In
interviews and emails seen by Reuters, academic and industry experts
from countries including Germany, Japan and Israel worried that the U.S.
electronic spy agency was pushing the new techniques not because they
were good encryption tools, but because it knew how to break them.
The
NSA has now agreed to drop all but the most powerful versions of the
techniques - those least likely to be vulnerable to hacks - to address
the concerns.
The dispute, which has played out
in a series of closed-door meetings around the world over the past
three years and has not been previously reported, turns on whether the
International Organization of Standards should approve two NSA data
encryption techniques, known as Simon and Speck.
The
U.S. delegation to the ISO on encryption issues includes a handful of
NSA officials, though it is controlled by an American standards body,
the American National Standards Institute (ANSI).
The
presence of the NSA officials and former NSA contractor Edward
Snowden’s revelations about the agency’s penetration of global
electronic systems have made a number of delegates suspicious of the
U.S. delegation’s motives, according to interviews with a dozen current
and former delegates.
A number of them voiced
their distrust in emails to one another, seen by Reuters, and in written
comments that are part of the process. The suspicions stem largely from
internal NSA documents disclosed by Snowden that showed the agency had
previously plotted to manipulate standards and promote technology it
could penetrate. Budget documents, for example, sought funding to
“insert vulnerabilities into commercial encryption systems.”
More
than a dozen of the experts involved in the approval process for Simon
and Speck feared that if the NSA was able to crack the encryption
techniques, it would gain a “back door” into coded transmissions,
according to the interviews and emails and other documents seen by
Reuters.
“I don’t trust the designers,”
Israeli delegate Orr Dunkelman, a computer science professor at the
University of Haifa, told Reuters, citing Snowden’s papers. “There are
quite a lot of people in NSA who think their job is to subvert
standards. My job is to secure standards.”
The
NSA, which does not confirm the authenticity of any Snowden documents,
told Reuters it developed the new encryption tools to protect sensitive
U.S. government computer and communications equipment without requiring a
lot of computer processing power.
NSA
officials said via email they want commercial technology companies that
sell to the government to use the techniques, and that is more likely to
happen when they have been designated a global standard by the ISO.
Asked if it could beat Simon and Speck encryption, the NSA officials said: “We firmly believe they are secure.”
THE CASE OF THE DUAL ELLIPTIC CURVE
ISO,
an independent organization with delegations from 162 member countries,
sets standards on everything from medical packaging to road signs. Its
working groups can spend years picking best practices and technologies
for an ISO seal of approval.
As the fight over Simon and Speck played out, the ISO twice voted to delay the multi-stage process of approving them.
In
oral and written comments, opponents cited the lack of peer-reviewed
publication by the creators, the absence of industry adoption or a clear
need for the new ciphers, and the partial success of academics in
showing their weaknesses.
Some ISO delegates
said much of their skepticism stemmed from the 2000s, when NSA experts
invented a component for encryption called Dual Elliptic Curve and got
it adopted as a global standard.
FILE
PHOTO - An aerial view shows the National Security Agency (NSA)
headquarters in Ft. Meade, Maryland, U.S. on January 29, 2010.
REUTERS/Larry Downing/File Photo
ISO’s
approval of Dual EC was considered a success inside the agency,
according to documents passed by Snowden to the founders of the online
news site The Intercept, which made them available to Reuters. The
documents said the agency guided the Dual EC proposal through four ISO
meetings until it emerged as a standard.
In
2007, mathematicians in private industry showed that Dual EC could hide a
back door, theoretically enabling the NSA to eavesdrop without
detection. After the Snowden leaks, Reuters reported that the U.S.
government had paid security company RSA $10 million to include Dual EC
in a software development kit that was used by programmers around the
world.
The ISO and other standards groups subsequently retracted their endorsements of Dual EC. The NSA declined to discuss it.
In
the case of Simon and Speck, the NSA says the formulas are needed for
defensive purposes. But the official who led the now-disbanded NSA
division responsible for defense, known as the Information Assurance
Directorate, said his unit did not develop Simon and Speck.
“There
are probably some legitimate questions around whether these ciphers are
actually needed,” said Curtis Dukes, who retired earlier this year.
Similar encryption techniques already exist, and the need for new ones
is theoretical, he said.
ANSI, the body that
leads the U.S. delegation to the ISO, said it had simply forwarded the
NSA proposals to the organization and had not endorsed them.
FROM JAIPUR TO HAMILTON
When
the United States first introduced Simon and Speck as a proposed ISO
standard in 2014, experts from several countries expressed reservations,
said Shin’ichiro Matsuo, the head of the Japanese encryption
delegation.
Some delegates had no objection.
Chris Mitchell, a member of the British delegation, said he supported
Simon and Speck, noting that “no one has succeeded in breaking the
algorithms.” He acknowledged, though, that after the Dual EC
revelations, “trust, particularly for U.S. government participants in
standardization, is now non-existent.”
At a
meeting in Jaipur, India, in October 2015, NSA officials in the American
delegation pushed back against critics, questioning their expertise,
witnesses said.
A German delegate at the
Jaipur talks, Christian Wenzel-Benner, subsequently sent an email
seeking support from dozens of cryptographers. He wrote that all seven
German experts were “very concerned” about Simon and Speck.
“How
can we expect companies and citizens to use security algorithms from
ISO standards if those algorithms come from a source that has
compromised security-related ISO standards just a few years ago?”
Wenzel-Benner asked.
Such views helped delay
Simon and Speck again, delegates said. But the Americans kept pushing,
and at an October 2016 meeting in Abu Dhabi, a majority of individual
delegates approved the techniques, moving them up to a
country-by-country vote.
There, the proposal fell one vote short of the required two-thirds majority.
Finally,
at a March 2017 meeting in Hamilton, New Zealand, the Americans
distributed a 22-page explanation of its design and a summary of
attempts to break them - the sort of paper that formed part of what
delegates had been seeking since 2014.
Simon
and Speck, aimed respectively at hardware and software, each have robust
versions and more “lightweight” variants. The Americans agreed in
Hamilton to compromise and dropped the most lightweight versions.
Opponents
saw that as a major if partial victory, and it paved the way to
compromise. In another nation-by-nation poll last month, the sturdiest
versions advanced to the final stage of the approval process, again by a
single vote, with Japan, Germany and Israel remaining opposed. A final
vote takes place in February.Source