Silent Circle moves away from NIST cryptographic standards, cites uncertainty

The company plans to replace AES and SHA-2 with Twofish and Skein in its encrypted communication services

The U.S. National Security Agency's reported efforts to weaken encryption standards have prompted an encrypted communications company to move away from cryptographic algorithms sanctioned by the U.S. National Institute of Standards and Technology (NIST).

Silent Circle, a provider of encrypted mobile Voice over Internet Protocol (VoIP) and text messaging apps and services, will stop using the Advanced Encryption Standard (AES) cipher and Secure Hash Algorithm 2 (SHA-2) hash functions as default cryptographic algorithms in its products.

"We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement," Silent Circle CTO Jon Callas said Monday in a blog post. "We are going to replace our use of the SHA-2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense."

The company also plans to stop using P-384, one of the elliptic curves recommended by the NIST for use in elliptic curve cryptography (ECC).

The NSA has long been a supporter of ECC, an approach to public-key cryptography based on the arithmetic of elliptic curves, arguing that it is more secure and offers better performance than traditional public-key cryptography schemes. P-384 is one of the elliptic curves used in Suite B, a set of cryptographic algorithms used for encryption, key exchange, digital signatures and hashing that was selected by the NSA for use when handling classified information.

Silent Circle plans to replace the P-384 elliptic curve with one or more curves that are being designed by cryptographers Daniel Bernstein and Tanja Lange, who have argued in the past that Suite B elliptic curves are weak.

"If the Suite B curves are intentionally bad, this would be a major breach of trust and credibility," Callas said. "Even in a passive case -- where the curves were thought to be good, but NSA cryptanalysts found weaknesses they have since exploited -- it would create a credibility gap of the highest order, and would be the smoking gun that confirms the Guardian articles."

The New York Times and the Guardian newspapers reported last month, based on documents leaked by former NSA contractor Edward Snowden, that the NSA has used its influence to weaken an encryption standard published by the NIST in 2006.

That standard is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a secure pseudo-random number generator (PRNG) that's based on the elliptic curve discrete logarithm problem. PRNGs play an important role in many aspects of cryptography, and a vulnerability in one of them could undermine the whole security of a cryptographic system that uses it.

Researchers have warned since 2007 that Dual_EC_DRBG has a serious weakness, but some companies have implemented it in their encryption products anyway because it was a NIST recommendation.

Following the recent reports about the NSA weakening this standard, the NIST reopened Special Publication 800-90A, which includes the Dual_EC_DRBG specification, for public comments. The organization also denied that it would deliberately weaken a cryptographic standard.

However, the harm to the NIST's reputation seems already to have been done.

RSA, the security division of EMC, has since advised customers that its BSAFE cryptographic libraries and its Data Protection Manager products have been using Dual_EC_DRBG by default and strongly recommended that they switch to a different PRNG using instructions in the product documentation.

Silent Circle's new decision to move away from AES, SHA-2 and the P-384 curve doesn't mean that these standards are insecure, Callas said in the blog post. "It doesn't mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA's perfidy, along with the rest of the free world. For us, the spell is broken. We're just moving on."

The company still plans to support the NIST-sanctioned algorithms in its services, but they won't be the default choice anymore.

Asked why Twofish and Skein in particular were chosen to be the new default choices for Silent Circle's products, Callas said via email that both algorithms come from trusted sources, including himself in the case of Skein.

Twofish was a finalist in the NIST's selection of the AES cipher, and the team that developed it included people that Silent Circle's co-founders personally know and trust, he said. "A number of the same people produced Skein -- which was a SHA-3 finalist -- and I am a member of the Skein team."

For Silent Circle this was a "decision of conscience," Callas said. "Our primary responsibility is to protect our customers, especially in the face of uncertainty."

However, Callas doesn't think other vendors necessarily should follow suit and move away from NIST cryptographic standards.

"I wouldn't fault anyone for deciding differently," he said. "We need more of the world coming together with security and respecting each other's decisions even if we make different decisions and do different things. If someone decides to stay the course, I respect that."

"That's also why we're going to allow customers to use the old algorithms," Callas said. "We respect their personal decisions, too."

Join the CSO newsletter!

Error: Please check your email address.

Tags Silent Circlersa securitysecurityencryption

More about Advanced Encryption StandardAES EnvironmentalEMC CorporationNational Security AgencyNSARSATechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts