Whistleblower Investigative Report on NSA Suite B Cryptography

The NSA has been abandoning secret and proprietary cryptographic algorithms in favor of commercial public algorithms, generally known as "Suite B." In 2010, an NSA employee filed some sort of whistleblower complaint, alleging that this move is both insecure and wasteful. The US DoD Inspector General investigated and wrote a report in 2011.

The report -- slightly redacted and declassified -- found that there was no wrongdoing. But the report is an interesting window into the NSA's system of algorithm selection and testing (pages 5 and 6), as well as how they investigate whistleblower complaints.

Posted on November 9, 2016 at 12:00 PM • 19 Comments

Comments

zNovember 9, 2016 3:01 PM

The complaint seems to have been about ECDH since AES and SHA-2 aren't mentioned except in a reference table. Could it have been that he/she didn't like the dropping of ECMQV in favor of just ECDH? The NSA seems to emphasize that ECDH would never be deployed alone and that the whole implementation would have to be approved, so I wonder if his/her concern about losing the authentication provided by ECMQV.

John J FoelsterNovember 9, 2016 6:14 PM

I'm reaching out to Dr. Schneier:

I hope you read this. It's in regards to the Washington Post article about your speech on attacks on our voting machines. I had already sent an email on the subject but it may have gone to spam. I may attempt to reach you by phone at your offices tomorrow.

I am deathly terrified that you may have been right. (Not entirely true, I'm more afraid that I'm wrong and that this is actually the will of the people. I'm slightly less afraid that we're both right but the apparent results will stand because of my incompetence and, eventually, lead to a second civil war.) I'm under an immense burden because I, by the most ridiculous of coincidences, have a very clear idea who hacked this election. And I don't know what to do.

I'm an out of work database geek who has been spinning his wheels researching hacked voting machines in Alaska in the 2008 and 2014 General Elections. I'd been trying to craft into a case with academic level precision, which of course also means that no one is interested in trying to read it. Planning... Worked myself to near breakdown trying and failing to get it published the week before the election.

I think I have a fairly complete case on the 2008 Alaska hack and the Palin resignation that it caused. I know who did the programming for it and the 2014 Alaska attack, and we have to assume he could have done it again. But I have no contacts in law enforcement, the Democratic Party, the media or... Well to be perfectly frank I actually am an obsessed loner with far too much free time and no social outlets, which is something I need to work on.

And the practical upshot is that I know who the hacker is and I think I can get someone else who knows too, the Director of Elections who caught him and precipitated the Palin resignation to give criminal evidence against him once she knows all the facts.

I really need to lay it all out for an expert. Actually two sets of experts. One on election results analysis, one on voting machine technology. Probably some forensic programmers, criminal detectives.

If you have the time to help me out please respond to this comment, and we can figure something out.

ThothNovember 9, 2016 8:34 PM

@John J Foelster
Use the Squid Post / Off-Topic thread for non-related topic to main subject to avoid post removal by @Moderator.

Clive RobinsonNovember 9, 2016 10:39 PM

Hmm,

After starting to read the document I get as far as page five and have a WTF monent,

One of the "whistleblower's" complaints was that the strongest algorithm had been replaced with the weakest...

And on page five they specifically say that they did not investigate this...

So they appear to have quite deliberately not investigated the "whistleblower's" complaint by just ignoring the substantive part of it...

If that is indicative of how they investigate complaints, is it any surprise people think the system is broken, thus avoide it...

But worse is the bit about the reprisals, part of the reason the whistleblower made the complaint the way they did was documrnted as because they already claimed they were suffering reprisals... Saddly we don't know if managment "snowed that as well" because they say it was dealt with under seperate cover...

John J FoelsterNovember 10, 2016 12:01 AM

Oh, my apologies.

I think I may be a bit confused as to how the blog works.

I was assuming most recent was most pertinent.

ab praeceptisNovember 10, 2016 12:06 AM

Clive Robinson

Yes! I was amazed (or should I say flabbergasted?) too. One point that made laugh out loud was where they stated that they did not examine the crypto but rather the process of chosing/deciding/etc for the crypto.

In other words "Feel free to chose a weakened MD5 but, damnit, to it in an orderly fashion following the laws of bureaucracy to the letter!"

Talking about processes, another point that I liked a lot was the whistleblowing process (that was so bluntly demonstrated by that case).

Somewhere at the outer edge of that image with all those big fat instituational boxes there is a small one, the whistelblower. And the process is? It pretty much comes down to "if it's not (understood, in the first place and) accepted and signed of by the defense secretary at the minimum, than just forget about it". On the other hand the "forget about it" part can be decided by pretty much each of the levels.

Not per se in the document but virtually certain -> "It's got a fips stamp so it must be good and that whistleblower is just an annoyance making noise and disturbing our sleep".

As for the reprisals: What do you think an "annoying, noise making" employee is to expect?

But then, I'm not from over there and don't know much. Maybe the "i" in "oig" isn't for investigation but for idiocy and hence that whole issue actually is a major success story ...

John J FoelsterNovember 10, 2016 12:07 AM

I'm so very, VERY sorry, I'm not sure how to do what you just asked.

It looks like there's a squid topic tag, but there are 58 pages in it. Is there a specific "off topic" post in one of them?

I. M. GrouchyNovember 10, 2016 4:52 AM

There ought to be a law prohibiting critical infrastructure from being connected to the internet, and in particular "the grid".

We got along fine without computer controlled street lights, we can still do it.

Who?November 11, 2016 4:56 AM

I fear I do not understand the analysis of this report. As I understand it the complainant alleges that replacing a portion of the CIS's algorithmic suite for securing specific types of information (Suite B) with another algorithms weakens encryption; he alleges that such modifications had "incumbent security flaws and operational weaknesses." Does it mean that Suite B has been compromised by replacing certain algorithms with weak counterparts?

I understand the latter ("had operational weaknesses") as lack of strong authentication and non-repudiation, that turns otherwise good algorithms into weak ones for the purpose of protecting certain classified information. What worries me is the former ("incumbent security flaws").

Does it mean dropping ECMQV, effectively electing to solely using ECDH for Suite B compliance, was done with the only goal of weakening encryption? Does it mean ECDH has security flaws added to make it cryptographically weak? (perhaps anything "EC" currently in use on "compliant environments" has been weakened.)

Who?November 11, 2016 5:02 AM

...in this case, how can we trust on other parts of the Suite B? Let us say, AES and even hash algorithms like SHA.

ab praeceptisNovember 11, 2016 5:30 AM

Who?

I suggest, you trust [insert crypto algo] based on provable properties and its track record in cryptanalysis - and not based on any kind of nsa bla bla be it official or be it from a whistleblower.

Otherwise I suggest to be panically worried about *implementations* of software around those algorithms (which themselves are usually at least not coded in lousy quality).

Who?November 11, 2016 5:54 AM

@ ab praeceptis

From the report I understand the NSA employee knows some some of backdoor added to the commercial-targeted Suite B cryptography.

ab praeceptisNovember 11, 2016 7:16 AM

Who?

Not really. The gist was that nsa used *allegedly* much weaker algorithms with Suite B than what they had used before.

That does *not* mean that B is tainted or backdoored. It may, but that's a rather remote possibility.

What it suggests in my eyes is that (before) nsa had supposedly higher sec. algorithms. This, however can mean a lot. "public algorithms", as opposed to secret internal algorithms, can - and IMO likely does - mean that before they used e.g. non-public curves and maybe larger bit sizes.

A similar concern is also often brought forward by many others when they ask, how some ecc algo can be secure when the curve is publicly known?

From that nsa employees (assumedly somewhat more knowledgable) perspective one worry might have been that an unknown algorithm can't be cracked; one can not develop cryptattacks against an algo one doesn't know, and hence, so I assume his worry, using public algos and curves increases risk and decreases security.

What makes me think that?

Well, the are quite many cryptologists out there who are not exactly idiots. Moreover (attention, pun) crypto often has one-way properties or, if you prefer is NP. Means: The hard part is designing a good algo or a good curve or ... checking whether its solid, however, is "easy". So even if the nsa had a room full of super-cryptologists (frankly, I think that's hollywood to a large degree anyway) then mere moral (but bright) crpytologists still could verify whether the publicly known algos, curves, etc. are shitty or not.

Short, if a couple dozen of the brightest cryptologists in the world try their damn best to even just weaken, say aes, over months and months and they fail then you may be pretty sure that aes won't be suddenly broken tomorrow morning (and that there is no secret backdoor in it).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.