The National Security Agency (NSA) has been dealt a humiliating blow after an international standards body rejected two of their proposed encryption techniques in a decision which highlights just how little trust there is in the global community in US online privacy and security measures.
The NSA had submitted three separate data encryption techniques to the International Organization for Standardization (ISO) in an attempt to get them recognised as global industry standard encryption methods. But the overwhelmingly negative response they received from academics and industry experts from a range of different countries has forced them to withdraw two of their proposed techniques from the process already.
The concerns over Simon and Speck
The two techniques in question are known as Simon and Speck and they were put forward to the ISO by the American delegation, which is mostly made up of American National Standards Institute (ANSI) officials, although it does also include a handful of NSA representatives.
The techniques have been under discussion amongst ISO officials for the past three years or so, but now a series of emails has been leaked to Reuters which, along with interviews, has revealed that the two techniques in question have been rejected because delegates questioned the motivations behind the NSA putting them forward.
The gist of their response has been that they believe the NSA is putting Simon and Speck forward not because they are good encryption techniques, but because they are techniques the NSA knows how to crack.
Orr Dunkelman, an Israeli delegate to the ISO, who is a Professor of Computer Science at the University of Haifa, summed up the feelings of many delegates when he said, “I don’t trust the designers… There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards.”
Dunkelman was not alone. Christian Wenzel-Benner, a German ISO delegate, said in an email that all seven German delegates were “very concerned” about Simon and Speck.
Concerns about NSA intentions well-founded
It is obviously a deeply political issue to reject encryption techniques put forward by a body such as the NSA, given that the ISO has many American allies amongst its 162 member countries. This is no doubt why the decision on Simon and Speck was delayed several times and eventually the NSA was persuaded to drop efforts to get approval for the two weakest versions of the techniques and instead pursue just the strongest ones.
But delegate suspicion about the NSA’s intentions is well-founded. The Edward Snowden revelations back in 2013 revealed that it was an active NSA strategy to try and subvert standards and promote encryption technology that it could break. In NSA budgetary documents, for example, there were specific funding requests to “insert vulnerabilities into commercial encryption systems.”
Then there was the case of the Dual Elliptic Curve encryption component, which the NSA managed to get adopted as a global standard in the 2000s. However, in 2007, it was found that Dual Elliptic Curve was able to hide a backdoor which would allow the NSA to access any content encrypted by it.
It was then further revealed that the US Government had paid online security company RSA $10 million to put Dual Elliptic Curve into one of their software development kits which were sold around the world.
When this came to light in the wake of Snowden, the ISO rescinded Dual Elliptic Curve’s endorsement, and it should come as no surprise that, having been burnt once, they are wary of the NSA’s intentions again.
NSA offers little reassurance
For their part, the NSA says the new encryption technique has been developed to protect US Government data and equipment and is also intended for commercial companies that sell into US Government departments.
They have always refused to confirm the authenticity of anything that Edward Snowden released. But when questioned about whether they could break the encryption of Simon and Speck, their response was noticeably evasive, merely saying “We firmly believe they are secure.”
The refusal of the ISO to recognise the techniques is embarrassing for the NSA. But it is clear in many other policy areas that the US Government believes accessing encrypted content is in their interests. The NSA has a track record of doing just that. So why should the ISO, or anyone else, now trust them on encryption?
The only people who should be using Simon, Speck, or any other encryption technology developed by US Government sources are those who are happy for US intelligence agencies to take a look at everything they are doing. But for everyone else, the story just goes to emphasise how important independent encryption really is.