<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body ><div>Norbert, about my saying 'participate', as you can see, cryptographers from across academia in the UK have responded to NIST. </div><div><br></div><div><div style="font-size:100%">--srs</div></div><br><br><br>-------- Original message --------<br>From: Threatpost &lt;donotreply@wordpress.com&gt; <br>Date: 09/16/2013 9:35 PM (GMT+05:30) <br>To: suresh@hserus.net <br>Subject: [New post] UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products <br> <br><br>
<table border="0" cellspacing="0" cellpadding="0" bgcolor="#DDDDDD" style="width: 100%; background: #DDDDDD;">
<tbody><tr>
<td>
<table border="0" cellspacing="0" cellpadding="0" align="center" class="subscribe-body" style="width: 100%; padding: 10px">
<tbody><tr>
<td>
<div style="max-width: 600px; margin: 0 auto; overflow: hidden;">
<table border="0" cellspacing="0" cellpadding="0" bgcolor="#ffffff" class="subscribe-wrapper" style="width: 100%; background-color: #fff; text-align: left; max-width: 1024px; min-width: 320px; margin: 0 auto;">
<tbody><tr>
<td>
<table border="0" cellspacing="0" cellpadding="0" class="subscribe-header" style="width: 100%; color: #08c; font-size: 1.6em; background-color: #EFEFEF; border-bottom: 1px solid #DDD; margin: 0; padding: 0;">
<tbody><tr>
<td>
<h2 class="subscribe-title" style="margin: .4em 0 .3em; font-size: 1.8em; font-size: 16px!important; line-height: 1; font-weight: 400; color: #464646; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 5px 20px!important; padding: 0;">
New post on <strong>Threatpost</strong> </h2>
</td>
<td style="text-align: right;">
<img border="0" class="head-avatar" src="http://s.wordpress.com/i/emails/blavatar-default.png" alt="" style="vertical-align: middle; margin: 5px 20px 5px 0; vertical-align: middle;">
</td>
</tr>
</tbody></table>
<table style="width: 100%" border="0" cellspacing="0" cellpadding="20" bgcolor="#ffffff">
<tbody><tr>
<td>
<table style="width: 100%" border="0" cellspacing="0" cellpadding="0">
<tbody><tr>
<td valign="top" class="the-post">
<table style="width: 100%" border="0" cellspacing="0" cellpadding="0">
<tbody><tr>
<td style="width: 60px !important; white-space: nowrap; vertical-align: top;">
<a href="http://kasperskycontenthub.com/threatpost/?author=12" style="text-decoration: underline; color: #2585B2; display: block; margin-right: 10px;"><img border="0" alt="" src="http://2.gravatar.com/avatar/2eaeb87882023ce8979350b669ecf81a?s=50&d=identicon&r=G" class="avatar avatar-50" height="50" width="50"></a>
</td>
<td>
<h2 class="post-title" style="margin: .4em 0 .3em; font-size: 1.8em; font-size: 1.6em; color: #555; margin: 0; font-size: 20px;"><a href="http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301" style="text-decoration: underline; color: #2585B2; text-decoration: none !important;">UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products</a></h2>
<span style="color: #888;">by <a href="http://kasperskycontenthub.com/threatpost/?author=12" style="text-decoration: underline; color: #2585B2; color: #888 !important;">Dennis Fisher</a></span>
</td>
</tr>
</tbody></table>
<div style="margin-top: 1em; max-width: 560px;" class="post-content">
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ "have been acting against the interests of the public that they are meant to serve."</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">The <a style="text-decoration: underline; color: #2585B2;" href="http://bristolcrypto.blogspot.co.uk/2013/09/open-letter-from-uk-security-researchers.html">appeal</a> comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products. Security experts have been debating in recent weeks which products, standards and protocols may have been deliberately weakened, but so far no information has been forthcoming.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">The cryptography researchers in the UK are asking the UK and U.S. governments to reveal which ones are suspect.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">"By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. We find it shocking that agencies of both the US and UK governments now stand accused of undermining the systems which protect us. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies," the letter says.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">Published on Monday, the letter is signed by cryptographers from the University of Bristol, University of London, University of Birmingham, University of Luxembourg, University of Southampton, University of Surrey, University of Kent, Newcastle University and University College London. In it, the researchers call on the relevant authorities to publicly name the products and standards that have been weakened in order to inform users which systems they should avoid.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">"We call on the relevant parties to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight with well-defined public rules that clearly forbid weakening the security of civilian systems and infrastructures. The statutory Intelligence and Security Committee of the House of Commons needs to investigate this issue as a matter of urgency. In the modern information age we all need to have complete trust in the basic infrastructure that we all use," the letter says.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">In the weeks since the <a style="text-decoration: underline; color: #2585B2;" href="https://threatpost.com/questions-about-crypto-security-follow-latest-nsa-revelations/102215">documents detailing the NSA's cryptographic capabilities</a> emerged, further details about exactly which protocols the agency can attack successfully and which standards it may have influenced have been scarce. NIST, the U.S. agency that develops technical standards for cryptography, among other things, has denied accusations that the NSA was able to weaken some of the NIST standards. However, at the same time, NIST officials have issued a recommendation that people no longer use one of the encryption standards it previously published.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," the NIST statement says.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">The standard in question is an elliptic curve random bit generator, and cryptographers have called into question its integrity in the wake of the latest NSA revelations, mainly because it's difficult to tell how the points on the elliptic curve were determined.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em">"This algorithm includes default elliptic curve points for three elliptic curves, the provenance of which were not described. Security researchers have highlighted the importance of generating these elliptic curve points in a trustworthy way. This issue was identified during the development process, and the concern was initially addressed by including specifications for generating different points than the default values that were provided. However, recent community commentary has called into question the trustworthiness of these default elliptic curve points," the NIST statement says.</p>
<p style="font-size: 14px; line-height: 1.4em; color: #444; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0 0 1em"><em>Image from Flickr photos of <a style="text-decoration: underline; color: #2585B2;" href="http://www.flickr.com/photos/ell-r-brown/">Elliott Brown</a>. </em></p>
<div style="clear: both"></div> </div>
<div class="meta" style="color: #999; font-size: .9em; margin-top: 4px; line-height: 160%; padding: 15px 0 15px; border-top: 1px solid #eee; border-bottom: 1px solid #eee; overflow: hidden">
<strong><a style="text-decoration: underline; color: #2585B2;" href="http://kasperskycontenthub.com/threatpost/?author=12">Dennis Fisher</a></strong> | September 16, 2013 at 12:05 pm | URL: <a style="text-decoration: underline; color: #2585B2;" href="http://wp.me/p3AjUX-qC1">http://wp.me/p3AjUX-qC1</a></div>
<p></p>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</div>
</td>
</tr>
</tbody></table>
<br>
</td>
</tr>
</tbody></table>
</body>