[146634] in cryptography@c2.net mail archive
[Cryptography] Can you backdoor a symmetric cipher (was Re: Opening
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 6 00:33:29 2013
Date: Fri, 6 Sep 2013 00:33:00 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <4BC87FAE-A3B0-47C3-8000-2B6FF7DB774A@lrw.com>
Cc: cryptography@metzdowd.com, Jon Callas <jon@callas.org>
On Thu, 5 Sep 2013 23:24:54 -0400 Jerry Leichter <leichter@lrw.com>
wrote:
> They want to buy COTS because it's much cheaper, and COTS is based on
> standards. So they have two contradictory constraints: They want
> the stuff they buy secure, but they want to be able to break in to
> exactly the same stuff when anyone else buys it. The time-honored
> way to do that is to embed some secret in the design of the
> system. NSA, knowing the secret, can break in; no one else can.
> There have been claims in this direction since NSA changed the
> S-boxes in DES. For DES, we now know that was to protect against
> differential cryptanalysis. No one's ever shown a really
> convincing case of such an embedded secret hack being done ... but
> now if you claim it can't happen,
It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this old
paper by Blaze, Feigenbaum and Leighton:
http://www.crypto.com/papers/mkcs.pdf
Perry
--
Perry E. Metzger perry@piermont.com