It was a mistake for the National Security Agency to support a critical cryptographic function after researchers presented evidence that it contained a fatal flaw that could be exploited by US intelligence agents, the agency's research director said.
The comments by NSA Director of Research Michael Wertheimer were included in an article headlined "The Mathematics Community and the NSA," published this week in a publication called Notices. The article responds to blistering criticism from some mathematicians, civil liberties advocates, and security professionals following documents provided by former NSA subcontractor Edward Snowden showing that the agency deliberately tried to subvert widely used crypto standards. One of those standards, according to The New York Times, was a random number generator known as Dual EC_DRBG, which was later revealed to be the default method for generating crucial random numbers in the BSAFE crypto toolkit developed by EMC-owned security firm RSA.
NSA officials shepherded Dual EC_DRBG through the National Institute of Standards and Technology (NIST) in 2006. A year later, researchers from Microsoft presented evidence that the number generator contained a type of backdoor known to cryptographers as a "trap door." The weakness, the researchers said, allowed those who knew the specific NSA-generated points on the standard's elliptic curve to work backward to guess any crypto key created by the generator. Despite widespread coverage of the research and concern expressed by security experts, the NSA continued to support Dual EC_DRBG. It wasn't until September 2013—six years after the research came to light—that RSA advised customers to stop using the NSA-influenced code. Last year, NIST also advised against its use.
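The trap door described above, shown as an added example that is not part of the original article: a toy generator with the Dual EC structure, in which whoever chose the public point P knows a scalar d with P = d·Q and can turn one observed output into the generator's next internal state. The point Q, the scalar D, the 8-bit truncation and all function names are constructed for this demonstration; the curve constant is derived from Q rather than taken from any standard.

```python
FP = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime, FP % 4 == 3
A = -3
Q = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
B = (Q[1]**2 - Q[0]**3 - A * Q[0]) % FP     # derived so Q lies on y^2 = x^3 + A*x + B
DROP = 8                                    # output bits withheld (the standard withholds 16)
MASK = (1 << (256 - DROP)) - 1

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FP, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

D = 0xC0FFEE1234567890ABCDEF   # constructed trapdoor scalar, known only to whoever picked P
P = mul(D, Q)                  # published as a "constant"; secretly equals D*Q

def step(state):
    """One round: new state is x(state*P); output is x(new*Q) with the top bits dropped."""
    new = mul(state, P)[0]
    return new, mul(new, Q)[0] & MASK

def recover_state(out1, out2, d):
    """Use d to map one output to the next state; out2 confirms the guessed top bits."""
    for hi in range(1 << DROP):
        x = (hi << (256 - DROP)) | out1
        rhs = (x**3 + A * x + B) % FP
        y = pow(rhs, (FP + 1) // 4, FP)     # square root, valid because FP % 4 == 3
        if x < FP and y * y % FP == rhs:    # candidate x is on the curve
            nxt = mul(d, (x, y))[0]         # d*(s*Q) = s*(d*Q) = s*P
            if mul(nxt, Q)[0] & MASK == out2:
                return nxt
    return None
```

Once the state is recovered, calling `step` on it reproduces every later output, which is why a generator whose points come with no proof of how they were generated cannot be trusted.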