NSA paid RSA 10 million US dollars to use Dual_EC_DRBG in their products, a standard they forced into the standard with lots of known problems; NIST did it anyway.
So yeah they force backdoors.
If you still think you need to defend the NSA, you are not stupid or naive. You are evil.
To the best of my current knowledge, it's at most possible that the NSA backdoored the NIST curves. I'm unaware of anyone in academia positively proving the existence thereof.
If your threat model doesn't include the NSA or other intelligence agency level state actors, ECDSA with NIST P-521 will serve you just fine.
(ECDSA is per se a questionable abuse of elliptic curves born from patent issues now long past, but it's not a real, exploitable security problem, either, if implemented correctly.)
Wasn't this the whole situation with Dual_EC_DRBG? As far as I understand (which may not be that far when it comes to cryptography, admittedly), the NSA has already been caught intentionally weakening cryptographic standards via its influence over the NIST and by paying RSA.
RSA makes Dual_EC_DRBG the default CSPRNG in BSAFE. In 2013, Reuters reports this is a result of a secret $10 million deal with NSA.
According to the New York Times story, the NSA spends $250 million per year to insert backdoors in software and hardware as part of the Bullrun program.
For these ciphers, it seems less likely that NSA has a backdoor that no-one else could find.
Notably in the case of dual-EC there was a recommended curve chosen by the NSA. That was easy to backdoor by knowing how the curve was generated.
As far as I know, there's no concrete evidence that the NSA has compromised the security of the NIST curves. That would be weird for them to do, since they use those curves internally to encrypt data classified at Secret and higher.
Dual_EC_DRBG was a little different. It introduced an asymmetric key that only the NSA had the private key for. So only the NSA was able to exploit it. If they were to make stuff complex generically with the hope of it being buggy, it would lead to bugs that other intelligence agencies could exploit.
Two pieces of information that add up to a larger story:
* The NSA/CSS Commercial Solutions Center (NCSC) is specifically built around Elliptic Curve Cryptography that they acquired from Certicom.
>The NCSC also manages the Elliptic Curve Cryptography (ECC) program on behalf of the NSA/CSS. Elliptic curve provides greater security and more efficient performance than first generation public key techniques currently in use. NSA/CSS purchased a license that covers intellectual property in a restricted field of use to assist in the implementation of elliptic curves to protect U.S. and allied government information. - https://www.nsa.gov/business/programs/ncsc.shtml
* Certicom designed the Elliptic Curve DRBG (Dual_EC) algorithm including the backdoor (Certicom patented the backdoor functionality in 2005)[0]. The NSA then included this algorithm + backdoor into the NIST standard and paid RSA 10 million dollars to make it the default DRBG.
Putting these two facts together suggests that the NCSC was responsible for the Dual_EC backdoor.
"Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or “back door” - that allowed the NSA to crack the encryption."
The same way Dual_EC_DRBG became a NIST standard, the NSA pulls the strings.
You can't expect a government department to provide robust security to the masses when the rest of the government is trying to prevent that exact situation.
At this point anything cryptography-related coming from NIST should be considered compromised.
Nice writeup, this story seems to have gotten limited exposure after being written. Incidentally, these kinds of programs continue to the present:
> "In September 2013, The New York Times reported that internal NSA memos leaked by Edward Snowden indicated that the NSA had worked during the standardization process to eventually become the sole editor of the Dual_EC_DRBG standard,[7] and concluded that the Dual_EC_DRBG standard did indeed contain a backdoor for the NSA.[8] As response, NIST stated that "NIST would not deliberately weaken a cryptographic standard."[9] According to the New York Times story, the NSA spends $250 million per year to insert backdoors in software and hardware as part of the Bullrun program."
There are also notions that the British government ran a similar program after WWII, distributing Enigma machines to all its colonies/ex-colonies, which was part of the reason they kept the codebreaking work on Enigma secret for decades (until the 1970s). I've never seen a similar exposé of that, though.
This appears to be a strong denial, which they support by claiming that NSA was successfully promoting Dual EC DRBG as a better RNG to NIST and the tech industry. That is, they were being misled as much as anyone else who believed the NSA regarding Dual EC DRBG.
That sounds good. But they don't even go near the heart of the matter, which, from the Reuters report, is:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
RSA does not deny that they took $10M to use Dual EC DRBG as the default in BSafe. Nor do they say why they did, if there is a reason other than that the NSA paid to make it so. They do not say why they took a sum which boosted their revenue by over 30% in return for no deliverables other than a change in default configuration - a couple of minutes of work.
It's slightly more complicated than that: there are three parties at play in this story. NSA, RSA, and NIST.
NIST was evaluating dual_ec_drbg for certification for government usage, with people from NSA heavily pushing it. NIST was actively contracting out to RSA to evaluate it for weaknesses. The kicker is here: NSA then secretly paid RSA something like $10M to advocate strongly for dual_ec_drbg, behind the back of NIST. So you have one government agency spending money on a contractor, hoping for an honest expert opinion, then another government agency spending money on a contractor secretly so that the second government agency can sneak something behind the first government agency. It's insanity.
Sure, RSA should not have taken the money from NSA, but given that NIST crypto certification mostly matters to government implementations (and not to the private sector), isn't the bigger problem that NSA is happy to introduce backdoors into crypto exclusively used by other government agencies? It's traitorous.
Thomas Massie offered an amendment in the House to try to stop this. He gave a pretty good overview of the situation (he is an electrical and mechanical engineer from MIT) to the House when the amendment was brought to the floor.
This kind of logic is attractive on message boards but makes little sense in the real world.
What NSA needs are NOBUS ("nobody but us") backdoors. Dual_EC is a NOBUS backdoor because it relies on public key encryption, using a key that presumably only NSA possesses. Any of NSA's adversaries, in Russia or Israel or China or France, would have to fundamentally break ECDLP crypto to exploit the Dual_EC backdoor themselves.
Weak curves are not NOBUS backdoors. The "secret" is a scientific discovery, and every industrialized country has the resources needed to fund new cryptographic discoveries (and, of course, the more widely used a piece of weak cryptography is, the more likely it is that people will discover its weaknesses). This is why Menezes and Koblitz ruled out secret weaknesses in the NIST P-curves, despite the fact that their generation relies on a random number that we have to trust NSA about being truly random: if there was a vulnerability in specific curves NSA could roll the dice to generate, it would be prevalent enough to have been discovered by now.
Clearly, no implementation flaw in Windows could qualify as a NOBUS backdoor; many thousands of people can read the underlying code in Ghidra or IDA and find the bug, once they're motivated to look for it.
Thread by someone directly involved on why the ISO rejected NSA ciphers in the past (hint: they refused to justify design decisions, lied, and attacked the credibility of people who had put out actually-secure crypto):
The NSA will never do that as it would be tipping their hand about whatever novel technique they reveal. In the past the NSA actually did provide some constants that went into DES and people were suspicious as the constants weren't randomly chosen. Later on it came out that differential cryptanalysis would have broken the original constants but the NSA provided ones were chosen to thwart this. They clearly knew about it well ahead of it being discovered in academia. Then you have the NSA's shady dealings around Dual_EC_DRBG where there was speculation that this might be similar to when the NSA secured DES against publicly unknown advanced cryptanalytic attacks. Of course for Dual_EC_DRBG that wasn't the case, it was a malicious backdoor, nothing more.
The question comes down to "Is this a repeat of DES or Dual_EC_DRBG?" and the NSA has poisoned the well with their previous attack on cryptography standards.
In general, I agree. However, as a mild counterpoint, I present Dual_EC_DRBG, where the NSA inserted a private kleptographic backdoor into the standard via the conveniently provided P and Q points.
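To make the mechanism described in the comments above concrete (the asymmetric key, the NOBUS property, the "conveniently provided P and Q points"), here is an added toy model of Dual_EC_DRBG. It is my example, not code from this thread, and it does not use the real NIST parameters: the curve over F_1019, the points P and Q, and the scalar e linking them are all constructed for the demo. It shows why the trapdoor is NOBUS: predicting the next output needs the d with P = d*Q, which only the party that chose Q holds and anyone else would have to solve the discrete log to recover.

```python
from math import gcd

p, a, b = 1019, 2, 3        # constructed curve y^2 = x^3 + 2x + 3 over F_p, p % 4 == 3
INF = None                  # point at infinity

def add(P1, P2):
    """Affine point addition / doubling on the toy curve."""
    if P1 is INF: return P2
    if P2 is INF: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return INF
    if P1 == P2: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R = INF
    while k:
        if k & 1: R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

def lift_x(x):
    """Both curve points with x-coordinate x (empty list if x is not on the curve)."""
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)                 # sqrt works because p % 4 == 3
    return [(x, y), (x, (-y) % p)] if y * y % p == rhs else []

def order(P1):
    n, R = 1, P1
    while R is not INF: R, n = add(R, P1), n + 1
    return n

# Constructed "standard" points. Whoever picks Q = e*P can keep d = e^-1 mod ord(P),
# so that P = d*Q. That d is the trapdoor: finding it without e means solving ECDLP.
P = max((pt for x in range(1, 40) for pt in lift_x(x)), key=order)
n = order(P)
e = next(k for k in range(2, n) if gcd(k, n) == 1)
Q, d = mul(e, P), pow(e, -1, n)

def dual_ec_outputs(seed, count):
    """One Dual_EC step: s <- x(s*P); emit r = x(s*Q). (The real spec truncates r.)"""
    s, outs = seed, []
    for _ in range(count):
        s = mul(s, P)[0]          # toy curve only: fails if s % n == 0 (identity point)
        outs.append(mul(s, Q)[0])
    return outs

def predict_next(output):
    """Trapdoor holder: lift r back to R = s*Q, then d*R = s*P is the next state."""
    R = lift_x(output)[0]         # either sign of y gives the same x below
    s_next = mul(d, R)[0]
    return mul(s_next, Q)[0]      # the generator's next output, predicted from one sample
```

A random Q that is not a known multiple of P, or any DRBG whose outputs are not curve points, removes the trapdoor; the real standard's 16-bit truncation only forces the trapdoor holder to try 2^16 candidate x-coordinates.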
Brilliantly awful.
You realize, of course, that, of your two choices, the DOJ would probably choose the former (i.e. general insecurity).
"RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings."