Slashdot Mirror


NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

Trailrunner7 writes: In a new article in an academic math journal, the NSA's director of research says that the agency's decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a "regrettable" choice. Michael Wertheimer, the director of research at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA, and cryptographers were suspicious of it from the beginning. "With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable," Wertheimer wrote in a piece in Notices' February issue.

7 of 106 comments

  1. Re:No admission of guilt by DoofusOfDeath · · Score: 3, Interesting

    I wonder if it would have been a security violation for him to admit it, so this is the best he can do?

  2. Re:he SAID "after it was discovered" by msauve · · Score: 5, Interesting

    IOW, he wants the perception to be that they wouldn't do the same again. Because, it's lowered their credibility. That doesn't mean they wouldn't do the same thing again, they just want you to think they wouldn't.

    ("Please don't look for more holes in stuff we support. Ignore the man behind the curtain. We're from the government, and we're here to help.")

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  3. Re:Wait, which part is he sorry about now? by rtb61 · · Score: 3, Interesting

    Worse than that, they had intended to use the power they control to attempt to force the use of it. The real question is how long before other people discovered the flaw were they aware of it and was it the only reason they supported it in the first place. This makes far more sense when you consider they still pushed it once the flaw was discovered, they were already heavily invested in pushing it onto the public exactly because of that flaw, they wanted that flaw. So who originated the work and thus who can not now be trusted as they are very likely an undercover NSA agent. Which brings to the point how many others are out there, how many others are working to break your security, how many others are out there working on entrapment and extortion plans and how many others can not be trusted to touch your hardware because they will touch it in a very naughty way.

    Brings to mind the penalties private corporations have been paying when they have failed to secure the privacy of the public, how many of those were as a direct result of an incursion led by the NSA and basically leaving holes which others have then exploited. Just like the FBI and Lulzsec, most of the damage was done after the FBI took over and were seeking to groom minors into a life of crime, supply the resource, the technology and the targets, so they could, what, prosecute them or recruit them or, as it seems most likely, both.

    The NSA and the FBI and all the rest are going to run into the exact same problem, they are going to end up recruiting privacy invasive perverts who get a kick out of invading the private lives of others, creating that perverted delusion of control over others and that will inevitably reflect upon how the agencies carry out their activities. How the individuals within them will get a sexual kick about invading the privacy of others and how given time that kick will demand greater and greater control and express itself as schemes of extortion, whether to break into other secure data stores, whether to profit or whether to extend that sexual perversion into direct personal molestation.

    --
    Chaos - everything, everywhere, everywhen
  4. Re:Wait, which part is he sorry about now? by BenJeremy · · Score: 3, Interesting

    The latter, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?

    I think the proper word is "Treasonous"

    In the DoD, the NSA-backed algorithms have been used without question, and in creating a backdoor'd generator, they've compromised our national security.

  5. Re:As a mathematician... by Anonymous Coward · · Score: 2, Interesting

    NO_ONE that works in cryptography should EVER publish in the US, as OFTEN, their work NEVER sees the light of day. The NSA frequently silences any publication, including your thesis, under "national security".
    Anyone with half a brain publishes in places like Germany, where "other" stakeholders help neutralize US bastardry.

  6. And then... by wonkey_monkey · · Score: 3, Interesting

    NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

    He then steepled his fingers and muttered "mwuhaha" under his breath.

    Isn't "regrettable" how Bond villains usually refer to their gruesome murders of formerly trusted employees?

    --
    systemd is Roko's Basilisk.
  7. Re:No admission of guilt by gnasher719 · · Score: 3, Interesting

    Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

    This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.

    And you don't understand what actually happened. There is no evidence and there never was evidence that the algorithm had a backdoor. There is evidence that _if_ the NSA had known about the possibility of a backdoor early enough, they _could_ have added a backdoor. There is no evidence that they knew about it early enough, and there is no evidence that they added a backdoor. The NSA _does_ know that nobody else added a backdoor. So they either added a backdoor, or they didn't and know there is no backdoor. There is no evidence either way.

    So nobody has any evidence that they have done anything wrong. They supported this standard for too long, and there are two logical explanations for this: Either because they had added a backdoor and wanted to use it, or because they knew for a fact that there is no backdoor (because only the NSA could have added it and they know they didn't) and therefore knew that the algorithm was safe.