A Brief History of NSA Backdoors.

In response to the recent revelations about the NSA backdooring RSA libraries, I’ve compiled a brief, incomplete history of NSA backdoors. Help me make it better by emailing corrections and additions to ethan.r.heilman@gmail.com.

Update: Added Actel backdoor. Update 2: There is a Hacker News thread for discussion. Update 3: Added newly discovered postal interception backdoor installation.

1946-1970, The Ultra Secret: After WW2, the British Empire sold captured German Enigma cipher machines to many allied countries and former colonies. The US and the UK had broken Enigma but had kept this fact secret so that countries would use these broken ciphers. To clarify: the British sold machines they knew they could break to allied nations, then the US and the UK spied on those countries for nearly 30 years exploiting the weaknesses in those machines.

1957 - Present, The Boris Project: In 1957 William Friedman of the NSA met with his old friend Boris Hagelin. The purpose of their meeting was to begin “the Boris Project”, in which Crypto AG ciphers would be weakened and backdoored so that the NSA could listen to NATO communications (there is some evidence that suggests that the Boris Project predates this meeting). The meeting was first made public in the biography of Friedman, “The Man Who Broke Purple”. Further details were made public with the publication of “The Puzzle Palace”, including letters showing Friedman’s concern about the direction of the project. From interviews with ex-employees we know that the addition of backdoors to Crypto AG ciphers occurred no later, and possibly earlier, than the 1970s and likely continues to the present day. These backdoors included covert channels that allowed full key reconstruction.

Slowly the world figured out that Crypto AG was not a reliable vendor of cryptographic hardware. In 1986 Reagan tipped off the Libyans that the US could decrypt their communications by talking on TV about information he could only get through Libyan decrypts. In 1991 the Iranians learned that the NSA could break their diplomatic communications when transcripts of Iranian diplomatic communications ended up in a French court case. In 1992 the Iranians got so upset with Crypto AG that they charged a Crypto AG salesman with espionage. Despite this evidence, the Iranians appear to have continued to use Crypto AG machines for diplomatic communications until, and perhaps beyond, 2003. In 2004 Ahmed Chalabi was accused of selling the Iranians the methods by which the US was breaking their codes. It is speculated that this might have been information on Crypto AG backdoors or weaknesses.

1979 - Present, DES: The Data Encryption Standard was altered by the NSA to make it harder to attack mathematically but easier to attack via brute-force methods. The original version of DES, called Lucifer, used a block and key length of 128 bits and was vulnerable to differential cryptanalysis. The NSA requested that the already small DES key size of 64 bits be shrunk even more to 48 bits; IBM resisted and they compromised on 56 bits. This key size allowed the NSA to break communications secured by DES.

1993, Clipper Chip: The NSA was deeply concerned with the public adoption by Americans of cryptography that they couldn’t break. In 1993 they proposed that voice communication be secured with an encryption chip called “the Clipper Chip”. The Clipper Chip was backdoored such that the NSA could, at will, break any communication secured by the Clipper Chip. Unlike most of the backdoors in this list, the NSA announced the presence of the backdoor. Due to its known insecurity, the Clipper Chip was never widely adopted.

1997, Lotus Notes: The NSA requested that Lotus weaken its cryptography so that the NSA could break documents and emails secured by Lotus Notes. This software was used by citizens, companies and governments worldwide.

200? - Present, Actel ProASIC3 FPGA: In 2012 Skorobogatov and Woods discovered that Actel military-grade FPGAs contained a backdoor. The researchers were able to reverse engineer the key such that they could exploit the backdoor. This chip is used in US weapon systems, nuclear power plants and transportation. All other Actel chips appear to have this backdoor as well. At first there was some concern that the backdoor was planted by a foreign government, but it was revealed that Actel, an American company, intentionally added this backdoor.

While there is no smoking gun linking this backdoor to the NSA (at least not yet), it seems implausible to me that a US company would design a complex backdoor and insert it into chips used in critical US systems without US government approval. Additionally, if Actel had created this backdoor without US approval, I would expect more of a response from the US government. The US response has been, to my knowledge, complete silence on the issue.

2004 - 2013, Dual_EC_DRBG: Dual Elliptic Curve Deterministic Random Bit Generator, or Dual_EC_DRBG, is a random number generator created by the NSA. It is designed so that if the NSA selected the internal constants carefully, they could generate a secret key which would allow them to break encryption schemes that relied on Dual_EC_DRBG for security. This property of Dual_EC_DRBG was discovered in 2006 by Brown and rediscovered by Shumow and Ferguson in 2007, leading to public speculation that Dual_EC_DRBG was backdoored. In 2004 the NSA paid RSA Security 10 million dollars to add Dual_EC_DRBG as the default choice in some of its libraries. The NSA then used the fact that RSA was using Dual_EC_DRBG to get it approved as a NIST standard.

2013, Enabling for Encryption Chips: In the NSA’s budget request documents released by Edward Snowden, one of the goals of the NSA’s SIGINT project is to fully backdoor or “enable” certain encryption chips by the end of 2013. It is not publicly known to which encryption chips they are referring.

2013, Trusted Computing Platforms/Modules: A resource in the same, previously mentioned, budget request is the exploitation of foreign Trusted Computing Platforms and technologies. There has been some concern expressed in Germany that the Microsoft TCM 2.0 could be backdoored by the NSA.

? - Present, Postal Interception Backdoor Installation: According to a 2010 report leaked to the Guardian, the NSA’s Access and Target Development department routinely intercepts computer equipment being sent through the mail and adds implants. The equipment, which is generally networking devices and servers, is then sent on its way to be used by the targeted individuals and organisations. These implants give the NSA the ability to connect into air-gapped private networks.

I have an older post in which I speculate about designing a cipher with a backdoor.