Schneier on Security

Clive Robinson • May 6, 2016 4:41 AM

@ Hugh No,

It was an attempt to design a secure phone for government use that wouldn’t help bad guys who happened to get ahold of the devices.

Err no, that is at best a “spin” on what was going on. The secure phone that was,in GI at the time used DES and despite what the NSA tried to pretend DES was on it’s last legs. Because the NSA had reduced the key space in the original DES design, and had further limited export crypto to 40bits equivalent even on DES (see IBM patent for how that worked).

The political preasure was not just from Bruce or one or two others, it was also from the government security sector as well, the NSA was backed into a corner and had to do something.

The story behind Capstone and skipjack is still clasified and will no doubt remain so untill long after we are dead. However various people have put together their own carefull assumptions about what was done.

The NSA has a charter that encorages schizophrenic behaviour in that it is responsible for both securing US Gov communications and breaking any and all foreign communications it can. When drawn up it was probably not realised that there would fairly quickly be no real difference between Government communications and civil communications. This has got worse due to the driver of various US political entities claiming to “shrink Government”, and all that realy happens is government work just gets outsourced into the greedy maws of a favourd few. With this the need to communicate securely and what was once only government communications spreads further and further into the civilian sector, as the numbers on TS clearences and soaring government spending indicates.

The NSA had further been pushed towards the edge by the requirment of having to be consulted by NIST and the debacal that followed DES. Which several old NSA,hands have commented on in an almost public manner. Put simply you can see from the original DES entrants just what level civilian crypto was at, and life at the NSA must have appeard rosy. After the Data Encryption Standard was released by NIST civilian crypto took a very very large leap forward. An assumption made by NSA/NIST that quickly became clear was wrong was that DES was only going to be “hardware only”. You can see in the DES design the deliberate use of primatives that are easy and fast under hardware but awkward and slow under software, to try and keep it that way. However various people (including myself) felt that the price and hassle of DES chips was a good enough reason to develop software versions of DES on the likes of the AMD Z80. I had developed an earlier design around 1983 using AMD PAL’s and 2900 bitslices to get around the 40bit limits, but it was to expensive for the few customers that had a need. However with just a couple of changes it gave rise to a basic DES cracker, but was far to slow. This in turn gave rise to a paper design which showed that with a small by gov budget terms (~£8million), you could crack a DES key within three weeks max. All of which must have been well understood by the NSA that them lied through it’s teeth for the next decade or two. Untill 98 when the EFF following a similar idea spent a quater of a million dollars and actually built a DES cracker for real and took around three days to brut force a DES key (look up “EFF Deep Crack” for the details).

The Capstone project came from what was fairly obviously an “interanal only” project that arose from the DES fiasco, as to the viability of getting things back under control.

This unknown project gave rise to the SkipJack algorithm. You can look up what others have to say about it, but one thing is clear is it was designed to be extreamly fragil in it’s design in a multitude of ways. That is if you make even tiny apparently insignificant changes to the design it’s strength falls from around eighty bits to under fourty bits a trick which both the British and US crypto community had done with machine ciphers prior to the NSA (look up Sigba and what went on with Crypto AG in Zug Switzerland and have a careful read of “Spycatcher”).

Whilst SkipJack can be seen as the result of many man years of carefull design, other parts of Capstone appear on the face of it “ham fisted” specificaly the very weak LEAF which Mat Blaze found and publicised.

But was it ham fisted? That rather depends on your view point. If you consider the LEAF and the accompanying Key Escrow as a “backdoor” only then the answer is “yes”. However if you look at that backdoor and the Key Escrow as a vulnerability “for them” but “not for us” it starts to make a lot more sense as a design choice. It’s known that various parts of the US Gov run “covert / deniable” operations, the very public Olly North – Fawn Hall Iran-Contra affair is proof enough of that. The LEAF failing when viewed as a “backdoor in the backdoor” to alow deniable communications to LEO’s and other Gov agencies makes a lot of sense and is inline with the ethos of the Skipjack design.

Unfortunatly it was the LEAF failing that was the real death nell in Capstone, when that became public at the time it did it brought into question the NSA’s competence to be able to do what they were telling politicians. Their credability was gone and nobody wanted to have anything to do with Capstone, it had become “a career killer”.

Unfortunately it has had repercussions we are still feeling today as the FUD over “the four horsemen of the Internet” and the Middle East has swung the pendulum the other way back in their favour. Thus the IC is “making hay while the sun shines” because they know full well the pendulum will swing back again.

But what the public does not appear to get a grip on is that pendulum is part of a “ratchet”. That is when it swings against the IC the bad they have previously done, is not fully undone, thus they bide their time taking “three steps forward, for every two they are forced back”. Untill people get that, the net will continue to close around society, and we only have to look back to the 1920s/30s to see where that leads. As is often noted, “Those that fail to study history, are forced to relive it”. But we also have to remember technology is also a ratchet, and when used for bad, it makes the pendulum swing even further in that direction than it does for good, hence the famous observations of “The price of freedom is eternal vigilance” and “The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants”. The need for the latter is because the citizens do not practice the former, and alow not just the bad into power, but also the good to be cut down by the authoritarian followers of the bad.