
Did NSA Put a Secret Backdoor in New Encryption Standard? (2007) - Jach
http://www.schneier.com/essay-198.html
======
danielweber
Back when DES was being designed, IBM had a bunch of values in their S-boxes.
NSA told them "don't use those values; use these values instead." People
freaked that it was a backdoor the NSA put in.

About 15 years later, differential cryptanalysis was publicly discovered. The
original S-box values would have been very vulnerable to the attack, but the
ones the NSA used were resistant, suggesting that NSA knew about differential
cryptanalysis way ahead of time and were suggesting ways to protect the
public against its eventual discovery.

It is _possible_ that there is still some magic in there to let the NSA
magically defeat DES, but we still haven't found it. Similarly, it's
_possible_ that this random number generator exists for some nefarious
purpose, but we have no evidence for it.

Also, this article is 5 years old (the headline didn't say so when I first
read this). Schneier was in pretty big self-promotion mode at that time.

~~~
CWuestefeld
I can't find the citation right now, so treat this as apocryphal, but...

I've read an explanation that the USA's focus on security has changed in the
days since 9/11/2001. At one time, the philosophy was that the country was
more secure when we could all be assured that the privacy of our
communications was intact.

But in the last decade we've changed that philosophy. The government's
security philosophy now is that the most important thing is for the government
to be able to tell what's going on.

So it may be that the parent post's anecdote is quite correct, and reflects
the policy _of that time_. But in the days of the War On Terror, we can't
trust that anymore.

(And OT, I believe it reflects a fundamental change in the philosophy of
governance that is against the founding principles of the country, and a
pretty bad thing. I believe that our strength derives from ... us -- we the
people. And so strengthening the government by weakening us in fact weakens
the nation.)

EDIT: fix date. Thanks, Retric.

~~~
dpark
> _At one time, the philosophy was that the country was more secure when we
> could all be assured that the privacy of our communications was intact._

That's never really been the view of the U.S. government. It's always been the
view that you should be able to have communications with your neighbor that
are secure from everyone _except_ the US government, who obviously need to
snoop in order to protect us all.

The security agencies and the police agencies have always pushed for more
comprehensive and more invasive surveillance. We've had wiretapping for as
long as we've had wires to tap. We crippled Internet security for years. I
remember the days of separate US and international Netscape releases, due to
crypto export restrictions. It wasn't until 2000 that the restrictions were
truly relaxed.

~~~
pgeorgi
US and international Netscape releases (as well as Windows and various other
tools) rather indicate that the US govt was interested in secure communication
for US citizens and corporations, while being able to snoop on the rest of the
world.

If you need an example, pick the Clipper chip - and even that doesn't _quite_
work out, given how publicly that proposal was shot down.

~~~
dpark
I think it's rather an example of how the Judicial branch keeps the other
branches in check. If the NSA had its way, they'd be able to listen in on
every conversation you ever have, track every site you visit, record every
communication you ever make. They would do the same for everyone
internationally as well. The difference is that we have the Supreme Court
protecting US citizens to some extent, so the NSA cannot legally wiretap your
phone just for kicks, but the Supreme Court doesn't extend the same protection
to citizens of other countries.

~~~
dreamdu5t
And you believe the NSA when you can't see the warrants, know who issued them,
what they contain, etc.? How would we know they weren't tapping domestic
communication? You wouldn't. Any whistleblowers would be roughed up or locked
up... much like Thomas Drake.

[https://en.wikipedia.org/wiki/Thomas_Andrews_Drake#2007_FBI_...](https://en.wikipedia.org/wiki/Thomas_Andrews_Drake#2007_FBI_raids)

[https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_c...](https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy#Trailblazer_and_whistleblowing_prosecution)

~~~
dpark
I said that the judicial branch keeps the other branches in check. I didn't
say that they are completely effective or that their checks are sufficient. And I
certainly didn't say that the NSA wasn't engaging in any domestic wiretapping.

~~~
jacobrobbins
Yes, I think the key word in that sentence is "legally". The following article
describes the situation re: warrantless monitoring of U.S. citizens by the
NSA:
[http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_...](http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all)

The thing is that they can not bring the result of this warrantless
wiretapping into court. But they probably don't want to.

From what I've seen the FBI is a lot more vocal in complaining about the
impact of encryption because their mandate involves bringing cases to court so
they want a formalized, legitimate way of breaking encryption when they have
warrants. They would also love to have the dragnet that the NSA has to know
who to watch, and I don't know to what extent they do, but the bigger
difference that I see is that the NSA is not interested in launching court
battles (any more) whereas that is the primary endgame for the FBI.

The problem of course is that an encryption system which can be broken in a
formalized way is open to the possibility of being broken by the wrong people.
You can't have your cake and eat it too by having strong encryption that can
be broken by the "right" people because there is no way to theoretically
describe who the "right" people are. The encryption has to work the same for
everyone.

Like all big issues in society there are competing rights; the need for law
enforcement bumps up against the freedom of the individual. I believe that we
are comfortable enough pushing this balance more heavily towards the freedom
of the individual in America that a policy of embracing strong encryption is
in the best interests of everyone, but I am aware that I don't have as much
knowledge about this issue as some others.

~~~
gizmo686
You can have an encryption system that can only be broken by the 'right'
people. We already have crypto systems where any 1 of n people can decrypt the
message. If you embed a public key into the algorithm, then only the
algorithm's designers would know the private key needed for decryption.

Doing this in a non-obvious way seems much more difficult, but if the NSA did
have a weakness to DES, it could very possibly require knowing a secret key.

------
anonymouz
This is quite interesting, as the NSA on the one hand needs to provide secure
algorithms for the public to use, but on the other hand has an interest in
being able to break algorithms.

IIRC, during the standardization of DES, the NSA also modified some S-Boxes
without giving any explanation. Only later, when differential cryptanalysis
became known to the public, was it clear that this was to strengthen DES
against this particular attack (which was already known to the NSA).

The case here is more interesting though: It seems like you need to know some
secret numbers (a sort of "private key" if you will) to be able to attack the
PRNG. So it seems that the NSA could place a "safe" backdoor that even an
attacker with the same cryptography knowledge as they have cannot break unless
he himself possesses the "private key".
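A toy model of the mechanism the two comments above describe (gizmo686's "embed a public key into the algorithm" and the "private key" needed to attack the PRNG), added here as an illustration; it is not code from the thread or from Schneier's essay. It assumes a small textbook curve and a constructed trapdoor scalar d with P = dQ; the defender's takeaway is that whoever chose the published constants can hold such a d, and only constants with a verifiable origin (or your own freshly generated P and Q) rule that out.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + 2x + 2 over GF(17),
# base point G = (5, 1) of order 19. Real Dual EC uses P-256 and truncates
# the output; the toy emits full x-coordinates so the mechanism is visible.
MOD, A, B = 17, 2, 2
G = (5, 1)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, MOD) % MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, MOD) % MOD
    x3 = (lam * lam - x1 - x2) % MOD
    return (x3, (lam * (x1 - x3) - y1) % MOD)

def ec_mul(k, pt):  # double-and-add
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def dual_ec_outputs(seed, P, Q, n):
    # Dual EC step: emit x(sQ), then advance the state to x(sP).
    s, out = seed, []
    for _ in range(n):
        out.append(ec_mul(s, Q)[0])
        nxt = ec_mul(s, P)
        if nxt is None:  # s hit the group order: a toy-curve degeneracy
            raise ValueError("degenerate state")
        s = nxt[0]
    return out

def predict_next(r, d, Q):
    # Holder of the trapdoor d (P = dQ): lift r to a point R, then
    # x(dR) = x(sP) is the next state, which fixes the next output.
    y = next(y for y in range(MOD) if (y * y - r**3 - A * r - B) % MOD == 0)
    return ec_mul(ec_mul(d, (r, y))[0], Q)[0]

def demo():
    d, Q = 3, G          # d is the constructed secret behind published P, Q
    P = ec_mul(d, Q)     # inspecting P and Q alone does not reveal d
    outs = dual_ec_outputs(2, P, Q, 4)   # seed 2 never reaches state 0
    return outs, [predict_next(r, d, Q) for r in outs[:-1]]
```

Without d, an observer sees only x-coordinates of apparently unrelated points; with d, each output fixes the next one, and the consumer of the generator cannot tell the two situations apart.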

~~~
tptacek
What sense does it make to backdoor an RNG that no normal system is ever going
to use, and to do so in a public standard, and further to do so by using
deliberately broken curve parameters?

It was an interesting story because it was so weird. But even had Dual EC
_not_ become known to the world exclusively as "the CSPRNG with the backdoor
in it", nobody would have used it anyways.

~~~
anonymouz
Yeah that is rather weird. A botched attempt maybe?

~~~
tptacek
No.

------
tptacek
Nobody used this random number generator.

~~~
javert
Perhaps the government required defense contractors to use this one in
products sold to other countries?

I don't have any evidence for that, just speculation on one reason the NSA
might insist on including something like this in the spec.

------
delinka
"In the meantime, both NIST and the NSA have some explaining to do."

Not happening. Hasn't yet, nor will it. NSA just keeps quiet and watches for
someone to use their particular algorithm. We should assume malicious intent
and take Schneier's advice: "My recommendation, if you're in need of a random-
number generator, is not to use Dual_EC_DRBG under any circumstances."

And if you "don't have anything to hide," then I propose you've given up
already and cryptography is useless to you.

~~~
lmm
Not entirely. While the best cryptography is that which is secure against
everyone (duh), there are a vast number of perfectly legitimate use cases for
cryptography where it doesn't matter if the NSA can read your encrypted data.

~~~
nathan_long
I can't imagine any legitimate use case for crappy cryptography, and any
crypto with a backdoor is crappy. If the door is there, anyone with the key
can open it. How can you be sure who will get the key, or what their motives
will be?

Good, modern cryptography offers a level of security unparalleled in the
physical world, and at a processing cost which any computer can handle. Why
would you intentionally choose something inferior?

~~~
DanBC
The example often given is "MILITARY GRADE ENCRYPTION" - if tank driver Bob is
given commands to shell a target those commands only need to be secret for a
short length of time. It doesn't matter if the enemy can decrypt them by
taking a week's time, because Bob will have attacked the target and gone by
then.

This is, obviously, a really old example, because modern hardware makes
encrypting things quick and easy, and decrypting things quick and easy. But
imagine strong encryption in the 1980s - you had to balance strength with time
with size and then try to cram it into low-specced hardware.

~~~
nathan_long
OK, yes, there is such a thing as "strong enough crypto for your purposes",
and there are tradeoffs for computing power, etc.

My point was that there's no point in picking something with a known back door
when there are perfectly good, non-compromised alternatives.

------
lucaspiller
Interesting... Was there any code written to demonstrate the attack?

~~~
delinka
That's a good question. I suspect if so, it was alongside an academic paper
and this stuff just doesn't get attention from journalists. I'd be curious to
find out but I don't have the skills to pore over the material myself.

~~~
danielweber
Do you really think "academic finds back door in NSA's random number
generator" wouldn't get headlines? Remember how the mere mention of the name
"NSAKEY" freaked everyone out?

------
gmoore
Not exactly current - the article is something like 5 years old....

~~~
delinka
You'll notice the "[2007]" in the post title.

~~~
jimktrains2
Apparently the mods added it later. There really should be some way to tell
what the mods have and haven't done.

~~~
SquareWheel
Something like mouse-over for original title would be great.

~~~
antidoh
Excellent idea. I just submitted the feature request:

<https://news.ycombinator.com/item?id=4580886>

