Last week, RSA, the security division of EMC, recommended that its customers stop using a community-developed encryption algorithm standard known as Dual EC DRBG because the NSA had inserted a backdoor into that cryptographic key creation product. This move by RSA came after the NIST issued a supplemental bulletin [PDF] in which the body “strongly recommend[ed]” that RSA’s product no longer be used. OK, enough alphabet soup and word salad.

What this means is that the NSA unilaterally decided to make it much easier for itself and other intelligence agencies to bypass the security measures developed by RSA. Unfortunately, what makes life easier for the NSA also makes life easier for hackers generally.

The specifics of how RSA’s product works and just how the NSA undermined the product’s function are beyond your author’s comprehension. However, the implications of the NSA’s actions require less technical knowledge and only a bit of history to explore.

Last year, the FBI renewed an initiative to make encryption backdoors (similar to the one used by the NSA here) mandatory among internet-based businesses. At the time, the renewal effort largely centered around pushing Congress to pass legislation. Though the move alarmed those concerned with internet security, one could hardly deny that the FBI sought its ends through politically sound means. So long as the debate remained in Congress, the public remained informed and involved. But that public involvement meant that the FBI’s initiative largely failed.

Perhaps mindful of the FBI’s difficulties, the NSA took action of a wholly different character. Without any Congressional support, the NSA inserted encryption backdoors, which undermined the integrity of the Dual EC DRBG algorithm so completely that RSA has essentially conducted a digital-age recall. This secrecy cuts both ways. By not announcing the insertion, the NSA has undercut one of the stronger criticisms of the FBI’s legislative initiative: the de facto announcement to the hacking world that there is now a direct path bypassing digital security measures. Yet, by not pursuing traditional political means, the NSA has also left security providers and citizens in the dark as to whether their protective measures have been compromised.

As one commentator put it, “It’s one thing for the government to require companies to provide access to the information they already collect–but it’s another to tell them how to collect information, that they need to collect more information, or that they need to build in additional data-collection functions (including encryption backdoors).” [Full disclosure: that was me. --Ed.] It’s yet another thing to go behind those companies’ backs and build in additional data-collection functions under cover of darkness. This intersection of compelling national security, personal privacy, and information security interests will certainly be something to watch going forward.

–Jonathan Hoffmann