What amazes and saddens me about this, though, is that I was one of the people who thought that we could draw a line -- the NSA was obviously going to keep its cryptanalysis techniques secret, they probably listened to everything, but the idea that they were actively sabotaging cryptosystems just seemed like too far-fetched a conspiracy theory. Half their mission is to protect US communications from foreigners, and backdoors are the most obvious way to not achieve that goal.
Yet here we have proof that the NSA is truly in the business of sabotaging cryptosystems that are in general use. Those systems protect US interests as much as foreign interests, and now they are not trustworthy. Now I am left wondering -- PGP, for example, deviates from theoretical constructions of non-malleable encryption; might that have been the NSA's doing? What about the problems in various versions of TLS? Now it is hard to say what is an honest mistake and what is a deliberate effort to undermine computer security.
We are now past the point of not blaming on malice what we can attribute to stupidity, because we have evidence that there is actual malice on a grand scale. It is a truly sad day for this world...
No, that's not NSA's doing. PGP predates the theoretical constructions you're referring to. Bellare/Namprempre was something like 5 years after the first "modern" PGP (IIRC the original PGP used a terribly broken cipher of Zimmermann's own design). Also, malleability is not a particularly lucrative capability for NSA to have, even if you want to assume that the integrity mechanisms in PGP are broken.
I am pretty sure that the OpenPGP standard has been updated since that work, and that it is still not quite following the constructions.
Also, I do not think the NSA would have no interest at all in malleability. Suppose the NSA is trying to track messages sent through anonymous remailers (Type I, maybe because the target is using a nym server) and there is a "Max-Count: 1" header. An easy attack that exploits malleability would be to maul the message somewhere after the headers and see where a mauled message exits the remailer network. This is probably possible with the NSA's resources and expertise, and the NSA is probably concerned about anonymity systems in general (and perhaps looking for ways to attack them).
My real point, though, is that we need to stop for a moment and re-evaluate pretty much all the cryptography standards we depend on. We really cannot say that these systems have not been deliberately sabotaged by the NSA, not with this latest revelation.
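The malleability point argued back and forth above comes down to whether integrity is bound to the ciphertext. The following is an added example, not code from anyone in this thread or from PGP: it shows the Encrypt-then-MAC composition that the Bellare/Namprempre work proves secure, next to the bare stream-cipher mode that lacks it. A single flipped ciphertext bit silently changes the decrypted plaintext of the unauthenticated version, while the authenticated version rejects the same tampering before decrypting. To stay standard-library only, an HMAC-SHA256 counter keystream stands in for AES-CTR (any PRF works for CTR mode); the keys, nonce and message are constructed values.

```python
import hashlib
import hmac
import struct

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-mode keystream using HMAC-SHA256 as the PRF. This is a stand-in for
    # AES-CTR so the example runs without third-party libraries.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Unauthenticated encryption: ciphertext = plaintext XOR keystream.
    # Flipping ciphertext bit i flips plaintext bit i, which is the malleability
    # discussed in the thread.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


ctr_decrypt = ctr_encrypt  # XOR with the same keystream is its own inverse


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: authenticate the nonce and ciphertext with a separate key.
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Verify the tag in constant time before touching the ciphertext; return
    # None on any mismatch so callers cannot observe a mauled plaintext.
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_decrypt(enc_key, nonce, ct)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    # Simulate in-transit tampering with one bit of the message.
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def demo() -> dict:
    # Constructed, fixed keys and nonce so the run is reproducible; real code
    # derives keys from a KDF and never reuses a nonce under the same key.
    enc_key = bytes(range(32))
    mac_key = bytes(range(32, 64))
    nonce = bytes(NONCE_LEN)
    msg = b"Max-Count: 1\r\n\r\nhello"

    # Unauthenticated CTR: one flipped bit in byte 0 turns 'M' (0x4D) into 'm' (0x6D)
    # and decryption reports nothing wrong.
    raw_ct = ctr_encrypt(enc_key, nonce, msg)
    silently_changed = ctr_decrypt(enc_key, nonce, flip_bit(raw_ct, 0, 5))

    # Encrypt-then-MAC: the same bit flip (offset by the nonce prefix) is rejected.
    blob = etm_encrypt(enc_key, mac_key, nonce, msg)
    mauled_blob = flip_bit(blob, NONCE_LEN, 5)

    return {
        "unauthenticated_decrypts_to": silently_changed,
        "etm_accepts_original": etm_decrypt(enc_key, mac_key, blob) == msg,
        "etm_rejects_mauled": etm_decrypt(enc_key, mac_key, mauled_blob) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design choice that matters is the order: the MAC covers the ciphertext (and nonce), is checked before decryption, and uses a key independent of the encryption key. MAC-then-Encrypt or Encrypt-and-MAC compositions are exactly the ones the Bellare/Namprempre analysis shows can fail, which is why reviewing which composition a standard actually uses is a concrete way to act on the re-evaluation argued for above.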