The NSA has been playing fast and lose with its duty to secure our communications by arranging for backdoors to be inserted into our cryptographic protocols. Everyone familiar with the situation is convinced that the NSA diddled with the Dual_EC_DRBG random number generator, had it vetted by NIST, and then pushed to have it deployed as widely as possible.
Recently, it became known that
- Juniper Networks used the Dual_EC_DRBG RNG in its products but changed the constants that constituted the back door.
- Someone had replaced the Juniper constants with other values presumably opening another backdoor.
- These Juniper devices are widely used throughout the US Government.
As things stand now, someone—believed not to be the NSA—has a backdoor into scores of government networks. This is possible because the NSA valued its ability to spy on everyone more than their duty to help us and the government secure its communications. How does this advance our national security?
There’s a lesson here for everyone who thinks encryption backdoors should be inserted into our communication products. They have a way of circling back and biting you in the butt. Someone always find a way to exploit them and turn them against whoever installed them in the first place.
The NSA and GCHQ internally trumpeted their ability to break into Juniper devices. I bet they’re not high-fiving now.
UPDATE: GCHG → GCHQ