Opening Discussion: Speculation on "BULLRUN"
Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some things:* NSA employees participted throughout, and occupied leadership rolesin the committee and among the editors of the documents* Every once in a while, someone not an NSA employee, but who hadlongstanding ties to NSA, would make a suggestion that reducedprivacy or security, but which seemed to make sense when viewedby people who didn't know much about crypto. For example,using the same IV (initialization vector) throughout a session,rather than making a new one for each packet. Or, retaining away to for this encryption protocol to specify that no encryptionis to be applied.* The resulting standard was incredibly complicated -- so complexthat every real cryptographer who tried to analyze it threw uptheir hands and said, "We can't even begin to evaluate itssecurity unless you simplify it radically".
Ted.