[Owasp-leaders] NIST, the NSA and fun with crypto reviews

Jim Manico jim.manico at owasp.org
Sun Sep 15 14:04:40 UTC 2013

Good points, Tobias.

If you decide to use AES, I recommend open source crypto libraries such as
http://www.keyczar.org/ which simplify the implementation complexities.
(Java, Python and C++ support). They use CBC mode, but otherwise seem to
get IV management, crypto authentication and padding correct. It's also a
very active and well reviewed project. It's not reasonable to expect
developers to otherwise get this right.

For AES alternatives, consider the "European version of AES", Camellia. (In
addition to Serpent and Twofish).


Conspiracy theories aside, applied crypto is brutally difficult. Even the
best and brightest get it wrong.

Jim Manico
(808) 652-3805

On Sep 15, 2013, at 8:44 AM, Tobias <tobias.gondrom at owasp.org> wrote:

I haven't given up on NIST, just yet.

IMHO, AES and SHA-2 (and the upcoming SHA-3) are probably safe, the
trick is the implementation. (and I could imagine the NSA might have
subverted quite a number of implementations...)
But the algorithms themselves are public and the crypto community has
put quite some effort on scrutinizing, analyzing and breaking them.

As the NIST is under the US government control, its statements have of
course to be seen in a new light after the broad attempts of the NSA and
the US government to subvert crypto.
But, consider that NIST is using outside resources including the NSA
like other organisations, too.
So do many other open organisations like the IETF and we at OWASP, too
(just see that the NSA was looking at our ESAPI, and that we are per
definition open to all contributors....).
That means that these outside resources can try to manipulate and try to
subvert or exploit open organisations for their own goals. So the
general truth holds: be careful what you eat and diversity of
contributors and peer review are vital for good projects. When I see
standards written by only one person or only one organisation (e.g. the
NSA), it makes sense to question their motives and whether this is the
best technology to choose.

Having said that, at this moment I see that NIST has fallen prey to NSA
activities (and possibly collaborated in some cases), but IMHO that does
not necessarily mean to abandon everything they did in total when it
comes to some of the crypto standards which received a broad public
review from many crypto scientists around the world.

All the best, Tobias

On 15/09/13 00:28, Jim Manico wrote:

I am personally aborting NIST standards when I can.

>From AES -> Serpent and Twofish
http://en.wikipedia.org/wiki/Serpent_(cipher) and

>From SHA -> Whirlpool http://en.wikipedia.org/wiki/Whirlpool_(cryptography)

And as for the NSA subverting crypto standards, take a look at our own
experience at the ESAPI for Java project.

Back in June 2010 the NSA graciously agreed to review the crypto of the
ESAPI for Java project:

[Esapi-dev] NSA to perform ESAPI review


The made a few suggestions to make it "stronger" but otherwise validated
our implementation.

Now flash forward to this month.

[Esapi-dev] ESAPI Java and Authenticated encryption implementation


They did not add anything that was malicious, but Ooops! they missed
something important.

The has been fixed, however.

[Esapi-dev] Crypto and the "ESAPI for Java" release 2.1.0


We live in interesting times.



FYI: From NY Times <http://j.mp/1degxpA>:

Cryptographers have long suspected that the [NSA] planted vulnerabilities

in a standard adopted in 2006 by the National Institute of Standards and

Technology and later by the International Organization for Standardization,

which has 163 countries as members.

Note that I am explicitly not stating an opinion, just forwarding

potentially related information.

On Fri, Sep 13, 2013 at 3:02 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

NIST seeks early adopters of draft cybersecurity framework




OWASP-Leaders mailing list

OWASP-Leaders at lists.owasp.org


-------------- next part --------------

An HTML attachment was scrubbed...

URL: <


OWASP-Leaders mailing list

OWASP-Leaders at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130915/46dec080/attachment.html>

More information about the OWASP-Leaders mailing list