With all of the disturbing revelations that have come to light in the last few weeks regarding the NSA’s collection methods and its efforts to weaken cryptographic protocols and security products, experts say that perhaps the most worrisome result of all of this is that no one knows who or what they can trust anymore.

The fallout from the most-recent NSA leaks, which revealed the agency’s ability to subvert some cryptographic standards and its “partnerships” with software and hardware vendors to insert backdoors into various unnamed products, has continued to accumulate over the course of the last couple of weeks. Cryptographers and security researchers have been eager to determine which products and protocols are suspect, and the discussion has veered in a lot of different directions. But one thing that’s become clear is that when the government lost the so-called Crypto Wars in the 1990s, the NSA didn’t just go back to Fort Meade and tend to its knitting.

“The good news, I thought until a couple of weeks ago, is that the government lost that war. What we didn’t realize is that the Crypto Wars never ended, they just moved underground,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, said during a roundtable sponsored by the university on Wednesday. “Some of these standards were actually built to be less secure so that the NSA might be able to spy on us.”

One of the few bits of concrete information that’s emerged in all of this is that a random-number generator developed by NIST several years ago is now in question. Cryptographers have suspected for some time that the Dual_EC_DRBG random-number generator, which is included in some standards, may have been deliberately weakened. NIST issued a statement in the last few days warning people not to use Dual_EC_DRBG.

“Concern has been expressed about one of the DRBG algorithms in SP 800-90/90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm. This algorithm includes default elliptic curve points for three elliptic curves, the provenance of which were not described. Security researchers have highlighted the importance of generating these elliptic curve points in a trustworthy way. This issue was identified during the development process, and the concern was initially addressed by including specifications for generating different points than the default values that were provided. However, recent community commentary has called into question the trustworthiness of these default elliptic curve points,” the NIST statement says.

Green said that the recent NSA leaks have reinforced the difficulty of producing good standards and algorithms, never mind trying to do so when the NSA has inserted itself surreptitiously into the process.

“Crypto is incredibly hard to get right when you’re not fighting someone like the NSA. How we deal with that when someone very powerful is going around us to build weaknesses in from the start?” Green said.

“We don’t know how good these standards are. Is there any way to rebuild that trust? How secure are we going to be when every moron in the world starts to build their own standards? If the NSA is doing it, then who knows who else might be doing it.”

Aside from the questions about weak or deliberately compromised protocols, experts also say there could be long-range ramifications for security vendors who are trying to sell their products to a suddenly skeptical customer base.

“Should we accept that being secure is worth the blowback? Should anybody trust us now?” Green said. “If we’re building this technology and exporting it to the rest of the world, why should anybody buy it? I don’t know what the impact is.”

Image from Flickr photos of Sebastien Wiertz

Categories: Cryptography, Government, Web Security

Comments (8)

  1. Wise as serpents
    1

    The US along with the UK have revealed themselves as snakes… not to be trusted. We are ruled by the Serpent people. David Icke was right. Piss them off by deleting all your accounts.

  2. Ferroxian
    2

    Fear NSA? How odd this is! The PLA and Huawei hacked Nortel’s servers, read all their corporate bids and financial reports until they ran that Canadian firm OUT OF BUSINESS. Qinetiq the defense contractor was hacked so badly Chinese agents installed eavesdropping and snooping devices all over the company until they had stolen EVERY single piece of IP the firm had! Who warned Qinetiq that they had been hacked? You guessed it, the good old, NSA through their British contacts. The Comment Crew is literally a part of the PLA…the DOD of China, and all you people can do is lambast and bemoan the NSA!!! Ok, me too! I am mad at the NSA for hiring a snot-job like Snowden. And if the NSA slows down in doing ANYTHING it was doing before and the entire west has another Pearl Harbor moment, they deserve it. Putin launched the Red October massive web hacks late last year and that lasted six months. Does anybody talk about that? Heck no – like a bunch of rabid rats we attack our own guard dog and let the RED fox raid every hen house on the planet. When these two communist nations, China, and Russia (led by Vladimir The-Gay-Impaler Putin) close ranks and share their combined exploits the West will cry… to whom?! The NSA is, IS, our hired gun and I for one want them out there fighting with these criminal nations and pulling up their skirts for what they truly are. Look, there are no VIRGINS in the espionage game, especially not in cyber warfare and there IS a war going on. You cry babies just go on down to Tim Hortons and keep trying to turn into TWO people, meanwhile, I want a lean and mean NSA out there kicking APT butt, oh yeah baby!

    • TheTruth
      3

      I definitely want the NSA taking on the enemy – but I DON’T want them violating my constitutional rights on a daily basis. I am NOT the enemy.

    • RSA
      4

      Listen, Mr./Ms. “oh yeah baby!”, you’re missing one of the primary points to the complaint everyone is raising, which is that the security agencies of The U.S. are violating the constitution, internally declaring the citizens of the United States to be enemies, suspending their rights, and compiling dossiers on them.

      I agree that people waving pointed fingers around angrily about U.S. security departments spying on foreign governments go too far. Foreign intelligence gathered about alien governments (or possibly even entire nations with whom the U.S. is at war) is part of the security game, and U.S. citizens should expect and hope that their agencies excel at that.

      But the crux of the complaint is that the surveillance apparatus is turned on private citizens, who presumably have not been charged with a crime, nor are they under investigation for one. The problem is that it very much seems that the entire U.S. population and indeed the population of the entire planet has illegally been placed under boundless investigation, indefinitely.

  3. BSC
    6

    Certainly “who to trust” leaves out the current and previous POTUSes, who let this unconstitutional subversion of a free society fester. Remember that next time you vote.

  4. kimani west
    7

    Yes the government may be taking drastic measures to keep an eye on foreign governments. But have you considered that other countries have done the same to us?

  5. kimani
    8

    The world has changed dramatically since my inception into this world. While I can’t accurately comment on how it was before, in my opinion it is much more dangerous. There are no lines between “combatants” and “civilians” anymore. If an agency with the push such as the NSA want something, they will do so without the concern of a civilian blowback. Most people would say that everything you do is subject to incursion from a multitude of agencies. To think you can even post on facebook or even on this site and not be somehow monitored is ludicrous. It is sad to see a world coming together that doesn’t care for law and human rights. I’d like to say that there are certain things I can do to protect myself, bit in a digital world where literally everything is done on the internet, you might as well walk around with a giant sign attached to you hashtagging everything you do every minute of your life. If someone like the NSA wants to know something about you then they already know it. The only way to combat these types of incursions is to be informed and inform others. If you don’t know how can you fight it? Gotta inform the world…

Comments are closed.