[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NSA/NIST Security Lab



At 10:51 AM 9/2/97 -0700, Tim May wrote:
>Now, Ray, you're being too harsh. When NSA/NIST sought the analysis of
>Clipper/Tessera several years ago, the distinguished panel met for a
>weekend in a D.C. area hotel and concluded...drum roll...that
>Clipper/Tessera was secure.

No, they put out an interim report asserting that Skipjack was secure,
promising to do a final report covering the Clipper chip, the escrow system,
the key-loading charade in the vault, and all the other things that make
Clipper,
and hyped the <expletive deleted> out of how secure Skipjack was, 
implying that you should trust Clipper and the friendly NSA that gave it to
you.
Of course, N years later, they haven't come out with that final report,
and in context issuing the Skipjack interim part was a blatantly dishonest
ploy,
as well as being too short an analysis to be anything resembling thorough,
even if Skipjack is fairly strong (which it probably is, for 80 bit Feistel.)

>Of course, Matt Blaze broke the Tessera version a few months later....

Not an extremely practical break, but good enough to show the
fundamental shoddiness of the Clipper system and embarass them at a time
that a good heavy-duty embarassment was politically damaging.

>Some believe they have a role in helping industry to secure its
>communications.  I don't agree.  The NSA has no business getting involved 
>in business.  Period.

I think they've got a role in making sure that defense contractors
making products for the US military, whether the contractors are handling 
militarily sensitive information or especially building tools that the
military will use to handle sensitive information, are adequately secure.
You could argue that that's a job for some other centralized expert agency
that's under better civilian control or Pentagon control rather than
being out of control (as the CIA is), perhaps National Science Foundation,
but it's also arguable that the only people who can do an adequate job
of protecting secrets are people with lots of practice cracking them,
and that's something pretty much like an NSA.

There's also a potential role, though it's a much tougher sell,
for NSA or similar experts helping the State Department,
and perhaps civilian Federal agencies that handle private 
information about citizens, do a good job at protecting it,
though the military models of security are often not a good match
for civilian data protection.  My past experience with the NSA
"helping" the State Department was a 3-year debacle in the late 80s,
where they provided a bunch of unrealistic wish-list advice to a bunch of,
ummm, technically challenged Wang administrators about how to build
a secure world-wide network, which gradually fell apart in turf battles
because the main Embassy customers for highly secure communications
don't really work for State and they wanted their secure network 
provided by Real Spooks, and they may not have had the budget or political
clout to get a network built but they could sure spoil a procurement :-)

But other than supporting Federal customers, they ought to leave business 
alone, at least until they get privatized....

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)