Interesting article about NSA facility and capabilities

Peter Fairbrother zenadsl6186 at
Tue Mar 27 13:22:46 BST 2012

Ian Batten wrote:
> On 27 Mar 2012, at 10:36, Brian Morrison wrote:
>> I wondered if this might be an attempt to discourage the use of 
>> encryption for email in particular, after all they're not going to
>> be able to discourage it for online commerce.
> Given it seems that encouraging people to believe
> AES is broken might have some benefits.
> My own view is that you can trust AES for as long as it's accredited
> for IL5 and above information.   So long as AES is in NSA Suite B, and
> NSA Suite B is accredited for TOP SECRET, it would be extraordinary
> were it to turn out that the NSA had an effective attack on AES.

I kinda agree it's likely, though I don't think it's by any means a 
stone certainty that NSA wouldn't do that. For example:

If only GCHQ and the Russians/Chinese could break it on equipment cost 
grounds, and with a history of "never say anything", then NSA might well 
be able to get away with it, or think they could.

Or, if they fed TS+ disinformation to the Russians/Chinese in AES, 
authorised at a very high level, then the game might be worth the 
candle. Or they might think it was.

There is Suite A, after all, for the really sensitive stuff ... why have 
that, if AES is unbreakable?

However, AES is very seldom used by itself. In non-TS circles key 
exchange is most often done with RSA (which isn't in Suite B), and if 
they have e.g. a factorisation breakthrough or quantum computing then they 
don't have to break AES, they just break the key exchange and out pops 
the AES key.

-- Peter Fairbrother

> That would imply the deliberate use of known-broken algorithms in the
> hope that the opponents don't know those weaknesses and won't find
> them until the data ciphered with that broken algorithm is no longer
> sensitive.  The life-span of TS could be decades, and a gamble on
> "the state of Chinese/Russian/etc cryptanalysis between now and 2060"
> seems one few bookmakers would quote odds on.
> The public policy benefit (you might be able to decrypt some data
> from bad guys without "practical" side-channel attacks, which almost
> certainly exist unless the bad guys have a sophisticated IA
> capability) seems pretty weak compared to the public policy
> disbenefit (the bad guys might be able to decrypt all TS traffic,
> with no way for you to know it's happening).
> ian
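The point above about breaking the key exchange rather than the cipher, as an added example that is not part of the thread: a toy hybrid scheme wraps a session key under RSA with a constructed 64-bit modulus, and factoring that modulus with Pollard's rho hands over the session key and the plaintext while the symmetric cipher is never touched. The primes, key size, message and the SHA-256 stand-in for AES (the Python standard library has no AES) are all constructed for this example.

```python
import hashlib, math, random, secrets

# Toy RSA parameters, constructed for this example: two 32-bit primes give a
# 64-bit modulus a laptop factors in well under a second (real moduli: 2048+ bits).
P, Q, E = 4294967291, 4294967279, 65537      # 2**32 - 5, 2**32 - 17
N = P * Q

def wrap_key(session_key: int) -> int:
    """Sender side: textbook-RSA wrap of the symmetric session key (0 < key < N)."""
    assert 0 < session_key < N
    return pow(session_key, E, N)

def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher (stdlib has no AES): SHA-256 in counter
    mode keyed by the session key. Its strength plays no part in the recovery."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c, x = random.randrange(1, n), random.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                      # d == n means the walk degenerated; retry
            return d

def recover_plaintext(n: int, e: int, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Passive observer who can factor n: derive d, unwrap the session key,
    then decrypt with the cipher itself left untouched."""
    p = pollard_rho(n)
    phi = (p - 1) * (n // p - 1)
    session_key = pow(wrapped_key, pow(e, -1, phi), n)
    return keystream_xor(session_key, ciphertext)

def demo() -> bytes:
    """Sender wraps a fresh 60-bit key; the observer sees only N, E, the wrap and the ciphertext."""
    session_key = secrets.randbits(60) | 1
    wrapped = wrap_key(session_key)
    ct = keystream_xor(session_key, b"TOP SECRET: the cipher was never attacked.")
    return recover_plaintext(N, E, wrapped, ct)
```

The defensive lesson is the one the message draws: the confidentiality of the whole exchange is bounded by the weakest of the cipher and the key-establishment step, which is why key size and forward-secret key agreement matter independently of AES.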
