Wednesday, September 25, 2013

NSA's backdoor in all the worlds devices: Dual EC DRBG




Introduction

In the wonderful world of computers and technology, cryptography is necessary. Cryptography is the field of science that transforms clear messages into something incomprehensible which can only be decoded at the other end of the line. It then allows a "secure" communication and makes it impossible for someone in the middle to eavesdrop on your Skype conversations or to intercept your credit card's PIN number when you're buying groceries at your local supermarket.

Most people don't hear about cryptography or computer security on a daily basis but it is present everywhere and very much needed. Here are a few places where cryptography is used:

  • Credit-card paying devices
  • websites with an address starting with https (webmail, online stores, websites with registration)
  • smartphones, for updating apps
  • feature phones, keeping your conversations private
  • privates companies' intranets and servers (including data storage and email)
  • cars, using electronic keys
  • DVD and Bluray players, checking that you're not using a pirate copy of the movie
  • HDMI televisions and computer monitors
  • Microsoft Windows, for Microsoft updates and all of the networking functionalities
  • Online banking, if your bank provided you with a calculator-like device that provides an identification code valid for a few seconds only
  • Video-on-demand
  • "secure" ID documents and passports
  • "secure" communications as needed by military forces, diplomats, and other political personnel


In short, cryptography is everywhere and it's there to prevent chaos.


NSA's egotistic madness putting the world at risk

One of the things that NSA does is eavesdropping. When you simply listen to people talking in the open, it's fair game. But when you aggressively attempt to crack codes and spy on every person on the planet including the countries who are supposed to be your allies, this is illegal and it can even be considered an act of war. And if the USA didn't have the biggest guns in the world (which they won't keep forever), it would certainly have deservedly received a few missiles and all its political leaders of the past 70 years would be rotting in jail for crimes against humanity.

So, the NSA does some spying, which is a difficult job. NSA's leaders are bad guys whom I would gladly see locked up for life like James Clapper or Keith Alexander, but the small guys... the people doing the technical job deserve credit for doing hard work.

Aside from this hard job, NSA also decided to take it easy by corrupting the core algorithms used to make cryptography secure. If cryptography is made insecure for everybody, then it will be easier for the NSA to crack codes. And that's exactly what they did.

What makes cryptography secure is mathematics. To put it simply, cryptography is like opening a safe: either you know the combination or you have to try every possible combination until you find the one that works. And in order to create secure combinations, cryptography uses "random numbers generators" (RNG). If you can corrupt the RNG, then you can lower the difficulty of cracking encryption. In the case revealed by Edward Snowden, the algorithm thus corrupted is called Dual EC DRBG.

Even though the standard is published by NIST, the corrupted algorithm was pushed for standardization by the NSA in order to have a wide range of companies and products using weak cryptography. At first glance, one might think that it is a smart move because indeed it will make NSA's job easier. But there are big problems associated to this. Weaker cryptography for everyone means weaker security for everyone and easier cracking for all crackers.

Some countries like China are often seen as unfriendly by Americans. Well... their equivalent of the NSA will also have an easier job cracking codes. And if there's other countries you're concerned by... their job will also be easier for cracking everybody's codes.

Another side effect is that it puts private companies at risk. Their emails and private data, trade secrets, their research and development, their new products are more likely to be cracked and accessed by thieves and competitors. It is widely known that the USA have used the NSA's capability to steal secrets of foreign companies and give an unfair advantage through illegal spying to American companies. With weakened cryptography, such trade secrets will be more easily stolen by any country or criminal organization, let alone the occasional hackers who intercept confidential information and blackmail private companies for money.

Finally, cryptography is also used to offer protection to human rights activists and dissidents who oppose dictatorial regimes. This includes gay-rights activists in Russia, China, and some African countries. It also includes journalists who try and uncover the dirty secrets of politicians.


Conclusion

The USA and the NSA do their lot of spying like every other country does. It's not nice but everybody understands why it's done: to a small extent, it's intended to fight terrorism, and to a huge extent, it's intended to steal secrets and steal the money that these secrets will bring through industry or blackmail. But in this case, the NSA went too far by globally weakening the security of everybody and exposing everybody to a greater risk.

No comments:

Post a Comment

Creative Commons License
Erik Lallemand's blog by Erik Lallemand is licensed under
a Creative Commons Attribution 3.0 Unported License.