Details Reveal Crypto Standard Controlled By NSA; And How Canada Helped
from the international-cooperation dept
After the revelations of how the NSA basically authored a crypto standard surreptitiously with obligatory backdoors, plenty of people started exploring exactly which standard it was — and called on the various reporters with access to Snowden’s documents to come clean, mainly to protect people who were now using insecure crypto. Buried in a blog post that focuses more on the NIST’s non-response to the news, the NY Times finally revealed both what standard it was, the Dual EC DRBG standard, and how Canadian intelligence basically was the cover, helping to hide the NSA’s efforts:
But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.
Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”
At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”
That same article notes that people inside NIST “feel betrayed by their colleagues at the NSA,” but I wonder if NIST will ever be able to regain any real sense of trust with the crypto community.
Filed Under: backdoors, canada, cyrpto, dual ec drbg, encryption, nist, nsa, nsa surveillance
Comments on “Details Reveal Crypto Standard Controlled By NSA; And How Canada Helped”
I hope not. Better start fresh with a new international body with ZERO influence from governments.
Re: Re:
nah, open source is the only bet. no closed room shit, all out in the open and count on China/Russia/USA to point out all the weaknesses they dont want the enemy to exploit.
Re: Re:
zero influence from governments? good luck with that.
This raises a seriously disturbing question
We’re now looking at an existence proof that the NSA has deliberately interfered with a cryptographic standards/development process in order to weaken/backdoor it.
NSA personnel (and ex-NSA personnel) have been involved in US-based crypto in government, industry and academic for decades. They’ve been part of the work done on the math, the standards, the software, the hardware, the procedures, everything.
Should we conclude that they’ve only done this once?
Re: This raises a seriously disturbing question
I wondered that very thing the first time I heard that AES was approved by the NSA.
My detailed Canadian perspective on this
Sorry.
Re: My detailed Canadian perspective on this
You mean, “Sow-ry”.
Re: Re: My detailed Canadian perspective on this
We have ways of making you pronounce the letter “o.”
It’s all right there in the name, hidden in plain sight.
EC DRBG = Evil Canadian DiRtBaGs.
(Of course, the C could also stand for Corrupt.)
Re: Re:
That was me, Anonymous, who posted that BTW.
Even open source isn’t completely safe if the NSA is running the show (in the sense it might take much longer than it otherwise would for the duplicity to be uncovered). The answer is at a minimum to blackball NSA personnel and alumni.
Re: Blackball NSA personnel and alumni
No, don’t blackball them. They’ll just go undercover.
The real lesson is to trust no one.
You must assume everyone is cheating and trying to slip a fast one by. Because some of them are, and you’ll never know which ones.
Re: Re: Blackball NSA personnel and alumni
Why should we trust you? Oh wait, you already said we shouldn’t. But if we are to trust you, then we can’t trust you, so how…oh great, I can see I won’t be getting any sleep tonight…
Re: Even open source isn't completely safe if the NSA is running the show
We have an old saying in Open Source: ?many eyes make all bugs shallow?. This whole Dual EC DRBG debacle never got trusted to the point where it could do much damage, simply because there are too many smart people outside the NSA nowadays, who will find holes no matter how cunningly hidden.
For example, look at the SELinux mandatory access control system built into the Linux kernel. It was primarily written by the NSA. Do we trust it? Yes, because the simple mention of those three letters ?NSA? was already enough to attract a whole lot of extra scrutiny and suspicion.
Re: Re: Even open source isn't completely safe if the NSA is running the show
really? who did the ‘whole lot of extra scrutiny and suspicion’ – not the NSA plant i hope?
Canada
Been saying for years: Canada is evil.
But nobody will listen. Even their healthcare is sinister.
Re: Canada
Blame Canada, blame Canada. They are not a real country anyway.
As more is revealed, there are probably other standards that they’ve had their fingers in. There will be fallout for all the revelations that have come from the Snowden releases.
US corporations are going to pay a heavy price for this co-operation voluntary or involuntary before it is all over with. Every release reveals more things that need to be looked into.
The NSA has no real place to hide anymore in the sense of just how deep they’ve been into gaining access to near everything.
No Big Surprise
If this was NSA?s best attempt to subvert public security standards, it?s been a complete failure. It was obvious to experts in the field that there was something fishy about Dual EC DRBG from the beginning. With new developments in encryption, it?s very much a case of ?worthless until proven worthy?: nobody takes a new idea seriously until it has survived multiple serious hammerings. And this one never quite made it beyond the worthless stage.
In the end maybe it’s a good thing that all this shit has happened and hit the fan. Think about it for a while. You have a Govt espionage agency involved in crafting encryption standards. It’s bound to be abused at some point even though that agency actually helps at first. That’s why everything must be designed thinking of abuse because times change, people in charge change and at some point there will be abuse. I suspect this will spill over a myriad of stuff that really needs to be decentralized and taken away from the US (and any central country for the matter) such as ICANN and the likes.
It’s time we start adopting standards that are crafted, discussed in the open and enabled by everyone and nobody at the same time. Because that’s what the Internet is, open and for all.
EC DRBG
I’m sure it’s been said before, but isn’t the kludginess of EC DRBG in and of itself a red flag? It’s as if they wanted it to be suspect and thus avoided in favor of another encryption which didn’t appear to be compromised but, in fact, was. “Pay no attention to the man behind the curtain,” and all that. I simply assume we’re being herded towards their “preferred” solution.
What are the odds that NSA had a role in the design of Bitcoin?
So let me get this straight. Canada, which recently passed a new copyright law OUTLAWING the public from cracking DRM encryption for ANY purpose on penalty of IMPRISONMENT — at the direct behest (according to leaked docs) OF the U.S. governemt — has been secretly cracking the public’s encryption FOR the U.S. government.
Maybe Canadians should just put DRM on all their online communications — maybe then finally some spooks would go to jail. (Sorry, I was briefly indulging in the old school fantasy that the laws in a democracy apply to everyone. Forgive me naivete but I am, after all, over 40…)
Weird thought.
I think making it illegal to break encryption was a way for the NSA to prevent people from finding the flaws that they themselves created.
Perhaps we should remove that law from the books.
I read the NIST statement. It didn’t reassure me in the least. I’m sure it didn’t reassure 99% of the other countries in the world either.
The NSA “finessed” their way to the destruction of not only their own credibility, but also the credibility of NIST.
Guess that’s what happens when you’re ball and chained to an organization such as the NSA.
It’s like Dan Brown’s Digital Fortress.