Secret contract tied NSA and RSA via CSPRNG backdoor

This story shows why prevention of side channel attacks is so critical.

Implementations must evade sabotage by state and non-state entities, where motivations are always cloaked in secrecy, and sometimes even actors themselves are oblivious to their own part in the subversion.

“As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry”

“Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products

“Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA’s corporate evolution away from pure cryptography products as one of the reasons it occurred.”

"An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institutes of Standards and Technology as one of four acceptable methods for generating random numbers. NIST’s blessing is required for many products sold to the government and often sets a broader de facto standard.

RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

RSA’s contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

“The labs group had played a very intricate role at BSafe, and they were basically gone,” said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula “can only be described as a back door.”


Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different approaches to sabotage. We categorize a broader set of potential avenues for weakening systems using this taxonomy, and discuss what future research is needed to provide sabotage-resilient cryptography.

Understanding NSA Malware

If the NSA has been hacking everything, how has nobody seen them coming?

The purpose of this post isn’t to discuss the legality of the NSA’s actions or the morality of the leaks, what we are trying to answer is: “Why did we never see it coming?”

We think that the following reasons help to explain how this mass exploitation remained under the radar for so long:

  1. Amazing adherence to classification/secrecy oaths;
  2. You thought they were someone else;
  3. You were looking at the wrong level;
  4. Some beautiful misdirection;
  5. They were playing chess & you were playing checkers;
  6. Your “experts” failed you miserably.