[governance] Fwd: [New post] UK Cryptographers Call For Outing of Deliberately Weakened Protocols, Products

Suresh Ramasubramanian suresh at hserus.net
Thu Sep 19 08:13:19 EDT 2013


The two seem to have crossed, I would say. As in the academics may have drafted this before nist threw it open to review. I don't see where the two messages are inconsistent right now, beyond not specifically mentioning nist 

--srs (iPad)

> On 17-Sep-2013, at 12:20, Norbert Bollow <nb at bollow.ch> wrote:
> 
> Am Tue, 17 Sep 2013 05:46:00 +0530
> schrieb Suresh Ramasubramanian <suresh at hserus.net>:
> 
>> Norbert, about my saying 'participate', as you can see,
>> cryptographers from across academia in the UK have responded to NIST.
> 
> Suresh, your characterization of the fine open letter of the UK
> cryptographers does not describe it correctly.
> 
> http://bristolcrypto.blogspot.ch/2013/09/open-letter-from-uk-security-researchers.html
> 
> The open letter does not in any way reference NIST, nor does it
> indicate any intention to become participants in NIST processes.
> 
> Greetings,
> Norbert
> 
>> -------- Original message --------
>> From: Threatpost <donotreply at wordpress.com> 
>> Date: 09/16/2013  9:35 PM  (GMT+05:30) 
>> To: suresh at hserus.net 
>> Subject: [New post] UK Cryptographers Call For Outing of Deliberately
>> Weakened Protocols, Products 
>> New post on Threatpost
>> 
>> 
>> UK Cryptographers Call For Outing of Deliberately Weakened
>> Protocols, Products by Dennis Fisher
>> A group of cryptographers in the UK has published a letter that calls
>> on authorities in that country and the United States to conduct an
>> investigation to determine which security products, protocols and
>> standards have been deliberately weakened by the countries'
>> intelligence services. The letter, signed by a number of researchers
>> from the University of Bristol and other universities, said that the
>> NSA and British GCHQ "have been acting against the interests of the
>> public that they are meant to serve."
>> 
>> The appeal comes a couple of weeks after leaked documents from the
>> NSA and its UK counterpart, Government Communications Headquarters,
>> showed that the two agencies have been collaborating on projects that
>> give them the ability to subvert encryption protocols and also have
>> been working with unnamed security vendors to insert backdoors into
>> hardware and software products. Security experts have been debating
>> in recent weeks which products, standards and protocols may have been
>> deliberately weakened, but so far no information has been forthcoming.
>> 
>> The cryptography researchers in the UK are asking the UK and U.S.
>> governments to reveal which ones are suspect.
>> 
>> "By weakening cryptographic standards, in as yet undisclosed ways,
>> and by inserting weaknesses into products which we all rely on to
>> secure critical infrastructure, we believe that the agencies have
>> been acting against the interests of the public that they are meant
>> to serve. We find it shocking that agencies of both the US and UK
>> governments now stand accused of undermining the systems which
>> protect us. By weakening all our security so that they can listen in
>> to the communications of our enemies, they also weaken our security
>> against our potential enemies," the letter says.
>> 
>> Published on Monday, the letter is signed by cryptographers from the
>> University of Bristol, University of London, University of
>> Birmingham, University of Luxembourg, University of Southampton,
>> University of Surrey, University of Kent, Newcastle University and
>> University College London. In it, the researchers call on the
>> relevant authorities to publicly name the products and standards that
>> have been weakened in order to inform users which systems they should
>> avoid.
>> 
>> "We call on the relevant parties to reveal what systems have been
>> weakened so that they can be repaired, and to create a proper system
>> of oversight with well-defined public rules that clearly forbid
>> weakening the security of civilian systems and infrastructures. The
>> statutory Intelligence and Security Committee of the House of Commons
>> needs to investigate this issue as a matter of urgency. In the modern
>> information age we all need to have complete trust in the basic
>> infrastructure that we all use," the letter says.
>> 
>> In the weeks since the documents detailing the NSA's cryptographic
>> capabilities emerged, further details about exactly which protocols
>> the agency can attack successfully and which standards it may have
>> influenced have been scarce. NIST, the U.S. agency that develops
>> technical standards for cryptography, among other things, as denied
>> accusations that the NSA was able to weaken some of the NIST
>> standards. However, at the same time, NIST officials have issued a
>> recommendation that people no longer use one of the encryption
>> standards it previously published.
>> 
>> "NIST strongly recommends that, pending the resolution of the
>> security concerns and the re-issuance of SP 800-90A, the
>> Dual_EC_DRBG, as specified in the January 2012 version of SP
>> 800-90A, no longer be used," the NIST statement says.
>> 
>> The standard in question is an elliptic curve random bit generator,
>> and cryptographers have called into question its integrity in the
>> wake of the latest NSA revelations, mainly because its difficult to
>> tell how the points on the elliptic curve were determined.
>> 
>> "This algorithm includes default elliptic curve points for three
>> elliptic curves, the provenance of which were not described. Security
>> researchers have highlighted the importance of generating these
>> elliptic curve points in a trustworthy way. This issue was identified
>> during the development process, and the concern was initially
>> addressed by including specifications for generating different points
>> than the default values that were provided. However, recent community
>> commentary has called into question the trustworthiness of these
>> default elliptic curve points," the NIST statement says.
>> 
>> Image from Flickr photos of Elliott Brown. 
>> 
>> Dennis Fisher | September 16, 2013 at 12:05 pm | URL:
>> http://wp.me/p3AjUX-qC1
> 

-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t


More information about the Governance mailing list