NSA paid $10 millions to RSA to use backdoored cipher as default

/209922

  • "Extended Random" further weakens “Dual Elliptic Curve”
    NSA pays for two backdoors weakening RSA

    http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

    Elliptic Curve was already an NSA-sponsored random generator, but researchers at John Hopkins University now discovered Extended Random is part of the “BSafe” security toolkit which uses Elliptic Curve. RSA has not acknowledged nor declined this.

    The academic researchers said it took about an hour to crack a free version of BSafe for Java using about $40,000 worth of computer equipment. It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins.

    #NSA
    #RSA
    #privacy
    #security
    #BSafe

    • Exclusive : NSA infiltrated RSA security more deeply than thought - study | Reuters

      Ce sont des gentils garçons les spécialistes de RSA. Tant que les clients sont naïfs, pas de souci…

      The company said it had not intentionally weakened security on any product and noted that Extended Random did not prove popular and had been removed from RSA’s protection software in the last six months.

      We could have been more skeptical of NSA’s intentions,” RSA Chief Technologist Sam Curry told Reuters. “We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure.

      Curry declined to say if the government had paid RSA to incorporate Extended Random in its BSafe security kit, which also housed Dual Elliptic Curve.

      (…)

      If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Green said.

      The NSA played a significant role in the origins of Extended Random. The authors of the 2008 paper on the protocol were Margaret Salter, technical director of the NSA’s defensive Information Assurance Directorate, and an outside expert named Eric Rescorla.

      Rescorla, who has advocated greater encryption of all Web traffic, works for Mozilla, maker of the Firefox web browser. He and #Mozilla declined to comment. Salter did not respond to requests for comment.

    • L’info de décembre http://seenthis.net/messages/209922

      La présentation du papier
      On the Practical Exploitability of Dual EC in TLS Implementations
      http://dualec.org

      Summary of our results

      We analyzed the use of Dual EC in four recent TLS/SSL library implementations: RSA BSAFE Share for C/C++, RSA BSAFE Share for Java, Microsoft SChannel, and OpenSSL. Our major findings are as follows:

      • The RSA BSAFE implementations of TLS make the Dual EC back door particularly easy to exploit compared to the other libraries we analyzed. The C version of BSAFE makes a drastic speedup in the attack possible by broadcasting long contiguous strings of random bytes and by caching the output from each generator call. The Java version of BSAFE includes fingerprints in connections, making it relatively easy to identify them in a stream of network traffic.
      • SChannel does not implement the current Dual EC standard: it omits one step of the Dual EC algorithm. We show that this omission does not prevent attacks; in fact, it makes them slightly faster.
      • We discovered in OpenSSL a previously unknown bug that prevented the library from running when Dual EC is enabled. It is still conceivable that someone is using Dual EC in OpenSSL, since the bug has an obvious and very easy fix, so we applied this fix and evaluated the resulting version of OpenSSL, which we call “OpenSSL-fixed.” OpenSSL-fixed turns out to provide additional entropy (“additional input”) with each call to the library. In practice, this additional input can make attacks significantly more expensive than for the other libraries.

      Avec lien vers le papier technique http://dualec.org/DualECTLS.pdf

  • Une faille de sécurité dans OpenSSL injectée par la NSA

    OpenSSL mit kaputter Hintertür | heise online
    http://www.heise.de/newsticker/meldung/OpenSSL-mit-kaputter-Hintertuer-2072370.html

    Bei OpenSSL wurde Dual EC DRBG für einen ungenannten Sponsor eingebaut, der die komplette Umsetzung des NIST-Zufallszahlen-Standards SP800-90A (PDF) beaufragte. Er war jedoch nie voreingestellt. Der erst jetzt gefundene Fehler soll auch nicht mehr behoben werden, erklären die Entwickler. In kommenden OpenSSL-Versionen wird Dual EC DRBG statt dessen entfernt.

    On devine qui est le sponsor ayant financé l’introduction du générateur de chiffres aléatoires défaillant. Ne produisant qu’un message d’erreur il ne fut utilisé par personne.

    Pourtant la nouvelle nous impose une question connue déjà des opposant en Allemagne de l’Est / RDA : Qui parmi nous travaille pour la #STASI ? Nous n’aurons jamais de réponse crédible, mais nous pouvons employer un workaround pour resoudre le problème :

    Tant que la totalité de notre code et de nos activités logicielles seront publiées et visibles pour le monde entier, nous pourrons compter sur l’engagement et la solidarité de nos collègues et camarades pour nous prévenir des attaques éventuelles.

    #open_source