Daily Archives: January 15, 2015

It was a mistake for the National Security Agency to support a critical cryptographic function after researchers presented evidence that it contained a fatal flaw that could be exploited by US intelligence agents, the agency's research director said.

The comments by NSA Director of Research Michael Wertheimer were included in an article headlined The Mathematics Community and the NSA published this week in a publication called Notices. The article responds to blistering criticism from some mathematicians, civil liberties advocates, and security professionals following documents provided by former NSA subcontractor Edward Snowden showing that the agency deliberately tried to subvert widely used crypto standards. One of those standards, according to The New York Times, was a random number generator known as Dual EC_DRBG, which was later revealed to be the default method for generating crucial random numbers in the BSAFE crypto toolkit developed by EMC-owned security firm RSA.

"With hindsight, NSA should have ceased supporting the dual _EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor," Wertheimer wrote. "In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable."

He went on to defend the NSA and deny accusations that it tried to subvert crypto standards. Dual EC_DRBG was one of four random number generators included in the larger standard known as SP 800-90A,he pointed out, and the NSA-generated points were necessary for accreditation and had to be implemented only for actual use in certain Defense Department applications.

Wertheimer wrote:

The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NISTs April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to "undermine Internet encryption." A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS [American Mathematical Society] now.

In the future, Wertheimer promised, NSA officials will be more transparent in the way they support fledgling technologies being considered as widely used standards. All NSA comments will be in writing and published for review. Additionally, the NSA will publish algorithms before they're considered so that the public has more time to scrutinize them.

"With these measures in place, even those not disposed to trust NSA's motives can determine for themselves the appropriateness of our submissions, and we will continue to advocate for better security in open-source software, such as Security Enhancements for Linux and Security Enhancements for Android (selinuxproject.org)," he wrote.

Update: Critics are already characterizing Wertheimer's letter as a non-apology apology that only deepens the divide. In the blog A Few Thoughts on Cryptographic Engineering, for instance Matt Green, a Johns Hopkins university professor specializing in cryptography, wrote:

The trouble is that on closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That's bizarre.

The rest is here:
NSA official: Support of backdoored Dual_EC_DRBG was regrettable

Jasper Rietman

Ever since Edward Snowden handed thousands of National Security Agency documents over to filmmaker Laura Poitras and writer Glenn Greenwald in a Hong Kong hotel room, the NSAs mass surveillance of domestic phone calls and Internet traffic has been widely compared to the abuses of East Germanys secret police, the Stasi.

The communist republic may have imploded in 1989, but it has nonetheless become synonymous with a smothering, all-knowing spy apparatus.

A year ago, President Obama himself cited East Germany as a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers and persecuted people for what they said in the privacy of their own homes. He was responding to accusations that just such a vast, unchecked effort to collect data has metastasized on his watch.

It was no coincidence that Poitras chose Leipzig, a city in the heart of the former East Germany, for the recent German debut of her documentary Citizenfour, about Snowden and the NSA. If the government is doing that kind of surveillance, it has a corrosive effect on democracy and society, Poitras said after the premiere. People who lived through it can tell you what it was like.

Indeed. When it was revealed that the NSA had been listening to her cell phone calls, German chancellor Angela Merkelwho came of age in communist East Germany, under the Stasis watchful eyetold President Obama, This is just like the Stasi. In an interview last year, NSA whistle-blower and Poitras source William Binney likened the agency to the Stasi on supersteroids.

Theyre wrong. In crucial ways, the two agencies are very different. In its effort to control East Germany, the Stasi made its presence felt in every sphere of life. Its power rested not only in the information its surveillance yielded but in the fear and distrust that collection instilled. The NSA, on the other hand, operates best in the dark, its targets unaware of its existence, let alone its dragnet data-gathering. Even Poitras, when asked, acknowledged a line between the two. The NSAs broad, mass collection is fundamentally different than what the Stasi did, she said in Leipzig.

Calling the Stasi secret police is misleading. The name is an abbreviation of STAatsSIcherheit, or State Security. Founded in 1950 as the East German Communist Partys sword and shield, it never hid the fact that it was spying. By the late 1980s, more than 260,000 East Germans1.6 percent of all adults in the countryworked for the organization, either as agents or as informants. (If the NSA employed as many analysts to spy on 320 million Americans, it would have 5 million people on the payroll.) It wanted you to constantly wonder which of your friends was an informant and, ideally, tempt or pressure you into the role of snitch too.

At times, the scrutiny reached absurd proportions. Every apartment building and workplace had a designated informer. Spies used specially built equipment to steam open mail; a Division of Garbage Analysis was on the lookout for suspect trash. Stasi agents let the air out of targets bicycle tires and rearranged the pictures in their apartments in an effort to drive class enemies crazy.

Cooperation was often a prerequisite for career advancement, academic success, even a new apartment. The Stasi had the power to take your children away or keep you from getting into a university. Its visibility and ubiquity forced East Germans to make moral choices every day: Collaborate with an unjust, undemocratic system or suffer the consequences.

View post:
No, the NSA Isnt Like the StasiAnd Comparing Them Is Treacherous

The NSA's director of research Michael Wertheimer says it's "regrettable" that his agency continued to support Dual EC DRBG even after it was widely known to be hopelessly flawed.

Writing in Notices, a publication run by the American Mathematical Society, Wertheimer outlined the history of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), and said that an examination of the facts made it clear no malice was involved.

Dual EC DRBG is a random number generator championed by the NSA in the 2000s. Number generators are an essential component of encryption systems; a weak generator will leave encrypted data vulnerable to decoding by an attacker.

This random number generator was eventually approved as a trustworthy algo by the US National Institute of Standards and Technology (NIST), despite concerns that it could be faulty, and RSA made it the default encryption systems in its BSAFE toolkits. A subsequent report suggested the NSA paid RSA $10m to include the flawed algorithm a claim RSA denies.

In 2007 two Microsoft security researchers, Dan Shumow and Niels Ferguson, pointed out that there were serious flaws with Dual EC DRBG, and that using it with elliptic curve points generated by the NSA could create a "trap door" that would allow encryption to be easily broken.

"With hindsight, NSA should have ceased supporting the Dual EC DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable," Wertheimer wrote [PDF].

"The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST's April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual EC DRBG casts suspicion on the broader body of work NSA has done to promote secure standards."

The case doesn't prove the NSA is actively trying to subvert crypto standards, Wertheimer argued, merely that a mistake had been made and then rectified. He pointed out that the NSA was keen to fund more mathematical research and post September 11 this work was vitally needed.

But Wertheimer's version of events isn't sitting well with some experts in the field. Assistant research professor Matthew Green of Johns Hopkins University Information Security Institute in Maryland has written a rebuttal to Wertheimer, pointing out several holes in his story.

For a start, Prof Green said problems with Dual EC DRBG systems that used the NSA's elliptic curve points were first noticed way back in 2004 by members of an ANSI standards committee, when NIST was still considering backing the algorithm. Someone on the panel even went as far as to file a patent on breaking encryption using the system.

Read the original post:
NSA: SO SORRY we backed that borked crypto even after you spotted the backdoor