Trustworthy contacts

Brian Gladman ukcrypto at maillist.ox.ac.uk
Sun, 10 Sep 2000 21:29:25 +0100


From: "John Young" <jya@pipeline.com>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: Sunday, September 10, 2000 6:08 PM
Subject: Re: Trustworthy contacts


> Brian,
>
> In the light of your advocacy of close looks at any public
> crypto that you would trust, what is your opinion of the
> AES candidates? Do you think the one selected will
> be reliable for public use, that is, to get down to brass
> tacks, would you trust it for your personal use? Or would
> you be suspicious because of who is running the
> contest and making the selection?

Hi John,

I will certainly trust the AES winner(s) for my own use and I will also be
advocating them for use by UK government authorities that interact
electronically with UK citizens. I am a little uneasy that they have had
only limited scrutiny so far but it is most unlikely in practice that they
will be the weakest link.

Personally I don't have any reservations as a result of the NIST or the NSA
involvement.  In the timeframe in which the winning AES algorithm(s) will be
used the US has more to lose than any other nation if its commercial and
cyberspace information assets were to be inadequately protected.

It would be suicidal to deploy a weak encryption algorithm across the US
information infrastructure and I hence take the view that it makes no sense
for NSA to subvert the selection process to produce a weak algorithm (this
is the principle of Mutually Assured Destruction - MAD - applied in
cyberspace).

In addition, my assessment of the retrospective evidence for the DES design
is that all NSA input, except for the shortening of the key from 64 to 56
bits, resulted in a cryptographically stronger algorithm.  Hence I see the
***covert*** NSA involvement in DES as positive in respect of its strength
and I see no reason why this should be different for AES.

> As more is learned of past governmental abuses of
> public trust, and current plans to betray it more openly
> with RIP, Carnivore, and similar programs, is it inevitable
> that what is considered trustworthy by governments will
> be untrustworthy by those outside of government?

IMHO the government input to published cryptographic algorithms has to be
ignored by most observers since it is unknowable whether it is positive or
negative.  The best we can hope for is that the open international
cryptographic community has intensely reviewed an algorithm and not found
any flaws in it.

> AES in some places is advanced as a solution to this
> dilemma, and it would be swell to have the inventors
> of the candidate algorithms state in public how they
> see the public trustworthiness prospects for their work
> now that intrusive surveillance and interception programs
> have burgeoned worldwide since the AES contest
> began.

What seems to not be widely appreciated, except by practitioners, is that it
is rare for a cryptographic algorithm to fail.  Almost all cryptographic
security failures arise because of some weakness in how an algorithm is
implemented or a weakness in the design of the wider context in which the
algorithm operates.

What is desperately lacking in commercial systems is effective systems
assurance and it is on this which we need to focus if we are to improve the
effectiveness of such systems.  How many of the failures in commercial
encryption products that have occurred in recent years have been the result
of failures in an underlying encryption algorithm?

> These statements could provide a standard for comparison
> with the tarnished prospects for PGP -- or for that matter
> any other program which offers assurances that "even
> governments cannot violate your privacy if you use this."
> Despite governments' determination to render all such claims
> forever false -- whether by going around crypto protection,
> backdoors, compromising algorithms and their implementation
> or by spreading disinformation by regulation, legislation and
> intimidation of "use crypto, go to jail."
>
> Bruce Schneier's recent declaration that encryption provides
> no assurance of protection is worth pondering. And it would
> be valuable for the other AES contenders, and perhaps their
> cryptologic peers, to openly declare what they think of AES.

I would guess that Bruce's comments are directed at the practical
impossibility of engineering a complete cryptographic system that does not
have exploitable weaknesses.  I would be very surprised if he felt that the
problem rested in the algorithms themselves (I am sure he will comment if I
am wrong on this).

> Is AES a Trojan Horse abuilding? Worse, is public encryption a
> Trojan of even greater deception?
>
> The spate of books appearing in the past few years about
> previously undisclosed cracking of encryption, and frank
> admissions that nations will never disclose the most closely
> guarded cracks and other means of getting around encryption,
> does a lot to undermine confidence that encryption is as
> good an information protection method as it has been touted
> for the years, say, of Public Key advocacy.

If the winning AES algorithm(s) are implemented and used correctly, no
organisation on earth will currently be able to read the encrypted data
without the key. But the 'If' represents a huge challenge for the computing
community.  With processors running to millions of gates and software to
100 megabytes of interdependent code there is no prospect whatsoever of
building secure systems without a change of direction.

Sorry for the length of the response but the questions were not simple ones
as I am sure you recognised when you asked them!

     Brian