I don't buy it. These systems are always multiparty. In a single party cryptosystem we can have internal integrity. We know we're not the bad guys and we didn't share the private information with the bad guys, therefore the bad guys don't have the data.
Once you're multiparty that goes away, any other party can definitely betray you and then it's game over, your own integrity doesn't matter.
Historically NOBUS was about having a particular technological lead, that's very fragile and didn't work out long term. If anybody has that lead today it's the Chinese, but realistically nobody has such a lead.
The argument about who the trustworthy "us" is is deeply uninteresting to me. I just care that there's precedent that if you stipulate the existence of such an "us", computer science does allow for NOBUS-y access mechanisms.
Interesting. My understanding has always been that there wasn't, at least in practice. But you're so insistent, so maybe I've missed something. Do you have some references? I'll go read!
At minimum, bad actors inside the government could always use the access mechanism. What's your concept for preventing other bad actors from getting it though?
"What if 'us' is bad" is a separable question from "is NOBUS possible".
I'm not advocating for it, I'm just saying the computer science of this matters, and a lot of people have objections to the concept of NOBUS that are more ideological than empirical.
I don't think it's a computer science claim to begin with. To my knowledge nobody has ever broken 256-bit AES, but that's not the part of the system that fails. There are two things that prevent it from working in practice:
The first is that "us" would be something like "governments in the US"; but then that's too big of an organization to sustain as free from compromise. There are tens of thousands of judges in the US, well over a million police and military. All it takes is one of them to be corrupt or incompetent or lazy and the bad guys get to use the skeleton keys to everything in the world, which can unlock secrets worth billions or get people killed. And that's assuming they only compromise the authorization system; if they actually gets the keys it's practically armageddon.
And the second is that it's not just one government. If the UK makes Apple and Google build a system to unlock anybody's secrets, is Australia not going to want access? Is China? Let's suppose we're not going to give access to Russia; can the fallible humans operating this system fend off every attack once the FSB has been ordered to secure access by any mean necessary?
It's a system that combines many points of compromise with an overwhelming incentive for everyone from state-level attackers to organized crime to break in and severe consequences when they do.
The logistics are non-trivial. If you have to be nation-state intelligence level of scale then no, you cannot maintain NOBUS level of secrecy because you have too many people involved. That sounds pretty damn empirical to me. The objections to NOBUS aren't ideological, they are moral by the way. They are literally choosing to keep vulnerabilities in place for others to discover under arrogant assumptions that they will be the only ones who will know.
> The objections to NOBUS aren't ideological, they are moral
“ideological” and “moral”, as bases for objection, mean exactly the same thing, though people will often use “ideological” to mean “based in principles of right and wrong that I don’t agree with” and “moral” or “ethical” to mean “based in principles of right and wrong that I agree with”.
I think any practical implementation needs to have an "us" that's like "with a valid warrant" or secured on the govt end anyway, right? Otherwise you have to deal with "what if someone in the govt leaks the keys" or "what if someone in the govt is a spy". I consider those outcomes the same as foreign governments getting backdoor access basically.
But also, Dual EC was suspected of being backdoored from day one, was slower than existing CSPRNGs, and was therefore avoided like the plague. Whereas the premise is that if you put all the world's secrets behind one set of keys, there doesn't exist a level of defense that can withstand the level of attacks that will attract. Which doesn't apply when it isn't widely used.
On top of that, the attackers would be the likes of foreign intelligence agencies, and then them not getting it and the public not hearing about them getting it are two different things.
Exactly. They built a backdoor that "only they" could get into and then somebody else slipped into it anyway.
The backdoor is a vulnerability even if you don't have the keys because it requires the trappings of third party access. If you try to get something in the shape of a backdoor through code review, you should get knocked back. But if something in the shape of a backdoor is required then a change in who has the keys to the lock is much smaller, more subtle and easier to sneak in.
No, that's exactly what didn't happen here. The attackers in this case got and maintained for years the ability to slip code into Juniper/Netscreen releases. That the backdoor they chose happened to replace NSA's NOBUS backdoor is just a funny detail.
NOBUS is only NOBUS until a spy gets their hands on the escrow master key (or until Donald Trump shares it at a dinner party on a lark, for that matter). If RSA's signing keys can be compromised¹, anything can be compromised.
They're a world-class security organization. If a nation-state actor can get access to their most important keys the hard way, then a nation-state actor has a decent shot at compromising any private key on the planet, if they're willing to put enough money into it.
They're a large, trusted enterprise software company specializing in security. I'm very comfortable using them as a heuristic for the most secure that a regularly-used private key can possibly be.
I think you need to adjust your priors on the capabilities of enterprise security companies. I don't think you will find many practitioners that would rank RSA Security in "the most secure that a regularly-used private key can be".
Once you're multiparty that goes away, any other party can definitely betray you and then it's game over, your own integrity doesn't matter.
Historically NOBUS was about having a particular technological lead, that's very fragile and didn't work out long term. If anybody has that lead today it's the Chinese, but realistically nobody has such a lead.