
New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption

Frosty P writes "Congressman Rush D. Holt, a New Jersey Democrat, has proposed legislation (summary, full text) that would prohibit the agency from installing 'back doors' into encryption, the electronic scrambling that protects e-mail, online transactions and other communications. Representative Holt, a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced. 'We pay them to spy,' Mr. Holt said. 'But if in the process they degrade the security of the encryption we all use, it's a net national disservice.'"

  • Re:Locks? (Score:4, Interesting)

    by Anonymous Coward on Saturday September 07, 2013 @09:29AM (#44783083)

    You can also use the same sort of mathematics that makes DH, ECDH, RSA and ECDSA possible to design secure-looking moduli or curves (in the case of ECDH and ECDSA) that are secure as long as you don't know the parameters used to generate the curve. It's basically DSA/DH but with three factors instead of the usual two.

    Both parties know the curve (it's a published standard), and one party (the guy with the private key) has both factors of the configuration parameter, the other party knows only the composite of the two secret factors (the public key). Now the exchanged nonce can be obtained by either the party with the private key or the party with the curve factors (the NSA).

    It is speculated that some published curves for ECDSA have been designed in such a way that some aspect of their generation that is only known to the NSA allows elliptic curve solutions to be rapidly reduced. It is at least well known by cryptographers that certain curves are insecure in any usage, and that other curves might be designed to be trivially reduced only with some knowledge of the parameters used to generate them. What is not known is whether designing curves in such a manner doesn't also make them weak to other yet-to-be-discovered reduction methods.

    Interesting tidbit: there is no theory of security* for either ECDSA, RSA or DH; faith in all of these public key cryptographies rests solely on the lack of a theory of insecurity for them and the belief that if it were easy to create a theory of insecurity, someone would have published one by now (and some partial reductions of RSA have been published, prompting the necessity of using larger RSA keys than previously thought necessary).

    * For commonly used symmetric block ciphers, theories of security exist; that is, there is good mathematical reason to believe they are secure and not merely presumption.

  • by Jah-Wren Ryel ( 80510 ) on Saturday September 07, 2013 @10:06AM (#44783217)

    but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S.Military.

    So the NSA did not screw with Dual_EC_DRBG [wired.com] in the NIST standard? Or is it just that any hardware which implements Dual_EC_DRBG is going to be rejected without explanation when it is submitted for FIPS 140 [wikipedia.org] certification?

  • Re:Locks? (Score:5, Interesting)

    by Teancum ( 67324 ) <robert_horning AT netzero DOT net> on Saturday September 07, 2013 @10:16AM (#44783253)

    The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its monopoly on secrets, which is the source of its power (that it may also be useful in protecting American businesses and interests from foreign penetration is a bonus). Therefore it will point you towards stronger tools if it can, so its advice is not totally without merit.

    The kinds of people that publish non-classified papers about encryption by the NSA also know damn well that there are other very smart people around the world who do not work for the NSA, the U.S. federal government, or even give a damn about America.

    Seriously, where do you come up with this crap?

    Yes, if you see something published by the NSA, perhaps take it with a grain of salt and do your own kind of analysis. Learn a bit about mathematics first and understand not just that they have pontificated about some sort of algorithm but understand why they came to those conclusions. If not yourself, then at least find somebody who you can trust.

    There are secure encryption methods that are being used, and there is a good reason why the NSA wants to be assisting with the larger cryptographic community in developing secure forms of communication. Don't get into this kind of conspiracy theory bullshit and claim that they have some kind of mystical powers that simply don't exist. The NSA doesn't have any sort of monopoly over the concept, and of course neither did the Germans with the Enigma machine. In fact, it would have helped the Germans in World War II to have at least discussed their design with a few mathematicians prior to spending so much effort building the device rather than being so damn clever that some of the design ideas actually backfired and made it easier to crack that encryption method.... not that the guys at Bletchley Park complained if German engineers made their job easier.

    NSA agents aren't gods. They are good at what they do because they are professionals who do encryption on a full time basis and have received advanced training in mathematics. It is sufficient training that some of those people could teach mathematics as a professor at almost any university in the world, yet they choose to use their efforts to understand encryption in regards to the country they serve. That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.

    Besides, all encryption, from any point in history, has always been an issue of how much effort must be applied in order to break the code, not the question as to if the message can be read at all. If you need the services of a server farm covering a hundred acres working for a month in order to crack a message, you've done your job. The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.

  • by Spiked_Three ( 626260 ) on Saturday September 07, 2013 @12:42PM (#44784053)
    It is people like you, naive about reality, that have the US in the predicament it is today.

    Try suing the NSA, good luck.

    Hell, try suing the IRS or even ATT for that matter, and for pretty much anything .... good luck.

    And blame it on the president? WTF? Are you a silver spoon fed child?
