NSA official: Support of backdoored Dual_EC_DRBG was regrettable

It was a mistake for the National Security Agency to support a critical cryptographic function after researchers presented evidence that it contained a fatal flaw that could be exploited by US intelligence agents, the agency's research director said.

The comments by NSA Director of Research Michael Wertheimer were included in an article headlined The Mathematics Community and the NSA published this week in a publication called Notices. The article responds to blistering criticism from some mathematicians, civil liberties advocates, and security professionals following documents provided by former NSA subcontractor Edward Snowden showing that the agency deliberately tried to subvert widely used crypto standards. One of those standards, according to The New York Times, was a random number generator known as Dual EC_DRBG, which was later revealed to be the default method for generating crucial random numbers in the BSAFE crypto toolkit developed by EMC-owned security firm RSA.

"With hindsight, NSA should have ceased supporting the dual _EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor," Wertheimer wrote. "In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable."

He went on to defend the NSA and deny accusations that it tried to subvert crypto standards. Dual EC_DRBG was one of four random number generators included in the larger standard known as SP 800-90A,he pointed out, and the NSA-generated points were necessary for accreditation and had to be implemented only for actual use in certain Defense Department applications.

Wertheimer wrote:

The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NISTs April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to "undermine Internet encryption." A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS [American Mathematical Society] now.

In the future, Wertheimer promised, NSA officials will be more transparent in the way they support fledgling technologies being considered as widely used standards. All NSA comments will be in writing and published for review. Additionally, the NSA will publish algorithms before they're considered so that the public has more time to scrutinize them.

"With these measures in place, even those not disposed to trust NSA's motives can determine for themselves the appropriateness of our submissions, and we will continue to advocate for better security in open-source software, such as Security Enhancements for Linux and Security Enhancements for Android (selinuxproject.org)," he wrote.

Update: Critics are already characterizing Wertheimer's letter as a non-apology apology that only deepens the divide. In the blog A Few Thoughts on Cryptographic Engineering, for instance Matt Green, a Johns Hopkins university professor specializing in cryptography, wrote:

The trouble is that on closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That's bizarre.

The rest is here:
NSA official: Support of backdoored Dual_EC_DRBG was regrettable