Export Grade Cryptography
|
Author | Content |
---|---|
dotmatrix Mar 03, 2016 1:43 PM EDT |
This statement has nothing whatsoever to do with purposefully weakened cryptography. This is yet another nonsensical article filled with misleading information. The US government has several 'grades' so to speak of cryptographic solutions. These 'grades' are assigned via the level of testing done on the cryptographic solution. The 'grade' of cryptography has nothing at all to do with purposefully weakened algorithms or inserted backdoors or anything of that sort... The 'grade' does refer to the evaluation of an implementation of the cryptographic solution. However, the evaluation is only positive rating biased -- meaning the solution has been tested more rather than tested less. So, the 'grade' is a guarantee of a certain level of robustness. However, this does not mean that a lesser 'grade' is necessarily weaker... all it means is that the lower graded solution wasn't tested as thoroughly. As far as 'export grade' goes: This is a reference to compatibility of cryptographic solutions and has nothing to do with 'weakened' anything. For example: Type 1 encryption... https://en.wikipedia.org/wiki/NSA_product_types Is the 'highest grade' solution. This is because Type 1 encryption and devices have been tested and passed those tests. FIPS-140-2 encryption: https://en.wikipedia.org/wiki/FIPS_140-2 Is a 'lower grade' solution. This type of encryption and associated devices are labeled FIPS-140-2 because they have been tested and found to be acceptable in implementation to qualify for at least FIPS-140-2 certification. However, all of these use AES... https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography The difference is not the encryption 'kind' or 'method' or 'strength' or 'weakness'... the difference is the level of testing done and the level of strictness in algorithm implementation in structure and computer code. The difference has nothing to do with purposeful weakening of a code base.
However, this is not to claim that the government doesn't seek to weaken publicly available crypto code... it's simply to indicate that this posted article is making dubious claims about all sorts of things related to cryptographic solutions and overt government 'grading' of those solutions. |
dotmatrix Mar 03, 2016 2:57 PM EDT |
Rather than lengthen the above... Two more points: 1. It's not the government's fault if Internet server admins don't adhere to the government's recommendations in using TLS/SSL... http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf 2. If the government is truly interested in weakening encryption options for citizens how is it that I can post a very strong public key... like this one: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 I may seem to be on a rant here... and I suppose I am -- but I'm getting quite tired of hearing about the US government trying to 'break' encryption that is available to the public... it's simply not true in the overt. There may be covert operations going on -- but if there are, these operations are not targeted as government-run citizen snooping programs... In short the US government doesn't give a crap about your data... although, they do give a crap about your data if your data is heading to Hezbollah, and they should care too. |
nmset Mar 03, 2016 3:20 PM EDT |
I was pleased enough to read your comment that I want to thank you for having made it plain and clear. I don't think even third world countries' governments would be stupid enough to declare publicly they would weaken crypto and really do it. And if they need to, it would be silently and temporarily at well-defined targets. These click-bait articles are for sensational waiting room magazines at the barber's shop. |