Silent Circle Moving Away From NIST Ciphers in Wake of NSA Revelations

Silent Circle has said that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA’s influence on NIST’s development of ciphers in the last couple of decades.

The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA’s influence on NIST’s development of ciphers in the last couple of decades.

Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it’s in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein.

“At Silent Circle, we’ve been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil [Zimmermann], Mike [Janke], and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite,” Callas wrote in a blog post explaining the decision.

Twofish is a cipher suite written by Bruce Schneier and it was one of the finalists during the AES competition, but lost out to the Rijndael algorithm. It has been resistant to cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle’s products. The company also will be replacing SHA-2, an older NIST hash function, with Skein, which was a finalists in the recently completed SHA-3 competition.

“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols,” Callas said.

The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA‘s influence on cryptographic algorithm development, specifically those standards developed by NIST. The National Institute of Standards and Technology is responsible for developing technical standards for the U.S. federal government and many of those standards are adopted by other organizations, specifically crypto standards. Recent revelations from the NSA leaks have shown that the NSA has some unspecified capabilities against certain crypto algorithms and also has been working to influence NIST standards development. In response to one of these revelations, NIST itself has advised people to stop using the Dual EC_DRBG random number generator developed under its supervision.

“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary,” Callas said.

Silent Circle’s move away from AES and SHA-2 shouldn’t be seen as an indictment of those two ciphers, Callas said, but more of an indication that there are better options out there without the shadow of potential NSA influence hanging over them.

“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs,” he said.

Image from Flickr photos of Marcin Wichary

Suggested articles

Black Hat and DEF CON Roundup

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.