sign in sign up
<<
Home , Andrew Odlyzko

The Community and the NSA

POST-PUBLICATION EDITOR'S NOTE: This article is a part of the ongoing series "Mathematicians Discuss the Snowden Revelations". At the time of the writing of this piece Michael Wertheimer was the Director of Research at the NSA; he recently retired from that position. He can be reached at [email protected].

This is the latest installment in the Notices discus- Over the past several months a discussion about sion of the National Security Agency (NSA). Previ- the role of mathematics, mathematicians, and ous Notices pieces on this topic are: the activities of the National Security Agency has been hosted on the pages of the Notices. As an “AMS Should Sever Ties with the NSA” (Letter NSA mathematician I would like to provide some to the Editor), by Alexander Beilinson (December context to what has been reported in the press and 2013); “Dear NSA: Long-Term Security Depends share with the American Mathematical Society im- on Freedom”, by Stefan Forcey (January 2014); portant facts and information. In particular I would “The NSA Backdoor to NIST”, by Thomas C. Hales like to address two hot-button issues shaping this (February 2014); “The NSA: A Betrayal of Trust”, by conversation: “weakening” encryption and Keith Devlin (June/July 2014); “The Mathematical impacts of data on privacy. Community and the National Security Agency”, by Andrew Odlyzko (June/July 2014); “NSA and the The US National Institute for Standards and Tech- Snowden Issues”, by Richard George (August 2014); nology (NIST), the American National Standards “The Danger of Success”, by William Binney (Sep- Institute (ANSI), the Internet Engineering Task tember 2014); “Opposing an NSA Boycott” (Letter Force (IETF), and the International Standards Orga- to the Editor), by Roger Schlafly (November 2014). nization (ISO) are the four main bodies with which the NSA participates in developing standards for See also the Letters to the Editor in this issue. . NSA has worked with each of these for over twenty-five years. We value and are com- Unsolicited submissions on this topic are wel- mitted to the important work of these groups in come. Inquiries and submissions may be sent to producing secure cryptographic standards that [email protected]. Articles of 800 words protect global communications. NSA has a long and or less are preferred. Those of 400 words or less documented record of providing security enhance- can be considered as Letters to the Editor and ments to openly published international standards. should be sent to [email protected]. However, recently our work has been questioned in several standards that are elliptic curve based, — Allyn Jackson the most significant of which is an NIST-proposed Notices Deputy Editor random number generator that I discuss below. [email protected] NSA mathematicians remain steadfast in ad- vocating secure international standards. Nev- ertheless, we are mindful that there has been Encryption and considerable discussion regarding NIST publi- cation SP 800-90A. This publication is entitled “Recommendation for Random Number Genera- the NSA Role in tion Using Deterministic Random Bit Generators” and contains specifications for four pseudoran- International Standards dom number generations for use in cryptographic applications. One of these describes a particular Michael Wertheimer random number generator associated with NSA: the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). The discussion centers Michael Wertheimer is Director of Research at the National on NSA’s role in the design and advocacy for this Security Agency. His email address is [email protected]. despite a mathematical demonstration DOI: http://dx.doi.org/10.1090/noti1213 of the potential for a trapdoor.

February 2015 Notices of the AMS 165 A trapdoor, simply put, is information that al- With hindsight, NSA should have ceased sup- lows the inverse of a seemingly one-way function porting the dual EC_DRBG algorithm immediately to be computed easily. In other words, compute x after security researchers discovered the potential from f(x). In cryptographic applications, functions for a trapdoor. In truth, I can think of no better f are specifically designed to make the x to f(x) way to describe our failure to drop support for the computation very fast but the inverse computation Dual_EC_DRBG algorithm as anything other than intractable (hence, the term one-way). If an attacker regrettable. The costs to the Defense Department knows “secret” information about f that allows to deploy a new algorithm were not an adequate an inverse to be calculated, the attacker might reason to sustain our support for a questionable be able to decrypt messages or, in the case of the algorithm. Indeed, we support NIST’s April 2014 Dual_EC_DRBG, predict future outputs. decision to remove the algorithm. Furthermore, we During the development of the ANSI standard realize that our advocacy for the DUAL_EC_DRBG based on the NIST publication, members of X9F1 casts suspicion on the broader body of work NSA (the ANSI-approved working group responsible for has done to promote secure standards. Indeed, cryptographic tools) raised concerns about the po- some colleagues have extrapolated this single ac- tential that elliptic curve points used as parameters tion to allege that NSA has a broader agenda to for the Dual_EC_DRBG could harbor a trapdoor “undermine Internet encryption.” A fair reading secret known only to, and exploitable only by, the of our track record speaks otherwise. Neverthe- person who generated the points. As a result, the less, we understand that NSA must be much more X9F1 committee expanded the standard to include transparent in its standards work and act accord- verifiable random point generation. Since the NSA ing to that transparency. That effort can begin with was using the algorithm at the time and had gen- the AMS now. erated elliptic curve points for protecting Depart- NSA strongly endorses the NIST outline for ment of Defense users, the NSA-generated points cryptographic standards development, which were included in the standard. In other words, can be found at csrc.nist.gov/groups/ST/ any implementation that used the NSA-generated crypto-review/process.html. One significant, points would be deemed compliant. Shortly there- and correct, change is that all NSA comments will after, NIST negotiated with ANSI to use the ANSI be in writing and published for review. In other Random Number Generation Standard as the basis words, we will be open and transparent about our for an NIST Random Number Generation Standard. cryptographic contributions to standards. In ad- ANSI also approved submitting a version of this dition, we will publish before they are standard to the ISO. considered for standardization to allow more time In 2007 several Microsoft researchers, includ- for public scrutiny (as we did recently with the ing Microsoft’s representative to the ANSI X9F1 new SIMON and SPECK algorithms, eprint.iacr. committee that created the ANSI version of the org/2013/404.pdf). With these measures in place, standard, raised concerns in a talk at a crypto- even those not disposed to trust NSA’s motives can graphic conference about the trapdoor potential determine for themselves the appropriateness of in the Dual_EC_DRBG. These concerns were picked our submissions, and we will continue to advocate up by the media and widely disseminated. NIST for better security in open-source software, such as and ANSI reviewed this information and elected to Security Enhancements for Linux and Security En- retain both the verifiable point generation scheme hancements for Android (selinuxproject.org). and the NSA-generated points. We hope this open affirmation and our adher- In 2013 the same concerns were again raised ence to it will chart a course that all mathemati- and promulgated by the media. This time NSA’s cians will agree is appropriate and correct. actions were portrayed as a subversion of stan- dards. However, the facts remain: Data and Privacy •The Dual_EC_DRBG was one of four NSA mathematicians carry on a long and storied random number generators in the NIST tradition of making and breaking codes and ci- standard; it is neither required nor the phers. Perhaps most celebrated are feats that our default. forebearers, American and Allied, made in break- ing German and Japanese ciphers in World War •The NSA-generated elliptic curve II. Ironically, less than 5 percent of the encrypted points were necessary for accreditation material collected during that war was successfully of the Dual_EC_DRBG but only had to decrypted, and of that amount only a scant fraction be implemented for actual use in cer- contributed to any sort of measurable action. Such tain DoD applications. is the nature of intelligence. Today’s communications environment makes •The trapdoor concerns were openly 5 percent appear staggeringly large. The simple studied by ANSI X9F1, NIST, and by the act of using a particular encryption algorithm no public in 2007. longer identifies the sender or receiver (as the

166 Notices of the AMS Volume 62, Number 2 ENIGMA cipher did in World War II); the variety by a complex set of laws, policies, and implement- of protocols, products, and services for secure ing rules. This type of data, lawfully obtained and communications numbers in the thousands; and properly evaluated, helps us to avoid surprise. It the ease and frequency of changing identifiable is used to discover new threats, refine both our features is unprecedented. To achieve our foreign filters and selectors, and ultimately create a rising intelligence mission lawfully and effectively, NSA tide that lifts our intelligence insights and privacy mathematicians lead efforts that determine how protections. Mathematicians are leading the way we “filter,” “select,” and “process” data while to design and implement the algorithms that cre- continuously verifying that our processes and pro- ate this rising tide. Here we share many common cedures adhere to all legal and policy regulations. interests with industry: e.g., big data analytics, Filtering algorithms decide what material is cloud computing, machine learning, and advanced defeated, i.e., neither collected nor stored for search. So-called metadata (intelligence informa- analysis. Using aggregate numbers, of the exceed- tion that can be ascertained without examining ingly small proportion of the world’s foreign com- the actual content of a communication) plays a big munications we access, NSA algorithms filter out role here, as our governing rules generally do not approximately 99.998 percent of the data it sees. permit deep inspection when the aperture into our The importance of these algorithms cannot be data set widens. Getting this right is paramount: overstated: they form the bulwark of the legal and the average NSA mathematician takes fourteen privacy protections in executing our mission. After courses each year to be up-to-date on the proce- the filtering process, surviving data must meet dures that govern these activities. exacting criteria to be “selected” for subsequent Some Parting Thoughts processing and analysis. NSA mathematicians are at the forefront in designing the methods by which I fondly recall the opportunity NSA gave me early in the selection criteria are expressed. The precision my career to return to the University of Pennsylva- and accuracy of these methods are constantly nia and complete my PhD. During those formative improving and with those improvements come years I had many opportunities to present results increased privacy protections. at AMS conferences, and I remember the warm embrace of colleagues who encouraged and sup- I am reminded of an event shortly after the 9/11 ported my studies. I felt then, and I feel now, a con- attacks that may help to impress the importance nection to the mathematics community that goes of getting filtering and selection “right.” Soon after beyond scholarship. That is why NSA Research is allied operations launched in Afghanistan we came a major provider of grants for pure mathematical into possession of laptops left behind by retreat- research, a participant in the National Physical ing Taliban combatants. In one case we were able Sciences Consortium, a sponsor of local high to retrieve an email listing in the customary to/ school teams for the American Regions Mathemat- from/subject/date format. There was only one ics League, and sponsors of both undergraduate English language email listed. The “to” and “from” and graduate summer programs. Our research addresses were nondescript (later confirmed to mathematicians serve on editorial boards, publish be combatants) and the subject line read: CON- papers, teach at universities, and contribute time SOLIDATE YOUR DEBT. It is surely the case that and energy to the AMS. the sender and receiver attempted to avoid allied More broadly, NSA mathematicians are also collection of this operational message by trigger- fighters in the war on international terrorism, ing presumed “spam” filters. Indeed, this is exactly weapons of mass destruction proliferation, narcot- how intelligence and counterintelligence work: an ics trafficking, and piracy. In fact, the overwhelm- escalating series of moves to discover and avoid ing bulk of what we do is universally acknowledged discovery of information. as proper, measured, and important. We do so Adapting our filters and selectors to stay rel- quietly and honorably. evant while always operating within our legal and It is my sincerest hope that the AMS will always policy framework can never be perfect—but it is see NSA mathematicians as an important part of its nearly so. Indeed, in a much-publicized account membership. I further hope that dialogue on im- of 2,776 deviations from the rule set in 2012, a portant issues will always be respectful, informed, full 75 percent of these incidents occurred when and focused on inclusivity. an individual roamed from foreign soil to US soil and we failed to catch the fact in real time. The remaining 25 percent, about 700 in total, were human error (e.g., typing mistakes). Put into perspective, the average analyst at NSA makes a compliance mistake once every ten years. The collection and analysis of data that lie be- tween filtering (what we know we do not want) and selection (what we know we do want) is governed

February 2015 Notices of the AMS 167