NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable" 106
Trailrunner7 writes In a new article in an academic math journal, the NSA's director of research says that the agency's decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a "regrettable" choice. Michael Wertheimer, the director of researcher at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspect of it from the beginning. "With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable," Wertheimer wrote in a piece in Notices' February issue.
Wait, which part is he sorry about now? (Score:5, Insightful)
Is he sorry that they created a monster or is he just sorry that they got caught and now their credibility is in the trash can?
Re:Wait, which part is he sorry about now? (Score:4, Insightful)
The later, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?
Re:Wait, which part is he sorry about now? (Score:5, Insightful)
"Words cannot express how sorry we are. Next time, we will make sure the backdoor is much less obvious."
Re:Wait, which part is he sorry about now? (Score:5, Insightful)
"Words cannot express how sorry we are. The next time, we made sure the backdoor was much less obvious"
FTFY
Re:Wait, which part is he sorry about now? (Score:5, Informative)
It's worse than that. The NSA is demonstrating how incredibly arrogant it is. The apology is for not dropping support once the flaws become public knowledge. The implicit assumption is that it was secure before the flaw was made public, which shows how little the NSA thinks of foreign intelligence agencies. Clearly there was no way one of them could have found it and been exploiting it for years.
Re:Wait, which part is he sorry about now? (Score:4, Interesting)
The later, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?
I think the proper word is "Treasonous"
In the DoD, the NSA-backed algorithms have been used without question, and in creating a backdoor'd generator, they've compromised our national security.
Re: (Score:2)
Re: (Score:1)
They got it added to NIST. So it's essentially a REQUIREMENT for many Federal agencies (and whoever else wants to follow suit) to implement this!!!!!
That's not true anymore. NIST removed that recommendation. They now only recommend aes128 192 or 256.
Re:Wait, which part is he sorry about now? (Score:5, Informative)
The correct term is Sedition [wikipedia.org].
Note the boldface. In this case the "established order" is the rule of law enshrined in the constitution. The NSA has subverted the constitution with warrantless mass surveillance. The Department of Homeland Security (aka Department of Homeland Pork) has ignored the constitutional right to due process with the "no fly list": there is no official way to find out if you are on it or to be removed from the list.
These actions, along with many current policies, are absolutely unconstitutional. In short, sedition. They betray the constitutional rule of law. Treason typically is the betrayal of one's country to another sovereign entity.
he SAID "after it was discovered" (Score:2)
He said:
NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor.
Re:he SAID "after it was discovered" (Score:5, Interesting)
("Please don't look for more holes in stuff we support. Ignore the man behind the curtain. We're from the government, and we're here to help.")
Re: (Score:3)
Exactly. This is not an apology. I read TFA. Somehow, they want to put the horse back in the barn. There was a time that they had a mission to develop technology that was useful to US government agencies, industry, banking interests, etc. I truly respect people who were doing honest work at securing US interests. But there is just no going back, all that work is forever tainted.
Re:Wait, which part is he sorry about now? (Score:4)
Is he sorry that they created a monster or is he just sorry that they got caught and now their credibility is in the trash can?
He's sorry that they continued supporting it after the flaws were discovered. He regrets that they were so obvious.
Re:Wait, which part is he sorry about now? (Score:4, Interesting)
Worse than they, they had intended to use the power they control to attempt to force the use of it. The real question is how long before other people discovered the flaw were they aware of it and was it the only reason they supported it in the first place. This makes far more sense when you consider they still pushed it once the flaw was discovered, they were already heavily invested in pushing it onto the public exactly because of that flaw, they wanted that flaw. So who originated the work and thus who can not now be trusted as they are very likely an under cover NSA agent. Which brings to the point how many others are out there, how many others are working to break your security, how many others are out there working on entrapment and extortion plans and how many others can not be trusted to touch your hardware because they will touch it in a very naughty way.
Brings to mind the penalties private corporations have been paying when they have failed to secure the privacy of the public, how many of those were as a direct result of an incursion led by the NSA and basically leaving holes which others have then exploited. Just like the FBI and Lulzsec, most of the damage was done after the FBI took over and were seeking to groom minors into a life of crime, supply the resource, the technology and the targets, so they could what prosecute them or recruit them or as it seems most likely, both.
The NSA and the FBI and all the rest are going to run into the exact same problem, they are going to end up recruiting privacy invasive perverts who get a kick out of invading the private lives of others, creating that perverted delusion of control over others and that will inevitably reflect upon how the agencies carry out their activities. How the individuals within them will get a sexual kick about invading the privacy of others and how given time that kick will demand greater and greater control and express itself as schemes of extortion, whether to break into other secure data stores, whether to profit or whether to extend that sexual perversion into direct personal molestation.
Re: (Score:1, Insightful)
No, I think you both still miss the point. I was "first post" before this article, Snowden, or anyone else. I was saying this was happening before even Slashdot's founding. I simply guessed it, well over a decade ago by following the money. Only then I wasn't rated "+5 Insightful" I was rated by my peers as "-5 crazy for saying the emperor is naked."
Re: (Score:1)
No, I think you both still miss the point. I was "first post" before this article, Snowden, or anyone else. I was saying this was happening before even Slashdot's founding. I simply guessed it, well over a decade ago by following the money. Only then I wasn't rated "+5 Insightful" I was rated by my peers as "-5 crazy for saying the emperor is naked."
Will the real first post please stand up.
Re: (Score:2)
our failure to drop support (Score:2)
"describe our failure to drop support for the Dual_EC_DRBG algorithm" = as designed
That's why we gave EMC money (Score:2, Insightful)
To ensure it's inclusion as default in RSA products.
Re:That's why we gave EMC money (Score:5, Informative)
To ensure it's inclusion as default in RSA products.
Yup. $10M to use it as the default encryption mode. They also tried to require it for FIPS certification so pardon my gasps of disbelief.
Re: (Score:1)
I guess from their perspective that really does make such software "safer"
I always wonder why the NSA/CIA, etc think that it's ok if they have backdoor keys into encryption when it's pretty obvious that that backdoor will leak eventually and be used by criminal or terrorist actors. Maybe that's the point -- if the NSA can keep everyone frightened then they can continue with the program.
But they must realize that it really makes everyone less secure in the long run.
maybe that's what this article is about -- they realize their cover is blown and their goals are obviously exposed n
Re:That's why we gave EMC money (Score:5, Insightful)
The reason this back door was acceptable to them was they essentially convinced the world to use their public key as the standard seed for the algorithm. It's like putting your account information on random deposit slips at the bank. It's not the sort of "hack" that compromises your own security as long as your "private key" remains secret.
Contrast this with DES/AES, where they have fought to make the algorithms more secure. Not because they want what's best for everyone, but because those vulnerabilities were something that an adverse nation state could potentially independently discover where they didn't have an exclusive ability to exploit the weakness.
Now their intentions are clear: they aren't enlightened good guys. They're just pragmatic attackers. An exploit that is just as likely to benefit China or Russia is worse than no exploit at all. An exploit that only they can benefit from is golden. At least now we know where to look when doing our code audits.
Re: (Score:1)
other descriptions... (Score:3)
Re:other descriptions... (Score:5, Insightful)
how about "works as intended"
Why is it regrettable? (Score:5, Insightful)
I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?
Also, "is regrettable" is basically the passive tense. Does he regret it? Does he thing that the congressional oversight committees are morally culpable for not having stopped it?
Re: (Score:1)
Yeessss... let the Microsoft grammar checker flow through you...
Re: (Score:2)
I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?
Also, "is regrettable" is basically the passive tense. Does he regret it? Does he thing that the congressional oversight committees are morally culpable for not having stopped it?
Here is the video: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?
He regrets it like he regrets eating that hot chili cheese burrito.
Re: (Score:2)
Also, "is regrettable" is basically the passive tense.
At best it's deagentization. Syntax-wise, I don't see anything passive about copulative sentences.
Re: (Score:2)
With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise.
No admission of guilt (Score:5, Informative)
Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.
This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.
Re:No admission of guilt (Score:4, Interesting)
I wonder if it would have been a security violation for him to admit it, so this is the best he can do?
Re:No admission of guilt (Score:4, Insightful)
It's entirely possible that they did not engineer the backdoor - that might have come from the original creator.
It's further possible (although I would hope it's not the case) that they did not find the backdoor before it was publicly disclosed.
Either way, they should have stopped endorsing the algorithm as soon as they knew it was weak, whether that was at public disclosure or earlier.
That they continued to claim it was secure after it was publicly known to be weak is a complete failure on their part, and they are DEFINITELY culpable for that.
We BELIEVE that they probably put it there, in which case, they're even more culpable, but we don't know that for certain...
Re:No admission of guilt (Score:4, Interesting)
Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.
This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.
And you don't understand what actually happened. There is no evidence and there never was evidence that the algorithm had a backdoor. There is evidence that _if_ the NSA had known about the possibility of a backdoor early enough, they _could_ have added a backdoor. There is no evidence that they knew about it early enough, and there is no evidence that they added a backdoor. The NSA _does_ know that nobody else added a backdoor. So they either added a backdoor, or they didn't and know there is no backdoor. There is no evidence either way.
So nobody has any evidence that they have done anything wrong. They supported this standard for too long, and there are two logical explanations for this: Either because they had added a backdoor and wanted to use it, or because they knew for a fact that there is no backdoor (because only the NSA could have added it and they know they didn't) and therefore knew that the algorithm was safe.
Re: (Score:2)
There is no need to wait for non-circumstantial evidence. The government likes to use lessor evidence standards than beyond a reasonable doubt so lets follow their example.
What is more likely than not? That the NSA missed a public/private key based backdoor designed into an algorithm, strongely supported it after it was revealed that such existed, and bribed RSA over it? Or that NSA designed it in from the start and through a fit of managerial incompetence, trashed any trust they had accumulated with non
Interesting wording (Score:3, Insightful)
I find it very interesting the wording. They think that they should have "ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor" and that their failure to do so was regrettable. What about their helping to develop the algo with a back door to begin with?
They are essentially coming out and admitting they are sorry that they didn't drop support, because if they had dropped support at least they would have been able to cover up the fact they intentionally create algorithms with flaws to begin with.
Re:Interesting wording (Score:4, Insightful)
Just getting weak crypto created and set as a standard is the first part. Keeping it as a standard for some time was the real trick. At lot of smart people and top brands had to stay tame and look the other way on that aspect over the years.
The good news is people can just move back to number stations and only use one time pads once.
The intentionally create algorithms seemed to go back to the 1950's as the Martin and Mitchell defection hinted in the early 1960's
https://en.wikipedia.org/wiki/... [wikipedia.org]
"Our main dissatisfaction concerned some of the practices the United States uses in gathering intelligence information
The NSA has nothing to regret. (Score:3, Insightful)
Nothing happened. The spying continues as if nobody said a thing. It had no effect on the election, and it won't have any effect in the next one. Whatever the NSA does from here on out cannot be blamed on anybody but the voters. It's extremely simple.
Re: (Score:3)
It isn't even just a case of voters ignoring the issue; countless people directly support the unconstitutional freedom-violating mass surveillance. So yeah, it's definitely the fault of voters, and a lot of them love it.
Re: (Score:1)
Yes, I did fail to bring up the fact that most people want this. We truly do have a very representative government in the US.
Re: (Score:2)
Nothing happened. The spying continues as if nobody said a thing. It had no effect on the election, and it won't have any effect in the next one. Whatever the NSA does from here on out cannot be blamed on anybody but the voters. It's extremely simple.
Wow, you mean we get to vote for the chief executive, who is the boss of executive agencies like the NSA?
That's good to know. I wonder who most of those complaining about the NSA supported and opposed the last time they had the chance?
Everybody regrets getting caught (Score:3)
With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor
So really he regrets they got caught trying to insert a backdoor and wishes they would have handled the after math of being busting in a way that might have won back some undeserved trust, but he does not regret attempting back door the algorithm in the first. I read this as "would do it again".
That's not an apology. (Score:5, Insightful)
That's no apology, it's that's just expressing regret.
If they really wanted to apologize, they should be apologizing for subverting the standards process in the first place. Both RSA's and NIST's credibility are in the crapper thanks to them, though it's admittedly RSA's own fault for taking the $10 million.
But there's no point in apologizing to the crypto community or even to any subset of it. This behavior by the NSA was almost expected, and it would be stupid to not believe it given all the pre-Snowden evidence. In fact, it validates a lot of people's conclusion that funny-looking and funny-smelling things should generally be avoided.
Re: (Score:1)
it validates a lot of people's conclusion that funny-looking and funny-smelling things should generally be avoided.
You mean like how AES is a curiously simplistic untested algorithm that somehow got standardized?
Fuck you, Mike! (Score:4, Insightful)
It was "regrettable" that, after the whole community cast aspersions at your intentionally-broken algorithm, you didn't drop your own support for it? Go eat a fucking dick.
What you should have done, instead of "dropping your support", was come clean and say "sorry guys, that was a shitty thing to do and we should not have done it. This algorithm was in fact sabotaged by us and it should never be used for anything other than a case study for cryptographers learning to detect shitty things like this being done to algorithms in plain sight. We ought to using better tools to catch bad guys rather than intentionally breaking encryption for everyone."
Asshole. Dual-use technologies work both ways, smarty-pants: if you break the algorithm, it's broken for the good guys, too, and the bad guys pwn everyone who thinks they are safe.
Seriously, fuck you.
Re: (Score:1)
My sentiments exactly. This post deserves to be heard. It deserves more than a 0 score.
Re: (Score:2)
Re: (Score:2)
Dual-use technologies work both ways, smarty-pants: if you break the algorithm, it's broken for the good guys, too, and the bad guys pwn everyone who thinks they are safe.
The cleverness of Dual_EC_DRBG is that it really is broken in a limited way. It produces numbers that are random to everyone who doesn't know the seed or a particular private key, which we assume only the NSA has. It's just as secure as using any "good" random number generator and then sending the seed to the NSA using public key encryption.
Failure of imagination (Score:2)
Re: (Score:2)
I would go so far as to say its basically theft, since in doing this (along with so many similar actions) they've basically done the exact opposite of the task to which they were assigned when we handed over our tax dollars to fund them.
As a mathematician... (Score:5, Insightful)
I find Werthiemer's characterization of this gross oversight to be..."regrettable."
Let's remind the reader and put the role of NSA mathematicians in context: In the world of mathematical research, what the NSA knows is by construction a superset of what the academic community knows. That is to say, NSA researchers have at their disposal the body of all published mathematical literature, in addition to any discoveries they have made internally, whereas non-NSA mathematicians do not have access to the latter. If a flaw in a commonly used cryptographic scheme is discovered by the NSA but is unknown in the public arena, this immediately leads to an exploitable situation.
Thus, when outside researchers discover an issue, this tells us NOTHING about if or when the NSA knew about the same flaw. It also means nothing for NSA mathematicians to apologize or write in public correspondence what their version of events was. Their lack of credibility does not stem from the existence of such flaws; no. Neither does it necessarily follow from the lies they have told in other respects. On this point I must be completely clear. Their lack of credibility stems from the aforementioned and inherent information asymmetry. To attempt to infer the sincerity of the message based on indirect evidence, past behavior, and allusions to glorious historical efforts is to be misled from the fundamental reality, which is that the NSA and its mathematicians are under no obligation to tell the truth because they undoubtedly possess mathematical secrets that the public does not.
That said, I am gratified that many preeminent mathematicians working in the fields of number theory, cryptography, algebra, combinatorial analysis, and cryptanalysis do not choose to work for the NSA and instead remain in the academic community, on the premise that the advancement of humankind necessitates the openness of the process of discovery and the unrestricted dissemination of mathematical research.
Re: (Score:1)
The problem here is not that the NSA "discovered" the flaw and kept quiet, but rather the appearance that they could have engineered a backdoor into the protocol that giving them a backdoor that no-one else had. NSA is claiming they didn't realize their insistence upon using a specific vector set of their choosing would give them this advantage. The Snowden revelations make that claim of ignorance very suspect given the high level of efforts at the time to infiltrate all forms of encrypted communications.
Re: (Score:2, Interesting)
NO_ONE that works in cryptography should EVER publish in the US, as OFTEN, their work NEVER sees the light of day. The NSA frequently silence any publication, including your thesis, under "national security".
Anyone with half a brain publishes in places like Germany, where "other" stakeholders help neutralize US bastardry.
Re: (Score:2)
Modulo pub net (aka Brewsky's) and "unpublished communication".
But apparently you subscribe to the the maxim that the "publish or perish" edict is axiomatically tantamount to "no unpublished thought" which I find interesting, because stuffy academic writing hardly strikes me as Truman Burbank's brainstem Twitter feed.
Not that this is a subject matter where we should stray into the kin
In other news... (Score:1)
I don't get it. (Score:2)
Why not use a real random number generator (such as avalanche noise in a semiconductor junction) to generate a key instead of a pseudorandom number generated by software that can be back-doored?
Re: (Score:1)
Think - why is the "standard" C library random number limited for 48 bits, rather than 64?
The standard C library's random number generator (RNG) was never designed for security applications. Even if it were increased to 64 bits, it would still be a terrible RNG to use for cryptography. It was designed to be "good enough" for things like Monte Carlo simulations and other similar math problems. Many problems require a RNG that can generate a lot of numbers very quickly, but only require the number stream to be "random enough" according to certain statistical measures. The C library is often good e
Re: I don't get it. (Score:1)
True random generators are not certifiable because no matter how long you run them you can never be sure that the randomness is evenly distributed. PRNGs can be tested and verified.
"Regrettable" =/= "Regretted" (Score:2, Insightful)
"It's something We should feel ashamed about. We DON'T feel ashamed, though." Big big difference.
And then... (Score:4, Interesting)
NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"
He then steepled his fingers and muttered "mwuhaha" under his breath.
Isn't "regrettable" how Bond villains usually refer to their gruesome murders of formerly trusted employees?
Didnt they themselves choose the seed table? (Score:1)
Mathew Green's take (Score:2)
Obligatory Dilbert (Score:2)
DROPPED PANTS (Score:1)