[cryptography] NSA's position in the dominance stakes

Ian G iang at iang.org
Wed Nov 17 07:06:31 EST 2010


On 16/11/10 11:38 AM, Jon Callas wrote:
> In some places, there's a formal or quasi-formal breakout of who is doing what. For example, in the UK, they have GCHQ and CESG. Even though they're in the same buildings, there's an FLA for each, so you can talk about offense vs. defense.
>
> In the US, the offense and defense portions of the NSA. At least some of the defense folks in the NSA are called the "IA" (Information Assurance) people, but there's also NIAP (who primarily deal with Common Criteria etc.) and NIST, who are a completely different organization, being both civilian and part of Commerce.


Right, the NIAP people and the CC programme is more or less where I'm 
heading (I'm certainly not interested in the crypto side).

Do NIAP/CC have the intellectual leadership in this field of infosec 
architecture, in the way that we might have once ascribed without 
question to NSA for the more mathematical field of cryptography?

We know of course that CC will be essential for selling into (long list 
of) security-related government contracts.  But is this any more than a 
compliance issue?  That article I posted:

http://threatpost.com/en_us/blogs/nsa-our-development-methods-are-open-now-111010

suggested that at least at the level of *methodologies* for building 
secure systems, the rest of the world can now do as well.  Once, the NSA 
had unquestioned superiority in the design and creation of secure systems.

Thanks to all for the answers, I'm guessing it is "not any more."


> When you talk about the NSA employing mathematicians, they are not IA, NIAP, etc. As Paul has pointed out, NIST is not the NSA, and calling them an "open partner" is not accurate at all. If you rush back to DES days, you have a point, but as they say, "that was Zen, this is Tao."


Right, I was speaking analogously, sorry for not making that abundantly 
clear.  Although, it looks like NIAP is a partnership between NIST and 
NSA's IA area.

> Certainly, NIST will respect what the NSA has to say, but the NSA is not the only player. Not only will other parts of the Intelligence Community freely disagree with the NSA, but other people like Treasury, DHS, and even NIST themselves have their own smart people who often don't like anyone dictating to them. Heck, even in the Army, they often just say that the NSA can have whatever opinions it wants, but. All of these entities will use their own deployment expertise to argue what they like and use the very things you said to fight back. (Well, those *mathematicians* may know what's best in theory, but let me tell you a thing or two about the real world.) These days, even the FTC has its own expertise, and quangos like BITS make their own policy as well, albeit starting from NIAP and NIST.

This suggests that NSA doesn't have that leadership role.  And indeed 
nobody does.


> The whole elliptic curve issue is a place where competing interests are dancing.


Yeah.  And just on that question of patents, and so forth.  IMHO, anyone 
thinking that the patents aren't valid is ignoring the business risk of 
the attack.  An ethical or "unpatentability" defence is somewhere 
between worthless and financial suicide :)

Which makes one wonder how far the NSA is going to get without industry 
on its side?  Possibly we're waiting for some honest broker to come out 
and say which curves, etc are open for business.



iang



More information about the cryptography mailing list