The NSA Conference


This week I was in San Francisco to attend the RSA Conference, where I gave and attended a couple of talks, met some old and new friends, walked around the exhibition hall, and enjoyed this amazing city. Here are some highlights:


It all starts with Markku’s 2 accepted papers at CT-RSA, the cryptography track at the RSA Conference. CT-RSA stands out by being the only academic track of the event. It thus consists of more technical talks and it tends to gather experts in the field, as opposed to the typical RSA lecture. Unfortunately Markku couldn’t make it to SF, so I replaced him and gave the two talks on Wednesday morning. Here are the slides and TL;DR of the results (the titles link to the slides prepared by Markku):

  • CBEAM: Efficient authenticated encryption from feebly one-way phi functions: CBEAM is a new AEAD (Authenticated Encryption algorithm with Associated Data) based on the sponge construction and relying on an optimized boolean function whose large algebraic degree in the backward direction allegedly makes it more secure. In my talk I forgot to mention that CBEAM will be a CAESAR candidate. (Shameless plug: another candidate will be NORX.)
  • Beyond modes: Building a secure record protocol from a cryptographic sponge permutation: While the security industry has trends such as APTs and big data, academic cryptography has lightweight cryptography. Zillions of designs of “lightweight ciphers” have been published (with zillions of analysis papers published subsequently), yet no one seemed to care about lightweight protocols. So that’s what BLINKER is about: a half-duplex secure communication protocol that, unlike SSH or TLS, authenticates the whole message flow (content and order).


At some point Markku and Whit Diffie had the same employer: the now bankrupt Revere Security, then based in Texas. Diffie contributed to the design of Revere’s flagship technology, the cipher Hummingbird. Then Markku broke it. Then he helped Revere design Hummingbird-2. Then he attempted to break it again in the “related-key” model.

Diffie is now employed by a company called Safelogic, and he appeared at RSA in a 20min session with Safelogic’s CEO. In this short discussion, he mentioned that he (on behalf of Revere Security) had presented Hummingbird to NSA and noted that NSA later published the ciphers Simon and Speck (also known as cryptanalysis-DoS techniques). He then briefly discussed the relative technical merits of Hummingbird, Simon and Speck, which all have unique properties compared to academic designs, and are engineered toward efficiency. I don’t know who uses Hummingbird(-2) today.


Cloud security was one of the hot topics at RSA this year, and I discussed with some people doing serious work in that area:

First I met with my friend Zooko, known for his amazing work on the secure cloud storage system Tahoe-LAFS, now commercialized through the company Least Authority. Zooko and his team recently performed a security audit of Crypton, a cloud-based “zero knowledge application framework” (don’t ask me what this means) developed by SpiderOak. They found some bugs, including those deliberately left by SpiderOak, and published their report. I recommend the read to auditors and developers of that kind of application, and I believe that such transparency greatly increases the trust in a service like Crypton.

I also met Davi Ottenheimer, co-author of Securing the Virtual Environment. I was not familiar with Davi’s work, and when he gave me a copy of his book I thought the subject would be a bit boring. Yet back at my hotel I started reading a couple of pages from various chapters, and suddenly found it more interesting: the book is really accessible, seems to provide a comprehensive and up-to-date coverage of the topic, and is extremely well written (compared to the average security book). I hope that Davi’s upcoming Securing Big Data will be of the same caliber.


The cryptographic hash function BLAKE2 was created last year, by Samuel Neves, Chris Winnerlein, Zooko, and myself. Due to its efficiency and high security, and maybe because NIST has yet to publish the SHA-3 FIPS standard, BLAKE2 was quickly adopted in several projects, including WinRAR and CyaSSL.

Although we’re pretty confident that BLAKE2 is as secure as we claim, it’s always good to see that skilled people have spent time trying to break it and failed to do so. Along those lines, the cryptanalysis results of Pierre Karpman (and others from NTU in Singapore) were presented at CT-RSA. Their research tends to confirm our expectations that relaxing the cryptographic complexity of some internal components for speed’s sake, as we did by tweaking the original BLAKE, does not affect the security of the hash function.

Vendor booths

I haven’t spent a lot of time in the exhibition halls, mostly because as a technical guy, I felt a bit confused by the marketing and sales pitches. Nevertheless, I noticed the trends of cloud-based security (such as for mobile platforms), log analysis and reporting (things like Splunk). Also, “advanced” seems to be a popular adjective, be it on the attack or on the defense side. I was surprised not to see more products related to visualization; many solutions still show boring Excel-like tables or pie charts. Maybe we’ll have to wait until next year to see “secure cloud visualization”. Unsurprisingly, nobody really seemed to care about NSA surveillance (more on that later).

And there were things like this:


One of the few booths where I stopped was that of NSA, where I chatted about the Enigma machine they brought. (No, I didn’t ask about Suite A.)

PRNG debate

The PRNG debate in the crypto track was about the infamous Dual_EC_DRBG, with a panel composed of Dan Boneh, Paul Kocher, Bart Preneel, Adi Shamir, Dan Shumow.

They all mostly agreed that “something fishy is going on”, as Kocher put it, yet Shumow noticed that the Snowden leaks contained no explicit reference to Dual_EC. Boneh pointed out the unknown origin of the constants in NIST’s P256 curve and discussed various ways to backdoor a crypto scheme; Shamir discussed theoretical models of RNGs and referred to the work of Dodis et al., and believes that “NSA had very little option in how to insert a backdoor, and this is all they could do”; Kocher clarified that “[his] company has never used this Dual_EC and never will”.

Summary: Dual_EC is no good, although we don’t know for sure that the trapdoor has been exploited (using the word trapdoor rather than backdoor, as the property was previously documented).


The new director of FBI, James Comey, gave a keynote lecture. Comey is former general counsel of Bridgewater Associates, of Lockheed Martin, and earlier was Deputy Attorney General in Bush’s 2003-05 administration.

After a few commonplace statements (focus on “high-level intrusions”, prevent rather than react, etc.), he briefly referred to FBI’s methods and challenges: the “old-fashion techniques” (confidential informants, wires), collaboration with agencies of the intelligence community, special agents in “cyber hot spots” (citing Estonia, Romania, Ukraine, the Netherlands) to “spot emerging trends and identify key players”.

He then spent a large part of the talk’s 25 minutes on the need for a collaboration with the private sector, and on the means to enable it. He acknowledged the current obstacles caused by the federal procedures and gave some directions to develop more effective partnerships.

Then Comey announced the existence of the Binary Analysis Characterization and Storage System (BACSS), a tool used by FBI to share malware intelligence. He said that an unclassified version of BACSS will be rolled out and called “Malware Investigator”, so that private partners can send samples to the FBI and receive a report within hours.

On the unavoidable topic of privacy, he claimed to disagree with the notion of trade-off privacy/security, arguing that it suggests “a zero-sum game framework”. Yet he cited the need for electronic surveillance to identify threat agents against the usual suspects, and quoted his predecessor saying that cybersecurity will come to dominate his 10 years in FBI like counter-terrorism dominated the last 10 years. Well then…

Dan Geer

I was delighted to see that Dan Geer (apparently no longer with In-Q-Tel) was giving a talk. Reading his articles or speech transcripts is always enlightening, even (and especially) when one disagrees with his views. His talk contained some elements previously discussed in his October 2013 talk at UNCC, which I encourage you to read.

As usual, Geer gave a different perspective on the current problems, as well as predictions on how things will evolve. Regarding data collection, he noted the ubiquity of sensors (like LEDs) and argued that it is now much cheaper to keep everything than to do selected collection. Other points he made (lazily paraphrasing and quoting):

  • We can design systems more complex than we can operate (citing Obamacare as an example).
  • “Above some threshold it is no longer possible to test, only to react.”
  • Traffic analysis is more powerful than content analysis (with only content but not metadata “I am an archeologist, not a case officer”; “no one here is convinced that ‘it is only metadata’ means anything”).
  • “What is observable will be observed, what is observed is sold” (referring to data collection from private sector firms).
  • Commercial firms are catching up with the intelligence community on traffic analysis.
  • “The root cause of risk is dependence”; “The price of dependence is risk”.
  • “It is categorically true that technology today is more democratically available” (citing DIY biotech, 3D printing, constant contact, etc.), and that data collection may be the “last fundamental tradeoff before the singularity occurs”.
  • “We are all data collectors, keepers, analysts (…) not just a society of informants, we’re becoming an intelligence community”.
  • In today’s context, he defines privacy as the “effective capacity to misrepresent yourself”.
  • “Small may be beautiful, but big is inevitable”.
  • “If knowledge is power, then increasing the storage of knowledge increases power (…) all power tends to corrupt, and absolute power corrupts absolutely; that power has to go somewhere”.
  • “No government can compete with the advances of the private sector, and no government can afford to try”.
  • “Security is the absence of unmitigated surprise”.


Last but not least, Stephen Colbert came well-prepared to give the final keynote, summarized in this CNN article. He joked about the security industry, NSA, the cloud, Bitcoin (“a really fun game that completely got out of control”), cryptography (“I am the best cryptographer in the world”), etc. When asking the audience about who supported Snowden, a dozen hands raised up in a crowd of 1000+, and he himself criticized Snowden for leaking information on “how we spy on other countries”. Maybe the best part was the final Q&A, where he showed his improvisation skills and even made some serious comments.

Prior to Colbert’s keynote, Hugh Thompson started his lecture with pictures of “extortionist monkeys” from Bali; I liked the idea.
