The secure communications provider Silent Circle is pretty upset about the apparent betrayal of the cryptographic community by the NSA, so it’s moving away from encryption standards that the intelligence agency helped develop.
Silent Circle, co-founded by PGP author Phil Zimmermann, provides encrypted mobile and desktop voice and text services for personal and enterprise use. In a blog post on Monday, the company said it would soon adopt new defaults to replace certain widely-used standards that came out of the U.S. National Institute of Standards and Technology (NIST) with the co-operation or guidance of NSA representatives.
While NIST is a highly-respected standards body, it was recently forced to advise against the use of its own Dual_EC_DRBG random number generator after Edward Snowden’s leaks suggested it had been subverted by NSA representatives involved in the standardization process. Long story short: the NSA seems to have set constants in the generator that makes its output easier to guess, in turn making encryption that uses the generator easy to crack if you know the constants. The security firm RSA, which used Dual_EC_DRBG by default, also had to warn its customers to steer clear.
The standards that Silent Circle will drop as default (it will keep them in its systems for those who want them) are included in Suite B, a set of NSA-promoted algorithms and curves that was unveiled in 2005 and formalized in 2010. They are:
- The SHA-2 hash function, to be replaced by the Skein hash function co-authored by Bruce Schneier, Silent Circle CEO Jon Callas and others.
- The Advanced Encryption Standard (AES) cipher, to be replaced by the Twofish cipher (co-authored by Schneier) that was once in the running to be the AES cipher, but was turned down. AES may also be replaced by Threefish, part of Skein, although that looks like a technically tricky option.
- The P-384 curve, to be replaced by one or more new curves.
As Callas wrote on Monday:
“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on.”
But how necessary is it to move on?
Better safe than sorry?
Silent Circle has achieved a certain amount of prominence during the current surveillance scandal — mostly due to its decision to shut down its secure hosted email service, Silent Mail, but also because Zimmermann and Callas are highly respected cryptographers. There is no indication from the Snowden leaks (yet) that PGP has been compromised, for example. If anything, Zimmermann’s encryption technology has been shown to cause the NSA some alarm.
So the company’s moves are worth noting. However, according to Professor Alan Woodward of the computing department at the University of Surrey in the UK, Silent Circle’s inference that the NSA deliberately made NIST’s curves more vulnerable is “a bit of a stretch.”
As Woodward told me by email:
“Do I think the curves chosen are deliberately weak? No. I think they are weaker than some others — there has been much analysis showing that there are potentially sets of other curves that are stronger than those chosen in suite B of the NIST standard but the corollary of that statement doesn’t mean that those chosen were deliberately weak.
“Remember that this standard is approved to protect US classified material up to Top Secret. Why would they weaken their own security? It’s not like it is a back door or some secret magical key: it would amount to using something that was deliberately weak in which case any other cryptanalysis organisation (i.e. other governments) would exploit it.”
Woodward also pointed out that AES is one of the most studied encryption standards out there, yet there is no evidence that it can be routinely cracked. He suggested that moving from AES to Twofish “seems to be more of a political statement than anything founded in the knowledge of some weakness in the algorithm.”
“Basically I think Silent Circle are saying that they don’t trust NSA so Silent Circle doesn’t want anything to do with anything that NSA has been involved in developing,” Woodward said. “IMHO that seems to be a trifle of an overreaction but they presumably think those who use their service are those who likewise distrust the NSA and hence publicly disassociating Silent Circle from anything developed by NSA will appeal to their client base.”
On the other hand, Woodward said Silent Circle’s exploration of more modern implementations of elliptic curve cryptography was sensible. “A few years can bring a lot of changes in computer technology and it is a constant arms race between cryptographers and cryptanalysts,” he said. “Hence, all encryption schemes require revisiting.”