In December we reported how US security giant RSA, the company behind the world’s most commonly used encryption toolkit, had been caught with its hand in the cookie jar, and had accepted a $10 million payment from the NSA to not only include the NSA engineered Dual Elliptic Curve algorithm into its products, but had also made it the default random number generator, fully incorporating it into the Bsafe software tool which also forms the basis of many other security products widely used to protect sensitive information.
So far so bad, and many disgusted security experts very publically decided to boycott the usually prestigious RSA Conference in January this year, to hold their own conference over the street. None of this can be good for RSA’s sales, so they must have groaned when security researchers from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere, this week announced a second major NSA security flaw in RSA software,
The flaw has been placed into the ‘Extended Random’ TLS extension found in RSA's Bsafe encryption libraries, and rather than adding extra randomness to encryption (as it is supposed to), it actually makes the encryption easier to crack - and when combined with the earlier discovered NSA backdoor in RSAs Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), this is by a factor of up to 65 thousand!
The researchers explain that,
‘The C version of BSAFE makes a drastic speedup in the attack possible by broadcasting long contiguous strings of random bytes and by caching the output from each generator call. The Java version of BSAFE includes fingerprints in connections, making it relatively easy to identify them in a stream of network traffic.’
Or more bluntly, as one researcher told Reuters,
‘If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline.’
When contacted by Reuters, RSA did not dispute the research, saying they had not themselves deliberately weakened the security of their products, but had put too much trust in the NSA,
‘We could have been more skeptical of NSA's intentions. We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure.’
When asked whether the NSA had paid RSA to include Extended Random in its BSafe security kit, RSA refused to comment, and the NSA has refused to discuss the subject entirely.
The research paper found that the attack could be performed quickly (‘The BSAFE-C attack is practically instantaneous, even on an old laptop’), making it ideal for mass deployment, and recommends a move away Dual_EC_DRBG,
‘Our work further emphasizes the need to deprecate the [Dual EC] algorithm as soon as possible.’