back to article NSA: SO SORRY we backed that borked crypto even after you spotted the backdoor

The NSA's former director of research Michael Wertheimer says it's "regrettable" that his agency continued to support Dual EC DRBG even after it was widely known to be hopelessly flawed. Writing in Notices, a publication run by the American Mathematical Society, Wertheimer outlined the history of the Dual Elliptic Curve …

  1. Cipher

    Wertheimer:

    "... In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable,"

    Regrettable that the flaw was found is what you really mean, correct?

    1. Eddy Ito

      Hmm, here I was thinking the message was more like - while backing the flawed algorithm was regrettable, they don't particularly regret backing it. In the vein of "please forgive us even if we aren't sorry". Meh, six vs half dozen, I suppose.

    2. Michael H.F. Wilkinson Silver badge
      Facepalm

      Well ....

      "... In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable,"

      I can think of better ways, in fact we are spoiled for choice:

      "Cynical" immediately springs to mind

      "Amateurish" given the way they handled it

      "Wannabe Machiavellian" because it blew up in their faces, as was always likely

      and many, many more

  2. Graham Marsden
    Thumb Up

    What a...

    ... Hoopy Frood!

    1. Mephistro
      Angel

      Re: What a...

      "... Hoopy Frood!"

      Doesn't that sound a bit like "Happy Fraud"?

      1. Sacioz

        Re: What a...

        Ice pose it doz ...)))

  3. asdf

    Anybody seen the Southpark with the former CEO of BP? Its coming.

    Looks like the NSA getting the cold shoulder they deserve from the standard bodies and industry groups is finally starting to bother them. If this is the start of charm offensive its off on the wrong foot.

    PS: This dude in a few months when he gets desperate nobody is buying his bullshit.

    http://www.youtube.com/watch?v=9u0EL_u4nvw

    1. This post has been deleted by its author

    2. Captain DaFt

      Re: Anybody seen the Southpark with the former CEO of BP? Its coming.

      Nah, this one seems more accurate:

      https://www.youtube.com/watch?v=h6BJJe9JV_A

    3. Anonymous Coward
      Anonymous Coward

      Re: cold?

      Looks like the NSA getting the cold shoulder they deserve from the standard bodies

      er..to be Frank, I haven't noticed any particular shift (yet) in the co-operation of some standard bodies with those members *known* to have multiple affiliations...it's completely business as usual

      politically the Snowden allegations are still just allegations, and standards bodies are quite politically driven, thankfully, recently the UK Intelligence & Security Committee (ISC) did harrumph something relevant.

      http://www.thebureauinvestigates.com/2015/01/11/thatcher-and-blair-cabinet-secretary-intelligence-committee-has-helped-public-by-confirming-gchqs-internet-tap-tempora-powers/

      Lord (Sir Robin) Butler, said the ISC had “helped the public” by officially confirming what GCHQ repeatedly refuses to confirm or deny…

      ...the first official confirmation of GCHQ’s powers came only in November 2014, contained in the fine details of an ISC report into the death of Lee Rigby….The ISC has helped the public by putting a description of GCHQ’s capability in the public domain.

      The Lord refused to talk about TEMPORA: “It seems to me that it is the capability which is the important matter for people to know rather than its codename.”

      Lord Butler, was Cabinet Secretary & head of the Civil Service from 1988 to 1998, confirmed the committee had discussed GCHQ’s “no comment” policy with the spy agency, but declined to say anything further. Derek Smith, Cabinet Office press spokesman for the ISC also said the committee “will not be drawn” on the subject of the policy.

      The ISC report says: “GCHQ … has access to communications as they move over the internet via the major internet cables. This provides the capability to intercept a small proportion of internet traffic.” The proportion of traffic accessed and processed by the agency is redacted.

      Of course, the actual GCHQ intercept code-name is irrelevant as as soon as the public get to know it, then it is immediately changed. But as the dear Lord above has mentioned, you now OFFICIALLY know that your data might be stored in Cheltenham.

    4. Fungus Bob

      Re: the start of charm offensive

      Well, it _is_ offensive...

  4. Anon5000
    Big Brother

    What....

    ....a complete load of utter bollocks spoken by that man.

    We have the Snowden files that show the NSA is actively trying to subvert crypto standards so who is he trying to fool? Oh, the mathematicians that for some reason he thinks are stupid enough to believe anything the NSA says again.

  5. Anonymous Coward
    Anonymous Coward

    Ok, he's a liar. And that's part of his job.

    But here he seems like an incompetent liar - are we meant to think that he thinks he's sold this version?

    "whoopsie, it was flawed and even though we hire more mathematicians than anyone else and pay well to get the best ones and historically have been years ahead of the disclosed state-of-the-art and were part of the committee discussing the flaws we somehow didn't notice them, our bad..." (blushes winsomely)

    Presuming not, what's the real message being sold? We're not so ominous really, look how we do pratfalls like your drunk uncle? Ok, here's your excuse and no we *don't* give a shit because prior experience shows it doesn't matter what we say, the Admin/Congress won't reign us in?

  6. Destroy All Monsters Silver badge
    Facepalm

    His excellency regrets.....

    Wertheimer argued:

    The case doesn't prove the NSA is actively trying to subvert crypto standards, merely that a mistake had been made and then rectified.

    It's like I'm really at the OJ Simpson trial.

    He pointed out that the NSA was keen to fund more mathematical research

    Of course.

    and – post September 11 – this work was vitally needed

    Because the Saudi trolls used hard crypto to run their show. It was totally not due to the utter ineptitude of the infighting TLA salad of the Heimland. Also, Saddam gassed his own people.

    Carry on.

    1. Michael Wojcik Silver badge

      Re: His excellency regrets.....

      The case doesn't prove the NSA is actively trying to subvert crypto standards, merely that a mistake had been made and then rectified.

      It's either malice or incompetence. As soon as Dual-EC DRBG was published, people pointed out that it had lousy performance and no known advantages over any of the other strong cryptographic PRNGs in use, even if it wasn't backdoored. So it was either deliberately broken or obviously substandard. It shouldn't have been published in the first place, and there aren't any circumstances under which the NSA could have continued to support it innocently, backdoor or no.

      The same applies to RSADSI's inclusion of it (with the default points) in BSAFE. There simply isn't any excuse - it's complicity or failure to be sufficiently diligent.

  7. Anonymous Coward
    Anonymous Coward

    Too little, too late.

  8. TonyK

    Misnegation or obfuscation?

    "In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable."

    You might want to run that through your internal parser a few times. It is a syntax error; but if it means anything, it means that he has no regrets at all over the failure to drop support for the rogue algorithm.

    1. DropBear

      Re: Misnegation or obfuscation?

      Didn't anyone tell him that the whole world is aware that ANY sentence beginning with "In truth" is definitely a lie, no exceptions?!?

      1. Pascal Monett Silver badge

        In truth, I totally agree with you.

        1. Sir Runcible Spoon

          To be perfectly honest, I don't.

  9. Anonymous Coward
    Anonymous Coward

    After carefully considering all the evidence...

    I've arrived at the conclusion that the people that work for the NSA are simply not very bright.

    Is there another secret NSA where all the clever people are hiding, or is this as good as it gets in terms of America's national security?

    1. P. Lee

      Re: After carefully considering all the evidence...

      Since no-one is ever going to believe or use NSA stuff ever again, I doubt it matters.

      Presumably, even the NSA doesn't use its proposed standards.

      1. Michael Wojcik Silver badge

        Re: After carefully considering all the evidence...

        no-one is ever going to believe or use NSA stuff ever again

        Except everyone who's required to use FIPS-compliant cryptographic systems.

    2. Captain DaFt

      Re: After carefully considering all the evidence...

      "Is there another secret NSA where all the clever people are hiding, or is this as good as it gets in terms of America's national security?"

      It's the age old problem of no one smart enough to do the job properly is dumb enough to work for'em.

  10. dan1980

    "As a record of history, Dr Wertheimer's letter leaves much to be desired, and could easily lead people to the wrong understanding . . ."

    Sorry, what's the "wrong understanding"? I think it is leading people to the exactly correct "understanding" - that the NSA had whole fists in this pie and their actions were deliberate and the consequences (for the strength of the crypto) well understood.

    Nothing - nothing - Wertheimer has said convinces me that this episode was a 'mistake' or indeed anything other than a deliberate attempt weaken (or provide outright back doors to) a cryptographic standard that was to be used by numerous companies and individuals. The relative crudeness of this activity can be seen as arrogance in a pre-Snowden world. Certainly the idea that a group so apparently committed to "advocating secure international standards" ignored research of their peers for some benign reason is laughable - or proves gross incompetence.

    What we need to know to have even the slightest inclination to believe this drivel is the following:

    • Were the NSA mathematicians aware of the potential problem before it was revealed in 2004 and proven in 2007?
    • If not, were the NSA mathematicians aware of the research and publications/presentations where these flaws were shown?
    • If not, why not?
    • If they were aware, did they bring this to the attention of the relevant people?
    • If so, what action was taken?
    • Given the algorithm was not dropped, who made the decision that the revealed - and proven - flaws were not sufficient grounds to do so?
    • What was the reasoning for not acting?

    "In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable."

    If he is really, really telling the truth (this time, trust us) then I can think of a better word: incompetent. Massively, unforgivably incompetent. If the goal was really to provide as secure a cryptographic standard as possible then it's just not believable that the mathematicians, on learning of these flaws, wouldn't have informed the relevant people at the NSA. I believe that the mathematicians the NSA hires are very good indeed - they have to be - so I just can't see them not understanding the flaws. Therfore, the incompetence is squarely on those people who took that information and did nothing with it.

    Again, that's if Wertheimer is indeed telling the truth.

    More amusing is:

    "Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise."

    Clipper anyone?

    1. Pascal Monett Silver badge

      "A fair reading of our track record"

      A fair reading of your rack record clearly indicates that you have no regard either for the Constitution of your own country or for any sense or moral at all. You are just the visible tip of the iceberg of paranoia and ends-justify-the-means attitude that has forgotten what made the USA a great country and has brought it to a state one step above African dictatorships.

      1. Sir Runcible Spoon
        Coat

        Re: "A fair reading of our track record"

        "We didn't do nuffin' wrong really"

        <swish>

        "The next time my hand flies, for where I come from there are penalties when a state sponsored spook lies. Oh, wait, wrong universe...as you were."

        <shuffles off to build a web site>

  11. erikj

    The NSA has no real standing on helping secure anything

    I'm not an expert on technical aspects, but I don't see why anyone would see the NSA (or any similar agency) as having any role in ensuring any data can be sent with absolute security. If the NSA knows some crypto is truly secure, they will never admit publically such a method is safe. So, any method the NSA recommend *has* to have been broken. It's that simple. I'm guessing RSA incorporated NSA-approved crypto components mainly to secure government business -- a win-win for the NSA.

    The NSA's (and some of Congress') public comments are exemplary in their ability to say something while saying nothing. The massive data vault being assembled in (I think) Utah (and probably elsewhere) is absolutely designed to capture every packet of digital communications transmitted from all points of the world. The encrypted bits will get summarily decrypted and indexed, either through vulnerabilities or by brute force, in advance of any potential warrant for the content. The NSA likely thinks they can do this even with domestic communications because the end result is sealed from outside investigators until a warrant is presented (and it's a pretty low bar to get one). Meanwhile, I recall it only takes a 50.1% likelihood that the communications qualifies as domestic to give that modicum of protection.

    I don't envy the NSA's mission though. They are trying to operate in a world where the public demands both absolute privacy and protection from destructive actors using these same protections to help execute truly evil things. But the laws protecting privacy (for U.S. citizens, at least) are just plain hollow. Our protections are in the hands of a few secretly appointed judges who do not understand what they are being asked and have no real public oversight. I doubt they've rejected a single application for a warrant. This is my biggest problem with the whole situation. The Congress also needs to stop being toothless, ignorant enablers of this secret court -- but Congress' credibility is nothing to crow about either.

    The NSA should just stay out of the commercial security business and stay away from academic contributions because they have no standing or credibility. They should quietly listen on targets identified by a (eventual) transparent oversight process and make it easier for the constituent agencies to obey the law. As things stand today, there is *nothing* these agencies can't get away with. And that's probably what they all want.

    1. Yet Another Anonymous coward Silver badge

      Re: The NSA has no real standing on helping secure anything

      Because the NSA's other major role is to advise its client - the US government and its armed forces.

      Telling the chiefs of staff that the codes they use to protect their troops are faulty, you knew they were faulty or deliberately made them faulty in order to spy on facebook - is likely to get a response a little stronger than 'regrettable'

      1. dan1980

        Re: The NSA has no real standing on helping secure anything

        @YAAC

        But this is the thing - this conflict was understood and that's why this area is the domain of NIST. The idea was to have a civilian organisation dealing with civilian matters - which government is. NIST sets the standards for the protection of government information, which is civilian information.

        NSA is there for the armed forces.

        The problem came when the Memorandum of Understanding was signed in n 1989, which had the effect of inserting the NSA into this process, specifically requiring NIST to consult NSA and, for all intents and purposes, rubber-stamp the recommendations of the NSA as though they were from NIST themselves.

        That arrangement needs to end. Right now. If not sooner.

        1. Sir Runcible Spoon

          Re: The NSA has no real standing on helping secure anything

          Thanks for that enlightening insight into the ever deepening corruption of our political system.

          I can't think why radicals from a backwards culture think we are all corrupt. Until they wise-up, the public will always be in the firing line from both sides.

  12. Anonymous Coward
    Facepalm

    And this year's nominees for "Understatement of the Year" include:

    "Furthermore, we realize that our advocacy for the Dual EC DRBG casts suspicion on the broader body of work NSA has done to promote secure standards."

    Gee, you think?

    1. dan1980

      Re: And this year's nominees for "Understatement of the Year" include:

      @Marketing Hack

      Actually I submit it's the opposite; I would suggest that the "broader body of work [the] NSA has done" is what "casts suspicion" on their "advocacy for the Dual EC DRBG".

  13. Anonymous Coward
    Anonymous Coward

    Re: This post has been deleted by its author

    We have a copy and we know who you are.

    Sincerely,

    NSA

  14. Crisp

    "I can think of no better way to describe our failure..."

    Then Michael Wertheimer simply isn't trying hard enough. I can think of three better ways and I've not even had breakfast yet.

  15. Trigonoceps occipitalis

    Cammeron Crypto Ban

    Now I see. The commercial crypto systems are so borked that I am pleased that he has banned them. I can't place any reliance on them so can't now be caught out when banking, buying, investing, etc.

  16. Gary Bickford

    NSA is not just one institution

    It is a mistake to paint all of NSA with one brush. The Signals Intelligence Division is the 'spooks' that we tend to think of. The IT Division is the computer jocks. And the Information Assurance Division is responsible for protecting US business and government from attackers of all kinds. To an extent, from what 8ve learned, IAD works somewhat at cross-purposes to SID. IAD really, really wants to make sure encryption is strong and systems are secure. I think they are the ones behind SE Linux, for example. And I think that division is also the one doing the research on new encryption methodology. Including a back door in the tools used by government, banks, the military, etc. is just asking for a foreign governed to discover and exploit it, which makes no sense whatsoever. So belief that NSA does this is probably more conspiracy theory and less rational observation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like