Export Grade Cryptography

Story: Latest attack against TLS shows the pitfalls of intentionally weakening encryption
Total Replies: 2
Author Content
dotmatrix

Mar 03, 2016
1:43 PM EDT
This statement has nothing whatsoever to do with purposefully weakened cryptography. This is yet another nonsensical article filled with misleading information.

The US government has several 'grades' so to speak of cryptographic solutions. These 'grades' are assigned via the level of testing done on the cryptographic solution. The 'grade' of cryptography has nothing at all to do with purposefully weakened algorithms or inserted backdoors or anything of that sort...

The 'grade' does refer to the evaluation of an implementation of the cryptographic solution. However, the evaluation is only positive rating biased -- meaning the solution has been tested more rather than tested less. So, the 'grade' is a guarantee of a certain level of robustness. However, this does not mean that a lesser 'grade' is necessarily weaker... all it means is that the lower graded solution wasn't tested as thoroughly.

As far as 'export grade' goes: This is a reference to compatibility of cryptographic solutions and has nothing to do with 'weakened' anything.

For example:

Type 1 encryption...

https://en.wikipedia.org/wiki/NSA_product_types

Is the 'highest grade' solution. This is because Type 1 encryption and devices have been tested and passed those tests.

FIPS-140-2 encryption:

https://en.wikipedia.org/wiki/FIPS_140-2

Is a 'lower grade' solution. This type of encryption and associated devices are labeled FIPS-140-2 because they have been tested and found to be acceptable in implementation to qualify for at least FIPS-140-2 certification.

However, all of these use AES...

https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

The difference is not the encryption 'kind' or 'method' or 'strength' or 'weakness'... the difference is the level of testing done and the level of strictness in algorithm implementation in structure and computer code. The difference has nothing to do with purposefully weakening of a code base.

However, this is not to claim that the government doesn't seek to weaken publicly available crypto code... it's simply to indicate that this posted article is making dubious claims about all sorts of things related to cryptographic solutions and overt government 'grading' of those solutions.

dotmatrix

Mar 03, 2016
2:57 PM EDT
Rather than lengthen the above...

Two more points:

1. It's not the government's fault if Internet server admins don't adhere to the government's recommendations in using TLS/SSL...

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

2. If the government is truly interested in weakening encryption options for citizens how is it that I can post a very strong public key...

like this one:

Which could be used by anyone in the world who finds it to encrypt -- in an unbreakable way -- information... and then post that encrypted information anywhere... without fear of anyone decrypting it except the owner of the private key.

I may seem to be on a rant here... and I suppose I am -- but I'm getting quite tired of hearing about the US government trying to 'break' encryption that is available to the public... it's simply not true in the overt. There may be covert operations going on -- but if there are, these operations are not targeted as government run citizen snooping programs...

In short the US government doesn't give a crap about your data... although, they do give a crap about your data if your data is heading to Hezbollah, and they should care too.

nmset

Mar 03, 2016
3:20 PM EDT
I was pleased enough to read your comment that I want to thank you for having made it plain and clear.

I don't think even third world countries' governments would be stupid enough to declare publicly they would weaken crypto and really do it. And if they need to, it would be silently and temporarily at well defined targets.

These click-bait articles are for sensational waiting room magazines at the barber's shop.
