yeah, hard to believe that anyone unimaginative to work for them got EVERYTHING wrong.
Necessary question: Has anyone actually confirmed that these flaws do exist in the product? Until then, the proper description would be “report” or “claim” or “assert” rather than “reveal”.
Not that I doubt the NSA would be delighted to create a back door, especially in anything destined for export… but vaporware and/or “concept” documents are easy to create, and don’t necessarily mean the idea was practical or implemented. Worth checking, certainly, but I do want to see confirmation before I assume it’s any more real than the Amazon drones.
There was a research paper from Microsoft in 2008 that showed it was possible to hide a secret key in the Dual EC Random Number Generator that the NSA promoted - if you know the secret key, you’re able to predict the random number generator given only a few bytes of output - an Initialisation Vector for instance - if you don’t know the secret key, the bits produced appear random. The complexity (number of guesses) needed to predict the random number generator is ~2^16 if you know the secret key, and ~2^80 if you don’t.
Around 2008 it was known that there was theoretically a backdoor - but it wasn’t clear that the NSA as a whole knew about the backdoor - perhaps they created the random number algorithm by accident and didn’t realise it was possible to include a backdoor there - perhaps only one guy in the NSA knew about the backdoor and the rest of the agency was in the dark, etc.
The suggestion at the time was - don’t use this algorithm because it could support a backdoor.
The subsequent leaks from Snowden confirmed that a) the NSA does have the secret key for the Dual EC Random Number Generator, and now b) they were paying erstwhile trustworthy companies to use their weakened random number generator as the default way of creating ‘random’ numbers, against the advice of people like Bruce Schneier and the Microsoft researchers who discovered the backdoor originally.
The performance of the Dual EC Random number generator is somewhat worse than other approaches for generating random numbers (e.g. it’s 1000 times slower than named-brand competitors), so there’s apparently no sensible reason to favour it if you’re in a hurry, but it has the ideal properties for a spy agency: The NSA publish a set of preferred constants via NIST that define the elliptic curve used in the algorithm. If you use their constants, you get a ‘strong’ random number generator with good statistical randomness, that only the NSA knows how to predict. If you throw out the NSA preferred constants and pick your own, you get a weak random number generator that’s easy for everyone to predict. So in a sense the NSA were protecting people against foreign spying whilst ensuring that they could spy on anyone they chose to target. Elegant.
This revelation is mainly damaging for RSA. They accepted a $10M bribe to use a bugged protocol that they must (or should) have been aware was likely to include a backdoor. It doesn’t matter if the NSA duped them into using the backdoored protocol or whether they knowingly accepted the bribe contract - either way RSA is untrustworthy - either because they sold out, or because they’re incompetent. I personally would never use their products given this revelation.
I suspect the news will wipe more than $10M off the value of their shares - their reputation will be shredded by this - cautionary tale about accepting the NSA’s 30 pieces of silver. I wonder who else was bought off by the NSA?
I think the question on everyone’s mind now is:
If RSA is compromised, is SSL compromised?
SSL uses public key cryptography which was created in the 1970s, and the company went bad seemingly post 2000, so no relation here. I don’t know if you could use this flaw in your SSL, however.
RSA the company is compromised. RSA the public key encryption algorithm is not.
SSL, however, is awfully broken and has been for years, but the reason is nothing to do with RSA (company or algorithm) - the problem is the simple-minded certificate authority trust model.
I can’t help feeling “man there’s nobody left to trust”, and I guess that is exactly what the NSA wants me to feel.
If you use the BSafe crypto libraries with software defaults as a basis for your SSL implementation, or if for whatever reason your SSL implementation uses dual-EC-DRBG as its random number source, then yes, your SSL implementation is hosed.
One more reason to use ROT13 or, if you need something really secure, ROT26.
According to the (dubiously veracious; but what else are you going to do?) reports, RSA’s original core team of cypherpunk crypto types was more or less gutted, either left or consigned to smaller roles, as they moved into selling fancy enterprise solutions and eventually folded into EMC.
I’d be surprised if they were actually told ‘Hey, backdoor your product for $10 million’. That’s kind of a pathetic bribe; but apparently they’d been largely brain-drained of the sort of people who made RSA a hotbed of anti-clipper sentiment back in the day, who would have been suitably suspicious of such an arrangement.
(Also, if you want reasons to not deal with RSA, aside from their products, this is arguably Major Fuckup #2: The embarrassing little incident where it was revealed that they (A) stored the seed values for all the RSA fobs they sold and (B) had those values stolen by parties unknown, who proceeded to go on a major-defense-contractor owning spree, says all you need to know about the wisdom of trusting their goods. In retrospect, one wonders if those seed values were being stored…for the convenience of certain friends…)
RSA should just start hiring more lawyers now. It’s going to be a nasty 2014 for them and I don’t think they will survive this.
I find I doubt the completeness of this reporting. It really has little to do with RSA or this latest, though. In 1998, a military friend had attended a conference in VA, and returned telling me he had witnessed a full demonstration of cracking the best encryption available (at that time). We were busy doing some coursework together, and that information flew in the face of everything we were being told. But I trusted his word on that, because we had done other work in common, and I knew others in his outfit.
We had idly wondered one day how certain hackers had been caught so easily, given the tech available. After looking at the information we had available, I posited that identifying information was being stored within Microsoft Office documents they had used without the end-user’s knowledge or consent. That turned out to be the case - and later that year, others noticed and Microsoft got called out on it publicly.
So, I had gotten to know my friend’s manner of thought and knew his skill levels - far better than mine, as security was not my specialty. I believe his story about the encryption demonstration. He had no reason to lie (though every reason to keep it quiet). That was the level of trust. I think there is a good deal more to this than the RSA story alone. What I heard predates RSA’s involvement, so I question NSA having any goal beyond simply making it easier to crack encryption they were already capable of cracking, as another poster had mentioned above. That doesn’t let RSA off the hook, but does show that NSA’s intents precede 9-11 by quite a stretch.
Quote from the linked Reuters article:
“They did not show their true hand,” one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.
Hello? Hello? Anybody home? Huh? Think, RSA. Think! A government agency paying you $10M for no apparent reason or not wanting something in return? All that internal paperwork to process the payment just for fun? You didn’t really think about that? Did ya? Did ya?
This sort of thing goes back to the times when crypto machines were like typewriters from outer space, i.e. pure hardware.
A lot of smaller countries simply do not have the resources to develop their own crypto infrastructure so they buy it on the open market.
Just one example:
Like I said, this goes way back and is sort of known, but it’s always nice to get confirmation.
It is laughable to suggest that this isn’t real. There hasn’t been a single scrap from the Snowden trove that has been proven to be false, and a huge portion of it has been confirmed not just by secondary sources, but by the government itself. The NSA poisoning public crypto is hardly the most damning or unbelievable thing to be revealed. Every sane cryptologist already suspected that RSA had been poisoned just on the pre-Snowden circumstantial evidence alone; the Snowden leak just proves what people had already suspected.
Let me guess, you work for the government or in the “private” sector in the hilariously named “defense” industry? Sorry bro, you are working for the villains. Trash your conscience or get a new job doing something honest.
wut? No, srsly - wut?
TGA has proven many times to be a valuable asset on these forums (to me, ymmv). For example if I would like someone to explain in simple terms why RSA security being compromised is a big deal or not, depending - right, I would be looking for a technogeekagain post among a small number of others. To just launch into tying anyone into US govt misconduct and painting them with that brush for saying what techno did is laughable.
Craven or inept?
Wait! This is a both/and situation!
The attackers spoofed the e-mail to make it appear to come from a “web master” at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of text: “I forward this file to you for review. Please open and view it.” This was apparently enough to get the intruders the keys to RSA’s kingdom.