Friday, September 6, 2013

Insecurity For Security Reasons - The NSA's backdoors into our privacy

Ok.  I promise I won't post anything else about the NSA for the remainder of this week, unless something else big pops up.

Today, articles from the New York Times, The Guardian, and ProPublica revealed that the NSA and GCHQ (NSA equivalent in the UK) actively attempted to sabotage the cryptography community by inserting standards with backdoors and using supercomputers to crack encryption technologies.  The usage of supercomputers is worrying, but in light of the recent revelations, expected.  However, the insertion of backdoors into our encryption standards (NIST Special Publication 800-90) was not.

In the publication, the inclusion of Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator was concerning at first, due to concerns about its speed (3x slower than the other two methods listed).  In 2007, it was revealed by a pair of Microsoft (oh the irony) researchers who proved that with the correct set of numbers, the encryption could be cracked in as few as 32 bytes of output (for size comparison, this post up to here contains about 1000 bytes).  This, paired with the NSA's insistence upon a vastly slower algorithm, lead the researchers to believe that the NSA had intentionally inserted this backdoor into our security protocols.

This wasn't the first time the NSA has attempted to do this; in 1994, the agency pushed for "Clipper" chips which would record transmissions from electronic devices.  This was fiercely beaten down in a frenzy by privacy advocates and legal scholars.

On related and totally disturbing news from late August: NSA officers sometimes spy on love interests.  Well, it sort of explains itself.  The backlash against this was quite humorous, sparking poems tagged with #NSAlovepoems and #NSAromcom.  The WSJ has assembled quite a collection linked here.

3 comments:

Anonymous said...

This "insecurity" that the NSA is pushing for, is just another one of the small, but numerous tactics to watch over the lives of the American citizens. I find these methods very clever because they aren't as noticeable as some other, more blatant ways of going about constant monitoring. Although I do find the NSA's spying quite creepy, it does have some beneficial results. It is interesting that their encroachment upon privacy has succeeded so far with the abundant negative responses as seen through the social media posts. The NSA has become somewhat of a subject for humor instead of fierce opposition for the average American. Does this mean that we are generally content with the NSA's actions? A final bit of information that is increasingly disheartening is the ease at which they can crack the encryption. Only 32 bytes of output is a ridiculously tiny amount of data for that caliber of information.

Unknown said...

By modern standards, 100 Gigabits/s is considered the average max throughput of an ethernet cable, 54 mbps for wifi, and this webpage is 251 kilobytes. This means that with the "magic number", a "secure connection" using the compromised Dual Elliptic Curve algorithm would have been broken before this webpage was even fully loaded.

I'm still skeptical of the "benefits" that the NSA surveillance brings, if we were to consider that people are more likely to be killed by freak accidents than by "terrorist attacks"

Unknown said...

In response to Connor's comment, I don't think we are content at all with the NSA's actions. There have been innumerable complaints and outcries about NSA actions since their spying program was first revealed, and each new revelation brings with it a new wave of public protest. Americans justifiably feel indignant about these invasions on their privacy and, in this case about the NSA deliberately weakening security measures, betrayed as well.

One reason why I think people are making jokes about the NSA is that often times, satire and sarcasm are even more stinging than flat-out anger and outrage. Another reason I think contributes to this is that the NSA is very sheltered from the people's will. Despite all the outrage, people can't actually do a whole lot about the NSA and can only rely on the president and the Supreme Court to effect changes. The NSA and its counterpart FISA court were created to avoid being accountable to the people. The chief justice of the Supreme Court appoints the FISA judges, and those judges hold only private hearings with the Justice Department and intelligence agencies. The NSA, similarly, is accountable to the president and US intelligence agencies, so there isn't much people can do in this regard besides pressure the president. The NSA and the FISA court are rather sheltered even from Congress, which hasn't yet been able to take many actions regarding NSA surveillance.

However, in this case regarding data encryption, people can start taking action by developing their own codes and methods for encryption. Unfortunately, cryptographers looking to strengthen data encryption will need to start from scratch because previously they had relied on help from mathematicians and cryptographers from the NSA in trying to develop new and stronger data security measures.