‘Regrettable’: NSA mathematician apologizes for agency’s support of flawed security tool

​A top NSA researcher has gone on the record to condemn the agency’s long-standing endorsement of a controversial cryptographic tool even after learning of its flaws – including a vulnerability that could be exploited by hackers and spies.

The National Security Agency’s director of research now says it is “regrettable” that the government continued to support the use of the application in question, which was previously reported to have been pushed on national and international standards groups by the NSA after the agency reportedly paid a leading security firm millions of dollars to make it one of its default programs.

Michael Wetheimer, a cryptologic mathematician who spent two decades at the NSA before becoming in charge of the agency’s research and technology development programs in 2010, all but apologizes in a recently penned journal article concerning the Dual Elliptic Curve Deterministic Random Bit

Generator, or “Dual_EC_DRBG” – a crypto tool long touted by the United States intelligence community as being secure. However, researchers proved it to be deeply flawed; this was detailed in secret documents disclosed in 2013 by former government contractor Edward Snowden.

The NSA and the American public were made aware as early as 2007 that the encryption application was vulnerable to an attack that could open up a “backdoor” and allow a skilled cybersleuth to crack the elliptic curve algorithm intended to secure data through encryption and instead decipher it, rendering the tool seemingly worthless. Wetheimer now acknowledges that it was wrong for the NSA to continue supporting the tool, touting it notwithstanding substantial concerns from the security community.

“With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor,” Wetheimer writes in the February edition of Notices, a publication of the American Mathematical Society. “In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable.”

Nowhere in the posting, however, does Wetherimer answer as to why the NSA not only continued to champion Dual_EC_DRBG, but went as far as to reportedly pay security firm RSA $10 million to make the application the default encryption system used by one of the company’s toolkits, BSafe – used to keep eavesdroppers from prying into commercial and consumer computer products.

In September 2013, documents provided to the media by NSA whistleblower Snowden exposed the scope of the US intelligence community’s efforts to undermine encryption standards, specifically with regards to Dual_EC_DRBG; according to reporting based on those classified files, the NSA pushed the application on the National Institute of Standards and Technology, or NIST, then worked to have it accepted by the International Organization for Standardization.

“Beginning in 2000, as encryption tools were gradually blanketing the Web, the NSA invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own ‘back door’ in all encryption, it set out to accomplish the same goal by stealth,” journalists from ProPublica and The New York Times wrote after reviewing the Snowden files.

Then, three months later, Reuters reported exclusively that RSA received $10 million in a deal that set the NSA endorsed formula as the “preferred, or default, method for number generation in the BSafe software,” and that concerns surrounding suspected vulnerabilities within the application went unanswered because, according to the newswire, “the deal was handled by business leaders rather than pure technologists.”

RSA has subsequently denied claims that it accepted millions of dollars in bribes from the US government to push subverted security software containing backdoors on consumers, and the US NSIT long ago approved Dual_EC_DRBG as being trustworthy – until it decided last April to rescind support of the algorithm in the wake of the Snowden disclosures.

“I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” acclaimed cryptologist Bruce Schneier told Threatpost in September 2013, when the application made headlines after Snowden’s leaks were revealed. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.”

“The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm,” Wetherimer now explains in the AMS publication.

“Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to ‘undermine Internet encryption.’ A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency.”

In December 2013, a review group assembled by the White House sent US President Barack Obama a report containing dozens of recommendations to be implemented in the wake of the Snowden disclosure, writing that the US government should “fully support and not undermine efforts to create encryption standards” and “not in any way subvert, undermine, weaken or make vulnerable generally available commercial software.”

Hardly a year later, however, the White House is now reportedly on the receiving end of pleas from President Obama’s British counterpart, UK Prime Minister David Cameron, to crack down on encryption in the US after recently advocating for being able to decipher any communications as a supposed counterterrorism solution.

“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to listen in on mobile communications,” Cameron said in the wake of the recent French terrorist attacks. “The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.”

According to the Guardian, Cameron is now asking the White House to consider the same course of action.

“The prime minister’s objective here is to get the US companies to cooperate with us more, to make sure that our intelligence agencies get the information they need to keep us safe. That will be his approach in the discussion with President Obama – how can we work together to get them to cooperate more, what is the best approach to encourage them to do more,” the Guardian quoted a source as saying this week.