Congress: Protect the integrity of standards

Congress: Protect the integrity of standards

Summary: One of the disturbing actions of the NSA in recent years was their attempt to subvert a NIST cryptography standard in order to insert a back door. I call on Congress to end this.

SHARE:
11

I have decided to pick out one specific, very disturbing tactic used by the NSA in recent years to facilitate surveillance and make a Federal issue of it. As I detailed last week, back in 2007 the NSA submitted an algorithm for random number generation to NIST (the National Institute of Standards and Technology) which contained a "back door" to allow them to crack encrypted communications which employed the standard.

This is disturbing in many ways and I suspect that very few people would defend it out in the open. I have sent the letter below to the members of Congress named in it, explaining what happened and why they must pass a law clearly and unambiguously barring such activities. Perhaps it's not just government agencies which should be so prohibited, but anyone, anywhere.

If you agree or disagree with the sentiment in the letter you can tell your own Congressperson and Senators. Find your Congressperson at this page and pick your Senators out of the list on this page.


To:

House Permanent Select Committee on Intelligence
    Chair Mike Rogers
    Ranking Member C.A. Dutch Ruppersberger
House Committee on Science, Space, and Technology
    Chair Lamar Smith
    Ranking Member Eddie Bernice Johnson
Senate Committee on Commerce, Science and Transportation
    Chair Jay Rockefeller
    Ranking Member John Thune
Senate Select Committee on Intelligence
    Chair Diane Feinstein
    Ranking Member Saxby Chambliss

Subject: The subversion of standards by the NSA

I write this letter to call on Congress to outlaw one specific, especially disturbing technique used by the National Security Agency in their efforts at surveillance on the Internet: the subversion of standards established by other government bodies.

In 2007, NIST (the National Institute of Standards and Technology) approved an algorithm promoted by the NSA (Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator) as part of a standard (SP 800-90) for random number generation. Random number generation is an important part of secure cryptography and a difficult problem, so established and reliable standards are to the benefit of all. Due to their renowned expertise in the field, NSA had participated extensively in standards processes and gained a great deal of respect for it.

Unfortunately, before too long, researchers at Microsoft found and published details on a vulnerability in the algorithm that could function as a "back door" to allow a third party to predict values and use the fact to compromise encrypted data. Many concluded at the time that the NSA had put the back door in deliberately to facilitate surveillance. The latest revelations from NSA documents leaked by Edward Snowden confirm this suspicion: the NSA intentionally introduced a weakness into a government-published standard in order to exploit it.

Standards such as SP 800-90 are relied upon by parties the world over, not least of which are other agencies of the US government, many of them involved in defense and intelligence, as well as protecting the privacy of innocent citizens.

The role of NIST is pursuant to a clear and uncontroversial exercise of authority granted Congress in Article I section 8 of the US Constitution: "The Congress shall have Power To … fix the Standard of Weights and Measures". In this role, NIST and other US bodies have led the world in the establishment of standards which facilitate the development and interoperability of technology. It is a function that has been to the benefit of the whole world.

The role of the US government should be to protect the integrity of those standards rather than to weaken them. Certainly NSA is not the only organization attempting to subvert important standards like Dual_EC_DRBG. But it's hard to get outraged by foreign powers working to compromise our technology when our own government is doing it too. The argument I've heard that such a ban would be “unilateral disarmament” doesn't stand up to scrutiny; our own abuses of Internet standards do not, in any meaningful way, combat the same abuses by other parties. They just compound the problem of a loss of trust in basic technological areas in which the US has long been the world leader.

I therefore respectfully suggest that a law be passed which clearly and unambiguously prohibits such actions by agencies of the US government. It may be worth banning such actions by anyone, private or public, foreign or domestic.

Larry Seltzer
Contributing Editor, ZDNet
Maplewood, NJ

References:

cc: Dr. Patrick Gallagher (Director, NIST)


Topics: Security, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • Timeline of the next five years...

    Sometime next year - congress will publicly pass the laws that you request.

    Sometime within five years, someone else will discover that the NSA's actions haven't changed.

    Unfortunately, the NSA and other government departments appear to be exempt from certain laws and possibly even your constitution. Passing yet another law in congress isn't exactly going to make a difference here.
    daftkey
    • Because once people get to congress they start getting non public info

      about how many tens of thousands of American lives have been saved each year by decrypting communications. And callous as it may sound, more importantly, how many times it's prevented economically crushing events from happening like airport attacks, stadium event attacks, etc. that would have had 911 like economic consequences. Contrasting that with providing encryption that prevents basically everybody except the NSA from decrypting it and you start to see that yeah, that level of encryption is "good enough" for the average consumer and business.
      Johnny Vegas
      • Attacks

        And all these attempted attacks only started to appear after gouvernment internet surveillance was in effect. That explains why there was no actual drop in number of successful events.
        Sacr
      • Hyperbole

        "tens of thousands of American lives have been saved each year by decrypting communications"

        Give me a break!! I dounbt that the real number is in the dozens or possibly hundreds for non military personnel.
        jnowski
      • "I dounbt that the real number"

        I meant to say, "I'd guess that the real number"
        jnowski
      • Ah yes, the old boogieman strategy.

        Certainly does remind me of all the other garbage authorities have claimed to have accomplished throughout history, any time the citizens' rights are compromised by those same authorities. And can there be any doubt that these fantasy culprits come from the same playbook. Gee, bet old Hitler and Goebbles were saying exactly the same things to their subjects about their justifications for extermination of the Jews, Poles, Gypsies, Gays, and just about anyone who wasn't pure Aryan. Or how about Nero, or Pharaoh, or Genghis Khan, or Hirohito, or, well, you get the picture. The list is nearly endless and even if it weren't, there's still all the minions who follow these b'tards without questioning any pretext. Hmm, suppose Bush/Cheney and their claims of WMDs qualify?

        SPLF
        spixleatedlifeform
      • Yeah, sure Johnny...

        ..that pablum your gubment's been feeding you still palatable?

        I'm reminded of a certain parable regarding tigers on a train...
        daftkey
      • Re: how many tens of thousands of American lives have been saved each year

        Where are the prosecutions? Or are these crims simply being let off scot-free to plan even more heinous crimes?
        ldo17
  • I Don't Think The NSA Has Been Very Successful At This

    Their attempt at promulgating a crap pseudorandom number generator set off so many alarm bells that I doubt anybody seriously uses it. Back in the early days of DES, their attempt to shorten the key length from 128 to 56 bits similarly only encouraged lots of people to come up with alternative, stronger encryption methods.

    I doubt they have managed to hide anything else better than this.
    ldo17
  • Insufficient

    I like the idea a little ... but it isn't vicious enough.

    1. Why you choose to write respectfully is beyond me: I would write with 'extreme contempt for the betrayal of American values and reckless endangerment of global operations'.

    2. Is there not a law of criminal neglect, malfeasance or some such with which to start action now?

    3. Having locked up the guilty parties, announce a public enquiry to last a suitably long time. In the interim pass laws which will make sure the perpetrators forfeit their wealth and go to prison for a very long time, maybe life.

    4. The trouble with the present regime is that watchdogs and laws always follow the crimes with no reparations for the injured parties. Their needs to be a process whereby transgressors are punished retrospectively ... or else they will simply calculate the cost of punishment/bad press and break the law.

    No, you've got to do a whole lot better than an appeal to another bunch with vested interests.
    jacksonjohn
    • If you want to see vicious ...

      ... have a look at my treatment of Gewirtz's latest post.
      jacksonjohn