NSA's 'Apology' For Backdooring Crypto Standard Really A 'Sorry We Got Caught' Kind Of Apology
from the not-buying-it dept
Update: While the article in question claimed that Dr. Wertheimer was the Director of Research for the NSA, an email from the NSA alerts us that Wertheimer left the NSA before writing the article.
As you may recall, one of the big Snowden revelations was the fact that the NSA “took control” over a key security standard allowing backdoors to be inserted (or, at least, a weakness that made it easy to crack). It didn’t take long for people to realize that the standard in question was Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. It also came out that the NSA had given RSA $10 million to push this compromised random bit generator as the default. That said, as we noted, many had already suspected something was up and had refused to use Dual_EC_DRBG. In fact, all the way back in 2007, there was a widespread discussion about the possibility of the NSA putting a backdoor in Dual_EC_DRBG, which is why so few actually trusted it.
Still, to have the details come out in public was a pretty big deal, so it also seemed like a fairly big deal to see that the Director of Research at the NSA, Dr. Michael Wertheimer (also former Assistant Deputy Director and CTO in the Office of the Director of National Intelligence), had apparently written something of an apology in the latest Notices of the American Mathematical Society. In a piece entitled, “The Mathematics Community and the NSA,” Wertheimer sort of apologizes, admitting that mistakes were made. After admitting that concerns were raised by Microsoft researchers in 2007, and again with the Snowden documents (though without saying why they were raised the second time), here’s Wertheimer’s “apology.”
With hindsight, NSA should have ceased supporting the Dual_EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST?s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to ?undermine Internet encryption.? A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS now.
However, as security researcher/professor Matthew Green quickly shot back, this is a bullshit apology, because he’s really only apologizing for not dropping the standard when they got caught red handed back in 2007.
The trouble is that on closer examination, the letter doesn’t express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That’s bizarre.
Green also takes on Wertheimer’s weak attempt to still defend pushing the compromised Dual_EC_DRBG as ridiculous. Here were Wertheimer’s arguments for why it was still okay:
- The Dual_EC_DRBG was one of four random number generators in the NIST standard; it is neither required nor the default.
- The NSA-generated elliptic curve points were necessary for accreditation of the Dual_EC_DRBG but only had to be implemented for actual use in certain DoD applications.
- The trapdoor concerns were openly studied by ANSI X9F1, NIST, and by the public in 2007.
But, again, those don’t make much sense and actually make Wertheimer’s non-apology that much worse. As Green notes, even though there were other random number generators, the now infamous RSA deal did lead some to use it since it was the “default” in a popular software library and because NIST had declared the standard safe, meaning that people trusted it. Green also goes into great detail describing how the second point is also incredibly misleading. It’s worth reading his full explanation, but the short version is that despite some people fearing the NSA’s plan would have a backdoor, the details and the possible “alternatives” to avoid that were completely hidden away and more or less dropped.
And that final point, well… really? Again, that’s basically saying, “Well, people thought we might have put in a backdoor, but couldn’t prove it, but there, you guys had your chance to debate it.” Nevermind the fact that there actually was a backdoor and it wasn’t confirmed until years later. And, as Green notes, many of the concerns were actually raised earlier and swept under the rug. Also, the standard was pushed and adopted by RSA as a default long before some of these concerns were raised as well.
This might all be academic, but keep this in mind: we now know that RSA Security began using the Dual EC DRBG random number generator in BSAFE — as the default, I remind you — in 2004. That’s three years during which concerns were not openly studied by the public.
To state that the trapdoor concerns were ‘openly’ studied in 2007 is absolutely true. It’s just completely irrelevant.
In other words, this isn’t an apology. It’s an apology that the NSA got caught (and didn’t stop pushing things the first time it got caught), and then a weak defense of why they still went ahead with a compromised offering.
Wertheimer complains that this one instance has resulted in distrust from the mathematics and cryptography community. If so, his weak response isn’t going to help very much.