Details Reveal Crypto Standard Controlled By NSA; And How Canada Helped
from the international-cooperation dept
After the revelations of how the NSA basically authored a crypto standard surreptitiously with obligatory backdoors, plenty of people started exploring exactly which standard it was -- and called on the various reporters with access to Snowden's documents to come clean, mainly to protect people who were now using insecure crypto. Buried in a blog post that focuses more on the NIST's non-response to the news, the NY Times finally revealed both what standard it was, the Dual EC DRBG standard, and how Canadian intelligence basically was the cover, helping to hide the NSA's efforts:But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.That same article notes that people inside NIST "feel betrayed by their colleagues at the NSA," but I wonder if NIST will ever be able to regain any real sense of trust with the crypto community.
Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”
At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, canada, cyrpto, dual ec drbg, encryption, nist, nsa, nsa surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
This raises a seriously disturbing question
NSA personnel (and ex-NSA personnel) have been involved in US-based crypto in government, industry and academic for decades. They've been part of the work done on the math, the standards, the software, the hardware, the procedures, everything.
Should we conclude that they've only done this once?
[ link to this | view in chronology ]
Re: This raises a seriously disturbing question
[ link to this | view in chronology ]
My detailed Canadian perspective on this
[ link to this | view in chronology ]
Re: My detailed Canadian perspective on this
[ link to this | view in chronology ]
Re: Re: My detailed Canadian perspective on this
[ link to this | view in chronology ]
EC DRBG = Evil Canadian DiRtBaGs.
(Of course, the C could also stand for Corrupt.)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Blackball NSA personnel and alumni
The real lesson is to trust no one.
You must assume everyone is cheating and trying to slip a fast one by. Because some of them are, and you'll never know which ones.
[ link to this | view in chronology ]
Re: Re: Blackball NSA personnel and alumni
[ link to this | view in chronology ]
Re: Even open source isn't completely safe if the NSA is running the show
For example, look at the SELinux mandatory access control system built into the Linux kernel. It was primarily written by the NSA. Do we trust it? Yes, because the simple mention of those three letters “NSA” was already enough to attract a whole lot of extra scrutiny and suspicion.
[ link to this | view in chronology ]
Re: Re: Even open source isn't completely safe if the NSA is running the show
[ link to this | view in chronology ]
Canada
But nobody will listen. Even their healthcare is sinister.
[ link to this | view in chronology ]
Re: Canada
[ link to this | view in chronology ]
US corporations are going to pay a heavy price for this co-operation voluntary or involuntary before it is all over with. Every release reveals more things that need to be looked into.
The NSA has no real place to hide anymore in the sense of just how deep they've been into gaining access to near everything.
[ link to this | view in chronology ]
No Big Surprise
[ link to this | view in chronology ]
It's time we start adopting standards that are crafted, discussed in the open and enabled by everyone and nobody at the same time. Because that's what the Internet is, open and for all.
[ link to this | view in chronology ]
EC DRBG
What are the odds that NSA had a role in the design of Bitcoin?
[ link to this | view in chronology ]
Maybe Canadians should just put DRM on all their online communications -- maybe then finally some spooks would go to jail. (Sorry, I was briefly indulging in the old school fantasy that the laws in a democracy apply to everyone. Forgive me naivete but I am, after all, over 40...)
[ link to this | view in chronology ]
Weird thought.
Perhaps we should remove that law from the books.
[ link to this | view in chronology ]
The NSA "finessed" their way to the destruction of not only their own credibility, but also the credibility of NIST.
Guess that's what happens when you're ball and chained to an organization such as the NSA.
[ link to this | view in chronology ]
[ link to this | view in chronology ]