Slashdot Mirror


NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

Trailrunner7 writes In a new article in an academic math journal, the NSA's director of research says that the agency's decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a "regrettable" choice. Michael Wertheimer, the director of research at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspicious of it from the beginning. "With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable," Wertheimer wrote in a piece in Notices' February issue.

  1. Wait, which part is he sorry about now? by Narcocide · · Score: 5, Insightful

    Is he sorry that they created a monster or is he just sorry that they got caught and now their credibility is in the trash can?

    1. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 4, Insightful

      The latter, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?

    2. Re:Wait, which part is he sorry about now? by penguinoid · · Score: 5, Insightful

      "Words cannot express how sorry we are. Next time, we will make sure the backdoor is much less obvious."

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    3. Re:Wait, which part is he sorry about now? by Narcocide · · Score: 1, Insightful

      No, I think you both still miss the point. I was "first post" before this article, Snowden, or anyone else. I was saying this was happening before even Slashdot's founding. I simply guessed it, well over a decade ago by following the money. Only then I wasn't rated "+5 Insightful" I was rated by my peers as "-5 crazy for saying the emperor is naked."

    4. Re:Wait, which part is he sorry about now? by davester666 · · Score: 5, Insightful

      "Words cannot express how sorry we are. The next time, we made sure the backdoor was much less obvious"

      FTFY

      --
      Sleep your way to a whiter smile...date a dentist!
  2. That's why we gave EMC money by Anonymous Coward · · Score: 2, Insightful

    To ensure its inclusion as default in RSA products.

    1. Re:That's why we gave EMC money by Anonymous Coward · · Score: 5, Insightful

      The reason this back door was acceptable to them was they essentially convinced the world to use their public key as the standard seed for the algorithm. It's like putting your account information on random deposit slips at the bank. It's not the sort of "hack" that compromises your own security as long as your "private key" remains secret.

      Contrast this with DES/AES, where they have fought to make the algorithms more secure. Not because they want what's best for everyone, but because those vulnerabilities were something that an adverse nation state could potentially independently discover where they didn't have an exclusive ability to exploit the weakness.

      Now their intentions are clear: they aren't enlightened good guys. They're just pragmatic attackers. An exploit that is just as likely to benefit China or Russia is worse than no exploit at all. An exploit that only they can benefit from is golden. At least now we know where to look when doing our code audits.

  3. Re:other descriptions... by Anonymous Coward · · Score: 5, Insightful

    how about "works as intended"

  4. Why is it regrettable? by DoofusOfDeath · · Score: 5, Insightful

    I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?

    Also, "is regrettable" is basically the passive tense. Does he regret it? Does he think that the congressional oversight committees are morally culpable for not having stopped it?

  5. Interesting wording by Excelcia · · Score: 3, Insightful

    I find it very interesting the wording. They think that they should have "ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor" and that their failure to do so was regrettable. What about their helping to develop the algo with a back door to begin with?

    They are essentially coming out and admitting they are sorry that they didn't drop support, because if they had dropped support at least they would have been able to cover up the fact they intentionally create algorithms with flaws to begin with.

    1. Re:Interesting wording by AHuxley · · Score: 3, Insightful

      It was regrettable security researchers, brands, firms, academics and other experts failed to find, did not look, did not ask, did not consider, did not want to understand, were not interested or collaborated in placing so many trap doors and backdoors in international crypto standards over the years.
      Just getting weak crypto created and set as a standard is the first part. Keeping it as a standard for some time was the real trick. A lot of smart people and top brands had to stay tame and look the other way on that aspect over the years.
      The good news is people can just move back to number stations and only use one time pads once.
      The intentionally created algorithms seemed to go back to the 1950's as the Martin and Mitchell defection hinted in the early 1960's
      https://en.wikipedia.org/wiki/...
      "Our main dissatisfaction concerned some of the practices the United States uses in gathering intelligence information ... deliberately violating the airspace of other nations ... intercepting and deciphering the secret communications of its own allies ..."

      --
      Domestic spying is now "Benign Information Gathering"
  6. The NSA has nothing to regret. by fustakrakich · · Score: 3, Insightful

    Nothing happened. The spying continues as if nobody said a thing. It had no effect on the election, and it won't have any effect in the next one. Whatever the NSA does from here on out cannot be blamed on anybody but the voters. It's extremely simple.

    --
    “He’s not deformed, he’s just drunk!”
  7. That's not an apology. by steelfood · · Score: 4, Insightful

    That's no apology, that's just expressing regret.

    If they really wanted to apologize, they should be apologizing for subverting the standards process in the first place. Both RSA's and NIST's credibility are in the crapper thanks to them, though it's admittedly RSA's own fault for taking the $10 million.

    But there's no point in apologizing to the crypto community or even to any subset of it. This behavior by the NSA was almost expected, and it would be stupid to not believe it given all the pre-Snowden evidence. In fact, it validates a lot of people's conclusion that funny-looking and funny-smelling things should generally be avoided.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  8. Fuck you, Mike! by Anonymous Coward · · Score: 4, Insightful

    It was "regrettable" that, after the whole community cast aspersions at your intentionally-broken algorithm, you didn't drop your own support for it? Go eat a fucking dick.

    What you should have done, instead of "dropping your support", was come clean and say "sorry guys, that was a shitty thing to do and we should not have done it. This algorithm was in fact sabotaged by us and it should never be used for anything other than a case study for cryptographers learning to detect shitty things like this being done to algorithms in plain sight. We ought to be using better tools to catch bad guys rather than intentionally breaking encryption for everyone."

    Asshole. Dual-use technologies work both ways, smarty-pants: if you break the algorithm, it's broken for the good guys, too, and the bad guys pwn everyone who thinks they are safe.

    Seriously, fuck you.

  9. As a mathematician... by wickerprints · · Score: 5, Insightful

    I find Wertheimer's characterization of this gross oversight to be..."regrettable."

    Let's remind the reader and put the role of NSA mathematicians in context: In the world of mathematical research, what the NSA knows is by construction a superset of what the academic community knows. That is to say, NSA researchers have at their disposal the body of all published mathematical literature, in addition to any discoveries they have made internally, whereas non-NSA mathematicians do not have access to the latter. If a flaw in a commonly used cryptographic scheme is discovered by the NSA but is unknown in the public arena, this immediately leads to an exploitable situation.

    Thus, when outside researchers discover an issue, this tells us NOTHING about if or when the NSA knew about the same flaw. It also means nothing for NSA mathematicians to apologize or write in public correspondence what their version of events was. Their lack of credibility does not stem from the existence of such flaws; no. Neither does it necessarily follow from the lies they have told in other respects. On this point I must be completely clear. Their lack of credibility stems from the aforementioned and inherent information asymmetry. To attempt to infer the sincerity of the message based on indirect evidence, past behavior, and allusions to glorious historical efforts is to be misled from the fundamental reality, which is that the NSA and its mathematicians are under no obligation to tell the truth because they undoubtedly possess mathematical secrets that the public does not.

    That said, I am gratified that many preeminent mathematicians working in the fields of number theory, cryptography, algebra, combinatorial analysis, and cryptanalysis do not choose to work for the NSA and instead remain in the academic community, on the premise that the advancement of humankind necessitates the openness of the process of discovery and the unrestricted dissemination of mathematical research.

  10. "Regrettable" =/= "Regretted" by Anonymous Coward · · Score: 2, Insightful

    "It's something We should feel ashamed about. We DON'T feel ashamed, though." Big big difference.

  11. Re:No admission of guilt by stoborrobots · · Score: 3, Insightful

    He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

    It's entirely possible that they did not engineer the backdoor - that might have come from the original creator.

    It's further possible (although I would hope it's not the case) that they did not find the backdoor before it was publicly disclosed.

    Either way, they should have stopped endorsing the algorithm as soon as they knew it was weak, whether that was at public disclosure or earlier.

    That they continued to claim it was secure after it was publicly known to be weak is a complete failure on their part, and they are DEFINITELY culpable for that.

    We BELIEVE that they probably put it there, in which case, they're even more culpable, but we don't know that for certain...