The first major domino to fall in the crypto world after the Edward Snowden NSA leaks began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, discontinued its Silent Mail offering as well. Now Silent Circle is going a step further, saying it plans to replace the NIST-standardized cryptographic primitives in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's cryptographic standards over the last couple of decades.

Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching the developments and revelations coming out of the NSA leaks and has decided that it is in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST primitives such as the Twofish block cipher and the Skein hash function.

“At Silent Circle, we’ve been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil [Zimmermann], Mike [Janke], and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite,” Callas wrote in a blog post explaining the decision.

Twofish is a block cipher designed by a team led by Bruce Schneier; it was one of the five finalists in the AES competition but lost out to the Rijndael algorithm. It has resisted cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle's products: Twofish uses the same 128-bit block and the same 128-, 192- and 256-bit key sizes as AES, so it can be swapped in without changing the surrounding protocol. The company also will replace SHA-2, NIST's current hash function family, with Skein, which was a finalist in the SHA-3 competition that concluded in 2012 with the selection of Keccak.

“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA-2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols,” Callas said.
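Callas's point that Threefish is a tweakable, wide-block cipher whose use "requires some rethinking of protocols" is easiest to see in code. What follows is an added example, not Silent Circle's code or anything published by the Skein team: a Python implementation of Threefish-256 as described in the Skein 1.3 specification (four 64-bit words, 72 rounds, the C240 key-schedule constant and the published rotation constants), using only the standard library. The 256-bit block is why Threefish is not the kind of drop-in replacement for AES that Twofish is, and the 128-bit tweak is the extra input a protocol has to decide how to derive; the sector-number tweak convention in `sector_tweak` is an assumption made for illustration, not a Silent Circle or Skein encoding. Before relying on any implementation like this, check it against the known-answer vectors published with the specification; the code here is not constant-time and is meant for reading, not production.

```python
"""Threefish-256, the tweakable block cipher at the heart of Skein.

Added example (not Silent Circle's or the Skein team's code). Follows the
Threefish description in the Skein 1.3 specification: four 64-bit words,
72 rounds, a subkey injected every four rounds (19 injections in total).
Standard library only; not constant-time, for illustration rather than
production use.
"""

MASK64 = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22            # key-schedule parity constant from the spec
ROUNDS = 72
# Rotation constants for Threefish-256 (Skein 1.3), indexed by round number mod 8;
# each entry holds the rotation for the (v0, v1) MIX and the (v2, v3) MIX.
ROT = [(14, 16), (52, 57), (23, 40), (5, 37), (25, 33), (46, 12), (58, 22), (32, 32)]


def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def _to_words(data):
    # Threefish words are little-endian 64-bit integers.
    return [int.from_bytes(data[i:i + 8], "little") for i in range(0, len(data), 8)]


def _to_bytes(words):
    return b"".join(w.to_bytes(8, "little") for w in words)


def _subkeys(key, tweak):
    """Expand a 32-byte key and 16-byte tweak into the 19 four-word subkeys."""
    k = _to_words(key)
    t = _to_words(tweak)
    k.append(C240 ^ k[0] ^ k[1] ^ k[2] ^ k[3])   # fifth key word: parity
    t.append(t[0] ^ t[1])                        # third tweak word: parity
    subkeys = []
    for s in range(ROUNDS // 4 + 1):
        sk = [k[(s + i) % 5] for i in range(4)]
        sk[1] = (sk[1] + t[s % 3]) & MASK64        # tweak words enter here ...
        sk[2] = (sk[2] + t[(s + 1) % 3]) & MASK64  # ... and here
        sk[3] = (sk[3] + s) & MASK64               # round counter breaks symmetry
        subkeys.append(sk)
    return subkeys


def _check_sizes(key, tweak, block):
    if len(key) != 32 or len(tweak) != 16 or len(block) != 32:
        raise ValueError("Threefish-256 takes a 32-byte key, 16-byte tweak and 32-byte block")


def encrypt_block(key, tweak, plaintext):
    _check_sizes(key, tweak, plaintext)
    sk = _subkeys(key, tweak)
    v = _to_words(plaintext)
    for d in range(ROUNDS):
        if d % 4 == 0:                            # subkey injection
            v = [(v[i] + sk[d // 4][i]) & MASK64 for i in range(4)]
        r0, r1 = ROT[d % 8]
        v[0] = (v[0] + v[1]) & MASK64             # MIX(v0, v1)
        v[1] = _rotl(v[1], r0) ^ v[0]
        v[2] = (v[2] + v[3]) & MASK64             # MIX(v2, v3)
        v[3] = _rotl(v[3], r1) ^ v[2]
        v[1], v[3] = v[3], v[1]                   # word permutation (0, 3, 2, 1)
    v = [(v[i] + sk[ROUNDS // 4][i]) & MASK64 for i in range(4)]   # final injection
    return _to_bytes(v)


def decrypt_block(key, tweak, ciphertext):
    _check_sizes(key, tweak, ciphertext)
    sk = _subkeys(key, tweak)
    v = _to_words(ciphertext)
    v = [(v[i] - sk[ROUNDS // 4][i]) & MASK64 for i in range(4)]
    for d in range(ROUNDS - 1, -1, -1):           # undo each round in reverse
        v[1], v[3] = v[3], v[1]
        r0, r1 = ROT[d % 8]
        v[3] = _rotr(v[3] ^ v[2], r1)             # inverse MIX(v2, v3)
        v[2] = (v[2] - v[3]) & MASK64
        v[1] = _rotr(v[1] ^ v[0], r0)             # inverse MIX(v0, v1)
        v[0] = (v[0] - v[1]) & MASK64
        if d % 4 == 0:
            v = [(v[i] - sk[d // 4][i]) & MASK64 for i in range(4)]
    return _to_bytes(v)


def sector_tweak(sector_no):
    """Derive a tweak from a sector number: an illustrative convention assumed for
    this example, not a Silent Circle or Skein-specified encoding."""
    return sector_no.to_bytes(8, "little") + bytes(8)


def encrypt_sector(key, sector_no, data):
    """Encrypt one 32-byte sector; the tweak, not a fresh key, separates sectors."""
    return encrypt_block(key, sector_tweak(sector_no), data)


if __name__ == "__main__":
    import os
    key = os.urandom(32)
    block = b"the same 32-byte sector contents"    # constructed sample, exactly 32 bytes
    c0 = encrypt_sector(key, 0, block)
    c1 = encrypt_sector(key, 1, block)
    # Same key and plaintext, different tweak: unrelated ciphertexts, no key change needed.
    print(c0.hex(), c1.hex(), c0 != c1)
    print(decrypt_block(key, sector_tweak(1), c1) == block)
```

The "rethinking of protocols" is visible in the signature: every call needs a tweak as well as a key, so a design that simply substituted Threefish for AES in a mode like CBC or CTR would have to choose what the tweak is (a sector number, a message counter, a position in a hash tree) and make sure it never repeats for the same key, whereas with AES that separation would require deriving a separate key per context.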

The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA's influence on cryptographic algorithm development, specifically on the standards developed by NIST. The National Institute of Standards and Technology is responsible for developing technical standards for the U.S. federal government, and many of those standards, crypto standards in particular, are adopted by other organizations. Recent revelations from the NSA leaks have shown that the NSA has some unspecified capabilities against certain crypto algorithms and has been working to influence NIST standards development. In response to one of these revelations, NIST itself has advised people to stop using the Dual_EC_DRBG random number generator, which was standardized under its supervision.

“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary,” Callas said.

Silent Circle’s move away from AES and SHA-2 shouldn’t be seen as an indictment of those two primitives, Callas said, but more as an indication that there are better options out there without the shadow of potential NSA influence hanging over them.

“This doesn’t mean we think that AES is insecure, or SHA-2 is insecure, or even that P-384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs,” he said.

Image from Flickr photos of Marcin Wichary


Comments (12)

  1. John

    You guys should publish an article for developers on alternative cryptographic algorithms. If we’re NSA-paranoid, what should we use for symmetric encryption, asymmetric encryption, secure random number generation, and password hashing? I think a lot of developers went for NIST-approved algorithms because of the implied trust the crypto community placed in these. But now what do we pick?

  2. Alternatives

    I don’t know which have had new attacks published since the competitions, but here’s some options beyond AES and SHA-2:
    AES Finalists (encryption)
    *Rijndael (turned into AES)
    Serpent
    Twofish
    RC6
    MARS

    SHA-3 finalists (hashing)
    BLAKE (based on ChaCha, which is based on Salsa20)
    Grøstl
    JH Function
    *Keccak (being turned into SHA-3)
    Skein (based on Threefish)

    eSTREAM (stream cipher) Round 3 software survivors:
    HC-128 (in Software 128-bit portfolio)
    Rabbit (in Software 128-bit portfolio)
    Salsa20/12 (in Software 128-bit portfolio)
    SOSEMANUK (in Software 128-bit portfolio)
    HC-256 (in Software 256-bit portfolio)
    Salsa20/12 (in Software 256-bit portfolio)
    CryptMT (Version 3)
    Dragon
    LEX
    NLS (NLSv2, encryption-only)

    NESSIE (block ciphers):
    MISTY1 (64-bit blocks)
    Camellia
    SHACAL-2

    NESSIE (hash)
    Whirlpool

    CRYPTREC (March 2013) block cipher
    Camellia

    CRYPTREC (March 2013) stream cipher
    KCipher-2

    Other ciphers:
    Threefish (related to Skein)

  3. Dr. Hilliard Haliard

    The implication here is that the NSA somehow discovered what the entire crypto community missed. That’s rather insulting to all professional cryptographers, particularly the designers of AES and SHA-3. Then again, perhaps this switch is good, since cryptanalysis efforts have focused on the winners, while the second-place contenders are now benefiting from security by obscurity. At least this will buy some time.

  4. NSA budget

    Dr. Haliard,
    Given the budget, focus, secrecy, and age of the NSA, it is extremely likely that the NSA has at some points in time known of attacks that the entire public crypto community did not.

    For instance, differential cryptanalysis
    simson.net/ref/1994/coppersmith94.pdf
    ” The design took advantage of knowledge of certain cryptanalytic techniques, most prominently the technique of “differential cryptanalysis,” which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.”

    Also, possible S-box generation and test techniques:
    www.cosic.esat.kuleuven.be/publications/article-2335.pdf

    • Dr. Hilliard Haliard

      Yes, the NSA might have known about differential cryptanalysis and S-box design before cryptographers made the same discoveries. However, this was decades ago, when the public crypto community was relatively tiny, and the NSA was the most active center of crypto research. Chances are that no one even seriously pursued the same work the NSA did. Nowadays it’s quite different, with crypto a hugely popular area and scores of world-class crypto luminaries working outside the NSA’s secret labs. No matter what stunt the NSA tries to pull in terms of crypto design, it will be caught sooner rather than later. Backdoors in crypto are extremely unlikely to succeed nowadays; that’s why the NSA needs other approaches, from social engineering to the good old car batteries, clamps and pliers.

  5. Dan

    I can understand their reasoning but I do not agree with their decision. Simply put, AES has withstood withering global cryptanalysis, is supported by modern processors, and is implemented by many third party vendors. The math is not that difficult to understand, even if you’ve only been exposed to undergrad-level math.

    I am still confident using AES, and am still using it to protect my laptop (using Truecrypt), my email (using it as my symmetric cipher in OpenPGP), and my passwords (using KeePass).

    As for the hashes, I have read that the SHA-3 finalists are all very fast hash functions and are not recommended for use in certain cryptographic processes such as key stretching. They’re just too fast. I use SHA-256 and RIPEMD-160.

    So far, there is only one modern cryptographic primitive that may have been “tampered” by the NSA, and that is the Dual_EC_DRBG. Cryptanalysis early on has already raised issues with it.

    In the end, I don’t use Silent Circle products so I am not affected by this decision. I would just like to defend the cryptographic primitives which were unjustly sullied by the recent NSA exposures.

  6. Sven

    @Dan: You write “So far, there is only one modern cryptographic primitive that may have been “tampered” by the NSA, and that is the Dual_EC_DRBG. Cryptanalysis early on has already raised issues with it.”

    You probably meant that it is the only one where they have been caught.

    Anyway, there is an interesting paper regarding problems with the NIST curves by D.J. Bernstein and Tanja Lange at www.hyperelliptic.org/tanja/vortraege/20130531.pdf

  7. Karthik

    Also, I believe more people need to switch their regular Public Key based encryption systems to ECC, ensuring better resistance while keeping the number of bits reasonably the same.

  8. Muddy Road

    Great news and a good start. BUT!

    But, where are the other hundreds if not thousands of companies reviewing their code and the influence of the NSA?

    Does this mean virtually every major and minor company in the USA has been compromised?

    Where are the proclamations of independent and ethical code and business practices?

    It seems the internet has become the wild west of data.

    And, the Sheriff is crooked, too.

  9. Godel

    @Dan: Good,fast,cheap — pick any two.

    If you read the NIST analysis of the entrants in the competition to select a final crypto algorithm for AES, the ultimate winner (Rijndael) was fast, cheap, but only “good enough”. Some of the other entrants were deemed by NIST to have higher levels of security, but Rijndael was faster and cheaper to implement in readily available hardware for production use, including smartcards. Both Twofish and Serpent were thought by NIST to have higher levels of security protection.

    • Dan

      I have read the NIST analysis and even read the actual submitted papers. Rijndael is good, fast, and cheap, no pick two-of-three needed. What you read as “good enough” or even mere “adequate”, is still heckuva secure, if you understand the math. It’s still way beyond being practical to attack even given Moore’s law and quantum computers.

      If you bother to read the math and not just the summary, you would see the elegance and simplicity of the AES cipher. I won’t knock the other AES finalists since they’re all pretty solidly designed (I myself also have a soft spot for Feistel networks). The NIST summary was being extra cautious, pointing out the possible weaknesses in the winning cipher.

      The Rijndael cipher has been poked and prodded by cryptographers, mathematicians, engineers, and other highly motivated people all over the world. When I studied crypto in an academic setting a decade or so ago, the cipher of choice for beginning cryptanalysis was DES. Now it’s AES. A whole new generation of cryptanalysts are getting their feet wet by dissecting the intricacies of the Rijndael construction. Given enough eyeballs, all bugs, weaknesses, and backdoors will become shallow.

      If you can point to a practical attack against AES, then you will at least have a leg to stand on. Otherwise, you’re just being a pedantic nitpicker. Maybe you should study crypto. Prove for yourself that the cryptographic primitives you use are really secure. And maybe, just maybe, you won’t rely on other people’s say so.

  10. martin roberts

    I read the Silent Circle post, talk about egotism, instead of the NIST approved algorithms like AES and SHA, these guys want to trust algorithms they created and which were not accepted by NIST. One is an encryption algorithm called Twofish that Bruce Schneier and company wanted to become the AES — their algorithm was found lacking. The other is a hash function that Jon Callas wanted to become a NIST hash standard — it too was found lacking. Why should anyone trust cryptography from these guys? Just because they trash NSA doesn’t mean they know anything about cryptography. AES and SHA-2 have been vetted by experts for years – why leave them now? Egotism – I’d bet the spies at NSA are just licking their lips ready to dig into all of the home grown ciphers that people will be trying to sell us as they scare us away from NIST standards.

    BTW- did you all really understand what NSA is being accused of? They put optional parameters for an optional (one of four) random number generator in a NIST standard. Before the furlough shut down the NIST website I looked at their list of certified random number generators. Out of over 1000 certifications only around 61 even implemented this Dual_EC thing (at least 61 was my count) and as far as I know it was only RSA that actually used the thing.

    Sounds like Silent Circle is drumming up business based on our fear and their egotistical belief that their cryptography is the best cryptography.
