Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
“Eventually, N.S.A. became the sole editor,” the memo says.
"The New York Times and ProPublica said they were asked not to publish their findings by intelligence officials who argued that their foreign targets might switch to newer forms of encryption or communications if the NSA tactics were revealed. 'Some specific facts' were removed, the New York Times said. The articles do not say which mainstream encryption systems have been effectively broken."
Would love to see an update to this with some context. So this became a government standard...but was it widely adopted in the industry (outside of government)? It had already been under suspicion of this fatal flaw before its release and Schneier says it was "also three orders of magnitude slower than its peers"...even if the security flaw didn't deter users, I would think a performance drop of three magnitudes would make it unpopular for use in anywhere but the government [insert joke about government inefficiency here].
This is clearly exaggerated. There's no way the NSA would ever do such a thing. Surely it would weaken US communications as well, and one of their mandates is to protect US communications - not to spy on Americans, which it's forbidden to do.
NIST and the NSA are obviously above reproach in this case.
Read the article again. Why is there no way the NSA would do such a thing? There is no silver bullet in the crypto world. If somewhere around 10% or 5% or even 1% of people use that encryption because it is 'standardized', you have a turnkey solution without wasting any time. It makes perfect sense that they would push it in there.
Is this encryption standard used in any real life applications? It sounds like people had a ton of problems with it even just right as it was released. They may have forced the standard, but it didn't look like it was adopted.
That's why my projects use RIPEMD rather than SHA. I prefer my encryption algorithms to not be developed by an organization that has a vested interest in them being broken.
I think he is trolling, with just enough information to sound correct. The Keccak authors have proposed a "duplex construction"[1][2], using the arbitrary length inputs/outputs and the lack of an output transformation in the sponge construction, that could be used for authenticated encryption. NIST has yet to include that use case in the SHA-3 standard. So, until there is enough solid understanding for its correct use and tested implementations with that use, it is just a hash function.
> So, until there is enough solid understanding for its correct use and tested implementations with that use, it is just a hash function.
I don't understand the logic here. Isn't the use of Keccak as a hash function currently largely untested too? I would think you'd avoid using it at all in a production system right now, but if you're willing to use the algorithm why not use all of its capabilities?
Keccak is a generic construction suitable for more than just hashing. Here, let me copy the first bullet point off their site.
> As a sponge function, Keccak has arbitrary output length. This allows to simplify modes of use where dedicated constructions would be needed for fixed-output-length hash functions. It can be natively used for, e.g., hashing, full domain hashing, randomized hashing, stream encryption, MAC computation. In addition, the arbitrary output length makes it suitable for tree hashing.
Note that Keccak has a significant amount of hidden state, and they proved that the sponge construction itself is secure as a function of how many bits are hidden.
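An added illustration of the arbitrary-output-length and MAC points from the quoted bullet (my own example, not code from the Keccak team or from this thread). It uses Python's hashlib SHAKE256, the extendable-output form of Keccak standardized in FIPS 202; the prefix-key MAC is the simple construction the sponge permits, while KMAC (SP 800-185) is the standardized form of that idea.

```python
import hashlib
import hmac


def shake_output(data: bytes, length: int) -> bytes:
    """Squeeze `length` bytes from the Keccak sponge (SHAKE256).

    A fixed-length hash like SHA-256 would need a separate expansion
    construction (e.g. a KDF) to produce this; the sponge does it natively.
    """
    return hashlib.shake_256(data).digest(length)


def outputs_are_prefix_consistent(data: bytes) -> bool:
    """Squeezing more bytes extends the output: the 16-byte output is a
    prefix of the 64-byte output for the same input. This is convenient,
    but it also means two outputs of different length from the same input
    are related, so callers that need independence must domain-separate
    the input rather than rely on the length alone."""
    short = shake_output(data, 16)
    long_ = shake_output(data, 64)
    return long_.startswith(short)


def prefix_key_mac(key: bytes, message: bytes, tag_len: int = 32) -> bytes:
    """MAC = squeeze(absorb(key || message)).

    The sponge keeps part of its state hidden and never exposes the full
    state as output, so there is no length-extension property; that is why
    a plain key prefix is sound here, whereas SHA-2 needs the HMAC wrapper.
    """
    return shake_output(key + message, tag_len)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification does not leak tag bytes."""
    expected = prefix_key_mac(key, message, len(tag))
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    k, m = b"example-key-bytes", b"payment:42:approved"
    print(outputs_are_prefix_consistent(m))                   # True
    t = prefix_key_mac(k, m)
    print(verify_mac(k, m, t), verify_mac(k, m + b"!", t))    # True False
```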