engaging in his activities.'' -
             | https://cr.yp.to/export/2003/10.15-bernstein.txt
        
               | matthewdgreen wrote:
               | I'm saying that the EFF are skilled lawyers who won a
               | major case, and they should not be deprived of credit for
               | that accomplishment.
        
               | throwaway654329 wrote:
               | Sure, EFF played a major role in that case as did
               | Bernstein. It made several lawyers into superstars in
               | legal circles and they all clearly acknowledge his
               | contributions to the case.
               | 
               | Still you imply that he shouldn't have credit for that
               | first win and that somehow he failed in the second case.
               | 
               | EFF shouldn't have stopped fighting for the users when
               | the government changed the rules to something that was
               | also unacceptable.
        
               | matthewdgreen wrote:
               | The original poster said "he won a case against the
               | government representing himself" and I felt that
               | statement was incomplete, if not inaccurate and wanted to
               | correct the record. I'm pretty sure Dan, if he was here,
               | would do the same.
        
               | zitterbewegung wrote:
                | Sorry, I didn't know that part. I have only seen Professor
                | Bernstein once (he had a post-QC t-shirt on, so that's the
                | only way I knew who he was). I have never interacted
                | with him really. He is also the only faculty member that is
                | allowed to have a non-UIC domain. Thank you for
                | correcting me.
        
               | throwaway654329 wrote:
               | You appear to be throwing shade on his contributions. Do
               | I misunderstand you?
               | 
               | A stalemate, if you already want to diminish his efforts,
               | isn't a loss by definition - the classic example is in
               | chess. He brought the government to heel even after EFF
               | bailed. You're also minimizing his contributions to the
               | first case.
               | 
               | His web page clearly credits the right people at the EFF,
               | and he holds back on criticism for their lack of
               | continuing on the case.
               | 
               | I won't presume to speak for Dan.
        
       | mort96 wrote:
       | Weirdly, any time I've suggested that maaaybe being too trusting
       | of a known bad actor which has repeatedly published intentionally
       | weak cryptography is a bad idea, I've received a whole lot of
       | push-back and downvotes here on this site.
        
         | throwaway654329 wrote:
         | Indeed. Have my upvote stranger.
         | 
         | The related "just ignore NIST" crowd is intentionally or
         | unintentionally dismissing serious issues of governance. Anyone
         | who deploys this argument is questionable in my mind,
         | essentially bad faith actors, especially when the topic is
         | about the problems brought to the table by NIST and NSA.
         | 
         | It is a good sign that those people are actively ignoring the
         | areas where you have no choice and you _must_ have your data
         | processed by a party required to deploy FIPS certified software
         | or hardware.
        
           | [deleted]
        
         | [deleted]
        
         | 616c wrote:
         | Another upvote from someone with many friends and colleagues in
         | NIST. I hope transparency prevails and NISTers side with that
         | urge as well (I suspect many do).
        
           | throwaway654329 wrote:
           | They could and should leak more documents if they have
           | evidence of malfeasance.
           | 
            | There are both legal, safe avenues via the IG process and
            | legally risky ones: many journalists are willing to work for
            | major change. Sadly, legal doesn't mean safe in modern America,
            | and some whistleblowers have suffered massive retribution even
            | when they play by "the rules" laid out in public law.
           | 
           | As Ellsberg said: Courage is contagious!
        
         | glitchc wrote:
         | Many government or government affiliated organizations are
         | required to comply with NIST approved algorithms by regulation
         | or for interoperability. If NIST cannot be trusted as a
         | reputable source it leaves those organizations in limbo. They
         | are not equipped to roll their own crypto and even if they did,
         | it would be a disaster.
        
           | icodestuff wrote:
           | "Other people have no choice but to trust NIST" is not a good
           | argument for trusting NIST. Somehow I don't imagine the NSA
           | is concerned about -- and is probably actively in favor of --
           | those organizations having backdoors.
        
             | wmf wrote:
             | It's an argument for fixing NIST so that it is trustworthy
             | again.
        
               | throwaway654329 wrote:
               | This.
               | 
               | One wonders if NIST can be fixed or if it should simply
               | be abolished with all archives opened in the interest of
               | restoring faith in the _government_. The damage done by
               | NSA and NIST is much larger than either of those
               | organizations.
        
               | [deleted]
        
           | zamadatix wrote:
           | "Roll your own crypto" typically refers to making your own
           | algorithm or implementation of an algorithm not choosing the
           | algorithm.
        
             | lazide wrote:
             | Would you really want every random corporation having some
             | random person pick from the list of open source cipher
                | packages? Which, last I checked, still included things like
             | 3DES, MD5, etc.
             | 
             | You might as well hand a drunk monkey a loaded sub machine
             | gun.
        
               | CodeSgt wrote:
               | Surely I'm misunderstanding, are you really advocating
               | that people should roll their own encryption algorithms
               | from scratch? As in, they should invent novel and secure
               | algorithms in isolation? And this should happen.... at
               | every major enterprise or software company in the world?
        
               | lazide wrote:
               | You are completely misunderstanding yes.
               | 
               | I'm saying some standards body is appropriate for
               | validating/vetting algorithms, and having a standards
               | body advocate for known reasonable ones is... reasonable
               | and desirable.
               | 
               | That NIST has a history of being compromised by the NSA
               | (and other standards bodies would likely similarly be a
               | target), is a problem. But having everyone 'figure it
               | out' on their own is even worse. 'hand a drunk monkey a
               | loaded submachine gun' worse.
        
       | dataflow wrote:
       | Tangential question: while some FOIA requests do get stonewalled,
       | I continue to be fascinated that they're honored in other cases.
       | What exactly prevents the government from stonewalling
       | practically _every_ request that it doesn't like, until and
       | unless it's ordered by a court to comply? Is there any sort of
       | penalty for their noncompliance?
       | 
       | Tangential to the tangent: is there any reason to believe FOIA
       | won't be on the chopping block in a future Congress? Do the
       | majority of voters even know (let alone care enough) about it to
       | hold their representatives accountable if they try to repeal it?
        
       | bsaul wrote:
       | holy crap, I wondered why the post didn't mention work by DJ
       | Bernstein outing flaws in curves submitted by NSA...
       | 
       | Well, didn't expect the post to actually be written by him.
        
       | xiphias2 wrote:
       | An interesting thing that is happening on Bitcoin mailing list is
       | that although it would be quite easy to add Lamport signatures as
       | an extra safety feature for high value transactions, as they
       | would be quite expensive and easy to misuse (they can be used
       | only once, which is a problem if money is sent to the same
       | address twice), the current consensus between developers is to
       | "just wait for NSA/NIST to be ready with the algorithm". I
       | haven't seen any discussion on the possibility of never being
       | ready on purpose because of a sabotage.
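As an added example, not part of this thread or of any Bitcoin proposal, here is a minimal Lamport one-time signature in Python together with the misuse the comment above warns about: a key that signs more than one message leaks enough preimages that an attacker can assemble a valid signature on a message of their own choosing, with no hash breaking involved. The message strings, the demo seed and the seeded key-derivation path are constructed for the example; real keys must come from a proper CSPRNG.

```python
# Lamport one-time signatures, plus a demonstration of why "one-time" is not
# optional. Added example, not code from the page or from the Bitcoin mailing
# list discussion it mentions. Messages, seed and key labels are constructed.
import hashlib
import os

DIGEST_BITS = 256  # one preimage pair per bit of the SHA-256 message digest


def _h(data):
    return hashlib.sha256(data).digest()


def _msg_bits(msg):
    """Message digest as a list of 256 bits, most significant bit first."""
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def keygen(seed=None):
    """Secret key: 256 pairs of 32-byte preimages; public key: their hashes.
    seed=None draws from os.urandom. A seed gives reproducible demo keys only;
    never derive real keys this way."""
    if seed is None:
        draw = lambda i: os.urandom(32)
    else:
        draw = lambda i: _h(seed + i.to_bytes(4, "big"))
    sk = [(draw(2 * i), draw(2 * i + 1)) for i in range(DIGEST_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    """Reveal, for each digest bit, the one preimage that bit selects."""
    return [sk[i][b] for i, b in enumerate(_msg_bits(msg))]


def verify(pk, msg, sig):
    if len(sig) != DIGEST_BITS:
        return False
    return all(_h(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _msg_bits(msg))))


def unrevealed_positions(signed):
    """Digest positions that still have a hidden preimage after these
    (msg, sig) pairs. After k reuses a position is fully exposed with
    probability 1 - 2^(1-k); one signature exposes exactly half of each pair."""
    revealed = [[False, False] for _ in range(DIGEST_BITS)]
    for msg, _ in signed:
        for i, b in enumerate(_msg_bits(msg)):
            revealed[i][b] = True
    return sum(1 for a, b in revealed if not (a and b))


def forge_from_reuse(pk, signed, max_tries=200_000):
    """Given several (msg, sig) pairs made with the SAME key, pool every revealed
    preimage and search for a fresh message whose digest needs only pooled
    ones. Returns (forged_msg, forged_sig) or None if the budget runs out."""
    revealed = [[None, None] for _ in range(DIGEST_BITS)]
    for msg, sig in signed:
        for i, b in enumerate(_msg_bits(msg)):
            revealed[i][b] = sig[i]
    seen = {msg for msg, _ in signed}
    for n in range(max_tries):
        cand = b"attacker-chosen message %d" % n  # constructed candidate text
        if cand in seen:
            continue
        bits = _msg_bits(cand)
        if all(revealed[i][b] is not None for i, b in enumerate(bits)):
            return cand, [revealed[i][b] for i, b in enumerate(bits)]
    return None
```

With SHA-256 the public key is 256 pairs of 32-byte hashes (16 KiB) and every signature is 256 preimages (8 KiB), which is the cost the comment refers to; the reuse search succeeds quickly once roughly a dozen signatures have been made with one key, because almost every position then has both preimages exposed.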
        
         | potatototoo99 wrote:
         | Why not start that discussion yourself?
        
       ___________________________________________________________________
       (page generated 2022-08-05 23:00 UTC)