CyberEye

Blog archive
Man standing at open back door

The NSA wants to be your backdoor man

Distrust of the National Security Agency has deep roots. As far back as 1976 many believed that the code-breaking agency had slipped a backdoor into the new Data Encryption Standard, the approved algorithm for government encryption. For years, the suspicions were met with stony silence. Then, 35 years later, the NSA came clean.

The agency contributed changes to the proposed design, but left no backdoors or other surprises, Richard “Dickie” George, then technical director of NSA’s information assurance directorate, told an audience at the RSA Conference in 2011. “We’re actually pretty good guys,” George said. “We wanted to make sure we were as squeaky clean as possible.”

Now some of the squeak is wearing off that clean. No one doubts that the NSA is good at breaking codes. But the latest revelations from the Snowden files seem to confirm what many have long suspected: The NSA knows that it is easier to break a code when someone gives you the keys. Documents published by the New York Times describe a Signals Intelligence program to “actively engage the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.”

A goal of the program is to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets,” and to “influence policies, standards and specifications for commercial public-key technologies.”

In other words, to install backdoors in commercial products.

There is a lot of outrage about the disclosure, but little surprise. Few people have taken theNSA’s assertions of the sanctity of commercial products seriously. The NSA seems proud of its efforts at subverting the security of personal communications. The project is in line with the Comprehensive National Cybersecurity Initiative, NSA said in its 2013 budget request, because it invests in corporate partnerships and cuts costs by exploiting existing sources of intelligence.

Most of us assumed that the public-private partnerships advocated in the CNCI were intended to strengthen cybersecurity and privacy. Live and learn.

To Chris Wysopal, chief technology officer at the application security company Veracode, what is surprising about the latest revelations is not so much that the NSA apparently is tampering with products. Everyone expects them to do that, he said. “What is eye-opening is that they are tampering with standards.” That would weaken all technology built to those standards, including that used by the U.S. government.

Although the NSA has expressed its desire to weaken standards, there is little evidence to date that it has managed to do so, Wysopal said. But there may be some evidence. In 2007 weaknesses were found in a pseudorandom number generator published by the NSA and included as a cryptographic standard for government use. It was immediately suspected that the flaw could have been intentional. Intentional or not, “in this case, it was detected and not used,” Wysopal said.

Since then there have not been similar discoveries in public crypto standards. And that underlines the greatest challenge in inserting backdoors through standards. As Dickie George told his audience of crypto professionals in 2011, “I don’t think we were good enough to sneak things in that you guys wouldn’t have found.”

Still, absence of evidence is not evidence of absence. We don’t know what we still don’t know.

Posted by William Jackson on Sep 06, 2013 at 11:58 AM


Reader Comments

Mon, Sep 9, 2013 Flonkbob

I'm pretty sure that no one with any intelligence (the real sort, not the NSA variety) trusts the NSA. Or the government. Or politicians...in fact I think we can pretty much wipe clean the expectation that the Bill of Rights has any impact on official thinking. Welcome to the death of the USA.

Sun, Sep 8, 2013 Tom

In the company I work for, the IT Security was set on using a approved standard for transferring information. Due to it's nature I refused and pre-encrypted the data before sending it. considering PGP pulled it's email service due to not wanting to be compromised, it seems like they would not have allowed a back door. TrueCrypt has the human element in installing a cypher key. (mouse movement) in the end any large corporate structure tends to be set in standards, and that's always a risk. Most Viruses were written for Windows because it was more profitable in terms of machines compromised. Standards and consolidation to a single set norm in the end make it easier, but less secure.

Fri, Sep 6, 2013 Brandt Hardin United States

The dystopian fantasies of yesteryear are now a reality. We’ve allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day. Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent. We’ve woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago. Read about how we’re waging war against ourselves at http://dregstudiosart.blogspot.com/2011/09/living-in-society-of-fear-ten-years.html

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

resources

HTML - No Current Item Deck
  • Transforming Constituent Services with Business Process Management
  • Improving Performance in Hybrid Clouds
  • Data Center Consolidation & Energy Efficiency in Federal Facilities