26

There was a lot of suspicion around the design of the Data Encryption Standard (DES) encryption algorithm, which is not used any more for its lack of security, regarding the NSA's involvement in its design and whether they had implemented any back doors to be able to crack the encryption at their own will.

Is there any evidence that exists that suggests that the NSA have implemented back doors into modern encryption algorithms?

ike
jazzdawg
  • 3
    Not really an answer, but: One thing most people forget is that the NSA puts these algorithms forward for internal government and military as well as civilian use. If there are backdoors in them, they are taking a huge risk in doing so. Cryptography is blindly democratic - with sufficient analysis anyone could find the backdoor, and that is not in the best interests of the NSA. –  Apr 10 '11 at 12:56
  • 2
    The way I remember it, the story runs like this: the NSA insisted on tweaking the s-boxes a little. Much later the ones the NSA provided were found to be strong against one attack not known to academic cryptographers at the time of DES's design, but surprisingly weak against *another* (mathematically more complicated) attack not known in academic circles at the time. One can then **speculate** that the NSA knew about both attacks and designed the s-boxes so that they could crack some messages while the cipher remained strong against techniques likely to be widely known for a while. – dmckee --- ex-moderator kitten Apr 10 '11 at 20:24
  • dmckee: The NSA's involvement in _strengthening_ the DES cipher against attacks that would not be known outside of the NSA for 20 years (differential cryptanalysis) is well-documented, but I have never heard that second part. S-boxes existed, in a form, before NSA involvement, and afaik the attacks discovered later (linear cryptanalysis) did not hinge on the NSA's changes - i.e. the NSA only made it stronger. The NSA did push for a smaller key size, but the implications of that were well-understood. Again, the NSA was using these techniques for government data as well. –  Apr 11 '11 at 13:51
  • @Joe: Sure. The conspiracy theory requires that we believe in an NSA both hyper-competent and confident enough of the timescale over which their lead would be maintained to deploy a cipher they knew to be weak; all for a limited gain (to let them read a subset of messages by means almost but not quite as hard as an exhaustive search). I didn't say that I believed it, just that the story making the rounds had a particular form. – dmckee --- ex-moderator kitten Apr 11 '11 at 19:54
  • Again, I've _never_ heard that story. Do you have any record of someone saying it? I'm not sure if the second crack you are talking about is linear cryptanalysis, because even that was not the downfall of DES. And again, in your version, they did _not_ build a backdoor into the algorithm, they just merely failed to close it. –  Apr 11 '11 at 19:57
  • Very good question –  Jun 10 '13 at 16:31

1 Answer

26

According to Bruce Schneier, one of the world's most renowned cryptographers, there are some suspicions around the involvement of NSA with the NIST standard Dual_EC_DRBG:

> But today there's an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.
source

In the same essay, Schneier warns us against jumping to conclusions:

> Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
>
> We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.
>
> This is scary stuff indeed.

As a side note: in cryptography it is beneficial to be a bit paranoid or to have the mindset of a conspiracy theorist. In the world of cryptography, who did it effectively doesn't matter. If the algorithm is weak, you should assume the worst: that the NSA (or the bad guys) can crack it, and move to something else.

Sklivvz
  • 1
    not properly researched, one person's opinion isn't an answer :) – jwenting Apr 10 '11 at 05:45
  • 15
    It's a mathematical proof - not an opinion. Schneier is just translating it into English :-) – Sklivvz Apr 10 '11 at 09:10
  • 1
    That was a very interesting essay, thanks for the link. You hit the nail on the head with that last paragraph: we should always err on the side of caution when dealing with cryptography and pick the most reliable algorithm very carefully. I guess we can't tell for certain whether the NSA specifically has access to the backdoor but the research presented seems pretty clear cut that the algorithm is unreliable and open to abuse. – jazzdawg Apr 10 '11 at 10:08
  • 5
    *Bruce Schneier doesn't need facts. With one roundhouse-kick he can generate a formal proof for whatever he needs.* ([source](http://www.schneierfacts.com/fact/137)) – mmyers Apr 11 '11 at 18:47
  • 6
    Closing the loop on this one. In 2013, [The New York Times reported](http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?_r=0) that internal NSA memos leaked by Edward Snowden suggest an RNG generated by the NSA which was used in the Dual_EC_DRBG standard does indeed contain a backdoor for the NSA. – jazzdawg Dec 08 '13 at 10:56
  • 8
    Some argue that the "or" in the parenthesis of the last sentence should not be there. ;) – Brian M. Hunt Mar 04 '14 at 20:39
  • "the NSA (or the bad guys)" - Charitable (and not sufficiently paranoid) to assume that those are necessarily independent groups. – aroth Apr 16 '20 at 12:10
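
The point in the quoted essay, that whoever chose the constants could hold a key to the generator, can be shown on a toy model. This is an added example, not code from the answer or from Schneier's essay: it assumes the publicly described structure of Dual_EC_DRBG (state updated with point P, output taken from point Q, top bits dropped), substitutes secp256k1 for the NIST curve, drops 8 bits instead of 16, and the names `D_SECRET`, `step` and `recover_state` are hypothetical.

```python
# Toy Dual_EC_DRBG-style generator on secp256k1 (constructed; the real standard
# used NIST curves and dropped 16 output bits, this sketch drops 8).
P_MOD = 2**256 - 2**32 - 977                 # field prime; curve is y^2 = x^3 + 7
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DROP = 8
MASK = (1 << (256 - DROP)) - 1

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

D_SECRET = 0xC0FFEE1234567890ABCDEF          # constructed: known only to whoever chose P
P = mul(D_SECRET, Q)                         # published constant; looks like any other point

def step(state):
    """One round: new state s = x(state*P), output = truncated x(s*Q)."""
    s = mul(state, P)[0]
    return s, mul(s, Q)[0] & MASK

def recover_state(out1, out2, d):
    """From two consecutive outputs and d (P = d*Q), return the state behind out2."""
    for hi in range(1 << DROP):              # guess the dropped top bits
        x = (hi << (256 - DROP)) | out1
        y = pow(pow(x, 3, P_MOD) + 7, (P_MOD + 1) // 4, P_MOD)
        if x >= P_MOD or (y * y - pow(x, 3, P_MOD) - 7) % P_MOD:
            continue                         # candidate x is not on the curve
        s = mul(d, (x, y))[0]                # x(d * s1*Q) = x(s1*P) = next state
        if (mul(s, Q)[0] & MASK) == out2:
            return s
    return None
```

Nothing in the published pair (P, Q) reveals whether a `D_SECRET` exists, which is why constants with no verifiable derivation cannot be cleared by inspection.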