RSA Warns Developers Not To Use RSA Products
rroman writes "RSA has recommended that developers not use the Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is that, even though this has been known for so long, it is the default RNG in the BSafe cryptographic toolkit, which is a product of RSA."
The obligatory NSA question (Score:5, Interesting)
Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?
Re:The obligatory NSA question (Score:5, Interesting)
"Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"
Evidence very strongly suggests the latter.
Re:The obligatory NSA question (Score:5, Interesting)
Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.
Re:No point pussy-footing around (Score:5, Interesting)
"Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."
And don't forget that their "super security" ID dongles were hacked just a year or so ago.
All in all, it's looking like RSA is a corporation to avoid.
Re:The obligatory NSA question (Score:5, Interesting)
Re:No point pussy-footing around (Score:5, Interesting)
An interesting scenario just came to mind...
1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
2) Chinese hack RSA - the only question is just how thoroughly (a known fact)
Now comes the speculation.
3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.
Followed by
6) China successfully and quietly penetrates most US defense contractors and financial institutions.
Re:The obligatory NSA question (Score:5, Interesting)
I've never seen any examples of negative press from government sources.
More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
This probably happened about the same time they dropped their designation of encryption as a munition.
They already had the solution in hand.
However, when real time continuous encryption started to be the norm (like encrypted Skype, VPNs in routers, and SSL everywhere), they simply bought their way into the companies doing it, and induced them with money and contracts.
I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of Skype.
Probably because eBay was incompetent and not terribly interested in ripping out the untraceable routing via small remotely distributed groups of nodes and many volunteer nodes.
Even if eBay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.
The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this.
It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change.
Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.
Re:No point pussy-footing around (Score:4, Interesting)
I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.
So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.