The Debate is Over: the NSA is Weakening Encryption

Thibault Serlet



Is the NSA weakening encryption? Numerous cybersecurity professionals and enthusiasts have asked themselves that question for years. Nobody really knows the NSA’s true motives. Even post-Snowden, most of the organization’s methods are a mystery to the general public.

Motives

Terrorists, dissidents, and politicians which the NSA may be interested in spying on clearly use cryptography.

Furthermore, the FBI is known to oppose cryptography. The Guardian has alleged that the NSA spends $250 million per year weakening cryptography. The basis for the Guardian’s claims come from this document.

The Clipper Chip

In the 1990s, the NSA developed a small chip known as the clipper chip. It was to be inserted into every single audio telecommunications device, and automatically bypass all encrypted communications. News of the clipper chip was made public after a series of declassified and top secret memos were made public.

The Electronic Privacy Information Center and EFF fought a 6 year long legal battle, and eventually defeated the NSA.

The clipper chip used the Skipjack algorithm to break encryption. The chip would suck the private keys out of the device into which it was built.

Due to security vulnerabilities exposed by legendary cypherpunk Matt Blaze, the government abandoned its clipper chip program in 1996.

RSA and NSA

A Snowden document revealed that in 2004 or 2005 the NSA paid RSA 10 million dollars to insert a backdoor into its BSAFE algorithm.

Long before the Snowden leaked the document explaining the $10 million dollar deal, various security experts raised the possibility several RSA algorithms had been compromised. In 2007, Microsoft security researchers Dan Shumow and Niels Ferguson released a report suggesting a backdoor.

Security company Cloudflare detailed the technical details such a backdoor might entail.

RSA has denied that it intended to weaken BSAFE. Despite this, following the revelations of backdoors, RSA has since told its customers to stop using its compromised algorithms. Numerous disgruntled developers have left the company to look for less corrupt pastures.

The RSA incident doesn’t appear to be an isolated one; the New York Times brought to light a secret document detailing government plans to insert vulnerabilities into IT security and encryption systems.

NIST

The NSA has been watching us since at least the late 1990s. After the unwinding of the first crypto war, the NSA funded NIST (National Institute of Standards in Technology) hosted a series of contests to see who could develop the most secure cryptographic algorithms. In most of these contests, the seemingly most secure algorithms would win.

During the Advanced Encryption Standard process contests from 1997 until 2000, NIST made several odd choices of winners.

Ultimately, NIST chose the now widely-used AES algorithm. Another encryption algorithm, SERPENT, was proven during the contest to be less vulnerable to XSL attacks. Moreover, security experts have argued that SERPENT is more secure than AES. NIST argued that AES had higher performance speeds when compared to SERPENT, and that is why they chose it.

Some have argued that NSA’s involvement in NIST’s standard creation poses a conflict of interest. Considering the AES fiasco, this appears to be the case. NIST itself found that the NSA’s influence over the organization was detrimental to cryptography.

Icing on the Cake

Perhaps the most alarming piece of evidence concerning the NSA’s role in weakening cryptography is Suite A Cryptography. The NSA uses its own top secret encryption algorithms which are unknown to the general public. If the NSA is truly weakening encryption, then they wouldn’t use any publicly available cryptography.

Pushback

This year, a large group of security experts wrote the NSA an open letter warning about the national security and human rights risks of waking cryptography.

The Presidential Panel on “Liberty and Security in a Changing World” recommended that the NSA immediately halt any efforts to undermine cryptography. The panel recommended: “(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”

The House Committee has already decided to start the process of separating NIST from the NSA.

Not all encryption appears to be compromised, and there also is a growing push-back against the NSA and DHS. One can only hope that the government adapts to the new changing world we live in.

Follow our Facebook and Twitter.

