> On 08 Mar 2017, at 12:25, Aaron Zauner <[email protected]> wrote:
>
>> On 08 Mar 2017, at 01:33, Hanno Böck <[email protected]> wrote:
>>
>> On Tue, 7 Mar 2017 15:11:03 +0000
>> Aaron Zauner <[email protected]> wrote:
>>
>>> For review:
>>> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>>
>> The document contains a lot of outdated advice.
>>
>> E.g.:
>>
>> "(S//NF) Confidentiality must be provided by AES, Serpent, Twofish,
>> Blowfish, 3DES, or RC4 with a minimum key size of 128 bits. Block
>> ciphers must be operated in Galois/Counter Mode (GCM), Counter Mode
>> (CTR), or Cipher Block Chaining Mode (CBC). If RC4 is used, at least
>> the first 1024 bytes of the cryptostream must be discarded and may not be used."
>
> Yeah, it's not really up to date. I guess purging the first 1024 bytes in the
> bitstream of RC4 would make bias attacks far harder as the biases are at the
> beginning of the stream. In general this seems to be stupid advice, though. I
> haven't seen any Suite A ciphers mentioned - so I think they're still only
> used by NSA for satcom / classified networks et cetera, everything else seems
> to use Suite B-based crypto. The leaks also contain discussion about Equation
> Group and choices of ciphers for CNC/exfil - apparently NSA recommended a
> weird internal crypto lib that the intelligence community was using for quite
> a while and was easy to detect because of certain parameters and especially
> algorithm choices: https://wikileaks.org/ciav7p1/cms/page_14588809.html
```
2015-02-23 10:03 [User #1179925]: The "custom" crypto is more of NSA falling to its own
internal policies/standards which came about in response to prior problems. In the past
there were crypto issues where people used 0 IV's and other miss-configurations. As a
result the NSA crypto guys blessed one library as the correct implementation and every one
was told to use that. unfortunately this implementation used the pre-computed negative
versions of constants instead of the positive constants in the reference implementation.
I think this is something we need to really watch and not standardize our selves into the
same problem
```

TBH: I don't want to know how bad Suite A is, it's not publicly audited - if they already fuck up implementation basics,..

Aaron
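As an added example, not from the thread or from the leaked document, a Python script that measures the bias Aaron refers to: the second RC4 keystream byte is zero about twice as often as a uniform byte (the Mantin-Shamir bias), while the same measurement taken after discarding 1024 bytes shows no such excess. The RC4 implementation, the seeded 128-bit sample keys and the trial count are assumptions of the example.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: key-dependent permutation of S
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def zero_rates(trials: int, discard: int = 1024, seed: int = 7):
    """Return (early, late): the fraction of keys whose 2nd keystream byte is 0,
    and the fraction whose 2nd byte *after* `discard` dropped bytes is 0.
    Keys are constructed 128-bit values from a seeded generator so runs repeat."""
    rng = random.Random(seed)
    early = late = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        ks = rc4_keystream(key, discard + 2)
        early += ks[1] == 0                   # Mantin-Shamir position: ~2/256
        late += ks[discard + 1] == 0          # same offset after the discard: ~1/256
    return early / trials, late / trials


if __name__ == "__main__":
    e, l = zero_rates(10000)
    print(f"Pr[Z2 = 0] raw: {e:.4f}   after discarding 1024 bytes: {l:.4f}"
          f"   uniform: {1 / 256:.4f}")
```

Discarding a prefix only hides these initial-byte biases; the weaker long-term keystream biases remain, so the requirement reduces the problem rather than removing it.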
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
