Firsthand account of NSA sabotage of Internet security standards

On the Cryptography mailing list, John Gilmore (co-founder of pioneering ISP The Little Garden and the Electronic Frontier Foundation; early Sun employee; cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero) describes his interactions with the NSA and several obvious NSA stooges on the IPSEC standardization working groups at the Internet Engineering Task Force. It's an anatomy of how the NSA worked to undermine and sabotage important security standards. For example, "NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating the export control laws unless they excluded all foreigners from the room (in an international standards committee!)."

* NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents

* Every once in a while, someone not an NSA employee, but who had longstanding ties to NSA, would make a suggestion that reduced privacy or security, but which seemed to make sense when viewed by people who didn't know much about crypto. For example, using the same IV (initialization vector) throughout a session, rather than making a new one for each packet. Or, retaining a way for this encryption protocol to specify that no encryption is to be applied.

* The resulting standard was incredibly complicated -- so complex that every real cryptographer who tried to analyze it threw up their hands and said, "We can't even begin to evaluate its security unless you simplify it radically". See for example:

That simplification never happened.

The IPSEC standards also mandated support for the "null" encryption option (plaintext hiding in supposedly-encrypted packets), for 56-bit Single DES, and for the use of a 768-bit Diffie-Hellman group, all of which are insecure and each of which renders the protocol subject to downgrade attacks.

* The protocol had major deployment problems, largely resulting from changing the maximum segment size that could be passed through an IPSEC tunnel between end-nodes that did not know anything about IPSEC. This made it unusable as a "drop-in" privacy improvement.

* Our team (FreeS/WAN) built the Linux implementation of IPSEC, but at least while I was involved in it, the packet processing code never became a default part of the Linux kernel, because of bullheadedness in the maintainer who managed that part of the kernel. Instead he built a half-baked implementation that never worked. I have no idea whether that bullheadedness was natural, or was enhanced or inspired by NSA or its stooges.
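Gilmore's point about keeping one IV for a whole session, as an added example that is not from the mailing-list post or from FreeS/WAN: in CBC mode a fixed IV makes every packet that begins the same way encrypt to the same leading ciphertext blocks, so a passive observer learns which packets share a header and how much of it; a fresh random IV per packet removes the pattern. The block assumes HMAC-SHA256 as a stand-in for the block cipher's forward direction and uses constructed sample requests.

```python
import hashlib
import hmac
import os

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Forward direction of a 128-bit block cipher. Assumption: HMAC-SHA256
    # truncated to one block stands in for a real cipher; only the encrypt
    # direction is needed to exhibit the leak, so decryption is not modelled.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7 padding to whole blocks
    return data + bytes([n]) * n

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before the block cipher is applied.
    padded, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def matching_prefix_blocks(key, iv_a, iv_b, pkt_a, pkt_b) -> int:
    # Leading ciphertext blocks identical between two packets; a passive
    # observer learns that the plaintexts share exactly that many blocks.
    ca, cb = cbc_encrypt(key, iv_a, pkt_a), cbc_encrypt(key, iv_b, pkt_b)
    n = 0
    for i in range(0, min(len(ca), len(cb)), BLOCK):
        if ca[i:i + BLOCK] != cb[i:i + BLOCK]:
            break
        n += 1
    return n

# Constructed sample traffic: two requests differing only in the cookie value.
PKT_A = b"GET /account/balance HTTP/1.1\r\nHost: bank.example\r\nCookie: session=A1\r\n\r\n"
PKT_B = b"GET /account/balance HTTP/1.1\r\nHost: bank.example\r\nCookie: session=B2\r\n\r\n"

if __name__ == "__main__":
    key, session_iv = os.urandom(16), os.urandom(16)   # one IV kept for the session
    print("same IV :", matching_prefix_blocks(key, session_iv, session_iv, PKT_A, PKT_B))
    print("fresh IV:", matching_prefix_blocks(key, os.urandom(16), os.urandom(16), PKT_A, PKT_B))
```

With the session IV the first four blocks (the shared request line and Host header) come out identical in both packets; with per-packet IVs no block matches.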

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN" (via Hacker News)

(Image: John Gilmore, a Creative Commons Attribution (2.0) image from joi's photostream)

Notable Replies

  1. Is it possible to unfuck these standards? Lawyer up and not invite US Gov. to the next meeting? Place some emphasis on peer review. If a large panel of experts can't figure out what lines of code do, then it's automatically assumed to be tainted.

  2. So the government agency that was tasked at keeping US citizens safe in the digital landscape has used that directive as an excuse to weaken US citizens safety in the digital landscape.

    I feel like Obama is daring me to google Ron Paul, but only to record it and hold it against me.

  3. Ygret says:

    Schneier has an article in the Guardian about new best practices in light of all this new shit. If I recall he said to stay away from elliptical curve algos because they used constants and the NSA was involved in defining those constants such that it reduces the complexity of breaking files encrypted in that way. It might not have been in his piece that this was discussed, but here it is:

    Here is another very useful piece that touches on this:

    I find this whole story incredible. The outrageous corruption involved is mindblowing. The NSA has singlehandedly destroyed the US IT industry, just watch. Over the next few years there is going to be a mass exodus away from software designed or built in the US and towards locally built systems. Any software that has a security component is done, at least on the foreign markets, and likely within the US as well. I imagined standards bodies will also become fragmented, with European and Asian standards bodies moving away from international cooperation, especially with the US and UK. This story feels like the first flash of lightning in a storm that will tear the internet and computer technology apart, likely for the rest of our lives.

  4. All rooted in truly epic levels of hubris.

    They thought the internet belongs to the US, and therefore they can make sure they control it and can read it all. As with all examples of hubristic overreach, they have made it a certainty that the US will, fairly quickly, lose all control of the internet globally speaking.

    Anyone who actually is guilty of something will find ways to hide their stuff, and the only people left for the NSA to spy on effectively will be their own innocent citizens. Needing to justify their existence, we can expect the NSA to start 'finding' potential 'terrorists' - almost certainly all dumb kids who said something in jest or anger on the internet.

  5. Open source and open standards. It's the only way to be sure.
