NSA Sabotaged the Standard
The New York Times has published further details of last week's leaked documents detailing the NSA's program of sabotage to crypto products and standards. The new report confirms that the standard that the NSA sabotaged was the widely-suspected NIST Dual EC DRBG standard. The Times reports that the NSA then pushed its backdoored standard through the International Organization for Standardization and the Canadian Communications Security Establishment.
Canada Helped
Canada played central role in NSA attempt to crack secure web data
The U.S. National Security Agency has pursued a prolonged strategy to give itself covert, undetectable access to encrypted and private information sent online, such as bank transactions and emails, leaked documents show.
[...]
CSE allowed the U.S. agency to “seize control” of the process, a New York Times report says, a move that allowed the NSA to rewrite the draft code and create a hidden path into data that was protected by the encryption.
After some “behind-the-scenes finessing” with the Canadian team “the stage was set for NSA” to take over authorship of the standard, a classified memo initially leaked by former U.S. contract intelligence worker Edward Snowden says.
The revelation directly links Canadian security officials to the extraordinary and legally dubious efforts by the NSA to capture and monitor an unprecedented amount of communications online through undisclosed programs like the now infamous PRISM initiative.
The Standard
This PRNG has been controversial because it was published in the NIST standard despite being three orders of magnitude slower than the other three standardized algorithms, and containing several weaknesses which have been identified since its standardization.
In August 2007, Dan Shumow and Niels Ferguson discovered the algorithm has a vulnerability which could be used as a backdoor. Given the wide applications of PRNGs in cryptography, this vulnerability could be used to defeat practically any cryptosystem relying on it. The algorithm uses several constants which determine the output; it is possible these constants are deliberately crafted in a way which allows the designer to predict its output.
Warnings came early, but were unheeded. See
The Strange Story of Dual_EC_DRBG
This is scary stuff indeed.
Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm's elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.
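To make the two points above concrete (the constants determine the output, and one solved instance of the curve problem is decisive), here is a toy model of the Dual_EC_DRBG construction over the real NIST P-256 curve, written for this post and not taken from NIST or from any report cited here: the secret e that ties Q to P and the seed are constructed values, and the standard's 16-bit output truncation is left out so the state recovery is a single step.

```python
p = 2**256 - 2**224 + 2**192 + 2**96 - 1   # NIST P-256 field prime, p = 3 mod 4
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of P
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)  # base point

def ec_add(A, B):  # affine group law on y^2 = x^3 + ax + b; None is infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

# Constructed designer secret e with Q = e*P; knowing e (or d = e^-1 mod n) is the backdoor.
SECRET_E = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Q = ec_mul(SECRET_E, P)

def dual_ec_step(s):
    # One iteration -> (next_state, output); the real standard drops the top 16 output bits.
    r = ec_mul(s, P)[0]
    return ec_mul(r, P)[0], ec_mul(r, Q)[0]

def predict_next_output(observed, d):
    # Lift the observed x back to +-R = +-r*Q; both signs lead to the same state.
    rhs = (observed**3 + a * observed + b) % p
    y = pow(rhs, (p + 1) // 4, p)           # square root works because p = 3 mod 4
    assert (y * y) % p == rhs, "not an x-coordinate on the curve"
    s_next = ec_mul(d, (observed, y))[0]    # d*(r*Q) = r*P, whose x is the next state
    return dual_ec_step(s_next)[1]

def demo(seed=0xdeadbeef):
    s1, out1 = dual_ec_step(seed)
    _, out2 = dual_ec_step(s1)
    d = pow(SECRET_E, -1, n)                # trapdoor derived from the designer's secret
    return out2, predict_next_output(out1, d), predict_next_output(out1, d + 1)
```

demo() returns the real second block, the forecast of it made from the first block alone with the trapdoor d, and a forecast made with a wrong d; only the first two agree, which is why the provenance of Q is the whole question and why a Q with no verifiable derivation (or this DRBG at all) should not be deployed.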
Now, Government Announces Steps to Restore Confidence on Encryption Standards
As part of its efforts to foil Web encryption, the National Security Agency inserted a backdoor into a 2006 security standard adopted by the National Institute of Science and Technology, the federal agency charged with recommending cybersecurity standards.
SAN FRANCISCO — The federal agency charged with recommending cybersecurity standards said Tuesday that it would reopen the public vetting process for an encryption standard, after reports that the National Security Agency had written the standard and could break it.
“We want to assure the I.T. cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” the National Institute of Standards and Technology said in a public statement. “N.I.S.T. would not deliberately weaken a cryptographic standard.”
The announcement followed reports published by The New York Times, The Guardian and ProPublica last Thursday about the N.S.A.’s success in foiling much of the encryption that protects vast amounts of information on the Web. The Times reported that as part of its efforts, the N.S.A. had inserted a back door into a 2006 standard adopted by N.I.S.T. and later by the International Organization for Standardization, which counts 163 countries as members.