NSA Backdoors in Crypto AG Ciphering Machines

This story made the rounds in European newspapers about ten years ago—mostly stories in German, if I remember—but it wasn’t covered much here in the U.S.

For half a century, Crypto AG, a Swiss company located in Zug, has sold to more than 100 countries the encryption machines their officials rely upon to exchange their most sensitive economic, diplomatic and military messages. Crypto AG was founded in 1952 by the legendary (Russian born) Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold 140,000 of his machine to the US Army.

“In the meantime, the Crypto AG has built up long standing cooperative relations with customers in 130 countries,” states a prospectus of the company. The home page of the company Web site says, “Crypto AG is the preferred top-security partner for civilian and military authorities worldwide. Security is our business and will always remain our business.”

And for all those years, US eavesdroppers could read these messages without the least difficulty. A decade after the end of WWII, the NSA, also known as No Such Agency, had rigged the Crypto AG machines in various ways according to the targeted countries. It is probably no exaggeration to state that this 20th century version of the “Trojan horse” is quite likely the greatest sting in modern history.

We don’t know the truth here, but the article lays out the evidence pretty well.

See this essay of mine on how the NSA might have been able to read Iranian encrypted traffic.

Tags: , , , , , ,

Posted on January 11, 2008 at 6:51 AM40 Comments

Comments

erlehmann January 11, 2008 7:18 AM

really sensitive information and they were not paranoid enough to demand open implementations ‽

Anonymous January 11, 2008 7:43 AM

@Ben:

“I’m not sure I would pay much attention to anything on inteldaily.com […]”

That may be so, but the allegations, from a decade ago are nonetheless reported accurately. Feel free to believe what you wish, but in my opinion, you have to be a complete numb-skull to look away from the strange number of coincidences around this business.

Paul Crowley January 11, 2008 7:57 AM

Now that Iranians are taking part in the open crypto community, can we expect some smart hacker to take apart one of these devices, reverse engineer the algorithm, and find the back door?

Ben January 11, 2008 8:10 AM

Dear Anonymous,

Sorry about that, I shall pay more attention to accurately reported allegations and coincidences in future, and less to the facts.

Cheers

Ben

kamper January 11, 2008 8:17 AM

“the article lays out the evidence pretty well”??

There was an incredible amount of information in that article with no references whatsoever. Regardless of whether or not it’s true, to me that’s a sign that the the author was more interested in a juicy story than summarizing facts.

Nico January 11, 2008 8:54 AM

I don’t know how reliable Inteldaily/Ohmynews is, but many of those facts seem to come from the 1996 story in German magazine Der Spiegel ( http://en.wikipedia.org/wiki/Der_Spiegel ), which has a very good reputation for fact-checking. (‘”Wer ist der befugte Vierte?”‘, in Der Spiegel 36/1996, pp. 206-207.)

There is a copy of that article online here: http://jya.com/cryptoag.htm . I have access to the original Spiegel article and just compared the online text briefly, it seems to be an accurate copy.

That site also has an unofficial English translation, which is a bit clumsy but conveys the facts correctly as far as I can see:
http://jya.com/cryptoa2.htm

Anonymous #2 January 11, 2008 8:58 AM

Many of these allegations were published about a decade ago. I don’t know whether they are true or not, but that doesn’t really matter. The story is plausible. For those not personally involved, the lessons that can be learned from it are the same whether the story is true or not, much like Aesop’s fables.

sooth_sayer January 11, 2008 9:11 AM

If a dumb bureaucrats thinks all he has to do is pluck down a few thousand dollars to “quietly” plan/coordinate assassinations, they got what they deserved for staying ignorant. Iran was one of the “victims” .. they started suspecting the machines when their complicities in some murders became know.

If you are so paranoid .. let your kids understand science, and create your own NSA.

If I am not wrong this is the 2nd time in the past 2 months Bruce has picked on at 10 years old story .. pray tell what’s new.

anon1234 January 11, 2008 9:33 AM

I’ve seen this before, probably in Bamford’s “Puzzle Palace” or one of David Kahn’s later books.

Carlo Graziani January 11, 2008 10:00 AM

The story may or may not be true, but that article is very long on hearsay, while scoring near zero on actual technical evidence. There are also some plausibility holes, and conflation of at least two separate alleged conspiratorial actions.

In the first place, the original Hagelin machines (which were sold up to some time in the ’70’s, apparently) were, so far as I am aware, mechanical rotor machines, of the same family heritage the Enigma. At the time, the WWII Enigma break was a closely-held secret, so their security was rated more highly than they really deserved. It’s likely that NSA and GHQ had efficient attacks on those machines that didn’t require any kind of back-door type of collaboration from Hagelin Sr. — by the mid-fifties, they’d had over a decade of industrial-scale experience in attacking such machines, and a decade of actual digital computing, so presumably they could accomplish considerably more than they had against the Germans (also presumably they were attacking a much lower volume of traffic).

Given this, I would say that documentation of meetings between Hagelin Sr. and Friedman prove nothing. They are just a way of providing some conspiratorial atmospherics to the article, to serve in lieu of evidence.

The more specific “back door” allegations appear to be made against the electronic devices of ’70s vintage. Here the evidence is very circumstantial — settled court case, Iranian suspicions, disgruntled ex-employees. The funny thing is, it shouldn’t be necessary to rely on this crap level of evidence to determine whether these machines are secure. If these allegations have been around for a decade, in the era of flourishing public cryptographic expertise, you’d think that some academic cryptographer of the full disclosure school would have grabbed one of these machines and analyzed it. In which case, we would just know. This happens all the time, viz. the Dual_EC_DRBG back door fiasco.

So, maybe there’s smoke, but I can’t say that the inteldaily.com people have credibly located a fire. Judging by the breathless tone of their reporting, they seem to think that smoke is a fire.

anonymous-8:58am January 11, 2008 10:01 AM

@anon1234 – possibly Bamford’s “Body of Secrets”, “Puzzle Palace” is about a decade too old.

@Ben – do you have enough references now?

The UK supposedly sold Enigma variants to foreign powers after the war. Same idea. As I recall the CRYPTO AG stuff was seen as newer and better. I also bet the Enigma market dried up after (if not before) “The Ultra Secret” in ’74.

References anyone?
Timeline anyone?

Pure speculation on my part but, could it be possible that the switch was engineered?

anonymous-8:58am January 11, 2008 10:24 AM

@Carlo

Has there been new news confirming Dual_EC_DRBG (I read Bruce’s blog on it – and will avoid it)?

Although I’d like to think it were true,
I’m not aware of many researchers going after obsolete crypto hardware. Or even if there are many of these machines available for analysis?

There are simulators available like at http://frode.home.cern.ch/frode/crypto/ but I don’t know if anyone’s analyzed them for this. Or even if the problem was in the algorithm?

@Bruce – hey – this is a re-tread
http://www.schneier.com/crypto-gram-0406.html#1

RF January 11, 2008 10:26 AM

@ the commenters asking why someone in the academic world hasn’t found the backdoor: presumably it takes money and elbow grease to reverse-engineer electronic crypto machines. And the “backdoor” may simply be that the cipher is very weak (like GSM A5/1), so there might not be a smoking gun for NSA involvement even if it were reverse-engineered.

Can’t say much more because I haven’t read all these sources; I don’t know if the devices were backdoored either. It could even be that Crypto AG was merely incompetent rather than complicit, or that the Iranians’ problem was somewhere other than their crypto machines.

no real health care in third world america January 11, 2008 11:26 AM

we’re just a jar of ants to the government, wake up sheep! nothing but a google earth like sim ant game for big brother. sing along with good old judas priest:

“Up here in space
I’m looking down on you.
My lasers trace
Everything you do.
You think you’ve private lives
Think nothing of the kind.
There is no true escape

I’m watching all the time.
I’m made of metal
My circuits gleam.
I am perpetual
I keep the country clean.

I’m elected electric spy
I protected electric eye.
Always in focus
You can’t feel my stare.
I zoom into you
You don’t know I’m there.
I take a pride in probing all your secret moves My tearless retina takes pictures that can prove.

Electric eye, in the sky
Feel my stare, always there’s
nothing you can do about it.
Develop and expose
I feed upon your every thought
And so my power grows.
Protected. Detective. Electric eye.”

look outside and wave, smile at the sky and spell out NSA in the sand at your favorite beach.

Alan January 11, 2008 12:11 PM

@RF

You are assuming that someone in academia has access to the equipment and can afford it. It is my understanding that these machines are only sold to governments and other high profile clients. They are not something sold in the Best Buy down the street, nor does Consumer Reports publish reviews on them.

darkuncle January 11, 2008 12:15 PM

@erlehmann: in 1952, the phrase “open implementations” would have made no sense whatsoever – Crypto AG started selling these devices to gov’t 30 years before the open source meme started to receive any kind of widespread recognition as such.

(now if you meant to say, “why were they not paranoid enough to demand open implementations” today, then yeah, I’d totally agree with you. In 1952, ignorance of such would have been understandable; not so much so in 2008.)

anonymous-8:58am January 11, 2008 12:29 PM

@RF & Carlo the articles say that Crypto AG rigged some existing models of machines. If that’s the case a researcher would need to get their hands on one of the tampered machines. Having a simulator or an untampered machine would not help.

I would expect that the machines were destroyed or locked away. I can’t see Iran selling them on the open market where their other enemies might be able to obtain and study them (just in case they were sitting on old ciphertext).

@anon1234 – you were right – it seems there was a veiled reference to an NSA Crypto AG arrangement in the Puzzle Palace

Xoebe January 11, 2008 1:05 PM

There are a lot of things unsaid in this story. You can probably safely figure that it’s mostly true. However, consider the following:

  • Crypto AG fires their salesman and bills him for the ransom money they paid? Really? Even Kafka wouldn’t have gone that far. There is more to this story.
  • Reagan’s “slip” is nowhere near definitive enough to cast doubt on any particular process, not was it likely a “slip” anyway. Reagan was no idiot, and everything he and his staff was vetted 9 different ways before it was presented. And of course there is the obvious – that he was lying, and there was no “definitive” evidence at all, and this was another red herring. Besides, “irrefutable” evidence suggests it was corroborated, and that means more than one source of information.
  • Security and intel types meet regularly with their vendors and clients. None of those meetings mean a thing, unless we could see a real transcript of what actually happened.
  • Doubtless the U.S intel would have asked for backdoors. Whether or not they were provided is unknown, and subject to informed speculation.

  • It is probably not likely that any of this would have come to light at all if the powers that be didn’t want it to come to light. For example – and here I speculate – why fire Buehler? Why not just kill him? Perhaps the whole disgruntled employee thing was a ruse, and the lawsuit was an excuse to deliver misinformation.

-There are likely numerous intelligence holes on both sides of the Iranian-American thing. There was significant American-Iranian intel and security cooperation going back decades. Those personal relationships didn’t just evaporate, plus the overthrow of the Shah in 1979 certainly wasn’t something that made everybody in the Iranian intel community very happy. There are plenty of opportunities for American intelligence to get access to Iranian data.

Essentially, we in the public find these things out long after they are no longer important. It’s unlikely that any of this means anything of immediate importantance. It however, a fascinating and interesting story. It is also a cautionary tale in terms of security.

Know your vendor. Trust nobody.

Anonymous January 11, 2008 2:04 PM

Gee, can you imagine the uproar if some other country tried something like that, especially with a product the US used?

RF January 11, 2008 2:38 PM

@Alan — right. So it would prob’ly be even harder for an public reverse engineering to happen than I originally suggested.

RF January 11, 2008 2:45 PM

@Alan — I do kind of want to see Consumer Reports reviews for crypto machines, though. 🙂

(Disclaimer: I’m joking.)

Niyaz PK January 12, 2008 9:49 AM

I heard this news some months back. But i thought Bruce would have covered the news.
But I think i read it from some other ource, and as Bruce pointed out, the news was pretty convincing.
Who knows if they have back doors in AES, SHA …..

Roger January 13, 2008 6:27 AM

This topic has been discussed in crypto circles for quite some time, and majority opinion seems to be that if the Crypto AG equipment really did have a backdoor, then it was most likely an algorithm with a known weakness. The theory given in this article — namely, that the hardware was rigged to secretly transmit an obscured copy of the key along with the ciphertext — is rather improbable. There are a number of reasons for believing this but the simplest is that for about the first 25 years for which they were supposedly doing this, their cipher machines were constructed from relays and rotors which could be, and usually were, regularly dismantled and serviced by their customers’ code clerks. Before ultra-miniaturisation, any such hardware gimmick would almost certainly have been found within weeks.

Another issue is that all of these machines were stream ciphers, so there was a 1:1 correspondence in the characters in the plaintext and ciphertext. In the old days, and even to some degree for a while after Crypto AG introduced VLSI electronic systems, it was very common to include counts of characters as an error check. A mismatch in PT and CT sizes would immediately ring alarm bells. As such, there simply was no room to hide a key in the ciphertext.

Bruce Schneier January 13, 2008 8:45 AM

“This topic has been discussed in crypto circles for quite some time, and majority opinion seems to be that if the Crypto AG equipment really did have a backdoor, then it was most likely an algorithm with a known weakness.”

This is my guess, too. The NSA’s success with rotor machines was a closely guarded secret, because crypto manufacturers continued to sell these machines to many countries around the world.

Bruce Schneier January 13, 2008 8:51 AM

“I heard this news some months back. But i thought Bruce would have covered the news.”

I was surprised, too. I wrote about it in passing ten years ago — before I started the blog — but that was it.

Frode Weierud January 14, 2008 3:24 AM

This is indeed an old story. It probably carries some truth but which of course never has been proved.

However, one thing I always found curious is that the Swiss banks, the Swiss army and other Swiss government organizations always seemed to use equipment from the Swiss firms Gretag and Brown Boveri (BBC) and never from Crypto AG.

I once asked a Crypto AG employee about this and the answer I got was: “Well, we have shared the market. They supply the domestic market and we do the exports.” I always found this a curious form of competition.

Clive Robinson January 16, 2008 8:33 AM

One of the things that is seldom mentioned about Boris Hagelin’s early days.

Boris’s original cipher machine was based on a coin counting mechanisum (not rotors like the Enigma). The mechanisum produced a key stream that was added mod to the plain text (the mod was achived simply by rotating the print head round in a similar way to a clock face under the minute hand).

The important thing was that only something like 5% of the keys was even remotly secure for the 1940s the other 95% ranging from poor to totaly inadiquate.

These machines where used by U.S. troops as a field cipher for many years.

One of the reasonings for this was,

1) Current and future enamies on capturing the equipment where either likley to re-use it or copy it’s design.

2) Unless they possessed the technical expertesse they where unlikley to know which keys where secure and those that where not.

Therefore on the balance of probability 90% of those signals would be easily broken by the U.S.

Dirk Rijmenants January 30, 2008 4:46 AM

Nice story, but the only thing we still are waiting for are sources and evidence. We could see this from another point of view. NSA had lots of reasons to descredit a foreign crypto manufacturor. The US has a long history of blocking or weakening good cryptography (limiting key sizes, making designs less effective, even in their own country!). Putting Crypto AG in a bad light would surely be in the intrest of NSA and limit the proliferation of quality (?) crypto in the world. The lack of sources, academic proof or any hard evidence whatsoever about the Crypto AG tampering stuff does makes one wonder where the story really came from…

However, rigging the electronic devices still ‘could’ be possible. But the mechanical machines could be considered as ‘open source’ since the mechanics are widely known and cryptanalysed (in the case of the CX-52 without succes). You cannot tamper a mechanical design like the CX-52 (which also was higly customable by the costumer) By the way, although pin-and-lug devices like the C series are described as stream ciphers it should be noted that all message procedures on sending messages used random message keys (encrypted starting position of the wheels), ensuring a unique stream for each new message, even when key and CT were identical.

As often, we’ll never know the real story. I remember a NSA guy saying “in 99 percent of the cases we even don’t need to break anything, we get it before it’s encrypted”. Knowing which Iranian sent something doesn’t have to come from broken or leaked keys. Enough other ways to get information, either by SIGINT or HUMINT.

To some of the Enigma comments above: the Hagelin machines were completely different to the Enigma design and Enigma’s security came nowhere near to the CX models. The only rotormachine, produced by Hagelin was the HX-63, wich was far more complex.

Dirk Rijmenants January 30, 2008 5:28 AM

@Bruce,

“This is my guess, too. The NSA’s success with rotor machines was a closely guarded secret, because crypto manufacturers continued to sell these machines to many countries around the world.”

I agree on the weak algorithm theory, but why do you mention the rotor machines as they were by Hagelin???

The only rotormachine, produced by hagelin, the HX-63, was experimental and only 12 were manufactured. I don’t understand why people keep talking about rotor machines, and pull the (cracked) Enigma into this story.

Hagelin never sold rotor machines (for a good reason). He made his fortune before the electronics era with pin-and-lug type machines.

PS: The russian Fialka M-125, an advanced version from the Enigma, which incorporated solutions to all Enigma weaknesses is a good example of why the crypto community stopped using rotor machines ages ago: the Israeli’s captured one and learned how to crack it. Hagelin was clever enough to use other devices.

Individual pal August 14, 2008 2:58 PM

Under my point of view if NSA would have had such a wonderful way to get secret information, never this story would have came out. Intelligent people only can think that this was a gossip to generate fud (fear, uncertainty and doubts) and therefore provoque the crash of this firma. I believe that Crypto AG is still alive and prospering more than 10 years after these presumed events, because intelligent intelligence agencies know about how to judge between reality and conspiration theories.

fajensen September 9, 2016 3:18 AM

@Individual pal
I believe that Crypto AG is still alive and prospering more than 10 years after these presumed events, because intelligent intelligence agencies know about how to judge between reality and conspiration theories.

Indeed, Faith makes everything possible – Even the assumption of intelligent intelligence agencies after them first missing the collapse of the USSR and then “Curveball”, a nutter who gave us all the “intelligence” needed for the Iraq war.

Now,

Having worked a bit with MIL-spec designs, the stark reality is, I Believe, that Crypto AG is happily selling even 1980’s equipment profitably simply because there is no budget available to complete the mandatory change management process and required vendor qualification before using a different product. It can easily take a year of paperwork and 25 signatures from people it is very hard to get hold off “just” to change some resistors. This after documented in-the-field failures.

New designs are rare, that’s why they cost obscene amounts of money to procure: The supplier has to live off that project for decades, to get these contracts they are committing to keep test and manufacturing alive.

One may not actively spec Crypto AG chips for a new design, but, most military hardware just sits in a logistics centre for 15-20 or even 30 years with regular maintenance. So, even known broken tech has to stay around for the duration.

I say “actively” because if a 1980’s Crypto AG chip is the only NATO qualified chip for that kind of design, then it goes in anyway, flaws and all. Someone has to kick off the qualification process for another part, this is almost never the job of the design team.

There exists, in use to this day, AA-RADAR that use Thyratrons a 1950’s technology those lasts about 200 hours. EEV (GEC-Marconi) still have a small production line for them, they are hand-made.

There are warehouses full of obsolete 1980’s components just sitting there until some defence gadget is finally scrapped and it doesn’t have to be built or serviced any more.

Graham Toal February 12, 2020 8:03 AM

Heh – you get to say “I told you so” now 🙂 Fun looking at some of the old naysayers comments above. Hard to believe any country would have used closed-source crypto from a foreign vendor even 10 or 20 years ago.

Clive Robinson February 12, 2020 8:40 AM

@ Graham Toal,

Hard to believe any country would have used closed-source crypto from a foreign vendor even 10 or 20 years ago.

Two reasons,

1, Legacy issues (as I mentioned above)

2, Lack of choice (as I mentioned elsewhere part of the deal was the US would kill of the competition).

But there are other reasons.

As I’ve mentioned making secure equipment is one heck of a lot more than chucking a few crypto algorithms into a box. The issue of,

1, Side Channels.
2, Passive TEMPEST/EmSec.
3, Active Em/Sec.
4, System Segregation
5, System and subsystem encapsulation.
6, Gap crossing choke point control.
7, Transparancy reduction.

And other more detailed issues all come into play and can blow your system security out of the water when your enemy is technically more advanced.

Ore put it another way, if the country you are talking about does not have atleast one highly technical University for each 10 million in population, you won’t have the spare capacity in your population to train up in such subjects to the level required. Thus your choice is have your very own “Manhatan Style” project or buy in from abroad.

Tom O'Brien February 15, 2020 8:41 PM

Open source? Kerckhoff’s/Shannon’s principle? It would seem to me that the cryptoprofessionals who bought Crypto AG’s machines could have insisted on seeing the “source code” and then verifying its security themselves. “The enemy knows the system”. I am an amateur, so I’m very likely oversimplifying.

Clive Robinson February 16, 2020 8:59 AM

@ Tom O’Brien,

… who bought Crypto AG’s machines could have insisted on seeing the “source code” and then verifying its security themselves.

First off remember it started with mechanical ciphers so “no source code” to look at only engineering drawings and maybe some undergraduate level maths.

But even if you did have “source code” for the later electronic machines we actuall know from history that does not work in the case of “hidden knowledge”…

Thus a little history, the NSA have a list of things they have definitely been caughut out on, and a way bigger list of things we think they have probably done but can not say for certain. Which begs the question,

    How big is the list of things the NSA et al have gotten away with, without raising suspicion or getting caught?

Crypto is at it’s very heart a form of asymmetric combat between those who design systems and those who break systems.

As in all things in life to be good at designing new things you have to not just know about previous systems and all their short comings, but more importantly how to analyse for them. When people get taught the related engineering supject of electronics they get taught about this under the title “Testing Techniques”.

If you are unaware of certain ways to test systems, then you will have issues trying to find methods that exploit the mechanisums such tests enumerate.

Sometimes you have a hint because certain things are “odd” or give “a hinky feeling”. That is when you tot the numbers up something appears missing.

Such was the case with DES people were suspicious of various parts of it for various reasons. Part of which was it was known what the security requirment was, and under the then open knowledge DES appeared much stronger than it should have been. Which based on what was known about the NSA then did not appear to be something they would do, so the odor of a large rodent was felt by many to be present. But from where was it emanating?

Initial suspicion fell on the part that the least was known about, which was the Sbox values. It was suspected that the NSA might have some “trap door” in what should have been a “one way function”. But looking for this with inadequate tools did not pan out.

At the same time, the DES hunt was on, another –perhaps the most unlucky– modern cipher design came under scrutiny. It was called “FEAL” for the “Fast Encryption ALgorithm” and it almost became the equivalent of a “bear baiting” festival. You can look the history up but from the carnage almost Phoenix like arose two new powerfull cryptanalytic tools. When these were applied to DES the sums totted up correctly.

That is not to say there is not a backdoor or trapdoor in the DES Sbox there may well be, but people stopped looking because of the two new crypanalytic techniques, and moved onto other things.

We have more than good reason to believe that the NSA stiched up NIST and the AES contest. The NSA and it’s Five-Eye partners had –untill congress got silly– probably the best “real world” practical experience of issues involved with implementing Crypto Algorithms into Practical systems. Thus they would very definately have known to quite an indepth level about “time based side channels” in software implementations, and how they arise in the design process. But at no point in the competition or it’s rules were side channels to be considered. In fact with hind sight the rules were such that they quite deliberatly encouraged side channels to be formed and thus arise in practical implementations. The result was that implementations of AES –that are still out there in use– that haemorrhage key information via time based side channels caused by CPU caches. Whilst one or two people complained not just during but after the competition they were largely ignored, even when absolutly devistating remote POC code was produced. Well eventually people woke up and smelled the daisys but by then it was much to late for many embedded systems that had design lives of 25+years.

Then the NSA did it to NIST yet again but so ineptly this time even people on the standards committee were raising alarm bells. But the NSA still managed to get the Dual Elliptic Curve Digital Random Bit Generator (Dual EC-DRBG) into the SP 800-90A standard. Eventually the weight of evidence was such that NIST was forced into an embarasing defensive position then climbdown and withdrawal of the standard.

But even before the NSA was formed as I’ve pointed out several times in the past the Boris Haglin mechanical cipher machine used by the US military as a field cipher during WWII had been “backdoored” and I had worked out why. Others may well have done so as well, re reading Dorothy Dennings writings suggest she certainly had suspicions but refrained from talking about them (which is maybe why the NSA selected her as one of the people to review the “Clipper Chip” of “Crypto Wars 1” cipher algorithm “skipjack”).

So as you can see your ability to determin if a cipher system is any good or not realy depends on the ratio of knowledge between those who are selling the system and those who are buying the system. Whilst I could say “Caveat Emptor” that would be unfair, because as has been seen you can design a crypto system that is both strong and weak, you knowing how to use it in only the strong way can give me the system knowing that I will probably use it more in the weak way than the strong…

Thus looking at the source code will not help you find such backdoors, only fairly esoteric and usually secret or hidden knowledge will.

As an algorithm AES has some good points, as a practical implementation the algorithm positively encorages time based side channels. I’ve repeatedly advised not to use AES in an “on-line” method of operation only an “off-line” method of opperation. Unfortunatly the same constructs that make AES undesirable for on-line use also apper in other crypto algorithms that NIST has given a rubber stamp to… Something that nodoubt will become a cause for concern in the years to come.

[1] https://en.m.wikipedia.org/wiki/Dual_EC_DRBG

[2] http://gos.sbc.edu/d/denning.html

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.