141
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 25 Jul 2023
141 points (97.3% liked)
World News
32285 readers
1191 users here now
News from around the world!
Rules:
-
Please only post links to actual news sources, no tabloid sites, etc
-
No NSFW content
-
No hate speech, bigotry, propaganda, etc
founded 5 years ago
MODERATORS
You are mistaken. A downgrade attack is where an attacker can convince their victim to use a less secure version of a protocol. If there is a deliberate defect that allows that, it would be a backdoor. However, the backdoor here is not related to a downgrade attack (unless there is also a way to force a victim to downgrade to TEA1, which I haven't heard). The backdoor here is that the key space of TEA1 turns out to be 32 bits, instead of the 80 bits it was advertised to be. 32 bits means there are nearly twice as many humans on earth as there are possible keys for TEA1.
Everyone outside of ETSI agrees this is an intentional backdoor. The only way that it would questionable to call it a backdoor would be if the intentionality was plausibly deniable, but, ETSI has now admitted that it was intentional... while absurdly arguing that it was not a backdoor because it was done for "export requirements". There is no requirement to lie about key sizes in Wassenaar or any other export control regime I'm aware of.
This is the quote from the linked article which which I assume led you to conclude that it is "not a backdoor":
I highly recommend reading the full interview with Brian Murgatroyd by Kim Zetter (this article's author).
No cryptographer would say that a 32-bit key provided any meaningful security, even in the 70s, much less in the 90s.
In 1978 Triple DES was proposed because even then people realized that the 54-bit keys in DES were not enough.
So, again, everyone agrees that it is a backdoor except the ETSI people, and imo these are people who should really be charged with criminal negligence for what they have done: They falsely advertised that their proprietary cryptosystem had 80-bit keys when it really had 32-bit keys, and they caused it to be deployed in life-or-death situations (like systems that control railway switches... 😱) all over the world.
Again, there is no export law requirement to lie to critical infrastructure operators about key sizes. This is strictly a favor that ETSI et al did at the request of western intelligence agencies, because they had the audacity to assume nobody else would figure out how to break it for a long time. Since this is only becoming public 25 years later, one could say they were right, but we'll never actually know how many entities have independently discovered and exploited this backdoor over that time period.