Ask Slashdot: Can We Still Trust FIPS?

First time accepted submitter someSnarkyBastard writes "It has already been widely reported that the NSA has subverted several major encryption standards but I have not seen any mention of how this affects the FIPS 140-2 standard. Can we still trust these cyphers? They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself right?...Right?"

surely the government wouldn't backdoor itself...

[Skiron]

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

Re:

[Anonymous Coward]

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

Probably not. The NSA is not just concerned about wiretapping you and foreign governments. They are very concerned about foreign governments getting US government secrets. They would only consider back dooring the methods they use if they could be highly confident that it wouldn't help foreign governments crack their codes.

Re:surely the government wouldn't backdoor itself.

[cheater512]

Yeah but they wouldn't shoot themselves in the foot by giving out unbreakable encryption to the people they are trying to spy upon.

If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.

Re:

[93 Escort Wagon]

If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.

We've seen the level of "thought" that goes into these decisions. I doubt anyone with decision-making authority ever considered that weakening encryption so the NSA could get in more easily would also make it easier for criminals to get at the same information.

Nobody else ?

[DrYak]

If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.

It's "nobody else" part which is very hard: the NSA are not the only one playing this game. In fact, the FSB (formely KGB, formely Tcheka) has been at this game (mass surveillance including on own's population) for much longer than the NSA.

Even get real known example: NSA has discovered differential analysis as a method to help breaking ciphers. They kept it as a secret. What happened:
- First they developed ciphers resistant to it (DES). They made a part, the controversial S-Box, to specially make the cyphe

Re:

[Anonymous Coward]

They weakened Lotus Notes by allowing the the NSA to know some of the bits of secrets: http://www.heise.de/tp/artikel/2/2898/1.html [heise.de]

So yeah they could backdoor US stuff.

Re:

[Anonymous Coward]

Depends who runs the Government. Which is always the same people no matter who gets voted in, so the answer is YES.

You're right but not the way you are thinking. The NSA is the boss. It knows enough of elected officials to keep them in check. The NSA allows the three branches of government "run" the country as long as they keep funding the NSA and never interfere with its doings.

Well, ok, even the NSA has a boss. Just a few hours ago it was reported on Slashdot that the NSA offers everything it knows on a silver platter to Israel [slashdot.org].

Sneakernet, bitches.

[Penguinisto]

Minus physical assault, it's getting to be the only way to transport anything securely.

./ also p0wned by NSA

[sigxcpu]

This is the wrong place to ask, "ask slashdot" is also controlled by the NSA.
They have been spending years building cover identities and collecting karma, so they can control ./
And that's why this post is going to be modded down, see, I told you so!

Re:

[GLMDesigns]

wish I had karma to mod you up.

Of course you're probably trolling to get mod points. ;-)

Or ... you're NSA trying to get a handle on all those subversives who agree with you.

Re:

[FatdogHaiku]

Don't be so quick on the trigger, I think there was a xxx vid titled "Hermaphroditic Dreams" or something like that...

How can anyone trust

[i kan reed]

How could anyone trust an encryption algorithm provided by an organization whose purpose is decryption and interception? That will always be the craziest part.

Re:How can anyone trust

[Entropius]

That's not their only purpose. The NSA is supposed to:

1) Make sure the bad guys don't snoop on Americans;
2) Snoop on the bad guys.

I use "bad guys" here with intentional irony, since nobody quite knows how to resolve the dichotomy that happens when the NSA's suspected of being bad guys.

Re:How can anyone trust

[gl4ss]

you forgot 3) make sure that they can snoop on the "bad guys". ...where do you think export restrictions on cryptos came from?

do you know what's super silly? some companies selling crypto products internationally proudly tout around their NSA certification.. certification from the same organisation that has a role in making sure that they don't export too good products.

Re:

[mtm_king]

I am stealing your sig. It is too good for just one person to have. And when I use it the world will only be 5 seconds old and I will have been the first to use it.

Logical Solution

[Anonymous Coward]

Exactly and so the logical way to achieve both of these at the same time is to tell everyone to use an encryption standard which only you have the back door to...since "you" are obviously a good guy.

Re:

[Anonymous Coward]

Too much enciphering could be a threat to world peace. 0,1% of population must work against 99,9% to ensure 100% survive.

That's why they did not have encrypted radio on the B52s raiding Vietnam. Nuclear weapons (and carriers) with the potential for a sneaky strike are dangerous, so they did not equip them with ciphers.

I would not be surprised to find out the Russian and the American SIGINT service are actually working closely with each other to clamp down on any attempt of modern-day LeMays to destroy human

Re:

[Flere Imsaho]

Or when the NSA considers everyone a potential bad guy.

Re:

[Goaway]

Now, maybe. In the past, not.

Re:

[Entropius]

That's the point. They're inconsistent now -- perhaps in 1980 they weren't.

Re:

[Jeff Flanagan]

re: your sig

I think you mean "Anthony," unless there are two Weiners in politics that like to show off their weiners.

Re:

[Anonymous Coward]

That's sort of like asking why anybody would ask the Army for tips on self-defense, given that their role is blowing stuff up and killing people.

Well, the Army's role is also defense. The NSA has dual-roles, just like the Army.

The problem is, they've been turned on us. It's effectively like the Army going house-to-house searching for terrorists. All of a sudden that don't want to teach you self-defense practices, because it makes breaking down your door harder.

But you can imagine that, for a long time, peop

Re:

[GLMDesigns]

Your conclusions are kind of funky.

The neo-con idea was to "drain the swamp" with Saddam being at the center of the swamp. (By the way I'm not a neo-con and don't support their views.)

Would it have made sense to bomb mecca? Maybe. But there would have been repercussions with that action as well.

One of the best solutions is to be energy independent and not give the Saudis any money and let the kingdom face the wrath of the wahabbi clerics without having any money to pacify them. Of course the left i

Re:How can anyone trust

[bill_mcgonigle]

If there are "good guys" at the NSA, they need to be moved to NIST instead. Nobody will ever trust the NSA to do good work again.

Re:How can anyone trust

[Lank]

If by good you mean "for the common good" then yes, I'd agree. I would say they do great work with a terrible purpose.

History cuts both ways on that

[Beryllium Sphere(tm)]

For example, they strengthened DES against differential cryptanalysis when they were the only ones who knew about the technique.

Re:

[jhol13]

They use AES themselves. Some of the smartest cryptoanalysts live in Israel, China, Russia, etc.

It would be extremely stupid to do encryption they know is breakable.

It is, has almost always been, and will be in foreseeable future so much easier to use covert channels. A VPN software to use almost, but not quite, random data in encryption keys. This way NSA needs huge workload (few hours of their massive processing power) to decrypt, without knowledge of the non-randomness it would be infeasible. Say AES-128

Re:

[L4t3r4lu5]

The math is sound. The implementation, or some other side-channel attack, may be the issue.

Do you trust the binary? Do you trust the operating system on which you execute the binary? Do you trust the source code? Do you trust the compiler that created the binary from the source code? Do you trust the BIOS of your computer?Do you trust the hardware?

A weakness in any of these will give an attacker leverage. The math may be sound, but it's extremely sensitive to errors.

Re:

[wvmarle]

There is no need to have backdoors in the standard - that'd be counter-productive anyway considering the large number of cryptographers outside the US that try to find weaknesses in those standards. And indeed some have been broken to lesser and greater extent, others are still standing strong.

It is those that stand strong (AES etc) that are now recommended by the NSA to use for top secret stuff and so, and also to the general public. Nothing fishy there, the standards themselves are fine.

The problem lies i

Re:

[Tom]

How could anyone trust an encryption algorithm provided by an organization whose purpose is decryption and interception? That will always be the craziest part.

It's not crazy, you are just badly informed.

The NSA also has the job to make sure nobody does to the US what the US does to everyone else. They've been developing crypto and security technology for decades, some of which (like SELinux) has passed even the most paranoid double-checking.

You would want to trust them for the same reason an ex-burglar is the best guy to hire for checking out your home security system, or hackers make up some of the best security consultants: They know what they're talking about.

Re:

[Tom]

Before you try cheap jokes on UIDs, come out of hiding and show your own.

You apparently don't understand anything about the official mission of the NSA nor its history. And if you think I'm a shill, you should know that I live in the european country that's #1 on their target list. The only reason I'm not raging is that it really wasn't much of a surprise, the only thing that's changed compared to last year is that we now know what we only suspected.

But all that doesn't change the facts. In all the rage and

Re:

[Chickenlips]

I don't think he said that. He did, however, say this:

I trust no one, not even myself.
Joseph Stalin

I think in this case he was on to something ..

suite b

[Anonymous Coward]

http://www.nsa.gov/ia/programs/suiteb_cryptography/

  AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. Until the conclusion of the transition period defined in CNSSP-15, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.

NSA also defined another algorithm suite, Suite A, which contains both classified and unclassified algorithms. Suite A will be used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).

Re:

[letherial]

can you really trust anyone? until the day i can get in someones head and verify beyond any doubt that they are trustworthy, i am going to stop surfing the web, eating local food, going anywhere public and most certainly not answering the door.

If you need me ill be in my buried bunker, dont bother knocking, ill shoot first and then figure out who you are.

The obvious portion of the answer

[stevewahl]

Given the chance, of course the government would backdoor itself. If the government isn't the origin of the idea that the left hand doesn't know what the right hand is doing, it is at least the poster child. The only real question would be whether they've yet succeeded.

The question is...

[brainnolo]

...what are the alternatives? Rolling your own crypto won't work well. Unfortunately answers to this question can only be speculation. I wouldn't be extremely paranoid, but still it depends what you are trying to protect.

Re:

[DavidClarkeHR]

...what are the alternatives? Rolling your own crypto won't work well.

I suppose that depends on the type of information you're trying to protect - now you'll need to decide if it's worth even writing the information down!

Re:

[davydagger]

twofish? MD6? WHIRPOL?

Re:

[PolygamousRanchKid]

I think we've reached peak encryption. No matter what you come up with, the NSA has more than enough resources to crack your encryption method. And if you're using one-time pads, they or their retinue will just crack one of the holders of the one-time pads. Crack, like the holder's skull, knuckles or testicles.

So we need to dump the idea that encryption can be used to transmit our secrets. And come up with entirely new ideas.

A radical thought? Hell, yeah. Do I myself have any ideas how to do this?

Re:

[Razgorov Prikazka]

>>Rolling your own crypto won't work well.

What if Joan Daemen and Vincent Rijmen kept AES to themselves, wouldn't that work for them and still be considered "roll your own"?
Still, I think that FOSS works best for encryption; many eyes make for shallow backdoors... erhm what was the saying again?
It is one of the reasons I dont really trust bloated distros like ubuntu. Too much code to inspect. (but I might be wrong;-)

Re:

[um... Lucas]

A) for the rest of us that arent math geniuses, that gives us no help....

B) how many refinements were added during the peer review process?

Re:

[BitZtream]

As someone who writes cryptography software (I'm not a cryptologist, I just implement known algorithms, and verify they produce was I'm told they should produce), the solution for us is to provide software with multiple algorithms and let the user pick. Our core library supports DES, Blowfish, Twofish, and two separate implementations of AES, one of which is from outside the US. We also support a handful of lesser known algorithms, such as variants of the different Russian GOST standards.

Unless everyone i

Re:

[BitZtream]

Note: The software can't protect you from a broken OS.

Re:

[um... Lucas]

how do you manage key exchange? waiit til you see your trusted friend in person?

i think schneiers main point still stands; its easy to create a crypto system that you cant defeat; much different story to create one that others cant....

Re:

[Anonymous Coward]

This is categorically stupid advice.

I am telling you here that just a minor modification (5 rotor sets of three rotors instead of one set, each set odometer-cycled) of Enigma will make this an excellent algorithm for short messages with very good security. As long as you use it with your trusted friend only, they stand very little chance to break into this. That's a few lines of Java, actually.

Enigma on Java?: Java mostly a broken mess. The most common Java (v6) has been obsoleted by Oracle (no more security patches), and the black hats have looked at the security patches made to v7 and constructed exploits that took advantage of the same security holes on V6... Not that V7 is a model of security either... Enigma? JUSTDONTXUSEXSPACESXANYWHEREX

Another option is to take DES and make the s-boxes part of your secret key. Share key by courier. Generate key by hashing mouse movements. Strong enough for all purposes.

DES-sbox keys: there are only 8 of them which describe a 4-bit output mapping function. Many of the possible sboxes

Re:

[Goaway]

Writing your password on a post-it note is much, much safer than most other things. At least that way you can pick a properly complicated password. If somebody is in your room and looking at the note, you have bigger problems anyway most of the time.

And as for end-point security, you should be worrying far more about whether your decryption software or OS is spying on you after you decrypt.

Re:

[sinij]

No matter how good your encryption it still can be easily decrypted with a rubber hose.

Re:

[L4t3r4lu5]

The weakest point is always the human, so take them out of the loop. Rotating keys and a Dead Man's Switch would do it. Have a keyfile generated every $Period and use it to update the key for the data at every $Period. Require both user passphrase (or similar) and keyfile to access data. Once $Period has ellapsed, no amount of application of the $5 Wrench will get you access.

No.

[Narcocide]

No, and you never actually should have trusted it. None of us did, we all stopped using it the moment the NSA advocated it, just like we stopped trusting every single crypto standard and favorite security tool they promoted, merely because they promoted it so suspiciously, long long before it was public knowledge the agency had gone rouge.

It still makes me chuckle when I hear people worryingly speculate whether SELinux has backdoors. SELinux doesn't have backdoors, SELinux IS A BACK DOOR!!! *Actually read the instructions* for configuration of this tool and you'll see what I mean. Its security-through-obscurity at its worst. At best you can increase the illusion of security to untrained staff members. Anyone who has read the manual though knows there's one command anyone can use to gain root access more easily than if SELinux had not enabled or installed.

Re:

[Anonymous Coward]

Anyone who has read the manual though knows there's one command anyone can use to gain root access more easily than if SELinux had not enabled or installed.

Dear Mr. Narcocide,

Dropping this without elaborating is not something a gentleman would do.

Sincerely,
The Internet

Re:

[Em Adespoton]

No, and you never actually should have trusted it. None of us did, we all stopped using it the moment the NSA advocated it, just like we stopped trusting every single crypto standard and favorite security tool they promoted, merely because they promoted it so suspiciously, long long before it was public knowledge the agency had gone rouge.

Let me know when it goes chartreuse :D

Anyway; SELinux, if taken as a collection of recommendations, has some good stuff in it. I've used a lot of that for securing my BSD boxes. However, just implementing it as a "security package" without understanding what you're doing... well, completely apart from that one command, there are a bunch of other areas where incorrect implementation (which is what people would do by default) is enough to make the entire stack very insecure. But then, people do that just b

Re:

[Gibgezr]

The NSA went rouge? As in red? Are they commies now? I'm confused.

Re:

[SecurityTheatre]

rm -rf

Re:

[Em Adespoton]

And that command is?

install :D

Really; if you need to ask, you shouldn't be installing SELinux in the first place. The NSA actually provides decent quality documentation that explains most of it. They didn't really hide anything here.

Re:

[EETech1]

su su suid-O

Re:

[Fred Foobar]

SELinux is not needed for sudo to work (sudo was created about 18 years before SELinux). And "sudo -i" is preferable to "sudo su", by the way.

No.

[Anonymous Coward]

Trust was assumed on the basis that the NSA would not unreasonably jeopardise its protection mission by furthering its interception mission. This trust was apparently misplaced: it has.

As you will actually see if you look at the documents, the NSA used the NIST analysis process under FIPS 140-2 certification to find ways to secretly attack and subvert the implementation of submitted cryptographic modules, including standalone modules, cards, hardware tokens, and software cryptographic modules, including bot

What else?

[Anonymous Coward]

There isn't really anything better out there. The "standard" cryptographic algorithms like AES, SHA-2 and RSA have received the most public scrutiny by far.
If you think the NSA can break those, you have to ask why they can't break whatever other, less tested primitive you are proposing we use instead.

You probably want to use longer key lengths than the minimum recommendation anyway, especially for public key cryptography - it's cheap.
Specifications with magic numbers are more suspect, but this has been know

a much better question

[slashmydots]

For the other 99% of us that aren't encryption specialists, a list of what software, services, and websites use which encryption method and whether or not it's known to be broken/back doored might be more helpful. I'm even a software programmer and I don't know what uses FIPS and what uses AES and what specifically uses the Dual_EC_DRBG algorithm.

Re:

[GoChickenFat]

Search for FIPS 140-2. It's a paid for government certification for an implementation of an encryption routine. You can implement AES in your software but it's not officially FIPS 140-2 certified until you submit and pay for the certification. So in other words, you will not find any open source encryption certified by the government as FIPS 140-2 since that would require a submission and payment. If you search you will find the official list of software that is certified as FIPS 140-2.

Re:

[nrjyzerbuny]

Or someone like RedHat could decide that they need certification (required for some FedGov projects), and pay to get something like OpenSSH certified. Red Hat Enterprise Linux 6.2 OpenSSH Server Cryptographic Module, when run in FIPS mode is certificate number 1792.

Re: a much better question

[chill]

Bzzzt! Wrong! OpenSSL jumped thru the hoops and has a FIPS 140-2 version.

Re:

[Jah-Wren Ryel]

That is correct. But it's, what, 8 years old now? FIPS certification is a PITA because any changes to the product require re-certification and it is a really long process.

Re: a much better question

[chill]

Uh, no. Cert 1747 was issued originally in June 2012 and renewed as recently as August 23, 2013. It is the latest and greatest.

Re:

[Jah-Wren Ryel]

Ok, so that's new. I was referring to the Jan 2006 certification which took 5 years. Looks like they certified a couple of versions in 2008 and then it took 4 more years for the 2012 cert. You'll note it is also a very specific part of OpenSSL, not the entire suite.

Re:

[chill]

That was by design, and how EVERYONE does it. Only the core cryptographic module is certified. Everything else is a wrapper around it. Since FIPS only requires the crypto functions to be evaluated, this makes it possible to make changes to every other component without invalidating the certificate.

RSA, for example, licenses their certified BSAFE library to several vendors. The other vendors can fiddle with GUIs, interfaces or whatever without having to get their individual products certifed.

If they certifie

Re:

[Tom]

If you search you will find the official list of software that is certified as FIPS 140-2.

Correct. That list is here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051 [nist.gov]

you will not find any open source encryption certified by the government as FIPS 140-2

Incorrect. OpenSSL has been on that list since 2008, here's the certificate:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1051.pdf [nist.gov]

Re:

[AmiMoJo]

Pretty much all of it I'm afraid.

I think we have to even consider AES to be dead now. Twofish is probably the best bet to replace it. I'm not sure what we can use to replace Dual_EC_DRBG.

Re:

[LainTouko]

What do you have against AES? The US government doesn't pick bad algorithms for itself to use as a matter of principle or anything, suspicion is only really warranted on algorithms which contain data which claims or appears to be random, but could have been specially chosen to have some property. (If you want people to trust your magic numbers, you generate them by doing something like taking the hash of the square root of 2.) The difference between AES and Twofish is that AES got more positive comments fro

Re:

[nrjyzerbuny]

Here's the list of software that is FIPS certified. Be aware that most are libraries that are used in other products, which can sometimes make it hard to tell which particular certified bit is being used by end-user software.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm [nist.gov]

Re:

[wisnoskij]

Here is the list of software, you CAN trust:

Yes, but...

[sinij]

FIPS is a financial and government-facing certification. FIPS guarantees correct implementation of cryptographic protocols according to a set of standards. It does not guarantee that there are no undiscovered (or backdoored) weaknesses in your implementation. This is still useful function to entities that require this certification. Corporate liability and loss due to getting hacked because of incorrect cryptographic implementation is orders of magnitude greater than liability and loss due to getting exposed NSA backdoors. It is all about risk management, and it says FIPS is still good idea.
 
  Now, if you want personal security this equation changes a bit - possibility of personal harm due to hypothetical NSA backdoors goes slightly up and your likelihood of getting targeted to get pwned goes drastically down. FIPS is still likely net benefit, but diminished.
 
  Keep in mind that there is no such thing as perfect security. You have to ask, how likely that this specific implementation was backdoored by NSA and what the worst possible outcome of such occurrence?

Re:

[Whorhay]

I would wager that the actual encryption protocols, recommended in FIPS, are probably still good enough and not likely sabotaged by the NSA. FIPS is the standard that the military is using and it is highly unlikely that the NSA would tell the military to use something they knew was vulnerable. There are two good reasons for that; first the NSA knows that they are bound to have spies within their agency and so anything like a backdoor to the encyption standard which your entire military is using would certai

Re:

[iroll]

I would love to read about this, but you didn't post enough information for me to google it, and you posted as AC, so you're not likely to see this response. If you do, please point me in the right direction, because I'm very interested.

it was General Paul Van Riper

[enos]

A retired General, not Admiral, Paul Van Riper was in charge of the Red Team.

http://en.wikipedia.org/wiki/Millennium_Challenge_2002 [wikipedia.org]

While the military definitely has its head up its ass over this, I read somewhere, I don't remember where now, that the charges of cheating did have some merit. It would be things like that the motorbike couriers would arrive instantly and various other guerrilla tactics would always work and happen faster that was realistic, etc.

Re:

[iroll]

Thanks!

TS is not SCI

[Anonymous Coward]

"Up to Top Secret" does not include Sensitive Compartmented Information (SCI). The ciphers under discussion, backdoored or not, are not suitable for use on SCI.

Re:

[drdread66]

I have no points to mod this up, but would if I did. This is dead on target, at least as far as how the military views this sort of thing. But do remember that TS and SCI are somewhat orthogonal; you can have SECRET/SCI and TS/collateral in addition to the more common SECRET/collateral and TS/SCI.

Also note that typically NSA is comfortable with encryption as long as they know how much effort is required to break it. The only way NSA will believe a difficulty estimate is if they actually break it. They don't

Re:

[wvmarle]

Obviously the NSA believes they're the smartest when it comes to breaking cryptography.

Shouldn't that also mean, that if they can not break it, no-one else can?

To me it's a bit odd that they'd approve for government use encryption they know they can break already. Knowing that technology advances quickly (more computing power) and also cryptanalyses and related mathematics moves forward constantly.

Re:

[Anonymous Coward]

http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

Suite B still applies to TS/SCI

Re:

[trifish]

If you have anything above Top Secret to hide, good luck to you, you'll need it (either this, or maybe you're a little delusional).

FIPS is not for Top Secret

[Anonymous Coward]

The FIPS 140-2 standard is for "protecting sensitive but unclassified information". It is not for top secret. Also the body of the FIPS 140-2 standard is algorithm agnostic. The part that mandates specific algorithms is Annex A and can be updated to add and remove algorithms without changing the standard.

In terms of how bad the situation actually is.... I refer to Bruce:
The math is good, but math has no agency. Code has agency, and the code has been subverted.

Re:

[uvajed_ekil]

Also, you don't backdoor yourself, for fear of someone finding out about your backdoor without you realizing it.

The gov is a bunch of fuckups

[Mister Liberty]

They backdoor themselves with increasing frequency (Manning, Snowden).
That's the good news.

The thing makes them awesome is their budgets and power. And weak
dicks that populate politics these days. They are hard to kick out. That's
the bad news.

Now get involved.
Have a nice day.

Strangely enough, it's still probably safer

[joeflies]

Based on what I understand of the FIPS process (which is little, admittedly), the whole exercise to put your crypto under the microscope results in eliminating a number of coding mistakes and implementation problems. So even if the algorithms themeselves are potentially weakened (we don't know ), a FIPS approved product that's had 3rd party scrutiny is probably still better off than one that wasn't, due to cleaning up implementation issues with the keys, random numbers and algorithms.

FIPS requires weakness, so exceed std key length

[mileshigh]

FIPS certification is only available for systems that implement modest key lengths. Many of the approved algorithms are designed to support much greater key length, but longer keys are not allowed by the specs. FIPS won't certify 'em. It's a pretty safe guess that the allowed key lengths are such that the NSA can break them if needed using custom hardware or whatever else quasi-unlimited money can buy. Remember 20+ years ago when the gov't regulated all crypto as a munition? They still allowed low-bit encry

Of course they would

[J'raxis]

They have been cleared for use by the US Government for Top-Secret clearance documents; surely the government wouldn't backdoor itself right?...Right?

So the NSA most likely knows what kinds of backdoors they could insert that can't be exploited by other nation-states. So yes, they most certainly could backdoor it.

Along the same lines

[WOOFYGOOFY]

It seems like the encryption of Tor - any version including the latest- cannot be trusted. Anyone know?

Would they backdoor themselves?

[Arancaytar]

As long as they were confident the backdoor remained unusable by anyone else, sure.

Better question?

[FuzzNugget]

Can you trust anything from the NSA and any number of other three letter agencies?

ASCII probably contains a NSA backdoor as well.

[Anonymous Coward]

ASCII stands for "American Standard Code for Information Interchange". Since this is an American standard, then the whole encoding scheme probably contains a backdoor that allows the NSA to read all information encoded in it. We can't trust EBDIC either as IBM is a contractor for the NSA, they would insert a backdoor as well. I think for maximum online privacy we should be using Unicode which shouldn't contain an NSA backdoor because it is an international standard. The American government has no interest in following or creating international standards.

Unfortunately Slashdot does not support Unicode, so one should now safely assume that Slashdot is an NSA honeypot .

No Doubt

[jamander4]

I have no doubt that FIPS 140-2 is fully available to the NSA. The official story is probably so they can monitor or prevent espionage. Also the NSA has political interests in terms of knowing what it's opponents within the government are doing. If the NSA had adequte supervision this wouldn't be allowed but they don't have adequte supervision. So there you are.

A Simple Notion

[b4upoo]

One might build software that divides text into two files with every other bit going to the other file. Two sending units send the material to two addresses from two addresses. On the receiving end the tennis shoe method is used to deliver both halves to the third party who has the software to decode each half and recombine the bits into a coherent message. It might be next to impossible to break but if it is not next to impossible then divide the original into three files and send the bits and rece

Re:

[mikew03]

Nice try NSA

FIPS isn't an Algorithm

[Archangel]

The question here doesn't make sense does it? FIPS is a certification not an algorithm. It's like asking if my soundsystem that was THX certified would still be any good if the we found out their CEO was a crook. AES-256, Serpent, Twofish, etc... are all algorithms but only a few got FIPS certification.

On top of that, from all the articles I read, the NSA isn't actually cracking these protocals, they're using passwords and certificates gleamed from other sources as seed for cracking.

Finally, if you wante

Re:

[mikew03]

There are two issues with this.

1) Some of these algorithms depend on receiving quality random number systems from the underlying operating system. It's possible some of those random number generators have been manipulated and its going to be pretty hard to check on Windows or OSX random number generators.

2) The backdoor's do not look like (if strncmp(pass,"NSA",3) == 0) { return plaintext }. The backdoors are sophisticated mathematical weaknesses in the algorithms. A code inspection is not sufficient to det

yes

[Tom]

As close as you can come to trusting something like the NSA, but yes.

Most people see the NSA as a pure spy agency, but that's not true. It has two jobs. One, to spy on everything else and two, to make sure nobody spies on the US.

They employ enough smart people to understand that if they can break it, so can someone else.

If you are really concerned, you should check the implementation. Past experiences show us clearly that it is a lot easier to put backdoors there. And it has the advantage that if the enemy

trust the algorithm or the implemenation

[iceco2]

the algorithms have a lot of peer review independent of the NSA and the NSA had little input in their design (though may have
significant input in the slection of those algorithms that got standardized).
Though the NSA probably has better methods for attacking common cryptographic algorithms either using undisclosed weaknesses or more likely
custom hardware, it seems likely the NSA can not easily crack these algorithms.

The simplest thing to do is to pick a larger key length which will give you more of a securi