ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Experts complain of shoddy tech specs and personal attacks

By Kieren McCarthy in San Francisco


Two new encryption algorithms developed by the NSA have been rejected by an international standards body amid accusations of threatening behavior.

The "Simon" and "Speck" cryptographic tools were designed for secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a global standard.

But the pair of techniques were formally rejected earlier this week by the International Organization of Standards (ISO) amid concerns that they contained a backdoor that would allow US spies to break the encryption. The process was also marred by complaints from encryption experts of threatening behavior from American snoops.

The ISO's meetings are confidential and held behind closed doors, but a number of encryption experts have broken their silence now that the NSA's three-year effort to push has effectively been ended.

How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report


"I worked very hard for this in the last year and a half. Now I can finally tell my story," tweeted one of the experts, Dr Tomer Ashur, who was representing the Belgian delegation.

He then pointed to the NSA's "outrageously adversarial" behavior during the process as a main reason why the two standards were rejected.

When some of the design choices made by the NSA were questioned by experts, Ashur states, the g-men's response was to personally attack the questioners, which included himself, Orr Dunkelman and Daniel Bernstein, who represented the Israeli and German delegations respectively.

Ashur further alleged that the NSA had plied the relevant ISO committee with "half-truths and full lies" in response to concerns, and said that if the American delegation had been "more trustworthy, or at least more cooperative, different alliances would have probably been formed."

Instead, he says, "they chose to try to bully their way into the standards which almost worked but eventually backfired."

Backdoor boys

While no one has directly accused the NSA of inserting backdoors into the new standards, that was the clear suspicion, particularly when it refused to give what experts say was a normal level of technical detail.

Ashur's push back was supported by other delegations from Germany, Japan and Israel. The Israeli delegate – whose expertise was also attacked - Orr Dunkelman, told Reuters last year that he didn't trust the US designers. "There are quite a lot of people in NSA who think their job is to subvert standards," he noted. "My job is to secure standards."

Following an earlier meeting, Germany's delegate Christian Wenzel-Benner, sent an email to cryptography experts noting that he was "very concerned" about the two proposed standards, and referenced the NSA's previous record of purposefully inserting backdoors into new standards.

Documents released by Edward Snowden back in 2013 revealed that the NSA championed what appeared to be a backdoored random number generator, the Dual EC DRBG algorithm, and allegedly paid computer security company RSA to include it in its software.

"How can we expect companies and citizens to use security algorithms from ISO standards if those algorithms come from a source that has compromised security-related ISO standards just a few years ago?" Wenzel-Benner wrote.

Ashur does not say that he found a backdoor in the NSA's proposed standards, but in response to another cryptographer's summary that "the NSA wanted to put into use codes that it developed and in which (apparently) there is a backdoor that will allow the intelligence organization to decipher what is encrypted in them," Ashur responded: "I am Dr Tomer Ashur and I endorse this message."

The Simon and Speck standards were created by the NSA in 2013 – before Snowden's revelations – and are block ciphers specifically designed to work with devices that have limited power and memory. That is perfect for IoT sensors which are typically very small and run off battery power. Simon is optimized for hardware, and Speck for software.

Strike three

Their approval as ISO standards failed three times however. At a meeting in 2016, the NSA failed to get the two-thirds approval by one vote.

That resulted in the NSA finally providing a lengthy technical explanation that experts had been requesting for three years that covered a security analysis and an explanation of their design choices.

The NSA also agreed to drop the "lightweight" version of both standards – which were pitched as less intensive encryption techniques but which experts felt were easily compromised. But it continued pushing its other, stronger versions.

But by then the trust had been undermined and the same block of countries again voted against the standards at a meeting in the US late last year.

That's when things seemingly turned nasty and the NSA started attacking the reputations of those experts who were advising against approving the standards. The full details of the final vote that took place this week are still unknown. But the end result is clear: Simon and Speck have been cancelled by the ISO, which means that they will most likely never be rolled out elsewhere.

Amazingly, Edward Snowden has yet to comment on the rejection. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Leaky Martin will be livin' la vida lockdown: Ex-NSA bod cops to taking home 'up to 50TB' of hush-hush dossiers

'Hoarder' faces up to nine years in the clink for harvesting Uncle Sam's top secrets

Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'

RSA Reverse-engineering suite now available to download... and maybe run in a VM, eh?

Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds

High-value servers targeted by cyber-weapons dumped online by Shadow Brokers

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Bloke sent down after spilling Uncle Sam's cyber-weapons

NSA may kill off mass phone spying program Snowden exposed, says Congressional staffer

Special report But really it's just the start of the latest surveillance chess game

Reality Winner, liberty loser: NSA leaker faces 63 months in the cooler

Renegade pantyhose smuggler admits slipping Russian election hacking dossier to hacks

Three in hospital after NSA cops open fire on campus ram-raid SUV

Roses are red, spy agencies are black, US g-men don't fsck around when under attack

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

It's 2018 and UPnP is still opening up networks - this time to leaked SMB cyber-weapons

NSA sought data on 534 MILLION phone calls in 2017

Compared to 151 million in 2016, perhaps due to dupes rather than spy boom

NSA boss: Trump won't pull trigger for Russia election hack retaliation

And Uncle Sam's limp-cock response means Putin will keep on meddling with our affairs