The big NSA revelation of last week was that the agency’s multifaceted strategy to read encrypted Internet traffic is generally successful. The story, from the New York Times and ProPublica, described NSA strategies ranging from the predictable—exploiting implementation flaws in some popular crypto products; to the widely-suspected but disappointing—inducing companies to insert backdoors into products; to the really disturbing—taking active steps to weaken public encryption standards. Dan wrote yesterday about how the NSA is defeating encryption.
To understand fully why the NSA’s actions are harmful, consider this sentence from the article:
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way.
In security, the worst case—the thing you most want to avoid—is thinking you are secure when you’re not. And that’s exactly what the NSA seems to be trying to perpetuate.
Suppose you’re driving a car that has no brakes. If you know you have no brakes, then you can drive very slowly, or just get out and walk. What is deadly is thinking you have the ability to stop, until you stomp on the brake pedal and nothing happens. It’s the same way with security: if you know your communications aren’t secure, you can be careful about what you say; but if you think mistakenly that you’re safe, you’re sure to get in trouble.
So the problem is not (only) that we’re unsafe. It’s that “the N.S.A. wants to keep it that way.” The NSA wants to make sure we remain vulnerable.
Of course, we “have been assured by Internet companies” that we are safe. It’s always wise to be wary of vendors’ security assurances—there’s a lot of snake oil out there—but this news calls for a different variety of skepticism that doubts the assurances of even the most earnest and competent companies. This is going to put U.S. companies at a competitive disadvantage, because people will believe that U.S. companies lack the ability to protect their customers—and people will suspect that U.S. companies may feel compelled to lie to their customers about security.
The worst news of all, in my view, is that the NSA has taken active steps to undermine public encryption standards.
When I teach the history of encryption standards, I talk about the Data Encryption Standard (DES), published by the U.S. government in 1978, which was one of the most commonly used encryption methods for decades. Some aspects of the DES design were mysterious and there were rumors that the NSA had built in secret weaknesses. Years later, researchers discovered a powerful new codebreaking method called differential cryptanalysis—and found that DES was resistant to it. We now know that the NSA had whispered in the ears of the original DES design team to make sure the standard was secure against differential attacks, which NSA had discovered earlier. In other words, the NSA intervened secretly to improve the security of DES.
The successor of DES is the Advanced Encryption Standard (AES), published by the National Institute of Standards and Technology (NIST) in 2001. NIST went to great lengths to make the AES process as open and transparent as possible, and the result was a standard with broad buy-in from cryptographers around the world. Once again, the US government seemed to be doing its best to choose a high-security, trustworthy standard.
At the same time, there have been persistent rumors, and some evidence, over the years that the NSA has been working to undermine certain security standards. Now it seems that these rumors are confirmed, and the NSA has been undermining standards, which makes everyone—including every American—less secure.
How has the NSA sought to undermine standards? I’ll discuss two likely examples in the next post.