Non-NIST Cipher Suite

One of the most upsetting things about the recent revelations about the NSA’s shenanigans is that it has apparently devoted US$250M to suborning international standards. (One of the very upsetting things about these revelations is that there are several most upsetting things.) Over the last few weeks, just about everyone in the standards and crypto business has been looking over the crypto with an eye towards seeing what the NSA might have subverted.

There hasn’t been much definitive to say. There is the much-discussed elliptic curve random number generator in NIST’s documents. There is also the concern that the elliptic curves that are part of NSA Suite B aren’t as strong as they could be. There are also discussions about interference in various standards from IPsec to TLS to whatever.

There have been no smoking guns. The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary. Matt Green has an excellent blog post on its multi-dimensional stupidity. Was the NSA so stupid they think we wouldn’t notice the flaws (we did notice nearly immediately)? Was the NSA so stupid that this is the best they can do? And can we even believe the claim that they’ve been trying to subvert standards? They’re liars. They’ve lied to Congress, lied to the technical community, and lied to everyone. Should we believe them when they say they punked us, or believe that we saw the ball under the wrong cup all along?

Arguing the side of evil and avoiding the stupid leads to non-falsifiabilty — there must be something that is so clever we haven’t seen it yet. I keep thinking of Cabell’s quip that a pessimist fears that the optimist is right.

The issue of the Suite B curves is more interesting. Cryptographers Dan Bernstein and Tanja Lange have been arguing that the Suite B curves are weak since before we ever heard of Ed Snowden. I’ve been public and pointed; I’ve always thought that the DUAL_EC_DRBG random number generator is patently stupid. But I’ve always believed that the Suite B curves were designed secure. All crypto has a lifespan of utility. Even if there are issues with the Suite B curves, I think they were designed well at the time.

The NSA has argued intellectually that elliptic curve cryptography is a good idea for a decade. They have actively stumped for it as a technology, and even buying patent licenses (there have been controversies, but those are not at all about the integrity of the technology). If the Suite B curves are intentionally bad, this would be a major breach of trust and credibility. Even in a passive case — where the curves were thought to be good, but NSA cryptanalysts found weaknesses they have since exploited — it would create a credibility gap of the highest order, and would be the smoking gun that confirms the Guardian articles.

At Silent Circle, we’ve been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil, Mike, and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite.

Not everything is in place, yet. We have been discussing elliptic curves with Dan and Tanja and they are designing some for us (and the rest of the world, too). Dan’s 25519 curve is very nice, but smaller than we want. We’ve been using the P–384 curve and want a replacement for it, which they’re working on. We are going to replace our use of P–384 with that new curve, or perhaps two curves. We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols.

The old cipher suites will remain in our systems. We’re not going to get rid of them, but the new ones will be the default in our services. We understand there are gentlepersons who will disagree with our decision, so we’re not completely getting rid of the existing crypto.

This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs.

[Typos corrected on 30 Sept, jdcc]