The latest revelations from the Snowden files confirm what many have suspected for more than 35 years: The NSA knows it is easier to break a code if someone gives you the keys.
Distrust of the National Security Agency has deep roots. As far back as 1976 many believed that the code-breaking agency had slipped a backdoor into the new Data Encryption Standard, the approved algorithm for government encryption. For years, the suspicions were met with stony silence. Then, 35 years later, the NSA came clean.
The agency contributed changes to the proposed design, but left no backdoors or other surprises, Richard “Dickie” George, then technical director of NSA’s information assurance directorate, told an audience at the RSA Conference in 2011. “We’re actually pretty good guys,” George said. “We wanted to make sure we were as squeaky clean as possible.”
Now some of the squeak is wearing off that clean. No one doubts that the NSA is good at breaking codes. But the latest revelations from the Snowden files seem to confirm what many have long suspected: The NSA knows that it is easier to break a code when someone gives you the keys. Documents published by the New York Times describe a Signals Intelligence program to “actively engage the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.”
A goal of the program is to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets,” and to “influence policies, standards and specifications for commercial public-key technologies.”
In other words, to install backdoors in commercial products.
There is a lot of outrage about the disclosure, but little surprise. Few people have taken theNSA’s assertions of the sanctity of commercial products seriously. The NSA seems proud of its efforts at subverting the security of personal communications. The project is in line with the Comprehensive National Cybersecurity Initiative, NSA said in its 2013 budget request, because it invests in corporate partnerships and cuts costs by exploiting existing sources of intelligence.
Most of us assumed that the public-private partnerships advocated in the CNCI were intended to strengthen cybersecurity and privacy. Live and learn.
To Chris Wysopal, chief technology officer at the application security company Veracode, what is surprising about the latest revelations is not so much that the NSA apparently is tampering with products. Everyone expects them to do that, he said. “What is eye-opening is that they are tampering with standards.” That would weaken all technology built to those standards, including that used by the U.S. government.
Although the NSA has expressed its desire to weaken standards, there is little evidence to date that it has managed to do so, Wysopal said. But there may be some evidence. In 2007 weaknesses were found in a pseudorandom number generator published by the NSA and included as a cryptographic standard for government use. It was immediately suspected that the flaw could have been intentional. Intentional or not, “in this case, it was detected and not used,” Wysopal said.
Since then there have not been similar discoveries in public crypto standards. And that underlines the greatest challenge in inserting backdoors through standards. As Dickie George told his audience of crypto professionals in 2011, “I don’t think we were good enough to sneak things in that you guys wouldn’t have found.”
Still, absence of evidence is not evidence of absence. We don’t know what we still don’t know.