[cryptography] NSA's position in the dominance stakes
iang at iang.org
Wed Nov 17 07:06:31 EST 2010
On 16/11/10 11:38 AM, Jon Callas wrote:
> In some places, there's a formal or quasi-formal breakout of who is doing what. For example, in the UK, they have GCHQ and CESG. Even though they're in the same buildings, there's an FLA for each, so you can talk about offense vs. defense.
> In the US, the offense and defense portions of the NSA. At least some of the defense folks in the NSA are called the "IA" (Information Assurance) people, but there's also NIAP (who primarily deal with Common Criteria etc.) and NIST, who are a completely different organization, being both civilian and part of Commerce.
Right, the NIAP people and the CC programme is more or less where I'm
heading (I'm certainly not interested in the crypto side).
Do NIAP/CC have the intellectual leadership in this field of infosec
architecture, in the way that we might have once ascribed without
question to NSA for the more mathematical field of cryptography?
We know of course that CC will be essential for selling into (long list
of) security-related government contracts. But is this any more than a
compliance issue? That article I posted:
suggested that at least at the level of *methodologies* for building
secure systems, the rest of the world can now do as well. Once, the NSA
had unquestioned superiority in the design and creation of secure systems.
Thanks to all for the answers, I'm guessing it is "not any more."
> When you talk about the NSA employing mathematicians, they are not IA, NIAP, etc. As Paul has pointed out, NIST is not the NSA, and calling them an "open partner" is not accurate at all. If you rush back to DES days, you have a point, but as they say, "that was Zen, this is Tao."
Right, I was speaking analogously, sorry for not making that abundantly
clear. Although, it looks like NIAP is a partnership between NIST and
NSA's IA area.
> Certainly, NIST will respect what the NSA has to say, but the NSA is not the only player. Not only will other parts of the Intelligence Community freely disagree with the NSA, but other people like Treasury, DHS, and even NIST themselves have their own smart people who often don't like anyone dictating to them. Heck, even in the Army, they often just say that the NSA can have whatever opinions it wants, but. All of these entities will use their own deployment expertise to argue what they like and use the very things you said to fight back. (Well, those *mathematicians* may know what's best in theory, but let me tell you a thing or two about the real world.) These days, even the FTC has its own expertise, and quangos like BITS make their own policy as well, albeit starting from NIAP and NIST.
This suggests that NSA doesn't have that leadership role. And indeed
> The whole elliptic curve issue is a place where competing interests are dancing.
Yeah. And just on that question of patents, and so forth. IMHO, anyone
thinking that the patents aren't valid is ignoring the business risk of
the attack. An ethical or "unpatentability" defence is somewhere
between worthless and financial suicide :)
Which makes one wonder how far the NSA is going to get without industry
on its side? Possibly we're waiting for some honest broker to come out
and say which curves, etc are open for business.
More information about the cryptography