Skip to main content

How far did the NSA go to weaken cryptography standards?

How far did the NSA go to weaken cryptography standards?


As cryptographers come to terms with recent leaks, the government's credibility is at risk

Share this story

PGP encryption key
PGP encryption key

It started with an almost throwaway line in The Guardian's bombshell NSA cryptography story. After pages of shocking revelations, the article revealed one secret document showing that the NSA had "worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. 'Eventually, NSA became the sole editor,' the document states."

Has the NSA been poisoning the well of cryptography?

The National Institute of Standards and Technology is usually seen as an impartial judge of standards, so this was potentially catastrophic. This week, NIST denied the allegations, saying they would never "deliberately weaken a cryptographic standard," but the damage was done. Had the NSA been poisoning the well of cryptography?

The articles don't name specific programs as a concession to law enforcement, but the program was widely assumed to be a standard called the DUAL_EC_DRBG, which many have suspected of being an NSA plant for years. The algorithm works as a random number generator, but if it doesn’t work as advertised, it could easily serve as a backdoor codebreak for a third party like the NSA. (Most encryption schemes rely on random numbers to foil code-breakers, but if the NSA can guess the "random" string, it makes the code much easier to crack.) Early suspicions were also raised by two Microsoft engineers, John Kelsey and Niels Ferguson, which is consistent with the New York Times' description of the plant. If it's true, it's both good and bad news: the NSA really did get a bad standard approved by one of the most important boards in cryptography, but it probably didn't do them any good.

"If the NSA had $250 billion and this was the best they could do, then we have nothing to fear from them."

Unlike earlier leaks, this one comes with a lot of caveats — starting with the fact that DUAL_EC_DRBG was never widely adopted. When it was approved, it was included among three other standards, all of which were faster and more effective, so the NSA's choice was never a favorite. "I can tell you as a crypto professional, I took one look at it and said, that's gonna be slow, and then forgot about it," says Silent Circle CTO John Callas, who was working on cybersecurity for Apple at the time. When larger concerns were aired, a year after the fact, it was more important to NSA watchers than cryptography pros. For the most part, the standard had already been dropped. As Callas put it, "If the NSA had $250 billion for cryptography backdoors and the best they could do was Dual_EC, then we have nothing to fear from them."

The NSA's involvement in the standard was clear from the beginning

It's also unlikely that NIST's own working group was compromised by any NSA covert action. Miles Smid was on the NIST working group that approved the standard and has since moved on to private contracting. He says any NSA involvement was fully disclosed, and happened before the group ever convened. "I don't recall that there was anything shadowy having to do with it," Smid recalls. "NIST is part of the government and so is the NSA. The NSA has submitted candidate algorithms in the past, and NIST treats them like any other submissions."

According to Smid, when NIST saw the standard had already been approved by a banking-industry trade group, they bundled it with the other recommendations and moved on. More importantly, the NSA's involvement in the standard was clear from the beginning. The two groups are known for working closely together and, as today’s statement pointed out, NIST is required by statute to consult with the NSA, which is still the government’s authority in all things crypto. DUAL_EC_DRBG was known from the start to have been coauthored by the NSA, and what The Guardian described as "working covertly" may have simply been the NSA openly lobbying for their in-house standard.

If NSA standards can't be trusted, many of the tools of modern cryptography will have to be rewritten

It's still unclear just how alarmed the crypto world should be. On some level, the community's safeguards worked: a bad standard was identified early and kept out of products. NIST may not have caught the problem, but the bad standard also didn't spread very far beyond the organization. With enough eyes on the problem and enough skepticism, a faulty random-number generator was never going to get very far.

But at the same time, the problem is much bigger than a single bad standard. Because of Snowden, we now have confirmation that the NSA purposefully spread a bad algorithm, which calls into question much more than just a single program. NSA algorithms are the basis for lots of products, many of which guard sensitive government information. There's no reason to doubt any particular one, but after this latest leak, they'll all be called into question. If NSA standards can't be trusted, many of the tools of modern cryptography will have to be rewritten. The biggest problem is that cryptographers don’t yet know how widespread the issue really is.

Today’s Storystream

Feed refreshed 9 minutes ago Striking out

The Verge
Andrew Webster9 minutes ago
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew Webster1:05 PM UTC
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.

Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.

External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.

External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.

Spain’s Transports Urbans de Sabadell has La Bussí.

Once again, the US has fallen behind in transportation — call it the Bussí gap. A hole in our infrastructure, if you will.

External Link
Jay PetersSep 23
Doing more with less (extravagant holiday parties).

Sundar Pichai addressed employees’ questions about Google’s spending changes at an all-hands this week, according to CNBC.

“Maybe you were planning on hiring six more people but maybe you are going to have to do with four and how are you going to make that happen?” Pichai sent a memo to workers in July about a hiring slowdown.

In the all-hands, Google’s head of finance also asked staff to try not to go “over the top” for holiday parties.

External Link
Insiders made the most money off of Helium’s “People’s Network.”

Remember Helium, which was touted by The New York Times in an article entitled “Maybe There’s a Use for Crypto After All?” Not only was the company misleading people about who used it — Salesforce and Lime weren’t using it, despite what Helium said on its site — Helium disproportionately enriched insiders, Forbes reports.

James VincentSep 23
Nvidia’s latest AI model generates endless 3D models.

Need to fill your video game, VR world, or project render with 3D chaff? Nvidia’s latest AI model could help. Trained on 2D images, it can churn out customizable 3D objects ready to import and tweak.

The model seems rudimentary (the renders aren’t amazing quality and seem limited in their variety), but generative AI models like this are only going to improve, speeding up work for all sorts of creative types.