The NSA’s Simon and Speck: Trust versus Security

I wanted to share an interesting development in the NSA’s quest to have their lightweight cryptographic tools (i.e., tools for constrained environments such as Internet of Things (IoT) and implanted medical devices (IMD)) “Simon” and “Speck” adopted by the International Organization for Standardization (ISO – ever wonder why it’s ISO instead of IOS? ISO provides an answer [1]). First, a brief background.

Simon and Speck are families of lightweight block ciphers for symmetric encryption [2]. There is a tremendous need for these algorithms, as current cryptography running on constrained devices is, shall I say, best characterized by this joke: “the ‘S’ in ‘IoT’ stands for security” ([3] provides a basic reason why, and [4] is all about IMDs; it’s okay to freak out a bit, I did). Remember the Mirai Botnet attack in September 2016? It was due to poor security on IoT devices [5, 6] (a former executive from an affected party, Dyn, has recently announced a startup to protect IoT devices [7]). Such is the need that on April 18, 2018, NIST “initiated a process to solicit, evaluate, and standardize lightweight cryptography algorithms that are suitable for constrained environments” [8, 9]. Simon and Speck were considered front-runners. The ISO, however, does not appear to agree.

As first reported by Jack Barton in WikiTRIBUNE [10] and later picked up by other outlets (e.g., [11, 12]), the international community has supposedly voted in secret to end the adoption process that began back in 2014. Was there a fatal flaw in their math? Nope. Was a backdoor discovered? No again. Were the algorithms in any detectable way weak? Not that has been discovered yet. So why were they rejected? Trust, and a good dose of “adversarial and aggressive behavior” on the part of the NSA.

The NSA has been accused of withholding technical specifications crucial to their selection of parameters, which flies in the face of best practices. With the NSA’s vast computational resources, it would be quite “easy” for them to select parameters that appear random/secure, only to have secretly injected/detected a weakness. That is, a value that appears safe is actually something the NSA can exploit. When questioned, the agency became “adversarial and aggressive”, according to reports, personally attacking the credibility of their detractors – that didn’t exactly work in their favor. Their lack of candor and decorum was quite disturbing to the ISO and research community. Oh, and let’s not forget their past either. The Snowden documents show how the NSA paid RSA [13] $10 million to introduce backdoors into their enterprise-grade solutions [14]. Also, the NSA’s “optimized” version of AES and its SHA-1 proposal exhibited flaws as well [11].

The main takeaway: the international community has lost faith in the NSA’s ability to produce strong encryption for the masses. While the mission of the NSA includes “Information Assurance (IA) products and services”, most feel it does not extend beyond the US government. Instead, it is assumed the rest of the world (including US citizens) falls under “Signals Intelligence (SIGINT)…to gain a decision advantage for the Nation and our allies under all circumstances” (emphasis mine) [15]. Dr. Tomer Ashur, the Belgian representative to the ISO, was quoted as saying [11]:

On a personal note: spying agencies have no place in civilian standardization. If you can’t motivate your decisions, we can’t trust you. The Russians and Chinese seem to understand that and are much more cooperative in addressing concerns.

Ouch! The Russians and Chinese are more trusted than the US? Mull that over for a minute.

In response, Neal Ziring, NSA Capabilities Technical Director, said the following [11]:

Both Simon and Speck were subjected to several years of detailed cryptanalytic analysis within NSA, and have been subject to academic analysis by researchers worldwide since 2014. They are good block ciphers with solid security and excellent power and space characteristics.

Weighing in on the discussion in his blog was Bruce Schneier, Chief Technology Officer of IBM Resilient, who (cautiously) backed the NSA [16]:

The risk of using NSA-designed ciphers, of course, is that they include NSA-designed backdoors. Personally, I doubt that they’re backdoored. And I always like seeing NSA-designed cryptography (particularly its key schedules). It’s like examining alien technology.

Like I said, it’s an interesting development.

Edit:

If you’re interested in an example of parameter explanations, the SafeCurves project [17] includes what they term rigidity analysis, which explains parameter selection for public elliptic curves. Most are incredibly basic and easily understood. For instance, the M-221 curve states:

p is the largest prime smaller than 2^221; B = 1; A > 2 is as small as possible

That’s it! p is a prime number used in modulo operations, and A and B are parameters in the Montgomery equation By^2 = x^3 + Ax^2 + x (hence the M in M-221; the 221 is the exponent in the expression for p). In actual values, these correspond to p = 2^221 - 3 and A = 117050 (B is already defined as 1). These seem arbitrary, but both follow best practices as defined in the literature, and can be easily validated [17, 18, 19].
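To show what “easily validated” looks like in practice, here is an added example (my own code, not part of the original post and not the SafeCurves project’s code) that checks the pieces of the M-221 explanation verifiable from the three quoted facts alone: that p = 2^221 - 3 is prime and is the largest prime below 2^221, that A = 117050 with B = 1 gives a non-singular Montgomery curve, and that the x-only Montgomery ladder on that curve behaves consistently. The base point and group order are not quoted above, so the “A as small as possible” claim (which depends on the curve and twist orders) is not checked here; the x-coordinate 7 used in the ladder check is an arbitrary constructed value, not the standard base point, and the primality test is the usual probabilistic Miller-Rabin with a fixed base set.

```python
"""Locally checkable parts of the SafeCurves rigidity statement for M-221.

Added example, not from the post or from SafeCurves. It uses only the three
quoted parameters: p = 2^221 - 3, A = 117050, B = 1. The base point and the
group order are not on the page, so order-related claims are NOT verified.
"""

P_BITS = 221
P = 2**P_BITS - 3
A = 117050
B = 1

# Fixed small-prime bases for Miller-Rabin. For 221-bit numbers this is a
# probabilistic test (no proven deterministic base set exists at this size).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin strong probable-prime test with the fixed base set above."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # b witnesses compositeness
    return True


def largest_prime_below_power_of_two(bits: int) -> int:
    """Walk down from 2^bits - 1 over odd candidates until a prime is found."""
    n = 2**bits - 1
    while not is_probable_prime(n):
        n -= 2
    return n


def p_is_as_claimed() -> bool:
    """'p is the largest prime smaller than 2^221'. Note 2^221 - 1 is composite
    outright: 13 divides 221, so 2^13 - 1 = 8191 divides 2^221 - 1."""
    return largest_prime_below_power_of_two(P_BITS) == P and (2**221 - 1) % (2**13 - 1) == 0


def curve_is_nonsingular() -> bool:
    """By^2 = x^3 + Ax^2 + x is a valid Montgomery curve only if B(A^2 - 4) != 0 mod p."""
    return (B * (A * A - 4)) % P != 0


def a24_is_integral() -> bool:
    """The ladder step multiplies by (A + 2)/4; A = 2 mod 4 keeps that an integer."""
    return (A + 2) % 4 == 0


def ladder(k: int, x: int) -> int:
    """x-only Montgomery ladder: x-coordinate of [k]P given x(P) = x, k >= 1.

    Works for any x in F_p (the x-only formulas cover the curve and its twist),
    so no base point is needed for a consistency check."""
    a24 = (A + 2) // 4
    X1 = x                      # difference point P, with Z1 = 1
    X2, Z2 = 1, 0               # [0]P, the point at infinity
    X3, Z3 = x, 1               # [1]P
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:
            X2, Z2, X3, Z3 = X3, Z3, X2, Z2
        # doubling of (X2:Z2) and differential addition (X2:Z2)+(X3:Z3) w.r.t. P
        t0, t1 = (X2 + Z2) % P, (X2 - Z2) % P
        t2, t3 = (X3 + Z3) % P, (X3 - Z3) % P
        t0sq, t1sq = t0 * t0 % P, t1 * t1 % P
        E = (t0sq - t1sq) % P
        X2n = t0sq * t1sq % P
        Z2n = E * ((t1sq + a24 * E) % P) % P
        u, v = t0 * t3 % P, t1 * t2 % P
        X3n = (u + v) % P
        X3n = X3n * X3n % P
        Z3n = (u - v) % P
        Z3n = Z3n * Z3n % P * X1 % P
        X2, Z2, X3, Z3 = X2n, Z2n, X3n, Z3n
        if bit:
            X2, Z2, X3, Z3 = X3, Z3, X2, Z2
    return X2 * pow(Z2, P - 2, P) % P   # affine x = X/Z via Fermat inversion


if __name__ == "__main__":
    print("p is the largest prime below 2^221:", p_is_as_claimed())
    print("curve is non-singular:", curve_is_nonsingular())
    print("(A+2)/4 is an integer:", a24_is_integral())
    x = 7  # constructed test x-coordinate, not the M-221 base point
    print("ladder commutes:", ladder(12345, ladder(678, x)) == ladder(678 * 12345, x))
```

The ladder check relies on the fact that the x-coordinate of [a]([b]P) equals that of [ab]P regardless of which sign of the point the x-coordinate picks out, so three scalars and an arbitrary x are enough to catch an arithmetic slip in the formulas. What this script cannot do is confirm the minimality of A, because that claim is about the curve and twist orders, which take a point-counting algorithm and the published order to verify; SafeCurves lists those numbers, and the post’s point stands: every input to the check is public and explained.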

The point is to show just how easy and simple it is to explain parameter selection, which makes the NSA’s inability to answer the basic questions even more suspect. Of note, SafeCurves has deemed all NIST-approved curves (as developed by the NSA) unsafe! Each failed the rigidity test, as the NSA refused to motivate their parameter selections (seems like a pattern), along with at least three other tests. All told, NIST P-224 failed five, and NIST P-256 and P-384 failed four, of ten tests.

References:

[1] ISO, About ISO, https://www.iso.org/about-us.html, Accessed May 3, 2018.

[2] Beaulieu, Ray, Shors, Douglas, Smith, Jason, Treatman-Clark, Stefan, Weeks, Bryan, & Wingers, Louis, The Simon and Speck Families of Lightweight Block Ciphers, June 19, 2013, https://eprint.iacr.org/2013/404.pdf, Accessed May 3, 2018.

[3] Caindec, Keao, 5 Key Challenges in Securing Resource-Constrained IoT Devices, June 29, 2017 https://www.mocana.com/blog/5-key-challenges-in-securing-resource-constrained-iot-devices, Accessed May 3, 2018.

[4] Rios, Billy & Butts, Jonathan, Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies, May 17, 2017, https://drive.google.com/file/d/0B_GspGER4QQTYkJfaVlBeGVCSW8/view, Accessed May 3, 2018.

[5] Grau, Alan, Mirai Botnet Show Just How Vulnerable the IoT Really Is, http://www.iconlabs.com/prod/miraibotnet-shows-just-how-vulnerable-iot-really-0, Accessed May 3, 2018.

[6] Bursztein, Elie, Inside Mirai the infamous IoT Botnet: A Retrospective Analysis, December 2017, https://elie.net/blog/security/inside-mirai-the-infamous-iotbotnet-a-retrospective-analysis, Accessed May 3, 2018.

[7] Shoorbajee, Zaid, Former Dyn exec spins up IoT security startup to avoid the next Mirai, May 1, 2018, https://www.cyberscoop.com/minim-mirai-attacks-dyniot-security/, Accessed May 3, 2018.

[8] NIST, NIST Issues First Call for ‘Lightweight Cryptography’ to Protect Small Electronic, April 18, 2018, https://www.nist.gov/news-events/news/2018/04/nist-issues-first-call-lightweight-cryptography-protect-small-electronics, Accessed May 3, 2018.

[9] NIST, Lightweight Cryptography, April 18, 2018, https://csrc.nist.gov/Projects/Lightweight-Cryptography, Accessed May 3, 2018.

[10] Barton, Jack, ‘Black cloud’ of the NSA ‘looms over’ international encryption, April 24, 2018, https://www.wikitribune.com/story/2018/04/24/internet/encryption-for-the-internet-of-things-and-a-setback-for-the-nsa/67367/, Accessed May 3, 2018.

[11] Targett, Ed, NSA: Our Crypto Is Good. ISO: No Thanks Though, April 27, 2018, https://www.cbronline.com/news/isonsa, Accessed May 3, 2018.

[12] Cushing, Tim, International Standards Body Rejects Weakened IOT Encryption Methods Pushed By The NSA, April 30, 2018, https://www.techdirt.com/articles/20180427/19421739732/international-standards-body-rejects-weakened-iot-encryption-methods-pushed-nsa.shtml, Accessed May 3, 2018.

[13] RSA, https://www.rsa.com/, Accessed May 3, 2018.

[14] Menn, Joseph, Exclusive: NSA infiltrated RSA security more deeply than thought – study, March 31, 2014, https://www.reuters.com/article/us-usa-security-nsarsa/exclusive-nsa-infiltrated-rsa-security-more-deeply-than-thought-study-idUSBREA2U0TY20140331, Accessed May 3, 2018.

[15] NSA & CCS, Mission & Values, https://www.nsa.gov/about/mission-values/

[16] Schneier, Bruce, Two NSA Algorithms Rejected by the ISO, April 25, 2018, https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html, Accessed May 3, 2018.

[17] Bernstein, Daniel J. & Lange, Tanja, SafeCurves: choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to, Accessed May 4, 2018.

[18] Aranha, Diego F., Barreto, Paulo S. L. M., Pereira, Geovandro C. C. F., & Ricardini, Jefferson E., A note on high-security general-purpose elliptic curves, Technical report, January 2013, https://eprint.iacr.org/2013/647.pdf, Accessed May 4, 2018.

[19] Montgomery, Peter L., Speeding the Pollard and Elliptic Curve Methods of Factorization, Mathematics of Computation, Volume 48 (117), January 1987, pp. 243-264, http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866113-7/S0025-5718-1987-0866113-7.pdf, Accessed May 4, 2018.