[cryptography] the spell is broken

Jeffrey Goldberg jeffrey at goldmark.org
Thu Oct 3 10:13:59 EDT 2013

On 2013-10-02, at 5:23 PM, Jon Callas <jon at callas.org> wrote:

> A friend of mine offered this analogy -- what if it was leaked that the government replaced all of a vaccine with salt water because some nasty jihadis get vaccinated. This is serious and pretty horrifying. If you're a responsible doctor, and source your vaccines from the same place, even if you test them yourself you're stuck proving a negative and in a place where stating the negative can look like you're part of the conspiracy.

I have been like that doctor, trying to explain to people why I remain confident in AES and SHA-2. Most who have asked have been understanding, but there have been a few “if you still use NIST/NSA algorithms, it’s because you are being told to.” Now some of us do have a (non-evil) financial incentive not to switch. We are encrypting data in files that a user synchronizes among multiple platforms. Even if we built in alternative ciphersuites today, it would probably be a year before we could create data using the new ones.

So unless you and Silent Circle have information that the rest of us don’t about AES and SHA-2, I’m actually pissed off at this action. It puts more pressure on us to follow suit, even though such a move would be pure security theater.

> Let me also add that I wouldn't fault anyone for deciding differently. We, the crypto community, need to work together with security and respecting each other's decisions even if we make different decisions and do different things. I respect the alternate decision, to stay the course.

Would you fault people for engaging in security theater? And how is moving away from AES anything other than security theater?

Traditionally we’ve used the term “security theater” to refer to things instigated by politicians and large entities. But the term applies just as well when it is motivated by demand from semi-sophisticated users. Some instances of security theater of that sort are relatively harmless (256 bit symmetric keys, etc), but switching to an AES alternative carries real risks. I have nothing against Skein and Twofish (simply because I’m not familiar with the research on these and other SHA-3 and AES alternatives), but that choice only helps confirm the charge of security theater.

I also think that the choice of Twofish and Skein reeks of security theater as well. It’s based on the public image of a high-profile contributor instead of on security considerations. Other things being equal, going with ciphers that are popular is wise. But are “other things” equal here? (genuine question. I don’t know how well Twofish and Skein hold up in comparison to other AES or SHA-3 finalists.)

I’m not unsympathetic to you and Silent Circle. I can foresee engaging in the same sorts of security theater due to user demand. We’ve done it ourselves in a move from 128 bit AES to 256 bits despite the problems with the 256 bit key schedule. I’m also sympathetic to showing the world that we consider NIST tainted in general. NIST may never regain credibility even if Dual_EC_DRBG was the only case. But that loss of credibility should come (as it has) in renewed scrutiny of NIST behavior; it shouldn’t be throwing out the baby with the bath water just to make people feel more secure.

Although I’m angry, I do recognize that Silent Circle’s actions are legitimate. But I do wish you would acknowledge that wrt AES and SHA-2 it is security theater instead of security.
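The point above about synchronized data files, that adding a ciphersuite is cheap but being able to write data with it takes much longer, is a cipher-agility problem. The Go program below is an added illustration, not code from the author, from Silent Circle, or from any product mentioned in the thread. It assumes a constructed record format (a one-byte suite identifier, a nonce, then AEAD ciphertext) with two suites, AES-128-GCM and AES-256-GCM, echoing the 128-to-256 move mentioned in the message; the suite IDs, the Keys type and the WriterSuite policy function are all inventions for this example. Readers accept any suite they know, the suite byte is bound into the authenticated data so it cannot be swapped, and the writer keeps emitting the old suite until every syncing client is known to read the new one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Suite identifiers stored in the first byte of every record.
// Constructed for this example; not any real product's format.
const (
	SuiteAES128GCM byte = 1 // the suite all deployed clients already read
	SuiteAES256GCM byte = 2 // the newer suite being rolled out
)

// Keys holds one key per suite (hypothetical; a real system derives these).
type Keys struct {
	AES128 []byte // 16 bytes
	AES256 []byte // 32 bytes
}

// aeadFor maps a suite identifier to a ready AEAD, or fails on unknown IDs.
func aeadFor(suite byte, k Keys) (cipher.AEAD, error) {
	var key []byte
	switch suite {
	case SuiteAES128GCM:
		key = k.AES128
	case SuiteAES256GCM:
		key = k.AES256
	default:
		return nil, fmt.Errorf("unknown suite id %d", suite)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal writes: suite(1) || nonce(12) || ciphertext || tag.
// The suite byte is passed as associated data so a tampered header fails to open.
func Seal(suite byte, k Keys, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(suite, k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte{suite}, nonce...)
	return aead.Seal(header, nonce, plaintext, []byte{suite}), nil
}

// Open dispatches on the suite byte, so a reader that knows both suites can
// decrypt records written by either old or new clients.
func Open(k Keys, record []byte) ([]byte, error) {
	if len(record) < 1 {
		return nil, errors.New("empty record")
	}
	suite := record[0]
	aead, err := aeadFor(suite, k)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < 1+ns+aead.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce := record[1 : 1+ns]
	return aead.Open(nil, nonce, record[1+ns:], []byte{suite})
}

// WriterSuite is the rollout gate: new records use the newer suite only once
// every client that syncs this data is known to read it. Until then a writer
// that switched early would produce files the older clients cannot open.
func WriterSuite(allClientsReadNewSuite bool) byte {
	if allClientsReadNewSuite {
		return SuiteAES256GCM
	}
	return SuiteAES128GCM
}

func main() {
	// Constructed demo keys; never use fixed keys outside an example.
	k := Keys{AES128: make([]byte, 16), AES256: make([]byte, 32)}
	rec, _ := Seal(WriterSuite(false), k, []byte("vault item"))
	pt, err := Open(k, rec)
	fmt.Printf("suite=%d plaintext=%q err=%v\n", rec[0], pt, err)
}
```

The part that takes a year in practice is not Open, which can learn a new suite in one release, but flipping WriterSuite: that flag can only go true once the installed base on every platform has shipped the reader, which is why adding a suite today does not let you write data with it today.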
