
Sounds like they took the "roll your own and don't tell anyone how it works" approach. Security by obscurity is never security. History has shown that the open encryption standards are the most secure.


It's more of intentionally reducing the keyspace when generating keys. You can use weakly generated keys with industry-standard encryption algorithms. When your 4096-bit key is only 32 bits, it doesn't matter how well-trusted the algorithm is.


I just skimmed the paper but it looked to me like the key generation is the same in all profiles, but the TEA1 case has a key setup that compresses the generated key down to 32 bits.
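
Added example, not part of the thread or of the paper it discusses: the point in the two comments above (a nominally long key whose key setup leaves only a few effective bits) can be checked black-box by counting keystream collisions across random keys. The toy cipher and its compression step are hypothetical, not TEA1, and the demo uses a 16-bit reduction so that it runs instantly.

```python
import hashlib
import math
import random
from collections import Counter

KEY_BYTES = 10  # 80-bit nominal key, constructed for this example


def key_setup(key: bytes, reduced_bits=None) -> bytes:
    """Toy key setup. With reduced_bits set, compress the key to that many
    bits (hypothetical compression, NOT the real TEA1 function)."""
    if reduced_bits is None:
        return key
    digest = int.from_bytes(hashlib.sha256(key).digest(), "big")
    reduced = digest >> (256 - reduced_bits)
    return reduced.to_bytes((reduced_bits + 7) // 8, "big")


def keystream(key: bytes, reduced_bits=None, length: int = 16) -> bytes:
    """Toy generator: SHA-256 over the post-setup key and a block counter."""
    state = key_setup(key, reduced_bits)
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(state + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def estimate_effective_bits(reduced_bits=None, samples=4000, seed=1):
    """Black-box audit: feed random nominal keys, count pairs of keys that
    give the same keystream, and apply the birthday bound.
    Returns (colliding_pairs, estimated_bits), or (0, None) if none collide."""
    rng = random.Random(seed)
    seen = Counter(
        keystream(rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big"),
                  reduced_bits)
        for _ in range(samples)
    )
    colliding = sum(n * (n - 1) // 2 for n in seen.values())
    if colliding == 0:
        return 0, None
    total_pairs = samples * (samples - 1) // 2
    return colliding, math.log2(total_pairs / colliding)


if __name__ == "__main__":
    print("full 80-bit key :", estimate_effective_bits(None))
    print("16-bit key setup:", estimate_effective_bits(16))
```

Any collision between keystreams of distinct random 80-bit keys is already a red flag; for a 32-bit reduction the same test needs on the order of a few hundred thousand samples.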


The researchers found several problems. The backdoor seems intentional, but the others do not. They broke the TAA protocol.


And yet this one lasted 30 years. That's far longer than most open encryption algorithms continue to be deemed secure.

Obviously you can debate whether having it 'appear' secure for longer before someone publishes details of the flaw is more important or not...


> And yet this one lasted 30 years.

What do you mean lasted? If it is an intentional backdoor, it was vulnerable (to those who knew the backdoor) from day 1, so it was never secure let alone 30 years.


The TEA1 key compression weakness may have been known to intelligence agencies as early as 2006. See https://www.cryptomuseum.com/radio/tetra/ under section "Compromise".


It lasted 30 years in the sense it hasn't been publicly broken before.

We don't know how many intelligence agencies have found some of these and are happily listening in on "secure" communication, concealing that fact successfully.


This argument holds for any non-disclosed vulnerabilities, however.


Aren't these encrypted radios mostly for cops?

I mean, this is embarrassing - but who cares if the secret police are spying on the regular police?


Seems this was a general export item resulting from the 1990s crypto restrictions. The article mentions 100 countries using them. That would be agencies for whom it didn't matter, yes, (ambulance, corp security, etc) - but also everyone else who could not afford anything better but for whom security actually mattered. Not every country can afford to roll their own for this kind of stuff.


Does the FBI use these? The FBI is tasked with counter intelligence, and for a spy it could be highly relevant to learn if they are being targeted.


Federal stuff is going to be P25 phase 2, usually AES encrypted. Harris or Motorola, and at one point Thales (previously Racal.)

Some other brands end up being used like Cobham or Bendix but those are usually for aviation.

Tetra isn’t used by US LE. There are military encryption schemes, some of which are classified or controlled, occasionally used by feds. Mostly tho you're looking at encrypted voice over data using mobile phones tho. Cellcrypt Inc, for example. Not many investigators lug around a radio to call agents in the field unless they need interoperability with other agencies or tactical communications using local infrastructure.

During the Obama inauguration the Thales Liberty triband was used with AES. I think most agencies dumped the Thales Liberty for Harris tri band radios or Motorola now, which is sad because as a result the Liberty is basically a dead end platform.


Whose secret police are spying on the civilian police.

Is it more concerning if it’s the Russian secret police spying on the Kyiv police?


The publicly known attacks are recent, yes.

I know some group had it pwned at least 2010-ish. But won't elaborate.

And I'm sure they weren't the first, nor the only ones.


> And yet this one lasted 30 years.

Main goal of security through obscurity is the hindrance. Make it slower and harder to detect possible vulnerabilities.

So indeed, there is something to debate.

But I guess it helps only against those with limited resources, not against nation states.


This is analogous to physical security doors. They are considered passive security, since they are a deterrent, and are rated by the numbers of hours they are expected to hold up against hand tools.


Is it still true that nation states are at the forefront of innovation and the largest security threats? At least in the United States, I'd be surprised to learn that their best and brightest minds are working in three letter government agencies when they can work in industry for more money and less bureaucracy.


Does one need the best and brightest minds to break crypto? Or does it just take a lot of full-time regular minds?

Because the academic/opensource communities famously don't have many hours to dedicate to the cause.


> Because the academic/opensource communities famously don't have many hours to dedicate to the cause.

People in academics dedicate their lives for this. Who has more time?


Yes. Additionally, there are extensive public/private partnerships.


> Main goal of security through obscurity is the hindrance

No, the main goal is to obfuscate just how incompetent the authors of the spec are, and how clearly they illustrate Dunning-Kruger.


> No, the main goal is to obfuscate just how incompetent the authors of the spec are

If you agree that it obfuscates the meaning of the author’s work, then it also slows down other things recursively…


Obscurity should never replace security, but it can and does augment security by increasing the cost to even study the security.


The bigger issue here is that there's an intentional vulnerability.


Security has many layers. Obscurity can be one of them.


Obscurity can certainly be part of defense in depth, but it unequivocally does not make anything more (meaningfully) secure.

For example, hiding the fact that your data is encrypted with AES doesn’t make an attacker any more likely to be able to break AES. Similarly, hiding the fact that you use a weak encryption algorithm doesn’t keep an attacker from breaking it.


You can't easily put backdoors in cryptographic algorithms that can be audited


You certainly can.


^ this post brought to you by RSA, ANSI, ISO, NIST, the NSA, and the authors of DUAL_EC_DRBG

/s


... Which iirc was immediately identified as suspicious during auditing.


And yet became an official standard anyway, and was occasionally actually used, despite the fact that it was obviously backdoored to anyone who knew anything about (elliptic-curve) cryptography. (It's literally a textbook-exercise leaky RNG, of the sort that you would find under "Exercise: create an elliptic-curve-based RNG that leaks seed bits within N bytes of random data." in an actual cryptography textbook.)


You don't really need to understand elliptic curves to understand Dual EC. It's a public key RNG. The vulnerability is that there's a matching private key.


True, but my parenthetical was covering the opposite issue: it's possible to not realise DUAL_EC_DRBG is broken (rather than impossible to realise it) if your only knowledge of cryptography is, say, hash functions and stream ciphers (so you don't recognise public key cryptography from looking at it). It's unlikely, because DUAL_EC_DRBG is really obviously broken, but I wouldn't fault someone who knew nothing about elliptic-curve cryptography for missing it, even if they were familiar with other types of cryptography. (I would fault them for claiming that it's secure, rather than recognizing that they don't know enough to evaluate its security, but you can't conclude something's backdoored just from that.)


The assertion I was refuting was that they couldn't be easily inserted into an audited library, not that they wouldn't be detected.



