From: Michael Wilson <0005514706@mcimail.com>
Date: Mon, 27 Jun 94 02:01:16 PDT
To: Cypherpunks <cypherpunks@toad.com>
Subject: RE: Is the NSA competent?
Message-ID: <22940627083522/0005514706NA1EM@mcimail.com>
MIME-Version: 1.0
Content-Type: text/plain


An anonymous author writes:

> For all their vaunted competence, for all the mathematicians
> they have been alleged to employ, despite having a cryptography
> budget orders of magnitude larger than any other Western
> crypto group, it looks like the NSA contribued to _none_ of 
> the major advances in cryptography that occured during its zenith.

I think that this message betrays a serious misconception that a number of 
people likely share, and that has to do with the levels of security offered by 
commercial versus military methods.

NSA has never portrayed themselves as having any role in the creation of 
commercial systems until recently (the last few years) when in-fighting 
developed between their organization and NBS now NIST (NSA wanted DES to remain 
the standard, NBS wanted to change).  NSA-CSC will evaluate commercial security 
products to give them an Orange Book rating (a rating which was meaningless when
it was created, thanks to viral/worm technology), but keep to themselves as an 
arm of the military.  The cryptosystems that the anonymous author notes are all 
commercial level systems; NSA concentrates on cryptosystems that have greater 
requirements than the free market.  It is widely rumoured that they had public 
key systems for secure key management before Diffie-Hellman.  Their role in 
engineering the S-boxes for FDES is documented.

The assistance they gave to commercial organizations to provide system 
integration style 'one shot' systems for military use created a number of 
companies, such as the Honeywell Secure Computing Technology Center, as well as 
a number of DARPA funded groups such as Cray and Thinking Machines.

As the saying in the intelligence community goes, their successes are never 
known, but they will always be judged by their failures.  Don't assume that you 
have probed the depths of the NSA's abilities by their unwillingness to play on 
the commercial playing field; underestimating an opponent will lead you into 
gross miscalculations.

Michael Wilson
Managing Director, The Nemesis Group

[Today's Fun Math Problem:  Given an exhaustive search method, how long would it
take to discover the key of a standard DES financial transaction using four 
Connection Machines?  There are more than that in the basement at Fort Meade, or
at least they purchased that many during the time period they used the Maryland 
Procurement Office to buy them.]