There’s been no shortage of discussion and debate in recent weeks about the possibility that the NSA has intentionally weakened some cryptographic algorithms and cipher suites in order to give it an advantage in its intelligence-gathering operations. If you subscribe to the worst-case scenario line of thinking, then most of the commonly used ciphers are compromised. If you’re more optimistic, then you tend to think that maybe the NSA has some private capabilities against encryption protocols and is exploiting them. However, Jon Callas, co-founder of Silent Circle, which announced Monday that it was moving away from potentially compromised ciphers, said that it really doesn’t matter whether the NSA has done this, because the damage has been done.

“This issue that we’re dealing with now is, can we trust any of this?” Callas said in an interview. “It really boils down to, they’ve said they’ve tried to break things, so have they done that or not? If you’re going to look at it from a realistic point of view, it really doesn’t matter whether they did it. It’s as much about the NSA undermining confidence.”

Silent Circle, a provider of secure messaging systems, made the decision to replace AES and SHA-2 in its products with Twofish and Skein, respectively. AES and SHA-2 both were part of competitions sponsored by the National Institute of Standards and Technology and recent revelations have shown that the NSA may have exerted some influence on the NIST standards process in some cases. It’s not known which protocols may have been affected, and that uncertainty is part of what drove Silent Circle’s decision, as well as the debate in the security community about what actions to take, if any.

Callas, a cryptographer and former founder of PGP Corp., said that Silent Circle had been thinking about this move for a few weeks before the announcement and that the technical implementation would not be difficult. For companies such as Silent Circle, whose customers depend on the security and confidentiality of the products, the issue comes down to removing doubt from its customers’ minds. But for the rest of the Internet community, there are other issues to consider as it relates to the security of some of the elliptic curves designed by NIST and the NSA.

“The thing that would be the most likely, and in some ways the scariest, is what if, in good faith, the NSA created these curves in good faith and then the mathematicians there found issues with them they’re weaker than anybody thought,” Callas said. “There are things that we’ve discovered about elliptic curves in the past. If the NSA knew that these curves were weaker than we thought, does it matter?

“The defense we’ve always had in the past is that the crypto the NSA recommended was the same stuff they used to protect top secret data, so we could always say, Well, would they shoot themselves in the foot, too? Now, it seems perfectly plausible to me that if the intel side of the house found something that gave them an advantage over everybody else, they would keep it from the other side of the house. Now we’re really wondering if maybe they would shoot themselves in the foot on purpose.”

The ciphers that Silent Circle plans to use in its products were both designed independently, something that Callas believes will be important for the company’s customers going forward.

“There have always been people who haven’t trusted the standard things, and even the NIST people would say, if you don’t trust it, go use these other finalists over here that are intellectual property free,” he said. “That got me thinking. We have to find our way through the legitimate mistrust that starts to resemble a hall of mirrors in a bad 1960s spy movie.”


Comments (4)

  1. Dennis Farr
    1

    True or false:

    I trust Silent Circle’s algorithms to be reliable, and I trust Silent Circle more than the NSA.

  2. martin roberts
    3

    Why should anyone trust Jon Callas and Phil Zimmermann more than NIST and the independent review of AES and SHA-2 from the Europeans at their NESSIE project?

    Callas is, in effect, saying, “Use this crypto because I designed it and I trust myself.” That is a clear example of hubris but not of logical security thinking.

    Suppose Silent Circle accidentally discloses my data and I go to my insurance company and try to collect on my errors and omissions policy – the error was trusting Silent Circle. The insurance company asks me – well did you follow best practices and use government approved crypto – well no. These guys Schneier and Callas sold us on this crypto that lost out in the competition for becoming standards. The insurance company would tell me to take a hike.

  3. sam
    4

    “moving away from potentially compromised ciphers.” and to stuff that Callas designed but wasn’t good enough to become a standard. Maybe nobody competent even looked at his SKEIN hash function.

    It seems all this hoopla is from guys who have a grudge against NIST for not adopting their algorithms as standards or who profit by making us scared of the government. I’m not saying we should trust NSA but let’s get a grip.

    From what we know, NIST only allowed NSA to push a set of optional parameters for an optional random number generator to be allowed (but not required) to be in compliance with their standard. How do optional parameters for an optional and slow RNG that almost no one implements much less uses constitute a subversion of basic trust? I think a cryptographer from a small company trying to make its name in the commercial world pushing a hash function that he designed is a bit more suspect — don’t you think?