NSA Cryptography

From SI410
Revision as of 03:00, 23 April 2018 by Sbrav (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Nsa.png

The National Security Agency (NSA) is an intelligence agency of the Executive Branch of the United States of America. The NSA describes itself as leading the U.S. Government in cryptology as well as Signals Intelligence which allows the nation to gain an advantage in decisions [1]. The NSA is also responsible for protecting U.S communication and information systems from foreign intrusions. [2]

NSA and NIST

The National Institute of Standards and Technology (NIST) is an agency of the United which as part of its duties, creates, certifies, and releases a set of cryptographic standards for use within U.S Government agencies as well to be used to secure systems worldwide. Most importantly in this standard is the Random Bit Generators which are used to create the keys used to secure communication on the web in a number of widely used applications and protocols. [3]

Since the inception of NIST cryptographic standards, the NSA worked closely with NIST to give direct input into their creation. In May of 2014 the U.S House of Representatives passed an amendment to the Frontiers in Innovation, Research, Science and Technology Act, or FIRST Act which removes the requirement that the NSA be involved in the development of standards. [4]

Dual_EC_DRBG

Dual_EC_DRBG was a cryptographically secure pseudorandom number generator (PRNG) that was published by and standardized by NIST with the input of the NSA in June 2006 until it was redacted in early 2014. Early on in its lifetime, Dual_EC_DRBG had a number of critics, as it was three orders of magnitude slower than the other PRNGs, and it was the only one based upon elliptic curves. These elliptic curve algorithms have a published constant Q which all users of the algorithm must know. In August 2007 at the CRYPTO conference two security researchers from Microsoft described a way in property unique to elliptic curve PRNGs [5]. Elliptic Curve algorithms have a public initialization factor Q If one knows the prime factorization of that constant Q, one could gain insight into the next numbers to be generated using the algorithm. Q is so impossibly large that no adversary could factor it even with all the computer power on earth. However, these researchers posited that the creators of the algorithm could’ve crafted Q in such a way that they know the factors which make it up, allowing them insight into any random bits generating using the algorithm.

Edward Snowden

In June 2013, a former NSA contractor and CIA employee Edward Snowden released thousand of classified NSA documents to a number of journalists. Among these documents were goal, technical, and financial details on a number of classified surveillance and encryption cracking programs. Many of the technical details of these programs have to be speculated on since Snowden did not have the high level of security clearance necessary to gain access to those documents. [6]

BULLRUN

Among these documents was details on a highly classified encryption cracking program called BULLRUN. The program’s goal was to mass decrypt internet traffic en-masse. It detailed many of the agreements the NSA had with telecom companies such as Room 641A in AT&T’s switching center, which gives the NSA access to much of the internet traffic AT&T routes around the globe. [7]

Allegations of backdoors

Following the release of documents by Edward Snowden. A number of allegations have been made against the NSA for putting explicit vulnerabilities (commonly known as backdoors) into encryption algorithms published by various national standards bodies and independent researchers.

According to a Reuters report, the NSA paid RSA, an influential security research company, $10 MIllion USD to use the NSA-designed, later to be found to have a potential backdoor , Dual_EC_DRBG by default in their prolific cryptography library RSA BSAFE. After the release of the report, RSA recommended that users change their settings and use another random number generator. [8]

NSA and ISO

The International Organization for Standardization (ISO) is an international standards body which certifies and publishes standards. ISO is composed of representatives from national standards bodies. The United States’ Representative to ISO is ANSI, NIST recognizes and works with ANSI on technological standards. In September 2017 ISO rejected two NSA-designed encryption algorithms. Many delegates chimed in to respond. The delegate from Israel, Orr Dunkelman, said about the NSA, “I don't trust the designers, there are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards." [9]

References

  1. Cryptography. (2018, April 18). Retrieved April 19, 2018, from https://en.wikipedia.org/wiki/Cryptography
  2. NSA Frequently Asked Questions. (n.d.). Retrieved April 19, 2018, from https://www.nsa.gov/about/faqs/
  3. Huergo, J. (2018, January 08). NIST Releases New Document on its Cryptographic Standards and Guidelines Process. Retrieved April 19, 2018, from https://www.nist.gov/news-events/news/2016/03/nist-releases-new-document-its-cryptographic-standards-and-guidelines
  4. Hagemann, R. (2016, February 09). The NSA and NIST: A Toxic Relationship. Retrieved April 19, 2018, from https://niskanencenter.org/blog/the-nsa-and-nist-a-toxic-relationship/
  5. Shumow, D., Ferguson, N., & M. (2007, August 21). On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng (Tech.). Retrieved April 19, 2018, from Crypto 2007 Conference website: http://rump2007.cr.yp.to/15-shumow.pdf
  6. Edward Snowden. (2018, February 06). Retrieved April 19, 2018, from https://www.biography.com/people/edward-snowden-21262897
  7. Schneier, B. (2013, September 5). The NSA Is Breaking Most Encryption on the Internet [Web log post]. Retrieved April 18, 2018, from https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
  8. Menn, J. (2014, March 31). Exclusive: NSA infiltrated RSA security more deeply than thought -... Retrieved April 19, 2018, from https://www.reuters.com/article/us-usa-security-nsa-rsa/exclusive-nsa-infiltrated-rsa-security-more-deeply-than-thought-study-idUSBREA2U0TY20140331
  9. Schneier, B. (2017, September 21). ISO Rejects NSA Encryption Algorithms [Web log post]. Retrieved April 18, 2018, from https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html