NIST trying to win back crypto-cred after NSA sabotage


#1

[Permalink]


#2

And they are doing it while working hand in hand with the NSA.

No thanks.


#3

What if you just encrypted your data like 50 different times using different protocols and then on top of that encode your message into Welsh. That's a pretty secure language by the looks of it.

neges hon yn cael ei amgryptio gan Gymraeg.


#4

No no no, KOREAN is the most secure language, since it's not very closely related to anything else.


#5

I don't speak welsh, so I'd have to use something like google translate which famously doesn't work all that well. On top of that there are (were?) various problems with encrypting an encrypted file that was previously encrypted 47 times afaik. Those issues may have been fixed by now, my scant knowledge on the subject is out of date.


#6

infiltrated and sabotaged

collaborated more likely


#7

NIST has two masters. The NSA and the US Public. Currently the NSA is not advancing the interests of the US Public. NIST needs to chose which master it is going to serve.

If NIST chooses to serve the interests of the US Public again, it can easily demonstrate that decision. Just advance a standard that protects privacy.

A month ago, when we were discussing NSA's Operation Bullrun, User bardfin had a great suggestion:

We need open-hardware ASICs that do nothing but dump true physical-noise-derived random numbers, in a SIM card package or SDCARD or USB or something that can be pulled out, swapped out, upgraded, thrown away when or if it is determined to have an implementation weakness — at a price point that is pennies. We need them on a single-layer process, mounted in a clear epoxy, so they can be put under a microscope and audited physically so we can say "this isn't counterfeit".

Trust-able sources of random numbers would be one way NIST could demonstrate they are not the NSA's puppet.

With a good source of random numbers, I could pre-share a few gigs of random every place I needed point to point privacy. Then it would be fairly straight forward to build a brutally simple variant of SSH that always used symmetric crypto and derived the keys from the pre-shared random file.


#8

Assuming at this point that any US govt entity actually has the general public as a master seems really super optimistic. My george carlin / george orwell bitter cynicism doubts that - at the same time a more hopeful me wants to believe in that kind of idealism.


#9

I do understand that open and transparent cryptography is not an oxymoron, honest, but it looks really weird.


#10

Well that's all right then. I knew they'd come good.


#11

At one time I would've suggested Navajo, but with Navajo-dubbed Star Wars making the news, that language may no longer be secure.


#12

Has NIST ever has much crypto-cred outside of government? Going back to their days as the NBS people have accused them of working hand-in-hand with the NSA supporting possibly compromised crypto standards like the DES.

Any improvement in the agency would be welcome, but the first step in secure communications is not to trust government-approved standards.


#13

Related - I thought this was interesting http://slashdot.org/story/13/10/16/1241207/security-researchers-want-to-fully-audit-truecrypt


#14

I think the major difference is that (while absurdly suspicious-looking at the time), the NSA's meddling in DES turned out to be a warning about an attack on the standard nobody else knew about yet. It looked super sketchy; but apparently the NSA itself was on the side of a better DES standard at the time.

Now we know that the NSA is as opaque and high handed in their involvement as ever (and, unfortunately, still a pretty sharp bunch, so getting their good advice would be valuable); but definitely is not in favor of actually-good encryption standards anymore. This makes their continued involvement deeply problematic.


#15

So by looking super incredibly sketchy people only pay attention to the first few valuable items that disappear into your pockets, and miss the ones you swallow and drop into your socks. Hmmmmmmm. I can possibly use this information...


#16

This topic was automatically closed after 6 days. New replies are no longer allowed.