NSA is schizophrenic in that regard. Remember that one of the things it does besides looking in everyone's underwear drawers is it also advises US govt (3 letter agencies, military) on what crypto to use. In other words it tells Uncle Sam how to lock his underwear drawers so other agencies don't peek in there.
It is always interesting to see what they say there. Because if they know, for example, that one type of crypto technique or implementation is vulnerable, will they still recommend it for TS classified material storage? Will they recommend it for the US military or diplomatic service? If they don't, it might leave that open to attack, and they are not doing their job. If they do say "don't use this combination of AES, prime numbers, or OpenSSL implementations", that also gives something away.
I wonder if the people who make these recommendations even talk to the people who discover, exploit, and actively penetrate systems? Because everything is very compartmentalized, they actually might not be able to.
That is why they are probably very interested (like we saw) in somehow subverting or weakening some algorithms and implementations so they are the only ones that have a key (Dual_EC_DRBG), or they are the only ones that potentially have the computational capacity to exploit them (DES).
NSA themselves have used Dual_EC_DRBG (which can be distinguished from a PRF even if you don't have the 'backdoor key': it's not just backdoored and slow, it's bad - and they know that). GCHQ behaves even worse and is at this point almost entirely out of control.
In either case, I feel information assurance and signals intelligence arms really should never have been the same agency: they are roles entirely at odds with each other, and they do not seem to even have their own governments' equities properly balanced, nor have their recommendations always been given in good faith. So be cautious drawing any conclusions from their advice.
Unfortunately, that is not the sort of 'reform' that either government is interested in, particularly my own. It's quite depressing, really.
That actually makes sense because of the way it was backdoored. What they did there is the gold standard of subverting and backdooring a crypto algorithm: go through a standards body, backdoor it by using a public-private key pair, and hold the private key. Encourage others to use the system as much as they can (which includes showing the world that they themselves use it).
NSA have been having dreams of key escrow forever. It seems that since the 90s, that dream was getting further and further from reality. But they didn't completely give it up. Dual_EC_DRBG was effectively becoming that key escrow they wanted for all the systems that used it, and they got to keep the private key and thus have high enough assurance that others won't use their backdoor.
Whoever was in charge of that operation was probably patting themselves on the back every morning after waking up.
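The escrow property the post above describes, as an added example that is not code from the thread: a toy Dual_EC_DRBG on a constructed curve over F_1009, with a constructed trapdoor scalar d such that P = d*Q. Whoever holds d takes a single output, lifts it back to a curve point, multiplies by d, and obtains the generator's next internal state, after which every later output is predictable. The curve, the points P and Q, the seed and d are all assumptions made here; they are not the NIST constants, and the curve is far too small to be secure for anything.

```python
"""Toy Dual_EC_DRBG on a tiny curve: added example, not code from the thread.
Curve, points P and Q and the trapdoor d are constructed here; they are NOT the
NIST constants, and the curve is far too small to be secure for anything."""

INF = None  # point at infinity on y^2 = x^3 + A*x + B over F_PRIME

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def curve_order(p, a, b):
    """#E(F_p) by brute force: count the y solutions for every x, plus infinity."""
    count = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        count += 1 if rhs == 0 else 2 if pow(rhs, (p - 1) // 2, p) == 1 else 0
    return count

def find_toy_curve(p, a):
    """Pick b so that #E is prime, #E >= p, and no point has x == 0. Then every
    scalar the generator feeds to ec_mul is non-zero mod #E and the toy never
    lands on infinity (the real generator relies on ~2^-256 odds for that)."""
    for b in range(1, p):
        n = curve_order(p, a, b)
        if is_prime(n) and n >= p and pow(b, (p - 1) // 2, p) != 1:
            return b, n
    raise RuntimeError("no suitable toy curve")

PRIME, A = 1009, 1  # constructed toy parameters
B, ORDER = find_toy_curve(PRIME, A)

def ec_add(p1, p2):
    """Short-Weierstrass point addition (handles infinity, doubling, P + (-P))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME)
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def lift_x(x):
    """Some point with this x-coordinate (either sign of y); brute force is fine here."""
    rhs = (x * x * x + A * x + B) % PRIME
    for y in range(PRIME):
        if y * y % PRIME == rhs:
            return (x, y)
    return None

# Public constants. Honest design: Q derived verifiably at random, so nobody knows
# d. Escrow design (what the thread describes): whoever chose Q also knows d.
Q = next(pt for pt in map(lift_x, range(1, PRIME)) if pt)  # a public base point
D_TRAPDOOR = 0x1337 % ORDER  # constructed private key; the escrow holder keeps it
P = ec_mul(D_TRAPDOOR, Q)    # the other public point: P = d*Q, d never published

def dual_ec_step(state):
    """One round: r = x(s*P); output x(r*Q); next state x(r*P). The real generator
    drops the top 16 output bits; the toy emits them all, which only spares the
    escrow holder a 2^16-candidate search in recover_state."""
    r = ec_mul(state, P)[0]
    return ec_mul(r, Q)[0], ec_mul(r, P)[0]

def generate(seed, n):
    """n outputs of the toy DRBG from a seed in 1..PRIME-1."""
    state, outs = seed, []
    for _ in range(n):
        out, state = dual_ec_step(state)
        outs.append(out)
    return outs

def recover_state(output, d):
    """Escrow holder's step: lift the output to R = +/-(r*Q); then d*R = +/-(r*P),
    whose x-coordinate is the generator's next internal state (sign is irrelevant)."""
    return ec_mul(d, lift_x(output))[0]

def predict_following(outputs, n, d):
    """Everything after the last observed output, computed from d alone."""
    return generate(recover_state(outputs[-1], d), n)

if __name__ == "__main__":
    stream = generate(0xACE % PRIME, 8)  # constructed seed
    print("observed :", stream[:3])
    print("predicted:", predict_following(stream[:3], 5, D_TRAPDOOR))
    print("actual   :", stream[3:])
```

The point for anyone evaluating such a design is that nothing in the public parameters reveals whether a d exists: P and Q look the same whether Q was derived verifiably (hashed to the curve from a published seed) or chosen as d^-1 times P. A generator whose constants arrived with no derivation should be treated as escrowed until shown otherwise, which is why the subsequent recommendation was simply not to use it.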