[Ach] Network Operations Division Cryptographic Requirements

Aaron Zauner azet at azet.org
Wed Mar 8 13:31:25 CET 2017


> On 08 Mar 2017, at 12:25, Aaron Zauner <azet at azet.org> wrote:
> 
>> 
>> On 08 Mar 2017, at 01:33, Hanno Böck <hanno at hboeck.de> wrote:
>> 
>> On Tue, 7 Mar 2017 15:11:03 +0000
>> Aaron Zauner <azet at azet.org> wrote:
>> 
>>> For review:
>>> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>> 
>> The document contains a lot of outdated advice.
>> 
>> E.g.:
>> 
>> "(S//NF) Confidentiality must be provided by AES, Serpent, Twofish,
>> Blowfish, 3DES, or RC4 with a minimum key size of 128 bits. Block
>> ciphers must be operated in Galois/Counter Mode (GCM), Counter Mode
>> (CTR), or Cipher Block Chaining Mode (CBC). If RC4 is used, at least
>> the first 1024 bytes of the cryptostream must be discarded and may not
>> be used."
>> 
> 
> Yeah, it's not really up to date. I guess purging the first 1024 bytes in the bitstream of RC4 would make bias attacks far harder as the biases are at the beginning of the stream. In general this seems to be stupid advice, though. I haven't seen any Suite A ciphers mentioned - so I think they're still only used by NSA for satcom / classified networks et cetera, everything else seems to use Suite B-based crypto. The leaks also contain discussion about Equation Group and choices of ciphers for CNC/exfil - apparently NSA recommended a weird internal crypto lib that the intelligence community was using for quite a while and was easy to detect because of certain parameters and especially algorithm choices: https://wikileaks.org/ciav7p1/cms/page_14588809.html

```
2015-02-23 10:03 [User #1179925]:

The "custom" crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems.

In the past there were crypto issues where people used 0 IV's and other misconfigurations. As a result the NSA crypto guys blessed one library as the correct implementation and everyone was told to use that. Unfortunately this implementation used the pre-computed negative versions of constants instead of the positive constants in the reference implementation.

I think this is something we need to really watch and not standardize ourselves into the same problem
```

TBH: I don't want to know how bad Suite A is, it's not publicly audited - if they already fuck up implementation basics...

Aaron
