From cryptome’s http://cryptome.org/2014/01/nsa-rep-dirt.htm document, and its “scholarly sources”
NSA Reputation Is Dirt
Date: Tue, 21 Jan 2014 18:30:39 -0500
From: William Allen Simpson <william.allen.simpson[at]gmail.com>
To: Jerry Leichter <leichter[at]lrw.com>, John Kelsey <crypto.jmk[at]gmail.com>
Subject: Re: [Cryptography] RSA is dead.
I’m surprised at the sudden interest in my month old December 23 post.
On 1/20/14 2:39 PM, Jerry Leichter wrote:
On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk[at]gmail.com> wrote:
Perhaps this is the result of living in a government bubble for awhile, but I certainly saw and heard a lot of the bigger community who thought NSA’s involvement in domestic crypto standards and companies was intended to improve security. That’s why NSA people were and are openly members of a bunch of standards committees, why people invited NSA guys to give talks and take part in competitions, why people were using stuff like SE Linux. People have been using DSA, the NIST curves, SHA1, and SHA2 for many years, believing them secure–because the assumption was that NSA wasn’t putting backdoored stuff out there.
THE RIGHT WAY TO THINK OF NSA IN THE PERIOD IN QUESTION IS THAT – COMPARED TO HOW IT OPERATED BEFORE – IT WAS NOW INTENDING TO DO THE RIGHT THING. ITS ULTIMATE MISSION WAS AND IS, INHERENTLY, TO DELIVER HIGH ASSURANCE AND LOW SECURITY. I DO BELIEVE THAT NSA ENACTED A GOOD FAITH ATTEMPT TO DELIVER ENGINEERING KNOWHOW IN THE HIGH ASSURANCE AREA. “YEARS OF KNOWHOW” WERE GIVEN UP TO THE GENERAL COMMUNITY, IN ORDER THAT THE BASELINE IN ASSURANCE MOVED UP, SIGNIFICANTLY. AND YES, THAT BENEFIT HAS NOTHING TO DO WITH CONTROL OVER SECURITY STRENGTH, WHICH ONE HAD TO ASSUME WAS BEING SUBVERTED – SINCE THAT IS WHAT “NATIONAL SECURITY” AGENCIES DO.
MY OWN ASSUMPTION WAS THAT THE DESIGN THEORY INTRODUCED INTO STANDARDS WAS FINE, ON A PER-LAYER ANALYSIS; ABOUT SPYING IN THE LAYER MODEL SENSE, AND MOSTLY ABOUT ENSURING THE VENDORS (IN IETF) AND IESG LAND TYPE FOLKS WOULD THEN BE DELIVERING OR INDUCING COMPROMISED IMPLEMENTATIONS. AFTER ALL, THAT’S WHAT “NATIONAL SECURITY” AGENCIES DO (COMPROMISE IMPLEMENTATIONS OF VENDORS, WITH OR WITHOUT CONSENT; AND INFLUENCE POLICY MAKERS WITH BRIBES AND BLACKMAIL).
Absolutely. And it’s not just a matter of living inside the government bubble.
NSA has had a surprisingly good reputation pretty much until Snodownia. Before their involvement with DES, no one really knew anything about them – but every interaction I’ve ever heard of with NSA people left the impression that they were extremely bright and extremely competent. (A friend who, many years ago interviewed with both CIA and NSA, thought the interviewers for the former were a bunch of bumbling idiots, while he was very impressed with the latter. He never took a government job, however.)
NSA IS A VERY FEDERAL AGENCY IN ITS MANAGEMENT STYLE. ITS QUALITY IS A FUNCTION OF THE CULTURE OF BEING A FEDERAL AGENCY – WHICH YOU PERHAPS HAVE TO EXPERIENCE TO RECOGNIZE (AS BEING GOOD, IN A UNIQUELY AMERICAN WAY). BUT YES, I HAVE MET 20-YEAR NSA KEY MANAGEMENT SYSTEM CONTRACTORS AT GTE/GENERAL DYNAMICS WHO JUST ROLLED THEIR EYES AT ME WHEN I SAID THE ABOVE (IMPLICITLY RECOGNIZING ENGINEERING QUALITY AT THE HEART OF THE AGENCY). AT THE TIME I JUST ASSUMED IT WAS BURNOUT EFFECT (SINCE THE FEDERAL PROCESS IS CUMBERSOME AND A GRIND FOR ALL INVOLVED).
No. NSA had a good reputation in the ’60s. I even recommended a friend for a position there in the mid ’70s. (AFAIK, he’s still there.)
WHEN YOU READ THE NSA INTERNAL MAGAZINES YOU GET A FEEL FOR 60S AND 70S CULTURE. IN WHAT IS AN OPERATIONAL GRIND JOB, ONE COULD SENSE THAT THE CORE OF THE AGENCY (THEN) WAS NOT TECHNOLOGY BUT INTELLIGENCE. THAT IS, AFTER TURING BROKE THE CIPHER, AN ENTIRELY DIFFERENT MAGICAL SKILL IS APPLIED TO INTERPRET THE RELEVANCE, APPLY IT TO SOME POLITICAL JUDGEMENTS, AND ALSO LET THE INTERPRETATION AMPLIFY THE EFFECTIVENESS OF THE COLLECTION PROCESS ITSELF. YOU “BREAK” THE CRYPTO NET, NOT JUST THE MACHINES, THAT IS.
By the ’90s, its reputation was dirt. Because, other than what was known or suspected about DES, every action they took was to inhibit public use of cryptography.
IN THE 1990S THE KNIVES WERE OUT, AS THE BUDGET SLASHES MEANT THAT THE OLD NSA WAS NO LONGER REVERED/FEARED BY THE OTHER AGENCIES (AND FBI IN PARTICULAR GOT UPPITY, DOING THE G-MEN THING NOW MORE THAN EVER, SINCE THE MAN IN BLACK – NSA – HAD CEDED THE TOP DOG SPOT). THE RELATIONSHIP WITH DOD WAS SOUND THOUGH, AND NSA REBUILT ITSELF – FOR A NEW MISSION. YES, THE NEW MISSION WAS THE “MISSION” OF OPEN NETWORKS (I.E. INTERNET).
NSA managed to appear not to be much involved in the old crypto wars. Sure, everyone knew that they were the ones who wanted to be able to keep decrypting stuff, but they managed to come across as mere implementers of policies set elsewhere.
THIS IS FAIR. AND TO SOME DEGREE IT WAS TRUE, WITH CLIPPER. THE DESIGN OF THE CHIPS AND PCMCIA CARDS INTENDED FOR DOD UPGRADING (FOR THE LAPTOP AND CHEAP HP SERVER REVOLUTIONS) WAS “SUBVERTED” TO FORM THE CLIPPER PROGRAM. NSA DID AN ENGINEER’S JOB ON KEY ESCROW, BUT LEFT IT TO FBI TO LEAD THE ‘NOUVEAU’ NATIONAL SECURITY REGIME, TARGETING OPEN NETWORKS (AND NOW “EVERYONE”). CULTURALLY, NSA WAS AT THAT TIME NOT ABOUT SPYING ON THE PUBLIC. BUT THEN, THE NATURE OF OPEN NETWORKS HAD NOT BEEN FULLY UNDERSTOOD.
Their involvement with DES looked bad for a while – why *those* S boxes? Why 56 bits? – but then differential cryptanalysis was re-discovered in public and it turned out that NSA had actually specified S-boxes as strong against it as possible – and that the real strength really was around 56 bits. NSA came out as being ahead of the rest of the world, and using their lead to strengthen publicly available crypto.
HERE I DISAGREE WITH THE TONE, THOUGH THE FACTS ARE LARGELY RIGHT. NSA WAS SEEN AS THE SECRET MOVER, HIDING BEHIND SECRECY. IT HAD NOT, IN THE DES DESIGN ERA, UNDERSTOOD THE NATURE OF THE NEED TO INDUCE PUBLIC TRUST. BUT THEN, OPEN NETWORKS WERE ONLY AN ACADEMIC CONCEPT, AT THAT POINT. FEW UNDERSTOOD HOW NSA (AND THE ISSUES ADDRESSED BY NSA) WOULD HAVE TO EVOLVE.
ON DES, ONCE AGAIN, THE TRADEOFF WAS TO STRENGTHEN THE SBOXES TO LESSEN THE RISK THAT DIFFERENTIAL TRAILS WOULD BE APPARENT – AND REVEAL THE CI, GENERALLY. PROTECTING THE CI ITSELF CAN BE MORE VITAL THAN DECRYPTING LOW GRADE STUFF – KEEPING IT AVAILABLE FOR THE GOOD STUFF.
NSA was *very* involved in the crypto wars!
IN ISO AND OTHER FORMAL BODIES LIKE EMA AND ABA, YES NSA WAS VERY INVOLVED. IT WAS A 60S INVOLVEMENT FURTHERMORE, LOTS OF SECRET BRIEFINGS AND INDOCTRINATED PARTIES. BUT AGAIN, THINGS WERE ABOUT TO CHANGE. THE STEVE KENTS OF THE WORLD, IN IESG, WERE NO LONGER TO BE ALL POWERFUL.
(THE STEVE KENT RANT BELOW IS ONLY 50% FAIR, NOTE. HE AND THOSE LIKE HIM I KNEW WELL, BEING THOSE RESPONSIBLE FOR ENSURING THAT THERE COULD BE A TRANSITION FROM 80S CLOSED NETWORKS TO 90S OPEN NETWORKS, BY KEEPING THE MILITARY NETWORKS NOT TOO DISTINCT FROM THE GENERAL INTERNET, ALLOWING THE TWO TO GROW SYMBIOTICALLY.)
Have we forgotten that the NSA mole in the IETF, Steve Kent, removed the link encryption option from PPP before RFC 1134 publication in 1989?
STEVE WAS NOT A MOLE. HE WAS AN NSA CONTRACTOR THOUGH. IT WAS QUITE OPENLY KNOWN. MY JUDGEMENT ON HIM IS THAT ULTIMATELY HE WAS AS I CHARACTERIZED ABOVE: AIMING TO FASHION A WORLD WHOSE NATURE NO ONE UNDERSTOOD, BUT EVERYONE KNEW WAS GOING TO COME ABOUT.
IF HE WAS A MOLE IT WAS MORE A CASE OF BEING A DARPA MOLE, PARTICULARLY IN HOW DARPA MANIPULATED NSA, RSA, BBN, MIT AND OTHERS – AGAIN ONLY WITH A VIEW TO FOMENTING THE OPEN NETWORKING MODEL. AND HERE WAS WHERE I GOT INVOLVED, SOMEWHAT “INTERFERING” WITH THE DARPA PLANS.
Have we forgotten that Steve Kent had the NSA (via the FBI) investigate me for *treason* for posting the PPP CHAP internet-draft circa 1991?
I DON’T KNOW IF THAT’S TRUE. I CAN SAY THAT IN 1991 THERE WAS STILL LOTS OF BELIEF THAT OLD-BOY NETWORKS AND PEER REVIEW SHOULD GOVERN CRYPTO AND SECURITY PROTOCOL PUBLICATION. WE SHOULD REMEMBER THAT NOTHING IN PPP WAS NOT BEING ADDRESSED IN ISO TP4, TP3, AND THE SDNS PROGRAM.
IF THERE WAS A FEAR IT WOULD HAVE BEEN THAT ACADEMIC INTERNET NETWORKS, BEING LARGELY UNTAPPED, WERE SUDDENLY VIEWED AS A TARGET FOR WHICH THERE WAS NO PLANNING. AND THIS AGAIN IS PART OF THE OPENNESS CHANGE; THAT INDUCES LOTS OF RETHINKING. IT’S LIKELY THAT SENSING A HOLE, FOLKS WOULD USE OTHER STICKS, TRYING TO CONTAIN A BREAKOUT.
Because that would prevent the security agencies from intercepting passwords and pretending to be somebody else…. So by then we knew they were already wiretapping passwords of US citizens and presumably everybody else.
WELL DURR. ANY READER OF A 1980S BOOK ON THE ENIGMA STORY KNEW THAT HALF THE 1940S ERA BATTLE WAS PENETRATION OF THE CRYPTONET (AND NOT JUST THE BREAKING AGAINST THE MACHINERY OF CRYPTO VIA TECHNICAL CRYPTANALYSIS).
This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history. You can’t look at what RSA did in the light of what we know today. You have to look at it based on what was known or reasonably strongly suspected at the time.
RSA CHANGED, ONCE IT WAS RUN BY STUCKY. HE TOOK ITS INGENIOUS IDEAS ABOUT PUBLIC TRUST, THAT WERE AHEAD OF THE CURVE, AND MILKED THEM WHILE HE WAS AHEAD. I WAS VERY MUCH PART OF THAT, THOUGH WAS VERY AWARE HOW TENUOUS WAS THE PUBLIC TRUST TOPIC. THIS WAS THE ONLY REASON I CAMPAIGNED AGAINST KEY ESCROW (AS I DIDN’T WANT CERTS, THEN THE HEART OF THE PUBLIC TRUST CONCEPT, TO BE UNDERMINED BY BECOMING ASSOCIATED IN THE PUBLIC’S MIND WITH THE PROCESS OF ENFORCING KEY ESCROW). ON KEY ESCROW ITSELF, I CARE NOT A JOT; SO LONG AS SOME OTHER TECHNOLOGY, NOT CERTS, ADDRESSED THOSE GOALS. IF THIS MEANS VIRUS CULTURE, TPM CHIPS IN LAPTOPS, ETC ETC SO BE IT.
Hogwash. In addition to the well-known Clipper chip, and the well-known 40-bit key export:
(A) Have we forgotten that Steve Kent had my 1994 Cypher Block CheckSum (CBCS) removed from the IETF publication schedule — because it wasn’t compatible with his Null Encryption option?
DUNNO. BUT SOUNDS INTERESTING. THE IDEA THAT A BIG LIE WAS AFOOT IS TRUE – THAT SUCH AS NULLCIPHER WERE THERE TO ALLOW DECEPTIONS IN CHANNEL FORMATION TO OCCUR (WITH THE ANNOUNCED CIPHERSUITE NOT BEING THAT ACTUALLY DELIVERED).
AFAIK, CBCS was the first attempt at integrating encryption with integrity. Had it been adopted, there would have been no Lucky13, et alia.
THIS SPEAKS TO THE CRYPTOWARS, AND NSA’S VERY PUBLIC POSITION OF THE 90S. DO WHAT YOU WILL WITH SIGNATURES AND AUTHENTICATION. DON’T MIX, THOUGH, WITH ENCRYPTION, SINCE THEN A DIFFERENT PART OF NSA GETS INVOLVED. IN THE SPIRIT OF TRYING TO FIND WAYS OUT OF THE MORASS, THE NSA POLICY WAS RELATIVELY LIBERAL. EVERYONE KNEW THAT CRYPTO HAD A CORE PART TO PLAY IN THE INTERNET AND OPENNESS, COMPENSATING FOR THE NEW VULNERABILITY *DUE TO* OPENNESS ITSELF. NSA CRYPTO TYPES KNEW IT WAS A CORE ENABLER OF THE INTERNET, AND WANTED FOLKS TO NOT ONLY DO IT RIGHT, NOT ONLY STAY CLEAR OF THE POLITICAL MINEFIELDS, BUT ALSO UNDERSTAND WHAT HIGH ASSURANCE INTEGRITY REALLY MEANT.
And why the heck did we need a null encryption option anyway!
(B) Have we forgotten that Photuris was adopted by acclamation at the Montreal IETF — and then Cisco announced they were supporting ISAKMP/Oakley/IKE?
WE MUST ALSO NOT FORGET THAT CISCO HAD TO ENSURE THAT ITS INFRASTRUCTURE APPLIED TO THE OSI AND LEGACY NETWORK SUITES, INCLUDING VOICE CIRCUITS, TOO. NSA WAS VERY MUCH INVOLVED IN OSI.
My guess is forensic accounting would show that Cisco was paid, just as RSA was recently. Whether it was a cash payment or just a promise that they’d be favorably considered in future bids….
THIS IS PARTLY THE CASE, BUT IT’S MOSTLY ABOUT UNDERSTANDING THAT CISCO’S INTERNET MARKETING WAS NOT WHERE IT WAS MAKING MONEY. THERE WAS NOT MUCH MONEY TO BE MADE AT THAT TIME.
I remember meeting with NSA twice at the supposedly neutral NRL. Phil Karn refused to meet with them, even though he grew up in Maryland and it would have been cheaper for him to meet them. But I naively thought that we could come to an agreement.
WHY WOULD A BILLION DOLLAR AGENCY GIVE A DAMN ABOUT SOME INDIVIDUAL? REMEMBER IT ALREADY OWNED IESG.
Their biggest complaint was that Photuris concealed the parties, which inhibited traffic analysis. And sure enough, that’s still what they want today!
IN THE LAYERING VIEW OF SECURITY MODELLING THERE WAS, YES, A PERSPECTIVE THAT SAID THAT OTHERS SHOULD DELIVER CERTAIN SERVICES – AND THUS WHOLLY INTEGRATED CHANNELS WERE “NOT IN THE DESIGN ETHOS” NEEDED FOR A NATIONAL-LEVEL SECURITY POLICY. AND YES, SOME OF THE RATIONALE FOR THE LAYERING WAS SO THOSE TELCO-OTHERS COULD BE INDUCED TO REMOVE CERTAIN PROTECTIONS, ON DEMAND.
All I could get agreement on was expanding the Group-Index field (renamed Schemes in draft -03) from 8 to 16 bits for them to define their own. That took 2 meetings!
(C) Have we forgotten that H-MAC was adopted over IP-MAC, even though we had already shown that H-MAC was formally less secure than IP-MAC (and IP-MAC was older and already had had more analysis)?
AH IBM, IN THE 1990S. ANOTHER STORY ENTIRELY. IT WAS QUITE FUN SEEING IBM AT WORK, FIRST HAND, IN THE CRYPTO PAYMENTS WORLD.
Why is it that everything NSA supported at NIST (SHA, SHA1, SHA2, …) was demonstrably less secure than other proposals?
COMES DOWN TO HOW HIGH-ASSURANCE ENGINEERING PROCESS WORKS. YOU BUILD ON WHAT YOU KNOW. YOU DON’T CHANGE FAMILY; YOU STAY WITH THE FAMILY ONCE ITS COMPROMISES IN COST, DESIGN, IMPLEMENTATION AND POLICY FIND A SUCCESSFUL PLACEMENT – MATCHING THE RISK CATEGORY.
On 12/23/13 9:29 PM, Theodore Ts’o wrote:
As for the rest, the lesson we should take from this is, moving forward, if any company in the future hears the words, “I’m from the NSA and I’m here to help”, they should run away, as fast as their legs can carry them.
NSA REBUILT ITSELF, WHILE DOD CARETAKED PUBLIC NETWORKING POLICY IN THE 2001-2005 ERA. NSA RETOOLED. IT SPENT YEARS SUBVERTING THE WEB, TO KEEP IT VULNERABLE, BY ENABLING IT TO TARGET THE SYSTEM ADMINS, IN CHARGE OF SECURITY MIBS. ONCE AGAIN, THIS IS JUST CRYPTONET KNOWHOW AT WORK, UPDATED FOR THE MASSIVE OPEN NETWORK ERA.
OLD MEN TELLING OLD STORIES. FOLKS ARE FAILING TO ADDRESS HOW IESG AND IETF ARE TODAY COMPROMISED. FOLKS ARE FAILING TO FORESEE THE OPEN NETWORKS OF 20 YEARS’ TIME AND PLAN FOR IT.
The cryptography mailing list
A VERY QUICK LOOK AT DES CBC IN ESP (CBCS?) INDICATES THAT NSA/KENT WOULD WISH TO HIDE CERTAIN CLASSES OF VULNERABILITY THAT A POORLY ARCHITECTED SOLUTION WOULD ONLY HIGHLIGHT AND MAKE MORE LIKELY THAT THE COMPROMISE TECHNIQUE BE EXPOSED (ORACLE ATTACKS ON CBC CHAINS, WHEN ENCRYPTING MACS).
THIS IS LIKELY THE ROOT OF THE ISSUE, NOT SIMPSON’S EXPLANATION. PROTECTING THAT PIECE OF CI WOULD HAVE BEEN PARAMOUNT. ONE WISHED TO PREVENT GENERAL KNOWLEDGE OF THE VERY CLASS OF ATTACK, AND THAT CAN MEAN INTERFERING WITH STANDARDS IF THEY WOULD LESSEN THE SECRET’S VALUE-LIFETIME, ETC.