
NSA Agent Co-Chairing Crypto Forum Research Group Puts Legitimacy of WebCrypto API in Doubt

In Archive, Encryption, Internet, NSA on October 20, 2014 at 10:16 AM


10/20/2014

Odinn/cpunks.org  (h/t Cryptome):

For those of you on this list who have been watching the progress of things relating to the W3C coordinated process for the WebCrypto API, you know that a lot of work and thought has gone into this and it is an impressive collaboration.

But with the IETF CFRG (Crypto Forum Research Group) still being co-chaired by an agent of the NSA (n1), anything that passes through that organization must be questioned at this time. (In the unlikely event that the CFRG page is censored after this message is sent, I’ve included the names and e-mail addresses of the current co-chairs as part of this message as they currently appear on the CFRG’s site, where their names and e-mail addresses have been sitting in full public view for a very long time (n2)).

As some of you already know, people within the Crypto Forum Research Group have tried (so far unsuccessfully) since last year (n1, n2, n3) to remove the NSA Co-chair.  It should not matter who the person is, but the issue is that having anyone who is in the employ of or affiliated with the NSA chair (or co-chair) a research group whose purpose it is to advise all IETF Working Groups, is highly problematic for reasons which now should be obvious to anyone reading this message.

Currently the WebCrypto API is approaching its last call ~ it’s in a process of being finalized.  For those who are not sure what the WebCrypto API is, it’s one of those things that is designed to basically help make ordinary webpages that you see work, and includes the definition of cryptographic primitives that make your internet go. That’s a terrible description actually, but if you want a better or more comprehensive description of WebCrypto API in plain English, consider reading poulpita’s blog (n4).  It’s also described at a W3C page as a “JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.” (n5)

But the WebCrypto API Doc process, and indeed the legitimacy of the WebCrypto API itself, should be questioned and doubted, for the WebCrypto group has recently held off on including the widely-used curve25519 within NamedCurve dictionaries or as part of its extensibility and errata process, until the (NSA co-chaired) Crypto Forum Research Group gives W3C the go-ahead. For further information and confirmation on this, see (n6) below.

If you are concerned about this, check out the message thread discussing attempts to remove the NSA co-chair (n3) and consider posting to the CFRG list (n7) about it once you subscribe.

NSA affiliated persons need to be removed from groups that influence the direction of the entire web. I hope those who receive this message will organize to help make that happen.

(n1) https://irtf.org/cfrg
(n2) From CFRG’s public webpage (n1) as of Oct. 20, 2014:  “CFRG is chaired by Kevin Igoe (kmigoe at nsa.gov), Kenny Paterson (kenny.paterson at rhul.ac.uk) and Alexey Melnikov (alexey.melnikov at isode.com).”
(n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
(n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/
(n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
(n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in particular: comments 11, 12, 48, and 59 through 63 on that page)
(n7) https://irtf.org/mailman/listinfo/cfrg

———————————————————————————————————————————————————————————————————————————————

Related Links:

Secret Documents Reveal NSA Campaign Against Encryption

Security Industry Pioneer RSA Paid $10 Million to Use Backdoored NSA Algorithm in Crypto Software

SENTRY EAGLE: NSA’s “Core Secrets” Re: Covert Activities Inside Companies; Access Sensitive Data, Compromise Networks, Subvert Encryption

  1. […] the cryptographic standards that are used to implement the respective systems. Documents show that NSA agents travel to the meetings of the Internet Engineering Task Force (IETF), an organization that develops such standards, to […]


  2. […] NSA Agent Co-Chairing Crypto Forum Research Group Puts Legitimacy of WebCrypto API in Doubt #WakeUp http://leaksource.info/?p=25716 […]
