lifeguard | 12 years ago

Well, it is documented that the NSA made DES weaker by using fewer bits for the key size (this makes brute forcing easier). I also noted that Schneier's AES submission was passed over (I speculate that Rijndael is easier to brute force).

The feds used to fight civilian crypto tooth and nail. Then they allowed it, and in one of the crypto books a story was related that the feds were bummed about RSA and friends. The listener questioned why, when surely their efforts were feeble compared to the government's. The response was the pace of development was much faster than expected.

twoodfin|12 years ago

The NSA, working with IBM, also made DES more resistant to differential cryptanalysis, which was not widely understood at the time.

gizmo686|12 years ago

The change the NSA made was to replace the s-boxes used with ones that made using differential cryptanalysis slightly less efficient than brute force. As it happens, the s-boxes provided by the NSA were also among the worst 9%-16% possible with respect to linear cryptanalysis. "A software implementation of this attack recovered a DES key in 50 days using 12 HP9000/735 workstations" [1]. I do not know the specs of said workstations, but for reference the book claims that was the fastest attack at the time of writing (1996).

This is not to say that the NSA was aware of linear cryptanalysis when they made their recommendation. Indeed, the fact that their s-boxes also happened to be just good enough to beat differential, and the fact that an independent government investigation (the details of which are classified) cleared them of wrongdoing, are enough to convince that they did not intend to introduce a hole. Furthermore, the NSA has also now published the requirements they used to generate their s-boxes. Schneier suggests in his book that the s-boxes were weakened unintentionally by the act of introducing structure to them, without knowing to defend against linear analysis.

[1] Bruce Schneier, Applied Cryptography

jpdoctor|12 years ago

> also made DES more resistant to differential cryptanalysis

Was that the result of the last-minute "black box" change? I never heard the result of that, so any light you shed would be welcome.

barbs|12 years ago

> The feds used to fight civilian crypto tooth and nail.

Curious. I'd like to read about this. Can anyone post any links?

IvyMike|12 years ago

Read up on the Clipper chip: a chip which was sort of being promoted to be the "official" way to do crypto in the US. Specifically designed to be decryptable by the NSA via "key escrow".

https://en.wikipedia.org/wiki/Clipper_chip

It died when Matt Blaze figured out a way to trick the Clipper chip into doing encryption that the NSA could NOT decrypt.

Zelphyr|12 years ago

Just do a search for Phil Zimmermann and what they did to him in the 90's for having the audacity to create PGP.

pyre|12 years ago

Many developers that worked on crypto would cross the border into Canada to meet up and work on crypto to get around the export restrictions (crypto software was classified as a weapon; exporting it could get you the same punishment as exporting a missile).

hvs|12 years ago

Read "Crypto: how the code rebels beat the government, saving privacy in the digital age" by Steven Levy. He outlines the whole story of public crypto until about 2000. Good read, too.

santosha|12 years ago

"I speculate that Rijndael is easier to brute force" On what basis?

ReidZB|12 years ago

Well, I guess Rijndael is "easier" to brute force in that it's faster than Twofish. But "easier" to brute force doesn't mean a whole lot; AES-192 is easier to brute force than AES-256, but both are so outside the realm of current-day computation that it doesn't really matter.