[governance] Fwd: [New post] UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products

Suresh Ramasubramanian suresh at hserus.net
Tue Sep 17 03:11:47 EDT 2013


Feel free to release an open letter if you wish

As long as there is a meaningful and apolitical feedback produced by this 
caucus I couldn't care if it were sent to nist, released as an open letter 
or printed out on a sheet of paper, made into an origami boat and floated 
down the Potomac in the hope that Keith Alexander or James Clapper sees it.

--srs (htc one x)



On 17 September 2013 12:20:39 PM Norbert Bollow <nb at bollow.ch> wrote:
> Am Tue, 17 Sep 2013 05:46:00 +0530
> schrieb Suresh Ramasubramanian <suresh at hserus.net>:
>
> > Norbert, about my saying 'participate', as you can see,
> > cryptographers from across academia in the UK have responded to NIST.
>
> Suresh, your characterization of the fine open letter of the UK
> cryptographers does not describe it correctly.
>
> http://bristolcrypto.blogspot.ch/2013/09/open-letter-from-uk-security-researchers.html
>
> The open letter does not in any way reference NIST, nor does it
> indicate any intention to become participants in NIST processes.
>
> Greetings,
> Norbert
>
> > -------- Original message --------
> > From: Threatpost <donotreply at wordpress.com>
> > Date: 09/16/2013 9:35 PM (GMT+05:30)
> > To: suresh at hserus.net
> > Subject: [New post] UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products
> > New post on Threatpost
> >
> > UK Cryptographers Call For Outing of Deliberately Weakened
> > Protocols, Products by Dennis Fisher
> > A group of cryptographers in the UK has published a letter that calls
> > on authorities in that country and the United States to conduct an
> > investigation to determine which security products, protocols and
> > standards have been deliberately weakened by the countries'
> > intelligence services. The letter, signed by a number of researchers
> > from the University of Bristol and other universities, said that the
> > NSA and British GCHQ "have been acting against the interests of the
> > public that they are meant to serve."
> > The appeal comes a couple of weeks after leaked documents from the
> > NSA and its UK counterpart, Government Communications Headquarters,
> > showed that the two agencies have been collaborating on projects that
> > give them the ability to subvert encryption protocols and also have
> > been working with unnamed security vendors to insert backdoors into
> > hardware and software products. Security experts have been debating
> > in recent weeks which products, standards and protocols may have been
> > deliberately weakened, but so far no information has been forthcoming.
> > The cryptography researchers in the UK are asking the UK and U.S.
> > governments to reveal which ones are suspect.
> > "By weakening cryptographic standards, in as yet undisclosed ways,
> > and by inserting weaknesses into products which we all rely on to
> > secure critical infrastructure, we believe that the agencies have
> > been acting against the interests of the public that they are meant
> > to serve. We find it shocking that agencies of both the US and UK
> > governments now stand accused of undermining the systems which
> > protect us. By weakening all our security so that they can listen in
> > to the communications of our enemies, they also weaken our security
> > against our potential enemies," the letter says.
> > Published on Monday, the letter is signed by cryptographers from the
> > University of Bristol, University of London, University of
> > Birmingham, University of Luxembourg, University of Southampton,
> > University of Surrey, University of Kent, Newcastle University and
> > University College London. In it, the researchers call on the
> > relevant authorities to publicly name the products and standards that
> > have been weakened in order to inform users which systems they should
> > avoid.
> > "We call on the relevant parties to reveal what systems have been
> > weakened so that they can be repaired, and to create a proper system
> > of oversight with well-defined public rules that clearly forbid
> > weakening the security of civilian systems and infrastructures. The
> > statutory Intelligence and Security Committee of the House of Commons
> > needs to investigate this issue as a matter of urgency. In the modern
> > information age we all need to have complete trust in the basic
> > infrastructure that we all use," the letter says.
> > In the weeks since the documents detailing the NSA's cryptographic
> > capabilities emerged, further details about exactly which protocols
> > the agency can attack successfully and which standards it may have
> > influenced have been scarce. NIST, the U.S. agency that develops
> > technical standards for cryptography, among other things, has denied
> > accusations that the NSA was able to weaken some of the NIST
> > standards. However, at the same time, NIST officials have issued a
> > recommendation that people no longer use one of the encryption
> > standards it previously published.
> > "NIST strongly recommends that, pending the resolution of the
> > security concerns and the re-issuance of SP 800-90A, the
> > Dual_EC_DRBG, as specified in the January 2012 version of SP
> > 800-90A, no longer be used," the NIST statement says.
> > The standard in question is an elliptic curve random bit generator,
> > and cryptographers have called into question its integrity in the
> > wake of the latest NSA revelations, mainly because it's difficult to
> > tell how the points on the elliptic curve were determined.
> > "This algorithm includes default elliptic curve points for three
> > elliptic curves, the provenance of which were not described. Security
> > researchers have highlighted the importance of generating these
> > elliptic curve points in a trustworthy way. This issue was identified
> > during the development process, and the concern was initially
> > addressed by including specifications for generating different points
> > than the default values that were provided. However, recent community
> > commentary has called into question the trustworthiness of these
> > default elliptic curve points," the NIST statement says.
> > Dennis Fisher | September 16, 2013 at 12:05 pm | URL:
> > http://wp.me/p3AjUX-qC1
> >
> >
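The Dual_EC_DRBG point-provenance concern from the forwarded article, as an added example that is not from the thread, Threatpost or NIST: a constructed toy curve (not a NIST curve) with the DRBG's s <- x(sP), output x(sQ) step, a Q derived from a public seed that anyone can regenerate, and the check that separates such a point from one whose derivation was never published. The hash-to-point routine is a simplified stand-in, not the SP 800-90A appendix procedure, and every name here is this example's own.

```python
import hashlib
# Constructed toy curve y^2 = x^3 + A*x + B over F_p, p = 2^61 - 1; not a NIST curve.
P_MOD = (1 << 61) - 1
A, B = P_MOD - 3, 7

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def point_from_seed(seed):
    """Hash a public seed to a curve point (try-and-increment): anyone can rerun
    this, so nobody can have picked the point as a known multiple of another."""
    for ctr in range(4096):
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P_MOD
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # candidate sqrt; valid since p % 4 == 3
        if y * y % P_MOD == rhs:
            return (x, y)
    raise ValueError("no point found for seed")

def provenance_checks_out(seed, pt):  # does the published constant regenerate?
    return point_from_seed(seed) == pt

def dual_ec_outputs(state, p_pt, q_pt, n):
    """Shape of one Dual_EC_DRBG step: s <- x(s*P); emit truncated x(s*Q)."""
    outs = []
    for _ in range(n):
        state = mul(state, p_pt)[0]
        outs.append(mul(state, q_pt)[0] >> 16)  # the spec discards top bits; mirrored
    return outs, state
```

A point handed over with only a value and no seed, like the default points the NIST statement describes, fails `provenance_checks_out` for every seed anyone can name, which is exactly the gap the letter asks the agencies to close.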


