> I have no idea if the KRA is still in business, and, as an employee of
> NAI, I don't really care. It doesn't affect me.
>
> Strong crypto is available. There is nothing that the NSA can do about
> that. If they are smart, they have concentrated their efforts on breaking
> RSA, Diffie-Hellman and ElGamal, 3DES, CAST5, and IDEA. (Not to mention
> the AES candidates).
>
> Circumvention of the security of commercial US products can only go so
> far. To do their job, the NSA would need to break the fundamental security
> of those products (the cryptographic algorithms themselves) and to date
> there haven't been any significant compromises in the ones I have named
> reported from the private sector.
Huh? We discover ways to compromise systems that use cryptography
without breaking the crypto algorithms all the time. Implementation
errors and protocol failures (like the Windows 2000 IPSEC weakness being
discussed) almost certainly provide intelligence agencies with more
fruitful sources of attack than weak cryptography, and probably did even
back in the days when people were shipping 40 bit RC4.
> Is the NSA far ahead of the private
> sector? That is speculation... but I have faith in our private
> cryptanalysts to atleast identify potential problems.
