[Owasp-leaders] NIST, the NSA and fun with crypto reviews

Jim Manico jim.manico at owasp.org
Sat Sep 14 23:28:01 UTC 2013

I am personally aborting NIST standards when I can.

From AES -> Serpent and Twofish http://en.wikipedia.org/wiki/Serpent_(cipher) and http://en.wikipedia.org/wiki/Twofish
From SHA -> Whirlpool http://en.wikipedia.org/wiki/Whirlpool_(cryptography)

And as for the NSA subverting crypto standards, take a look at our own experience at the ESAPI for Java project.

Back in June 2010 the NSA graciously agreed to review the crypto of the ESAPI for Java project:

> [Esapi-dev] NSA to perform ESAPI review
> http://lists.owasp.org/pipermail/esapi-dev/2010-June/000816.html

They made a few suggestions to make it "stronger" but otherwise validated our implementation.

Now flash forward to this month.

> [Esapi-dev] ESAPI Java and Authenticated encryption implementation
> http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

They did not add anything that was malicious, but Ooops! they missed something important.

This has been fixed, however.

> [Esapi-dev] Crypto and the "ESAPI for Java" release 2.1.0
> http://lists.owasp.org/pipermail/esapi-dev/2013-September/002291.html

We live in interesting times.


> FYI: From NY Times <http://j.mp/1degxpA>:
>> Cryptographers have long suspected that the [NSA] planted vulnerabilities
>> in a standard adopted in 2006 by the National Institute of Standards and
>> Technology and later by the International Organization for Standardization,
>> which has 163 countries as members.
> Note that I am explicitly not stating an opinion, just forwarding
> potentially related information.
> On Fri, Sep 13, 2013 at 3:02 PM, Bev Corwin <bev.corwin at owasp.org> wrote:
>> NIST seeks early adopters of draft cybersecurity framework
>>  http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-seeks-early-adopters-of-draft-cybersecurity-framework/menu-id-1075.html#!
>>  Bev
