The NSA Review Group’s Non-Denial Denial on Encryption
As part of a section on “Technical Measures to Increase Security and User Confidence,” Recommendation 29 of the NSA Review Group is, in part, the following:
We recommend that, regarding encryption, the US Government should:
(1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software;
Several paragraphs into this section, the Group with no tech experts asserts,
Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.
This appears to be based on an Appendix provided by NSA addressing the reliability of certain encryption systems. I’m not competent to assess the claims or comprehensiveness of that presentation and eagerly await some reviews of this report from the tech experts. [Update: William Ockham notes the Appendix doesn’t include the standard NSA is accused of weakening.]
The very next paragraph, with bullet points, reads,
Nonetheless, it is important to take strong steps to enhance trust in this basic underpinning of information technology. Recommendation 32 is designed to describe those steps. The central point is that trust in encryption standards, and in the resulting software, must be maintained. Although NSA has made clear that it has not and is not now doing the activities listed below, the US Government should make it clear that:
- NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce;
- The United States will not provide competitive advantage to US firms by the provision to those corporations of industrial espionage;
- NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product; and
- NSA will not hold encrypted communication as a way to avoid retention limits.
I consider myself a bit of an aficionado in NSA claims, and I can only think of one place where they’ve made even some of these claims, sort of: the obviously bogus talking points NSA sent home at Thanksgiving. That document made a similar caveated comment about industrial espionage and assured that NSA will not demand changes by any vendor, noting it did not have the authority to do so. I pointed out some of the loopholes to those claims here.
I don’t think they have said anything about engineering vulnerabilities into encryption standards; in any case, the allegation was that they inserted vulnerabilities into certain standards through persuasion, not engineering. Besides, ODNI General Counsel Robert Litt has stated explicitly (and not all that surprisingly) that cracking encryption is their job.
Finally, I don’t think the NSA has ever addressed the fact that their minimization standards clearly allow them to keep encrypted communication forever. They like to lie about that one instead. To place in their mouth a claim that they won’t do so to get around retention limits (particularly followed, as it is, by a recommendation for how not to do this) is thin comfort coming from an agency that considers encryption possible evidence of terrorism.
I doubt this assertion that NSA doesn’t try to weaken encryption is fooling anyone. Indeed, it appears less than 30 pages after the Report states, in justifying moving Information Assurance out of NSA,
When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access.
So it’s hard to treat this entire passage as anything else but the “strong step to enhance trust” they say is necessary within it.
The NSA Review Group makes worthwhile recommendations on a reorganization of NSA–the most aggressive one of which — to split the DIRNSA from the CyberCommand position — Obama already pre-empted. Moving Information Assurance out of NSA would also create a champion for privacy, albeit a hopelessly weak one (they even state it should be moved to DHS, but Congress would never agree to do so).
But ultimately on this and some other cybersecurity related issues (including its toothless recommendation on Zero Days that immediately follows this section), the Report serves only to pretend the US doesn’t engage in weakening security as part of its offensive attacks using the Internet.
Update: Oh, as to that Appendix that doesn’t include the standard everyone has been worried about? Someone’s just found a fatal bug in the standard.
An advisory published Thursday warns that a “FIPS module” of the widely used OpenSSL library contained a “fatal bug” in its implementation of Dual EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency (NSA) officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.
The fatal Dual EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government’s Federal Information Processing Standards. When using the module’s implementation of Dual EC_DRBG, the application crashes and can’t be recovered. That’s an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world’s most powerful country.
Standards are like zoning regulations. They are politically arrived at documents of specifications engineers to work from. The evidence is that NSA used its influence as members of committees of NIST to set up encryption standards to be exploited by NSA and made technical assurances that certain cryptological techniques were stronger than they were in fact.
That had the effect of planting a vulnerability for every corporation that decided to use that approach to that standard.
At a basic professional level it is a dishonest and corrupt action.
This immaculate hacking of encryption is a barrel of laughs.
It’s right up there with the claims that the Chinese had a backdoor in all electronics in order to take down US economy.
Um, right…like PRC’s Lenovo building computers to US-NIST standards which included the NSA-compromised encryption.
Talk about projection, much.
No problem. Their retention standard on encrypted data is already “forever”.
Send them something they can read and they may eventually get shed of it if it’s not worth the storage space. Encrypted stuff they’ll hang onto until they can read it, until someone convinces them otherwise. I’m sure DiFi will get around to that real soon now.
I think you’ve got to unpack pieces of this to tease out what’s being claimed.
Appendix E talks about standards and algorithms and asserts that, for the algorithms listed, the NSA either didn’t contribute to them in any way or that they’ve been thoroughly analyzed by others. The exclusion of Dual_EC_DRBG can be taken as confirmation that the NSA did exactly what the Snowden documents allege, that is, weaken Dual_EC_DRBG.
The claim that the government hasn’t inserted any vulnerabilities into commercial software is a different claim. These are implementations, not algorithms. One can insert vulnerabilities into commercial software that would allow backdoor access without weakening or subverting the underlying cryptography.
(As a very minor point, I think the difference between “engineering” a vulnerability or “persuading” people to include a vulnerability is, in this context, a distinction without a difference. The NSA engineered the standard to have a backdoor, then included it through persuasion. Potato, potahto.)
This is December, I am impressed that they moved so quickly to acknowledge the cat was purring by the side of the bag. Here is a sample of what was going around back in September:
Why does this remind me of the DOD/DOJ and their “the US does not torture — we interrogate with enhanced methods” mess?
another fine examination of “what they say vs. whatthey do,” emptywheel.
have you looked into my request for a user-friendly format for mobile phones? i.e. publish w/o word wrap so articles fit the screen? perhaps emptywheel.net/mobile? i really miss visiting on a regular basis.
Merry Christmas to you, bmaz, Jim and all your readers/commenters that enjoy your safaris into the weeds.
One thing to note about the encryption recommendations for protecting NSA data is that they talked about Type 2 encryption schemes and using private sector solutions. However, the government has Type 1 encryption algorithms that are not available commercially. The NSA uses such encryption schemes and the specialized hardware and software necessary. It is silly to think that the government would move away from these specialized non-public schemes. Much of the documents if they were to be encrypted would be classified above the level of any Type 2 encryption scheme and a Type 1 scheme would have to be used. This would mean that their entire discussion on using software like in private companies and such was a complete waste of words and paragraphs.
Encrypting the actual data the systems hold would be ridiculous. The computational cost of decrypting the data to respond to queries or other processing would be a thousand times or more expensive than it is now.
Saul could you explain this more?:
” One can insert vulnerabilities into commercial software that would allow backdoor access without weakening or subverting the underlying cryptography”
Does this mean remote access or something?
The usual terminology is ‘trojan horses’, or ‘trojans’ for short. Something that, given the right key, will allow access without going through the normal procedures.