Should we abandon AES Encryption?
Which Encryption has been subverted?
One of the most upsetting things about the recent revelations about the NSA’s shenanigans is that it has apparently devoted US$250M to suborning international standards. Over the last few weeks, just about everyone in the standards and crypto business has been looking over the crypto with an eye towards seeing what the NSA might have subverted.
Dual Elliptic Curve… (NSA tried to run rings around you)
The DUAL_EC_DRBG discussion has been comic. The major debate has been whether this was evil or merely stupid… Matt Green has an excellent blog post on its multi-dimensional stupidity. Was the NSA so stupid that they thought we wouldn’t notice the flaws (we noticed them almost immediately)? Was the NSA so stupid that this is the best they can do? The issue of the Suite B curves is more interesting. Cryptographers Dan Bernstein and Tanja Lange have been arguing that the Suite B curves are weak since before we ever heard of Ed Snowden. I’ve been public and pointed; I’ve always thought that the DUAL_EC_DRBG random number generator is patently stupid. But I’ve always believed that the Suite B curves were designed to be secure. All crypto has a lifespan of utility. Even if there are issues with the Suite B curves, I think they were designed well at the time.
“Not the NSA” – SilentCircle abandons AES
- We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement.
- We are going to replace our use of the SHA-2 hash functions with the Skein hash function.
AES is for legacy use only.
- The old cipher suites will remain in our systems. We’re not going to get rid of them, but the new ones will be the default in our services.
Who else has abandoned AES?
Schneier wrote an article in 2000, just as AES was selected as the “winner”, warning that it was almost a broken cipher. If a broken cipher scores 1 and a safety factor of 2 is generally considered acceptable, AES-128 scored 1.11.
1.11 is almost a broken cipher
And that is well below the minimum safety factor of 2. In 2000, AES didn’t make sense… but today, we understand the NSA. They were promoting broken ciphers – so that their offensive capabilities were strong. You can’t mix offensive and defensive, as offensive will always win out. If the NSA could break these ciphers, so could state intelligence in other countries, like Russia and China. And that’s before we get to criminal activity. So yes, I agree with Sir Tim Berners-Lee – the breaching of encryption security by the NSA is pretty stupid. Schneier also tried to calculate the extra rounds needed to make AES safe – and he found it couldn’t be made safe without becoming too slow to use. AES should never have been a finalist… unless the motive of the NSA was to weaken global security. THEN AES makes perfect sense.
So, what to do?
- Well, Schneier developed Twofish… it has a good safety factor of 2.56.
- There’s also Serpent, with a safety factor of 3.56 – it’s slow in software but fast in hardware.
Twofish looks like the best non-NSA replacement cipher – and swapping might give society some sense of security.
Now we just have to convince enough open source applications to offer Twofish. It’s available in TrueCrypt, but not in OpenVPN… yet. But with public pressure to drop AES mounting, it would make good commercial sense to offer Twofish and Skein rather than NSA crypto bundles.
The next phase would be to automatically disqualify any AES candidate that fails to meet the generally agreed safety factor of 2.
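The safety-factor reasoning used above (the 1.11 figure, the factor-of-2 bar, the extra rounds AES would need), worked through as an added Python example that is not code from the post or from Schneier’s paper. It uses Schneier’s definition of the safety factor (full rounds divided by the rounds broken by the best known attack), the AES-128 and Serpent figures the post cites, and the assumption, labelled in the code, that per-block cost grows linearly with the round count.

```python
from math import ceil

# Safety factor as used in Schneier's 2000 comparison of the AES finalists:
# the cipher's full round count divided by the number of rounds the best
# known attack can break. 1.0 means fully broken; the post argues for 2.0.
MIN_SAFETY_FACTOR = 2.0

# Constructed table of (full rounds, rounds broken by the best attack known
# in 2000). These two rows reproduce the 1.11 and 3.56 quoted in the post.
CANDIDATES = {
    "AES-128 (Rijndael)": (10, 9),
    "Serpent": (32, 9),
}


def safety_factor(total_rounds, broken_rounds):
    """Schneier's safety factor; rejects nonsense round counts."""
    if total_rounds <= 0 or broken_rounds <= 0:
        raise ValueError("round counts must be positive")
    return total_rounds / broken_rounds


def rounds_needed(broken_rounds, factor=MIN_SAFETY_FACTOR):
    """Smallest full-round count that reaches the required safety factor."""
    return ceil(broken_rounds * factor)


def screen(candidates, factor=MIN_SAFETY_FACTOR):
    """Apply the 'disqualify anything below factor 2' rule the post proposes.

    Returns name -> (safety factor, passes?, rounds needed, relative cost),
    where relative cost assumes (an assumption of this example) that the
    time per block scales linearly with the number of rounds.
    """
    report = {}
    for name, (total, broken) in candidates.items():
        sf = safety_factor(total, broken)
        needed = rounds_needed(broken, factor)
        report[name] = (round(sf, 2), sf >= factor, needed, needed / total)
    return report


if __name__ == "__main__":
    for name, row in screen(CANDIDATES).items():
        print(name, row)
```

Running it shows AES-128 failing the bar and needing 18 rounds (1.8x the cost of its 10) to pass, while Serpent already clears it with room to spare.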
All war is based on deception. Alas, the first thing that happens when society is betrayed, is they turn on the betrayer. We already know the ending to this story. It’s game over.