NSA's 'Apology' For Backdooring Crypto Standard Really A 'Sorry We Got Caught' Kind Of Apology

from the not-buying-it dept

Thu, Jan 15th 2015 10:31am — Mike Masnick

Update: While the article in question claimed that Dr. Wertheimer was the Director of Research for the NSA, an email from the NSA alerts us that Wertheimer left the NSA before writing the article.

As you may recall, one of the big Snowden revelations was the fact that the NSA "took control" over a key security standard allowing backdoors to be inserted (or, at least, a weakness that made it easy to crack). It didn't take long for people to realize that the standard in question was Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. It also came out that the NSA had given RSA $10 million to push this compromised random bit generator as the default. That said, as we noted, many had already suspected something was up and had refused to use Dual_EC_DRBG. In fact, all the way back in 2007, there was a widespread discussion about the possibility of the NSA putting a backdoor in Dual_EC_DRBG, which is why so few actually trusted it.

Still, to have the details come out in public was a pretty big deal, so it also seemed like a fairly big deal to see that the Director of Research at the NSA, Dr. Michael Wertheimer (also former Assistant Deputy Director and CTO in the Office of the Director of National Intelligence), had apparently written something of an apology in the latest Notices of the American Mathematical Society. In a piece entitled, "The Mathematics Community and the NSA," Wertheimer sort of apologizes, admitting that mistakes were made. After admitting that concerns were raised by Microsoft researchers in 2007, and again with the Snowden documents (though without saying why they were raised the second time), here's Wertheimer's "apology."

With hindsight, NSA should have ceased supporting the Dual_EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS now.

However, as security researcher/professor Matthew Green quickly shot back, this is a bullshit apology, because he's really only apologizing for not dropping the standard when they got caught red handed back in 2007.

The trouble is that on closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That's bizarre.

Green also takes on Wertheimer's weak attempt to still defend pushing the compromised Dual_EC_DRBG as ridiculous. Here were Wertheimer's arguments for why it was still okay:

The Dual_EC_DRBG was one of four random number generators in the NIST standard; it is neither required nor the default.
The NSA-generated elliptic curve points were necessary for accreditation of the Dual_EC_DRBG but only had to be implemented for actual use in certain DoD applications.
The trapdoor concerns were openly studied by ANSI X9F1, NIST, and by the public in 2007.

But, again, those don't make much sense and actually make Wertheimer's non-apology that much worse. As Green notes, even though there were other random number generators, the now infamous RSA deal did lead some to use it since it was the "default" in a popular software library and because NIST had declared the standard safe, meaning that people trusted it. Green also goes into great detail describing how the second point is also incredibly misleading. It's worth reading his full explanation, but the short version is that despite some people fearing the NSA's plan would have a backdoor, the details and the possible "alternatives" to avoid that were completely hidden away and more or less dropped.

And that final point, well... really? Again, that's basically saying, "Well, people thought we might have put in a backdoor, but couldn't prove it, but there, you guys had your chance to debate it." Nevermind the fact that there actually was a backdoor and it wasn't confirmed until years later. And, as Green notes, many of the concerns were actually raised earlier and swept under the rug. Also, the standard was pushed and adopted by RSA as a default long before some of these concerns were raised as well.

This might all be academic, but keep this in mind: we now know that RSA Security began using the Dual EC DRBG random number generator in BSAFE -- as the default, I remind you -- in 2004. That's three years during which concerns were not openly studied by the public.

To state that the trapdoor concerns were 'openly' studied in 2007 is absolutely true. It's just completely irrelevant.

In other words, this isn't an apology. It's an apology that the NSA got caught (and didn't stop pushing things the first time it got caught), and then a weak defense of why they still went ahead with a compromised offering.

Wertheimer complains that this one instance has resulted in distrust from the mathematics and cryptography community. If so, his weak response isn't going to help very much.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: apology, backdoor, cryptography, dual_ec_drbg, elliptic curve, encryption, matthew green, michael wertheimer, nist, nsa, random number generator, standards, surveillance

10 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 15 Jan 2015 @ 10:33am

> Wertheimer complains that this one instance has resulted in distrust from the mathematics and cryptography community.

I wouldn't say that. Just distrust for the *NSA* mathematicians and cryptographers, or any who have been working with NSA.
[ link to this | view in chronology ]
- John Fenderson (profile), 15 Jan 2015 @ 10:50am
  
  Re:
  I think he was complaining that the fiasco resulted in the crypto community distrusting the NSA, not that the people lost trust in the crypto community.
  
  And let's not forget that the NIST has taken a huge blow to their trustworthiness as well, although at least they are taking actual, concrete steps in an attempt to rebuild the lost trust. Unlike the NSA.
  [ link to this | view in chronology ]
- Anonymous Coward, 15 Jan 2015 @ 10:51am
  
  Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
  I distrust the entirety of the NSA completely. They are no different than any other historically villain agency in my eyes.
  Any possible gains are completely outweighed by their evil.
  If the NSA disappeared tomorrow, it would be something worthy of a national celebration such as our Independence Day.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 15 Jan 2015 @ 11:13am
    
    Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
    Agreed. This is the main problem with the nonapology: given the history of the NSA (in general, but especially recently), I expect that every word they utter is a lie. I am disappointed that this apology was so limp, though. As long as they're lying, they should do a better job of it.
    [ link to this | view in chronology ]
    - Anonymous Coward, 15 Jan 2015 @ 11:30am
      
      Re: Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
      > I am disappointed that this apology was so limp, though. As long as they're lying, they should do a better job of it.
      
      Food for thought: what if it was on purpose? What if the one apologizing here is as disgusted with the NSA's actions as us, but doesn't want to pull a Snowden, so the weak apology is his way of leaking how he feels about it?
      
      Or what if that isn't the case, but he's pretending to pretend to do a bad job at an apology so we would think he feels disgusted, when in fact it's some sort of double reverse psychology trick?
      
      Or what if...
      [ link to this | view in chronology ]
      - John Fenderson (profile), 15 Jan 2015 @ 1:02pm
        
        Re: Re: Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
        "What if the one apologizing here is as disgusted with the NSA's actions as us, but doesn't want to pull a Snowden, so the weak apology is his way of leaking how he feels about it?"
        
        If so, then I have even less respect for him. If he feels disgusted with the NSA's actions, then he shouldn't be such a coward about expressing it.
        [ link to this | view in chronology ]
Anonymous Coward, 15 Jan 2015 @ 12:56pm

Trying to master the non-apology, apology. And failing miserably at it. I'm sure anyone who questioned if Dual_EC_DRBG had a backdoor in it back in 2007 was labeled a crazy conspiracy nutjob who's simply being paranoid.
[ link to this | view in chronology ]
- Anonymous Coward, 15 Jan 2015 @ 2:55pm
  
  Re:
  Lots of credible people questioned the story in 2007, and were believed. For instance, Bruce Schneier. The problem was that until the Snowden leaks, there wasn't any evidence that the NSA had deliberately sabotaged the standards process. Now we know that the NSA deliberately introduced and promoted a standard that they'd carefully engineered to contain a backdoor. People aren't mad because the NSA "sustained their support for a questionable algorithm", people are mad because the NSA unquestionably knew that the algorithm was insecure and were deliberately poisoning encryption standards with it.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 16 Jan 2015 @ 8:16am
    
    Re: Re:
    Yes, this. Lots of people considered Dual_EC_DRBG to be suspect way back then and avoided using it at all (I'm one of them) without being considered conspiracy nutjobs.
    
    It's one of the fundamental rules of security tools: if you even suspect that a tools may be compromised, then you must treat it as if it definitely is compromised.
    [ link to this | view in chronology ]
BlueLightMemory, 15 Jan 2015 @ 4:13pm

Good Grief
Flip a coin, who's worse with their half assed, driveling confessions, the NSA, the FBI, or the CIA?

None of them are genuinely sorry though.
[ link to this | view in chronology ]