
Exclusive: NSA encryption plan for ‘internet of things’ rejected by international body


An attempt by the U.S. National Security Agency (NSA) to set two types of encryption as global standards for use on the “internet of things” suffered a major setback on Tuesday, after online security experts from countries including U.S. allies voted against the plan.


A source at an International Organization for Standardization (ISO) meeting of expert delegations in Wuhan, China, told WikiTribune that the U.S. delegation, including NSA officials, refused to provide the standard level of technical information to proceed.

The vote is the latest setback for the NSA’s plan, which was pruned in September after ISO delegates expressed distrust and concerns that the U.S. agency could be promoting encryption technology it knew how to break, rather than the most secure.

(Read our follow-up analysis to this story: “‘Black cloud’ of the NSA ‘looms over’ international encryption.”)

The ISO sets agreed standards for a wide range of products, services, and measurements in almost every industry including technology, manufacturing, food, agriculture, and health. The body has been looking into adopting recommended encryption technology to improve security in devices that make up the “internet of things.” These include household items such as smart speakers, fridges, lighting and heating systems, and wearable technology.

The NSA has been pushing for these encryption tools to get a seal of approval from the ISO so that they will be approved by the National Institute of Standards and Technology (NIST) and become standard for all U.S. government departments and related companies, said the source.

Agreeing to adopt ‘Simon’ and ‘Speck’ as standard block cipher algorithms would have made these part of the recommended encryption technology for a huge range of products.


The NSA had originally been promoting a broader range of encryption technologies, but during a three-year dispute behind closed doors, delegates from other countries expressed concern over the NSA’s motives. Several cited information leaked by Edward Snowden, which showed the agency had previously planned to manipulate standards and promote technology it could penetrate, as a source of distrust, according to documents seen by Reuters.

Two delegates told WikiTribune that the opposition to adding these algorithms was led by Dr. Tomer Ashur from KU Leuven University, representing the Belgian delegation, and that it was supported by a large group of countries.

Israeli delegate Orr Dunkelman told Reuters he did not trust the U.S. designers following the September meetings.

“There are quite a lot of people in NSA who think their job is to subvert standards,” said Dunkelman. “My job is to secure standards.”

The NSA said Simon and Speck were developed to protect U.S. government equipment without requiring a lot of processing power, and firmly believes they are secure.

The NSA has a history (Atlas Obscura) of trying to create “backdoors” in software so it can access data. Documents leaked by Snowden also showed the NSA has made extensive efforts to break encryption tools, and insert vulnerabilities into encryption systems. The Dual EC, a standardized algorithm championed by the NSA, was withdrawn in 2014 due to wide public criticism.

According to WikiTribune’s source, experts in the delegations have clashed over recent weeks and the NSA has not provided the technical detail on the algorithms that is usual for these processes. The U.S. delegation’s refusal to provide a “convincing design rationale is a main concern for many countries,” the source said.


What are Simon and Speck?

Created by the NSA in 2013, Simon and Speck are families of lightweight block ciphers, meaning they’re cryptographic algorithms tailored for devices with limited resources, such as memory and power. Though both algorithms are versatile in hardware and software, Simon is optimal in hardware while Speck is optimal in software. Detailed information about the Simon and Speck families is compiled by NSA Cybersecurity in its official GitHub repository.

In 2014, Simon and Speck were proposed for inclusion (IACR paper) in the ISO standard that specifies the requirements for lightweight cryptography and suitable block ciphers. Published in 2012, this standard already covers two lightweight block ciphers, Present and Clefia. Furthermore, there are two “Proposed Draft Amendments” recorded without any content information. They might concern the proposed NSA block ciphers.

Another relevant standard specifies the security and privacy aspects of Service Level Agreements (SLA) for cloud services with the “cryptography component” as a central part. According to a notice from Prismacloud, this standard was the theme in Wuhan, April 16-20, where the Working Groups of the responsible ISO/IEC JTC 1/SC 27 held their 26th meeting. This meeting is not listed in the ISO meeting calendar.

According to the NSA, the aim of Simon and Speck is to secure applications in constrained, or specialized, environments, largely to prepare for the era of the internet of things. The basic idea is to design algorithms that are flexible and simple enough to be performed just about anywhere.
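To show how little machinery such a lightweight cipher needs, the C code below is an added example (not part of the original article and not the NSA's reference code) implementing Speck128/128 using only 64-bit add, rotate and XOR. The rotation amounts, round count and test vector are taken from the designers' published specification rather than from this page, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

#define SPECK_ROUNDS 32  /* Speck128/128 round count, per the designers' spec */

static uint64_t ror64(uint64_t v, unsigned r) { return (v >> r) | (v << (64 - r)); }
static uint64_t rol64(uint64_t v, unsigned r) { return (v << r) | (v >> (64 - r)); }

/* Expand the 128-bit key (l = high word, k = low word) into 32 round keys. */
void speck_expand_key(uint64_t l, uint64_t k, uint64_t rk[SPECK_ROUNDS]) {
    for (uint64_t i = 0; i < SPECK_ROUNDS; i++) {
        rk[i] = k;
        l = (ror64(l, 8) + k) ^ i;  /* same add-rotate-xor step as the data path */
        k = rol64(k, 3) ^ l;
    }
}

/* Encrypt one 128-bit block held as two 64-bit words (x = high, y = low). */
void speck_encrypt(const uint64_t rk[SPECK_ROUNDS], uint64_t *x, uint64_t *y) {
    for (int i = 0; i < SPECK_ROUNDS; i++) {
        *x = (ror64(*x, 8) + *y) ^ rk[i];
        *y = rol64(*y, 3) ^ *x;
    }
}

/* Decrypt by undoing each round in reverse order. */
void speck_decrypt(const uint64_t rk[SPECK_ROUNDS], uint64_t *x, uint64_t *y) {
    for (int i = SPECK_ROUNDS - 1; i >= 0; i--) {
        *y = ror64(*y ^ *x, 3);
        *x = rol64((*x ^ rk[i]) - *y, 8);
    }
}

/* Returns 1 if the designers' published Speck128/128 test vector round-trips. */
int speck_selftest(void) {
    uint64_t rk[SPECK_ROUNDS];
    uint64_t x = 0x6c61766975716520ULL, y = 0x7469206564616d20ULL;
    speck_expand_key(0x0f0e0d0c0b0a0908ULL, 0x0706050403020100ULL, rk);
    speck_encrypt(rk, &x, &y);
    if (x != 0xa65d985179783265ULL || y != 0x7860fedf5c570d18ULL) return 0;
    speck_decrypt(rk, &x, &y);
    return x == 0x6c61766975716520ULL && y == 0x7469206564616d20ULL;
}

int main(void) {
    printf("Speck128/128 self-test: %s\n", speck_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Passing a known-answer test shows only that the implementation matches the specification; it says nothing about the design-rationale questions the delegations raised.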

What is unusual about Simon and Speck is that the NSA had a four-year delay in publishing the ciphers with a security analysis and a description of the design decisions, which are considered mandatory best practices.

 



Started by

United Kingdom
Jack Barton is a staff journalist at WikiTribune where he writes about international law, human rights and finance, whilst covering daily news. He was previously a senior reporter at Law Business Research and has experience covering law and international development, with credits in the Sunday Times, the New Indian Express, and New Statesman online among others. He has an LLM in Human Rights and worked on a UN-funded research project, looking at peace processes.

History for stories "Exclusive: NSA encryption plan for ‘internet of things’ rejected by international body"


01 May 2018

11:19:39, 01 May 2018 . .‎ Jack Barton (Updated → Much clearer!)
11:16:24, 01 May 2018 . .‎ Ingrid Strauch (Updated → tried less technical jargon. Tnx, Jack! WP link added.)

30 April 2018

14:55:21, 30 Apr 2018 . .‎ Ed Upright (Updated → added analysis link)
11:26:09, 30 Apr 2018 . .‎ Jack Barton (Updated → lower case consistency. Too much technical jargon IMO)
11:18:49, 30 Apr 2018 . .‎ Ingrid Strauch (Updated → about SIMON/SPECK, ISO standards, sources)

25 April 2018

16:25:47, 25 Apr 2018 . .‎ Ed Upright (Updated → url)

24 April 2018

15:18:32, 24 Apr 2018 . .‎ Ed Upright (Updated → summary clarification)
14:36:25, 24 Apr 2018 . .‎ Daniel Wilson (Updated → change 'recommended' to 'recommending' in subtitle)
12:29:05, 24 Apr 2018 . .‎ Ed Upright (Updated → Changed breaking to exclusive)
12:16:44, 24 Apr 2018 . .‎ Ed Upright (Updated → missing space added)
10:50:11, 24 Apr 2018 . .‎ Ed Upright (Updated → adding detail on opposition)
08:26:23, 24 Apr 2018 . .‎ Ed Upright (Updated → additions)
08:01:18, 24 Apr 2018 . .‎ Orit Kopel (Updated → Adding the name of main objector)
06:13:08, 24 Apr 2018 . .‎ Ed Upright (Updated → publish)
06:11:09, 24 Apr 2018 . .‎ Ed Upright (Updated → save)

20 April 2018

17:25:52, 20 Apr 2018 . .‎ Jack Barton (Updated → Created)

Talk for Story "Exclusive: NSA encryption plan for ‘internet of things’ rejected by international body"

Talk about this Story

  1. Other

    This is the closest example of the “antivirus companies make their own viruses” statement

  2. Rewrite

    Snowden is the man to talk to. Who else knows the NSA and its capabilities and intent and who also loves his country, despite what the hawks are claiming.

    The founding fathers weren’t stupid. They knew government could not be trusted and look where we are today.

    Like Chelsea, he should be pardoned on the condition he run for Congress.

    Opinions aside, he is the one to talk to about this.

    1. Rewrite

      You’re right, we’ll try to reach out to Snowden. He’s spoken to us before so fingers crossed.

  3. Rewrite

    “There are quite a lot of people in NSA who think their job is to subvert standards,” said Dunkelman. “My job is to secure standards.”

    The ISO is it! Thank you Mr. Dunkelman.

  4. Rewrite

    It surprises me that ISO would meet in inland China considering the country’s distinct privacy and intellectual property dynamics.

    Is China considered to respect encryption more than the U.S.?

    1. Rewrite

      It’s headquartered in Geneva but these meetings (every six months) seem to tour around – the next one is in Norway apparently

  5. Rewrite
  6. Rewrite

    Nice article, Jack!

    I was wondering though, why not give the names of your sources? The article says: “Two delegates told WikiTribune” and “According to WikiTribune’s source”, but there are no names. What is the reason for this vagueness?

    Another comment, to give some weight on the opposition it might be interesting to add that Dr. Tomer Ashur works in the COSIC department of KU Leuven (https://www.esat.kuleuven.be/cosic/cosic-research/symmetric-key-cryptography-team/), which is an internationally recognized cryptography team (https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).

    1. Rewrite

      Thanks Marko. I know the “sources say” is frustrating and we avoid using it wherever we can. In this case, we were able to get information that has not been made public yet, and the sources gave us time to prepare – only on the grounds that we didn’t make public who they were, as it might have disrupted future ISO proceedings.
      Thanks for your links – I’ve gotten in touch with Dr Ashur for a follow-up piece – feel free to collaborate here https://www.wikitribune.com/story/2018/04/24/wikiproject/encryption-for-the-internet-of-things-and-a-setback-for-the-nsa/67367/

      1. Rewrite

        OK, all clear now. Thank you for the information!

  7. Rewrite

    Very interesting article Jack, thank you!

    I was wondering if there were any points of view from IoT producers? Do they have a problem with Simon and Speck encryption because it’s the NSA or are they worried that if the NSA has tools to break that encryption then they’re vulnerable as a corporation? Or are firms quite happy to acquiesce in the hopes that it’ll be beneficial in some way in the future?

    1. Rewrite

      Thanks Thibagaran. I’ll be working today to try to add some perspective on this from different PoVs.
