Suspicion towards the U.S. National Security Agency (NSA) is holding back cooperation in the vital area of encryption, experts told WikiTribune, after an NSA plan to increase global encryption standardization for the “internet of things” was rejected by a leading body.
On April 24, delegates to the International Organization for Standardization (ISO) met behind closed doors in Wuhan, China, and voted to end a program to adopt two forms of encryption championed by the NSA. The plan had already been scaled back in 2017 because of delegates’ suspicions towards the agency.
The NSA has a track record (Atlas Obscura) of trying to install vulnerabilities, or backdoors, into security tools, including forms of encryption. This dispute over the Simon and Speck algorithms – which would have been included in household objects such as smart speakers, fridges, lighting and heating systems – showed the agency still lacks the trust of many countries, including U.S. allies.
In cyber-security, the rules are different
“In the cyberspace, alliances are quite different than in the conventional strategic spaces,” said Dr. Nicolas Mazzucchi, from the Foundation for Strategic Research in Paris.
“In traditional military, having an alliance is, above all, sharing the strengths. In the cyberspace, on the contrary, alliances are made upon the sharing of vulnerabilities,” said Mazzucchi, explaining that allied agencies test each other’s vulnerabilities and share solutions. They even sometimes test the strengths of their allies’ security, on the basis of mutual trust, and the understanding that one ally’s weakness makes them all potentially vulnerable.
Leaks from whistleblower Edward Snowden, including the allegation that the NSA tapped the phones (Guardian) of 35 world leaders including German Chancellor Angela Merkel and then-French President Francois Hollande, undermined the good faith on which this relationship was built, said Mazzucchi.
“Their distrust over the NSA-run ISO program could be regarded as a will to explore other ways to achieve a satisfying level of cybersecurity, avoiding [the risk of] communications [being] systematically intercepted by the U.S. intelligence agencies,” said Mazzucchi.
The NSA still lives under a cloud of its own making
“If those designs were not coming from NSA, they would not have received the attention they did,” Stefan Kölbl, who advised the Danish delegation to the ISO, told WikiTribune.
This suspicion is not entirely down to Snowden, he added. “There has been a long history of conflicts between the widespread application of strong cryptography and NSA, but it definitely brought the issue to a broader audience and also revealed the full scope to us on the effort being carried out to subvert secure systems,” said Kölbl.
Dr. Tomer Ashur of KU Leuven University in Belgium was the most ardent opponent of the plan, according to several people WikiTribune contacted who were at the meeting.
“Of course the NSA’s history was looming over us like a black cloud, but I don’t think this was a prime factor [in closing the program],” Ashur told WikiTribune.
“Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”
Specific requests for more detailed information were met with obfuscation, said Ashur.
“I can’t speak for the other delegates but I believe it was these concerns together with the adversarial and aggressive behavior of the NSA that eventually led them to support the cancellation of the project,” he said.
The NSA has acknowledged a WikiTribune request for comment, but has not yet offered a response.
ISO encryption program will move forward, without the NSA
Standardizing encryption for the internet of things is perfectly achievable, said Kölbl, but the dispute with the NSA has convinced many developers that their mission might not be compatible with the aims of government intelligence agencies.
“In general it is healthy to be very careful with cryptographic algorithms coming out of any intelligence agency, as there is often some sort of conflict of interests,” said Kölbl. “One group inside such an organization might have a general interest in providing strong cryptographic algorithms, however other parts will also have the goal to insert vulnerabilities into commercial encryption systems.”
“I think in the end this whole controversy will be beneficial to the standardization process at ISO,” he said. “It showed that we need to have clearer rules stated which enforce transparency from the designers of a cryptographic algorithm before we consider them for standardization and there has been a lot of discussion going on, on how to improve this process.”
The proposal to adopt Simon and Speck was only an amendment to existing standards, said Ashur, meaning there are ISO-approved standards for this type of encryption. The U.S. National Institute of Standards and Technology, which also contributed to the U.S. delegation, has made further recommendations for types of algorithms that Ashur said he expects the academics at the ISO to be more open to.