NSA's 'Apology' For Backdooring Crypto Standard Really A 'Sorry We Got Caught' Kind Of Apology
from the not-buying-it dept
Update: While the article in question claimed that Dr. Wertheimer was the Director of Research for the NSA, an email from the NSA alerts us that Wertheimer left the NSA before writing the article.
As you may recall, one of the big Snowden revelations was the fact that the NSA "took control" over a key security standard allowing backdoors to be inserted (or, at least, a weakness that made it easy to crack). It didn't take long for people to realize that the standard in question was Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. It also came out that the NSA had given RSA $10 million to push this compromised random bit generator as the default. That said, as we noted, many had already suspected something was up and had refused to use Dual_EC_DRBG. In fact, all the way back in 2007, there was a widespread discussion about the possibility of the NSA putting a backdoor in Dual_EC_DRBG, which is why so few actually trusted it.
Still, to have the details come out in public was a pretty big deal, so it also seemed like a fairly big deal to see that the Director of Research at the NSA, Dr. Michael Wertheimer (also former Assistant Deputy Director and CTO in the Office of the Director of National Intelligence), had apparently written something of an apology in the latest Notices of the American Mathematical Society. In a piece entitled, "The Mathematics Community and the NSA," Wertheimer sort of apologizes, admitting that mistakes were made. After admitting that concerns were raised by Microsoft researchers in 2007, and again with the Snowden documents (though without saying why they were raised the second time), here's Wertheimer's "apology."
With hindsight, NSA should have ceased supporting the Dual_EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS now.
However, as security researcher/professor Matthew Green quickly shot back, this is a bullshit apology, because he's really only apologizing for not dropping the standard when they got caught red-handed back in 2007.
The trouble is that on closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That's bizarre.
Green also takes on Wertheimer's weak attempt to still defend pushing the compromised Dual_EC_DRBG as ridiculous. Here were Wertheimer's arguments for why it was still okay:
- The Dual_EC_DRBG was one of four random number generators in the NIST standard; it is neither required nor the default.
- The NSA-generated elliptic curve points were necessary for accreditation of the Dual_EC_DRBG but only had to be implemented for actual use in certain DoD applications.
- The trapdoor concerns were openly studied by ANSI X9F1, NIST, and by the public in 2007.
And that final point, well... really? Again, that's basically saying, "Well, people thought we might have put in a backdoor, but couldn't prove it, but there, you guys had your chance to debate it." Never mind the fact that there actually was a backdoor and it wasn't confirmed until years later. And, as Green notes, many of the concerns were actually raised earlier and swept under the rug. Also, the standard was pushed and adopted by RSA as a default long before some of these concerns were raised as well.
This might all be academic, but keep this in mind: we now know that RSA Security began using the Dual EC DRBG random number generator in BSAFE -- as the default, I remind you -- in 2004. That's three years during which concerns were not openly studied by the public.
In other words, this isn't an apology. It's an apology that the NSA got caught (and didn't stop pushing things the first time it got caught), and then a weak defense of why they still went ahead with a compromised offering.
To state that the trapdoor concerns were 'openly' studied in 2007 is absolutely true. It's just completely irrelevant.
Wertheimer complains that this one instance has resulted in distrust from the mathematics and cryptography community. If so, his weak response isn't going to help very much.
Filed Under: apology, backdoor, cryptography, dual_ec_drbg, elliptic curve, encryption, matthew green, michael wertheimer, nist, nsa, random number generator, standards, surveillance
Reader Comments
I wouldn't say that. Just distrust for the *NSA* mathematicians and cryptographers, or any who have been working with NSA.
Re:
And let's not forget that the NIST has taken a huge blow to their trustworthiness as well, although at least they are taking actual, concrete steps in an attempt to rebuild the lost trust. Unlike the NSA.
Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
Any possible gains are completely outweighed by their evil.
If the NSA disappeared tomorrow, it would be something worthy of a national celebration such as our Independence Day.
Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
Re: Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
Food for thought: what if it was on purpose? What if the one apologizing here is as disgusted with the NSA's actions as us, but doesn't want to pull a Snowden, so the weak apology is his way of leaking how he feels about it?
Or what if that isn't the case, but he's pretending to pretend to do a bad job at an apology so we would think he feels disgusted, when in fact it's some sort of double reverse psychology trick?
Or what if...
Re: Re: Re: Response to: Anonymous Coward on Jan 15th, 2015 @ 10:33am
If so, then I have even less respect for him. If he feels disgusted with the NSA's actions, then he shouldn't be such a coward about expressing it.
Re:
Re: Re:
It's one of the fundamental rules of security tools: if you even suspect that a tool may be compromised, then you must treat it as if it definitely is compromised.
Good Grief
None of them are genuinely sorry though.