64

The NSA has had a large hand in the design of at least two significant encryption standards: the Digital Encryption Standard, and its successor, the Advanced Encryption Standard.

Because of their involvement, there is much speculation of backdoors. Setting aside our tinfoil hats for a moment, have there been any official statements by the NSA or other involved organizations as to why the NSA have had a part in the encryption standards?

Why it is in their interest to support the encryption of data? Especially when the usage of the encryption standards can't be enforced; the algorithms can be (and are) used by countries and corporations outside of the United States.

IQAndreas
  • 6,557
  • 8
  • 32
  • 51
  • 9
    I mentioned it in the question, but I'll say it again, I'm looking for **official** and **verifiable** information released by the NSA or involved organizations, not speculation or guesswork. – IQAndreas Oct 26 '15 at 16:34
  • 49
    It's a public part of the mandate of the NSA: https://www.nsa.gov/about/mission/index.shtml – schroeder Oct 26 '15 at 16:46
  • 19
    in short: it's their job to define crypto standards – schroeder Oct 26 '15 at 16:46
  • 3
    Let's also not forget that the exportation of cryptography was banned up until about a decade ago. The export grade ciphers continue to exist and be used (For some god awful reason). Ciphers were originally a matter of national defense and the NSA most likely remains due to a carry over of that responsibility. NIST may validate ciphers for public use, but the NSA has the added responsibility to concur that the ciphers can be used in government machines. Government machines must abide by FIPS 140-2. – pr- Oct 26 '15 at 17:04
  • @pr- When was the ban on the exportation on cryptography lifted in relation to the release and standardization of DES and AES? – IQAndreas Oct 26 '15 at 18:00
  • 3
    @IQAndreas DES was developed in the 70s and AES was standardized in the 90s. The Export laws were relaxed to their current status in 2000. (http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/united-states-cryptography-export-import.htm AND https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States) – pr- Oct 26 '15 at 18:27
  • 8
    Don't forget that the NSA is the largest employer of mathematicians and cryptographers in the world. I'de want that defining the standards. – David says Reinstate Monica Oct 26 '15 at 21:02
  • 1
    @DavidGrinberg: the number of mathematicians employed by the NSA is classified. The NSA themselves only claim to be the largest employer of mathematicians _in the USA_, not the whole World -- and, in any case, we only have their word for this. Do you trust the NSA ? (In older times, I would hazard that the Soviet Union actually had a lot more top mathematicians than the NSA or even the USA as a whole, but whether you can be "employed" in a communist system raises some definition issues.) – Thomas Pornin Oct 27 '15 at 00:24
  • I've read the world, and while I have no reference I do consider it common knowledge. I think what your imply is veering slightly into tinfoilhattery. Either way, even if its not the most in the world but the second largest in the US, its a lot of smart people who can back up their claims. I want their input. – David says Reinstate Monica Oct 27 '15 at 00:27
  • 2
    IBM [claims](http://www.computerworlduk.com/news/it-vendors/ibm-boasts-we-employ-most-phd-mathematicians-3338361/) to be the largest employer of mathematicians in the World. Note that this is not incompatible with somebody having the record in the USA, if IBM's mathematicians are not USA-based. – Thomas Pornin Oct 27 '15 at 00:29
  • 2
    @IQAndreas If you're looking for official and verifiable, from one of the more clandestine government agencies in the world, what do you expect to find? Verifiability in their industry may limit your sources to leaked documents, which are not considered official statement by any means. – Cort Ammon Oct 27 '15 at 04:37
  • @schroeder “The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology […]” Ummmm… – Blacklight Shining Oct 27 '15 at 07:18
  • 1
    "Why it is in their interest to support the encryption of data?" Because the National Security Agency also wants to keep its nation's own communication secure. – jamesdlin Oct 28 '15 at 01:46
  • @CortAmmon The NSA isn't some cloak and dagger secret organization that "technically does not exist". They are a branch of the government; they file paperwork, write reports, balance budgets, request grants, hire employees, and release information to the press, just like any other branch of the government or large corporation. They have a website where they post information for the public; I'd wager like most companies they even have a PR department. – IQAndreas Oct 29 '15 at 08:04

2 Answers2

103

The NSA is a composite organization, that comprises several sub-entities called "directorates" with various scopes and goals. The NSA, as a whole, is supposed to have a multitude of roles; its signal intelligence role (often abbreviated as SIGINT, i.e. spying) is the one most people talk about, and is supposed to be handled by the SID (as "Signal Intelligence Directorate"). However, NSA is also supposed to ensure the information safety of US interests, and as such should help federal organizations and also big US private companies apply proper encryption, where encryption is needed. This defensive role falls largely within the scope of the IAD (Information Assurance Directorate).

It is true that within the NSA, the balance of power substantially shifted towards SID after September 2001, but they still maintain a non-negligible defensive role. In any case, both DES and AES were standardized before that date.

In the USA, federal standards are edited and published by a specific agency called NIST. NIST is not the NSA. However, when the NIST people deal with some cryptographic algorithms, they like to get inputs from the NSA because that's where the US government keeps its crypto-aware thinkers. The NSA itself likes to be consulted by NIST because they want to keep track of published cryptographic algorithms, both for attacking and defending (they want to know what algorithms they will be faced with when trying to eavesdrop, and they also want to know what algorithms they should advise big US companies to use to thwart foreign evildoers).

On that subject, you may want to read this article which is about elliptic curves and "post-quantum crypto", and what the NSA says and thinks about it. It highlights that NSA is, first and foremost, a big governmental organization, and thus tends to behave like big governmental organizations do; in particular, some or even most of its actions are related to its own internal politics.

There is quite a gap between "being involved" and "having a part". According to Don Coppersmith (one of the DES designers), the NSA, at some point, interacted with the IBM team, under the avowed goal to strengthen the algorithm. The NSA, at that time, still employed a substantial proportion of available cryptographers (this is no longer true), and had some knowledge of an as yet unpublished attack method, namely differential cryptanalysis. The NSA wanted to make sure that the new algorithm would resist such attacks. It turned out that the IBM team had also conceived the idea of differential cryptanalysis, and had already strengthened their design against it. So the NSA involvement reduced to asking the IBM researchers not to publish their findings.

(As Leibniz would have put it, scientific discoveries are floating in the air, and when you have a new idea, chances are that several other people have the same idea at the same time. It is thus pretty hard to keep ahead of the rest of the World in scientific areas.)

For the AES standardization process, NIST deliberately organized the whole competition as being very open; submitters were encouraged and even requested to publish all design criteria of their candidates. While one cannot logically preclude the possibility of bribery to inject a backdoor in one candidate, because it is very hard to prove a negative (that's the point about conspiracy theories: they cannot be rationally denied because they are beyond logic), most candidates, including the one finally chosen (Rijndael), had all their design elements fully explained, with no undisclosed dark area. Thus, NSA input in that matter was mostly a statement that they found nothing wrong with any candidate.

(Cryptographers are also human beings and, as such, may occasionally indulge in gossip. At that time, the gut feeling of most of them was that if there was an NSA-sponsored candidate, then it was MARS, mostly because that was Don Coppersmith and IBM again. In any case, that algorithm was not very popular because it was overly complex and hard to fathom. Rijndael's structure was a lot more simpler.)

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 2
    Would it be worth noting the concept of a "nothing-up-my-sleeve" number? Such things may not allay conspiracy theories, but they do make them a lot less tenable. – supercat Oct 27 '15 at 21:07
  • 1
    NSA also talked IBM into reducing DES's key size, but that's a front door, not a backdoor. It's as overt as possible. https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design – Matt Nordhoff Oct 28 '15 at 04:46
  • @supercat: The concept of "nothing-up-my-sleeve" numbers has some [subtleties](http://crypto.stackexchange.com/a/16366/28). I am not overly fond of NUMS numbers because they seem to provide more security than they actually do. – Thomas Pornin Oct 28 '15 at 16:59
  • @ThomasPornin: It's hard to judge the size of pool from which an NUMS number/sequence was chosen, but something like the fractional parts of the cube roots of primes starting with 2 doesn't seem like something that would have been drawn out of a very large pool of candidates, nor like something that would inherently have an exploitable structure. In any case, it might be worth mentioning the concept. – supercat Oct 28 '15 at 19:57
4

Back in late 1980s the NSA had a branch called the National Computer Security Center (It may still exist today). The job of this "center" was to help enterprises on the budding forefront of information technology stay secure. Some of the main things they did were: test hardware of major vendors for defects that could leave them vulnerable, test software of major vendors for vulnerabilities, and develop encryption techniques for use in the industry. Some of the encryption technology developed by this branch is still in use today. It is also important to note that this branch of the NSA is completely declassified. I highly recommend reading: The Cuckoo's Egg by Clifford Stoll as it goes very far in depth on how this branch of the NSA came about.

kenorb
  • 799
  • 4
  • 8
  • 27
Chad Baxter
  • 632
  • 4
  • 8