31

What is the opinion of scholars and cryptographers on NSA Suite A, which contains unpublished algorithms? Could it really be that much better than the published algorithms besides being obscure and not documented publicly?

Thomas Pornin
dongle26
  • 1
    The decision may be related to economic attrition. The NSA spent a bunch of money on *mathematical research* to develop Suite A cryptosystems, why give that *research* to your adversaries for free by publishing? Make the adversary *pay* for it through reverse-engineering, espionage, diplomacy, etc. – recursion.ninja Jun 17 '15 at 16:06
  • I wouldn't be surprised if it used RC6 (or a minor tweak of RC6) instead of Rijndael/AES. – CodesInChaos Oct 29 '16 at 08:56
  • @CodesInChaos There was a report somewhere, a few years ago (around the time of the initial Snowden revelations) about some NSA exploit code containing RC6 constants. That doesn't have to mean anything at all, and of course even if it does, then using RC6 (which was already public) might simply have been a way to not risk any of their own crypto in case of a compromise. – user Oct 29 '16 at 11:56
  • It is entirely possible that China or Russia have already obtained those algorithms through hacking cyber-attacks or espionage attacks. I mean we also lost a supposedly top secret drone over Iran, such should not come as a surprise. But that doesn't automatically mean that US military comms have been compromised, as security lies in the key size and complexity, rather than algorithms, as many users have noted. Until their cryptographers or cryptanalysis have found a way to break down every round, nothing has changed. But don't expect an equally culpable US govt to reveal this publicly. – Nederealm Oct 28 '16 at 19:07
  • @MichaelKjörling I was under the impression that they chose RC6 because the constants are less likely to set off IDS alarms for encryption signatures, while still being cryptographically secure. – forest Jan 28 '18 at 23:20

4 Answers

53

My opinion (and I am a cryptographer -- I have a shiny diploma which says so) is that:

  • We cannot speculate on unknown algorithms, because they are, well, unknown.
  • NSA is like all secret services in the World, they really love secrecy and will practice it for the sake of it. So the fact that their algorithms are not published is in no way indicative of some particular strength or weakness of the said algorithms.
  • It is entirely plausible that the unpublished algorithms are indeed distinct from publicly known algorithms such as AES or RSA.
  • It is also entirely plausible that "Suite A" and "Suite B" are, in fact, identical. At some point, to use some algorithms, you must have implementations, and these things do not grow on trees. Having your own algorithms is thus expensive.
  • If I were a US taxpayer, I would be slightly dismayed at the misuse of my tax money, if it turned out that NSA spent it on developing and maintaining custom algorithms instead of reusing perfectly fine ones like the AES.
  • There most probably are some people with power to decide a lot of things in the NSA, who believe that not publishing algorithms increases their security. Such people exist everywhere. It does not make them right, though.
  • There is no better security than "cannot break it", which is what we already have with (properly used) AES, RSA, DH, ECC... The NSA could know of faster algorithms which are as secure as the public ones; however, it would be hard to beat the performance of hardware-accelerated AES, unless they have their own CPU foundry.

The danger in security by obscurity is in believing that it works well. It may induce people to feel safe with homemade algorithms, because they would assume that the obscurity will hide the weaknesses of their algorithms. However, if you use good algorithms with published and well-studied protocols (i.e. AES, SSL...) then there is no harm done in not saying that you do.

Thomas Pornin
  • 1
    Finally it's entirely plausible that they just happen to be implementations of well known algorithms too, ultimately we don't know. – ewanm89 Sep 20 '12 at 13:16
  • 5
    Re 5th point: I don't mind if NSA develops algorithms. Even if other algo's work, I have no problem if a trivial slice of tax money goes to the NSA to do crypto algorithm research some of which results in new secret algos. You pay someone to research stuff in the number theory, cryptography, etc and they may just come up with a new algorithm even if that wasn't the original goal. Re: 6th, their boss may want to keep it secret not to increase security, but to make it so rivals don't have the algorithm/math to use themselves or are a few years behind (and not let flaws be publicly revealed). – dr jimbob Sep 21 '12 at 05:24
  • 2
    "It would be hard to beat the performance of hardware-accelerated AES, unless they have their own CPU foundry" - they do, of course. Or rather, they have military contractors who produce their hardware designs, for DOD secure communication sets and the like. – Mark Bessey Mar 31 '17 at 13:50
  • 2
    Suite A and B are not identical. The public information we _do_ have shows that some of the ciphers have properties that do not match any public cipher (whether due to a strange key size or a non-flat keyspace where control bits determine things like the number of rounds). It's possible that it is _based_ off of public primitives, but I don't think it's possible that they are identical. – forest May 25 '18 at 04:17
25

An interesting data point here is the DES S-box constants (Wikipedia: NSA, Wikipedia: DES).

NSA recommended changes in the S-box constants to make DES resistant to differential analysis, which was unknown in the academic and commercial cryptography world at the time.

In that case, they were able to make that improvement in a way that was opaque to the users of the algorithm. It's possible that publishing the algorithms for secret crypto systems would reveal some other technique used to counter another attack that's not well-known outside their community yet.

Mark Bessey
  • Great point! Very salient here. – adric Sep 20 '12 at 20:53
  • 5
    I was thinking about the same thing! The tl;dr version is that the NSA was about 20 years ahead of academia (and possibly still is) WRT cryptoanalysis. They secretly showed IBM in 1975 how to modify DES to resist differential cryptanalysis, which wasn't *officially* discovered until around 1990. – tylerl Sep 21 '12 at 06:15
  • @tylerl `and possibly still is` They haven't been for decades. Universities have not only caught up, but greatly exceeded the amount of mathematicians being used for things like cryptography. It has been a long time since the NSA could boast that they hired the most cryptographers in the world. Now granted, many universities work on classified stuff, but so much of it is public that the secret work is dwarfed in comparison. They were certainly ahead of us in '75, but now? – forest Jan 28 '18 at 23:24
15

I don't believe in security by obscurity in general, but in case of crypto it's actually worse, because it violates Kerckhoffs's Principle.

So is it better? Maybe. Is it different? Sure. Is it necessary to hide the algos? If your crypto was good to begin with, you would not need to hide the algorithms, just the keys.

On the other hand, you have the 'many eyeballs make all bugs shallow' idea. However, in case of crypto, there are not too many (well educated) eyeballs to actually point out bugs in crypto algos. So one possible explanation for the hiding would be that the NSA makes the bet that there is a higher chance of another (not friendly) nation state having more and/or better eyeballs, as opposed to the benefits of potential improvement coming from opening algos to the community. Or maybe it's not the probabilities of bug-finding, but the impact that finding a vulnerability would have on the information they use their Suite A to protect. Either way, we will not know, because they will Never Say Anything ;)

Marcin
  • 17
    I think you're misunderstanding, or maybe misapplying Kerckhoffs's Principle. "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." just means that you shouldn't be relying on the secrecy of the algorithm for security. Keeping the algorithm a secret may (or may not) increase security, but it can't be *required* for a particular level of security. NSA designs their algorithms under the assumption that opponents know how they work. They don't publish them so as to not make it any easier on the bad guys than they have to. – Mark Bessey Sep 20 '12 at 19:48
  • 6
    Also, the NSA probably has the capability to hire many cryptographers for review work, and also has the power to forbid them to publish the details. Most other people do not; thus, obscure algorithms are likely to be very weak. – ithisa Feb 20 '13 at 22:29
  • 4
    Also, if the NSA has developed a new and more secure system, they may not want to release details so no one else can use it. Releasing the details of a system doesn't just let others analyze it, it lets others _use_ it, which is generally a bad thing if you want to read their mail. – cpast Sep 23 '14 at 17:46
  • 2
    @MarkBessey That is correct (in that is the NSA's thinking) but it is also a fallacy. Is Suite A secure? Maybe. There is no provable security so the best defense against compromise is to put it out there and let millions of people TRY to break it. In the case of Suite A that won't happen until the obscurity is broken at which point either it is still secure or it will break horribly. If it is the former nothing is lost by making it public now, if it is the latter then it really is only secure through obscurity. – Gerald Davis Jul 03 '15 at 17:01
4

On the other hand, it could well be that such agencies have certain knowledge far ahead of the public. One example, if I don't err, would be the case of public key crypto, where the British agency kept their knowledge from the public for quite a time.

Mok-Kong Shen