New NSA-Approved Encryption Standard May Contain Backdoor

Hugh Pickens writes "Bruce Schneier has a story on Wired about the new official standard for random-number generators the NIST released this year that will likely be followed by software and hardware developers around the world. There are four different approved techniques (pdf), called DRBGs, or 'Deterministic Random Bit Generators' based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor. In a presentation at the CRYPTO 2007 conference (pdf) in August, Dan Shumow and Niels Ferguson showed that there are constants in the standard used to define the algorithm's elliptic curve that have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."

umm

[superwiz]

Don't look for malice where incompetence will do.

-- Napoleon

The answering machine

[Verteiron]

Anyone else reminded of the little Black Box from Sneakers? The one that used a mathematical backdoor to break any encryption based on a certain algorithm that was only used in the USA?

Ummm...encryption standard?

[morgan_greywolf]

Is what is essentially a random number generator really an 'encryption' standard? And if it's really a backdoor, don't you still need to know rather quite a bit more than the random number seeds to break something like AES or RSA?

Re:From TFA:

[Saint Aardvark]

And this bit from Bruce's article:

If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

In the meantime, both NIST and the NSA have some explaining to do.

Everyone who is not in NSA...

[SlipperHat]

Should use the one that is hardest to break. If the NSA thinks elliptic curves are the best, only the NSA should use it. Let's see how happy they are having their own "unbreakable" code just for them.

Personally, I wish the NSA was a bit more chivalrous when it comes to these kind of things. If it is your **JOB** to break codes, why whine when people pick the one that is hardest to break. The rest of the world doesn't have the luxury to pick how hard their job gets to be, so why should you?

The NSA is like an anti-virus / a pharmaceutical company where a cure is only good if it's in the company's best interests. Not to say that anti-virus / pharmaceutical companies are not ethical. But there is a saying along the lines of "If you can't come up with the solution, there is good money to be made in the problem."

Re:umm

[someone1234]

The weakness of the encryption is not incompetence.
The incompetence is that they failed to hide it.

I can't be the only one:

[rilister]

I can't be the only one who clicked on the link and was astonished to see:
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng - by Dan Shumow, Niels Ferguson, Microsoft"

Microsoft are exposing this? Are they funding the group making these kind of claims? If this was true, wouldn't this intensely annoy the NSA to have this exposed? Am I missing something here? .

- I see the disclaimer ("What we are NOT saying") where they seem to be saying - "No way did the NSA intentionally make this broken - maybe it was an errant developer and maybe they knew what they were doing", but it amounts to the same thing, surely?

Re:The answering machine

[harryHenderson]

Of course the truly paranoid individual would realize that the backdoor in Dual_ECD_RBG was merely an "obvious" decoy designed to herd us all onto the other three which also have backdoors. ;) (not to make light of what Mr. Schneier's point - the NSA has every reason to deny others effective cryptographic tools)

Ummm, parent is right.

[iknownuttin]

But this is the NSA we're talking about... Not the Bush administration.

I wish I could remember the show I saw. But the scientist (MIT, PhD scientist) was amazed at the intellect of the NSA folks who came to see him about his research. I can't remember who it was - it was a NOVA episode (but it stuck in my head because of his fear!). And after talking to friends who work with various internet security companies and defense contractors, I have to reiterate their opinion of these guys - they're really sharp. And as much as I like to disparage Government workers, these guys aren't to be trifled with.

And, as I was previewing, I noticed that the parent was moderated "Offtopic".

As an Offtopic note: 2 out of 3 down mods that I meta mod are unfair. Keep that in mind. It's really pissing me off.

Things we know we don't know.

[ColaMan]

The NSA is a lot more competent than you think.
Go google "NSA DES" sometime.

"The NSA was embroiled in controversy concerning its involvement in the creation of the Data Encryption Standard (DES), a standard and public block cipher used by the US government. During development by IBM in the 1970s, the NSA recommended changes to the algorithm. There was suspicion the agency had deliberately weakened the algorithm sufficiently to enable it to eavesdrop if required. The suspicions were that a critical component -- the so-called S-boxes -- had been altered to insert a "backdoor"; and that the key length had been reduced, making it easier for the NSA to discover the key using massive computing power, although it has since been observed that the changes in fact strengthened the algorithm against differential cryptanalysis, which was not publicly discovered until the late 1980s."

So they made some small changes to DES... then a *decade* later, the rest of the crypto world says, "Huh. We've just done the sums and that actually made it better."

Not to say that in this case they're just screwing with the algorithm though :-P

why put all your eggs in one basket?

[Sloppy]

I see how it could be a problem for embedded work. But on personal computers, which nowdays have tremendously abundant resources, why not use multiple algorithms and entropy sources to build your pool? (Yes, I know some systems already do this.) NSA may be able to predict one sequence, but they sure as hell can't predict a bunch of them, XORed. They'd need mathematicians to crack all the RNGs, have a camera on your lava lamp, a microphone listening to the room, a tap on your power line, etc. By the time they do all of that, they might as well have just asked you what your plaintext is.

alternate explanation for incompetence

[Anonymous Coward]

There is another explanation; difference of opinion between management and staff

- Management wants a backdoor in public standard, orders their very smart math geeks to make it so
- Math geeks say it can't be done
- Management insists
- Math geeks go away and come up with something out of left field that technically fulfils the request of management, knowing it's vulnerabilities. They probably tell management that their solution is the best they could do, but it still has all the following problems (slow, crypto-nerds will see through it sooner or later, etc)
- Management hears the 'best' and 'done' part, discounts possibility of anyone outsmarting their 'uber-elite' NSA math geeks

predictable results follow.

Open Source not enough...

[0ptix]

Open source alone is not enough. In fact these algorithms ARE open source. There even public domain standards!

Crypto is a special case. While it's true that "open source" cryptographic algorithms/protocols tend to be far safer choices then proprietary/secret/home-brew algorithm the problem is that correctness of a cryptographic algorithm is a far stronger notion to achieve and verify then for a normal program. For a normal program "correct" implies producing the right out put. In a cryptographic setting we want the the "correct" output which must be "secure". Precisely understanding the meaning of "secure" for a given app. and context is a central concern of cryptographers.

What is needed for crypto is the next step beyond open source, namely open process. That is along with an algorithm the NSA (or NIST or IBM or whoever) should be publishing a complete security definition, analysis and reasoning behind the design choices. (See The Making of Rijndael [google.com] for example.)

If the NSA had provided ANSI, NIST and the public with such documentation then the problems pointed out by Shumow and Ferguson would not exist. The reasoning behind the choice of all constants would be clear to all.

On a realistic note it's not exactly likely that the an organisation like the NSA would ever do such a thing. Take the case of the DES algorithm developed by IBM with help from the NSA. Only a decade later later when Eli Biham and Adi Shamir published their work on Differential Cryptanalysis did the reasons for the choices of constants in DES become clearer. However at the time of DES's creation this (very powerful) cryptanalytic method was not known to the public. Thus by demanding open process the NSA would effectively have been required to release what was probably one of their most guarded technological advancements.

Thus since it can not be expected that the NSA adhere to open process development I think our best bet is to simply go with another algorithm which does. Like rijndael for example...

Re:Things we know we don't know.

[Deanalator]

The same thing happened with SHA. Even creepier was that they just threw a "leftshift 1" in the middle of the algorithm. This is the difference between SHA0 and SHA1, yet 10 years later new attacks on hashing algorithms emerged that broke SHA0 wide open, but SHA1 was resistant.

This 10 year thing starts to tickle my paranoia. NIST has the stated goal to make all of it's algorithms unbreakable for at least 10 years, and the NSA claims on their website that they are always 10 years ahead of what is known publicly (with respect to computational power and cryptographic research).

Re:Of course! Just look what they did with the tel

[Burz]

Hardware manufacturers? How about certificate authorities? [dailykos.com]

If any of you think this is the least bit specious, the VeriSign website proudly proclaims that they will subcontract to telcos/ISPs that are ordered to eavesdrop in a "legal intercept" capacity. There is no other reason for VeriSign to be in that line of work unless they are using their ability as CA to stage undetectable MITM surveillance attacks.

Why not swap out the broken part then?

[Weaselmancer]

Why not use the encryption as-is, but swap out the random number generator with something else?

I've always wondered why random number generators don't pull values from an A/D converter hooked to a white noise generator or Lorenz attractor or some such.

Don't forget: THANK YOU Bruce Schneier

[KWTm]

Kudos to Bruce Schneier for being a respected voice of reason and (seen to be) a disinterested party to critically analyze the strengths and weaknesses of what will be a backbone of computing (and, indeed, our daily lives).

If I were the NSA trying to work in a back door, instead of coming up with a subtle flaw in the algorithm, I'd get Bruce Schneier to publicly praise an algorithm known to have flaws, while simultaneously offering to pay him a gajillion bucks and threatening his family if he refuses. That would probably derail publicly available encryption for a while. ("Bruce Schneier recommends: WinCrypt Terrorist Edition!")