[governance] Fwd: [New post] UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products

Norbert Bollow nb at bollow.ch
Tue Sep 17 02:50:39 EDT 2013


Am Tue, 17 Sep 2013 05:46:00 +0530
schrieb Suresh Ramasubramanian <suresh at hserus.net>:

> Norbert, about my saying 'participate', as you can see,
> cryptographers from across academia in the UK have responded to NIST.

Suresh, your characterization of the fine open letter of the UK
cryptographers does not describe it correctly.

http://bristolcrypto.blogspot.ch/2013/09/open-letter-from-uk-security-researchers.html

The open letter does not in any way reference NIST, nor does it
indicate any intention to become participants in NIST processes.

Greetings,
Norbert

> -------- Original message --------
> From: Threatpost <donotreply at wordpress.com> 
> Date: 09/16/2013  9:35 PM  (GMT+05:30) 
> To: suresh at hserus.net 
> Subject: [New post] UK Cryptographers Call For Outing of Deliberately
> Weakened Protocols, Products 
> New post on Threatpost
> 
> 
> UK Cryptographers Call For Outing of Deliberately Weakened
> Protocols, Products by Dennis Fisher
> A group of cryptographers in the UK has published a letter that calls
> on authorities in that country and the United States to conduct an
> investigation to determine which security products, protocols and
> standards have been deliberately weakened by the countries'
> intelligence services. The letter, signed by a number of researchers
> from the University of Bristol and other universities, said that the
> NSA and British GCHQ "have been acting against the interests of the
> public that they are meant to serve."
> 
> The appeal comes a couple of weeks after leaked documents from the
> NSA and its UK counterpart, Government Communications Headquarters,
> showed that the two agencies have been collaborating on projects that
> give them the ability to subvert encryption protocols and also have
> been working with unnamed security vendors to insert backdoors into
> hardware and software products. Security experts have been debating
> in recent weeks which products, standards and protocols may have been
> deliberately weakened, but so far no information has been forthcoming.
> 
> The cryptography researchers in the UK are asking the UK and U.S.
> governments to reveal which ones are suspect.
> 
> "By weakening cryptographic standards, in as yet undisclosed ways,
> and by inserting weaknesses into products which we all rely on to
> secure critical infrastructure, we believe that the agencies have
> been acting against the interests of the public that they are meant
> to serve. We find it shocking that agencies of both the US and UK
> governments now stand accused of undermining the systems which
> protect us. By weakening all our security so that they can listen in
> to the communications of our enemies, they also weaken our security
> against our potential enemies," the letter says.
> 
> Published on Monday, the letter is signed by cryptographers from the
> University of Bristol, University of London, University of
> Birmingham, University of Luxembourg, University of Southampton,
> University of Surrey, University of Kent, Newcastle University and
> University College London. In it, the researchers call on the
> relevant authorities to publicly name the products and standards that
> have been weakened in order to inform users which systems they should
> avoid.
> 
> "We call on the relevant parties to reveal what systems have been
> weakened so that they can be repaired, and to create a proper system
> of oversight with well-defined public rules that clearly forbid
> weakening the security of civilian systems and infrastructures. The
> statutory Intelligence and Security Committee of the House of Commons
> needs to investigate this issue as a matter of urgency. In the modern
> information age we all need to have complete trust in the basic
> infrastructure that we all use," the letter says.
> 
> In the weeks since the documents detailing the NSA's cryptographic
> capabilities emerged, further details about exactly which protocols
> the agency can attack successfully and which standards it may have
> influenced have been scarce. NIST, the U.S. agency that develops
> technical standards for cryptography, among other things, as denied
> accusations that the NSA was able to weaken some of the NIST
> standards. However, at the same time, NIST officials have issued a
> recommendation that people no longer use one of the encryption
> standards it previously published.
> 
> "NIST strongly recommends that, pending the resolution of the
> security concerns and the re-issuance of SP 800-90A, the
> Dual_EC_DRBG, as specified in the January 2012 version of SP
> 800-90A, no longer be used," the NIST statement says.
> 
> The standard in question is an elliptic curve random bit generator,
> and cryptographers have called into question its integrity in the
> wake of the latest NSA revelations, mainly because its difficult to
> tell how the points on the elliptic curve were determined.
> 
> "This algorithm includes default elliptic curve points for three
> elliptic curves, the provenance of which were not described. Security
> researchers have highlighted the importance of generating these
> elliptic curve points in a trustworthy way. This issue was identified
> during the development process, and the concern was initially
> addressed by including specifications for generating different points
> than the default values that were provided. However, recent community
> commentary has called into question the trustworthiness of these
> default elliptic curve points," the NIST statement says.
> 
> Image from Flickr photos of Elliott Brown. 
> 
> Dennis Fisher | September 16, 2013 at 12:05 pm | URL:
> http://wp.me/p3AjUX-qC1
> 
> 
> 


-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t


More information about the Governance mailing list