An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.
In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.
The NSA has now agreed to drop all but the most powerful versions of the techniques - those least likely to be vulnerable to hacks - to address the concerns.
Have the chickens come home to roost for the NSA, or should we distrust the report that they backed down?
(Score: 4, Insightful) by bzipitidoo on Friday September 22 2017, @02:50PM (12 children)
There is no such thing as middle ground on this. Encryption can be broken, or not. This attempt to walk an invisibly thin line in which those with massive computing resources can break the encryption while those with just a little less cannot, is extremely difficult even without skeptics pointing out various problems. The spy agencies ought to give up on this approach.
(Score: 2, Insightful) by Anonymous Coward on Friday September 22 2017, @03:07PM
It's not about a little less computing resources. The right maths can dramatically reduce the complexity of breaking an ostensibly secure encryption standard. When the NSA promotes weak encryption, it is being lazy, but it could work.
(Score: 4, Insightful) by linkdude64 on Friday September 22 2017, @03:13PM (10 children)
Encryption can be broken, but am I not mistaken in that it is much more common for it to be bypassed by some other means?
(Score: 2) by DannyB on Friday September 22 2017, @03:32PM (2 children)
I'm going to assume practical feasibility here.
While a brute force attack can discover a key that reveals plaintext, is such an attack practical? If it would take more seconds than there are atoms in the universe, then such an attack is theoretical but not practical. A cipher is secure enough if a brute force attack could not succeed in the expected lifetime of the human species, even if all the matter in the solar system were converted into computers to perform the attack.
A brute force attack may work in a mathematical logical sense. But not in an engineering sense.
So I'll state this: If you don't have a way to bypass the encryption, then you cannot break the encryption.
By 'bypass' the encryption, I mean capture plaintext either at the point of encryption, at the point of decryption, or have some flaw in the encryption enabling you to recover the plaintext without a brute force attack. And this flaw still could involve expending significant amounts of compute horsepower*.
Therefore ALL success in breaking encryption is by bypassing the encryption. (And my definition of 'bypass' also includes a trap door in the algorithm.)
-=-=-=-=-=-=-=-=-=-
(*1 compute horsepower = amount of thinking one horse can do, like mechanical hp.)
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Funny) by DannyB on Friday September 22 2017, @03:44PM
Let me add: also use of any techniques to steal encryption keys, in order to recover plaintext.
Efforts, such as malware to capture the encryption key. Spies. Sneaking into a facility and copying encryption keys.
What? You photocopied the USB thumb drive? That's not what I meant when I said to bring back a copy of the USB thumb drive with the encryption key.
(Score: 2) by bob_super on Friday September 22 2017, @11:14PM
> A cipher is secure enough if a brute force attack could not succeed in the expected lifetime of the human species
"Great! I feel better about legacy system's security!"
"Why, you got a new way to patch the hundreds of known flaws?"
"Nope, but the nukes launch at midnight"
(Score: 3, Informative) by http on Friday September 22 2017, @03:35PM
The BULLRUN program administrators at the NSA would beg to differ with you. They devised at least one cryptographic routine with a backdoor (the one in Dual_EC_DRBG is moderately obscure, but "obvious" if you're a crypto-wonk like Bruce Schneier), and have been known to stack the standards board in charge of reviewing candidate cryptographic routines.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2) by Runaway1956 on Friday September 22 2017, @03:54PM (5 children)
Spearphishing works best, I believe. That, or the bargain bin five dollar wrench. The choice is a matter of finesse and elegance.
(Score: 2) by DannyB on Friday September 22 2017, @06:46PM (1 child)
The choice may also be a matter of being detected. The wrench is fairly likely to be detected. The spear phishing may not be, depending on how well it is done. But then I suppose that reinforces your point about finesse and elegance.
I bet that even today, leaving a USB thumb drive in the men's room, or parking lot is likely to work.
attractive male/female: "Oh, I'm late for my meeting, could you please, PLEASE print my document for me real quick? I have it right here on this USB stick."
(Score: 2) by bob_super on Friday September 22 2017, @11:17PM
> The wrench is fairly likely to be detected.
I sell dual-use wrenches, which provide passwords and guarantee that their owners need a long leave of absence.
If you order with your credit card in the next five minutes, you get the exclusive upgrade code which enables you to also torque bolts.
(Score: 3, Funny) by The Mighty Buzzard on Friday September 22 2017, @10:58PM (2 children)
You haven't been tool shopping in a while. A good beatin-sized wrench ain't that cheap nowadays.
My rights don't end where your fear begins.
(Score: 2) by c0lo on Friday September 22 2017, @11:32PM (1 child)
Given the glut of steel persists, that should be a sign that the demand is increasing fast.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by The Mighty Buzzard on Saturday September 23 2017, @12:14AM
Nah. I'd say it's mostly just inflation. It took quite some time for a $5 wrench to become a $10-15 wrench. Also, tools are always way more expensive than the amount of steel in them would suggest, given that they're a necessary component to make significant amounts of money for the purchaser.