Blog entry by Les Bell

by Les Bell - Monday, 16 October 2023, 9:10 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


NSA Weakening Post-Quantum Crypto, Warns DJB

We have frequently warned of the need for cryptographic agility, a preparedness to replace the public-key algorithms we currently use in protocols like TLS, SSH, PGP & S/MIME as well as other secure protocols with new ones, should quantum computers become capable of breaking them. As part of this effort, the US National Institute of Standards and Technology (NIST) has been running an open competition to select best-of-breed post-quantum cryptographic algorithms, in much the same way as previous competitions produced AES and SHA-3.

But, claims Dan Bernstein of the University of Illinois Chicago, NIST is deliberately obscuring the level of involvement of the NSA in this process. Speaking to New Scientist magazine, he said,

"NIST isn’t following procedures designed to stop NSA from weakening PQC ... People choosing cryptographic standards should be transparently and verifiably following clear public rules so that we don’t need to worry about their motivations. NIST promised transparency and then claimed it had shown all its work, but that claim simply isn’t true."

Even worse, says Bernstein, calculations performed by NIST for the Kyber-512 algorithm are "glaringly wrong", leading to the erroneous conclusion that it is more secure than it really is. NIST multiplied two numbers together rather than adding them; adding them, he claims, would have given a more realistic assessment of Kyber-512's robustness to attack.
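Why the choice between adding and multiplying matters so much is easier to see in log scale, which is how security levels are quoted. The following is an added illustration, not code from the briefing, from Bernstein or from NIST: the exponents it uses are constructed placeholders (a hypothetical "core attack" cost and a hypothetical "memory overhead" cost, both as powers of two), not the actual Kyber-512 figures, which the briefing does not quote.

```python
import math

# Constructed placeholder exponents, NOT the actual NIST or Bernstein figures
# for Kyber-512: the cost of a core attack and a separate overhead term, each
# expressed as a power of two (i.e. in "bits").
CORE_ATTACK_BITS = 130
MEMORY_OVERHEAD_BITS = 40


def bits_if_multiplied(a_bits: float, b_bits: float) -> float:
    """Security level in bits when the two cost components are combined by
    multiplication. Because 2^a * 2^b = 2^(a+b), the exponents simply add, so
    every bit of the second component raises the claimed level by one bit."""
    return a_bits + b_bits


def bits_if_added(a_bits: float, b_bits: float) -> float:
    """Security level in bits when the components are combined by addition.
    log2(2^a + 2^b) is the larger exponent plus at most one bit: once one
    component dominates, the smaller one barely moves the total."""
    return math.log2(2.0 ** a_bits + 2.0 ** b_bits)


def overstatement_bits(a_bits: float, b_bits: float) -> float:
    """Bits of security the multiplicative model claims beyond the additive
    model for the same two components."""
    return bits_if_multiplied(a_bits, b_bits) - bits_if_added(a_bits, b_bits)


def compare(a_bits: float, b_bits: float) -> dict:
    """Return both estimates and the gap between them, rounded for display."""
    return {
        "multiplied": round(bits_if_multiplied(a_bits, b_bits), 3),
        "added": round(bits_if_added(a_bits, b_bits), 3),
        "gap": round(overstatement_bits(a_bits, b_bits), 3),
    }


if __name__ == "__main__":
    cases = {
        "placeholder components": (CORE_ATTACK_BITS, MEMORY_OVERHEAD_BITS),
        "two equal components": (100, 100),
    }
    for label, (a, b) in cases.items():
        print(f"{label}: {compare(a, b)}")
```

With the placeholder values, multiplying yields a 170-bit claim while adding yields 130 bits: a 40-bit gap, i.e. a factor of about a trillion in estimated attack cost, from nothing more than the choice of operator. The point is the same whatever the true Kyber-512 exponents are: in a log-scale security estimate, multiplying two cost terms where they should be summed inflates the result by the full size of the smaller term.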

NIST spokesperson Dustin Moody rejects Bernstein's analysis, stating that "It’s a question for which there isn’t scientific certainty and intelligent people can have different views. We respect Dan’s opinion, but don’t agree with what he says". In any case, while Kyber-512 meets NIST's level one criteria, the agency recommends that in practice users should adopt the stronger Kyber-768 algorithm.

Moody also argues that NIST has followed tight guidelines to ensure transparency and security, and would never knowingly agree to weaken any of these cryptographic standards. He also states that the NSA has, as far as it can, tried to be more open.

But Bernstein claims that NIST has not been open about the level of NSA input, and has used freedom of information requests and court action to force the agency to release internal documents which show that NSA employees are members of the "Post Quantum Cryptography Team. National Institute of Standards and Technologies", as well as undisclosed meetings with personnel from both the NSA and the UK's GCHQ.

The NSA has a checkered past when it comes to allegations of attempts to weaken cryptographic algorithms, dating back to unexplained requests to IBM and NIST to change the values in the S-boxes (substitution boxes, a type of lookup table) in the algorithm that eventually became DES, the Data Encryption Standard. Some cryptologists alleged that this was done to deliberately weaken the algorithm; however, many years later, after Eli Biham developed the differential cryptanalysis attack on DES and similar cryptosystems, it was revealed that the NSA had known of this attack decades earlier - they called it the 'T-attack' - and that the suggested changes actually made DES more resistant to it.

On the other hand, documents released by Edward Snowden alleged that the NSA had subverted the NIST standard for pseudo-random number generation, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). There followed a period of intense debate amongst cryptologists culminating in a note by the Director of Research at the NSA, Dr. Michael Wertheimer, published in the Notices of the American Mathematical Society, in which he expressed regret that the agency continued to support Dual_EC_DRBG after researchers had discovered the potential for a trapdoor. He further pointed out that Dual_EC_DRBG was only one of four standards and that no-one was obliged to use it - in fact, because it was incredibly slow, they would be wise not to - but there are suggestions that NSA asked RSA Inc. to make it the default PRNG in their BSAFE software library, and compensated the company for doing so.

So, there you have it - something of a mixed bag. As in the case of Dual_EC_DRBG, expect a debate to erupt in the cryptologic community over the correct technique for assessing the strength of these algorithms (add? Or multiply?), as well as over the ethics of engagement by agencies which have a dual role in both breaking the cryptosystems of adversaries and strengthening their own. Set a thief to catch a thief?

Bernstein, Daniel J., The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level, The cr.yp.to blog, 3 October 2023. Available online at https://blog.cr.yp.to/20231003-countcorrectly.html.

Green, Matthew, Hopefully the last post I'll ever write on Dual EC DRBG, blog post, 14 January 2015. Available online at http://blog.cryptographyengineering.com/2015/01/hopefully-last-post-ill-ever-write-on.html.

Sparks, Matthew, Mathematician warns US spies may be weakening next-gen encryption, New Scientist, 10 October 2023. Available online at https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/.

Wertheimer, M., Encryption and the NSA Role in International Standards, Notices of the AMS, Vol. 62, No. 2, pp. 165–167, February 2015.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
