Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Encryption Privacy

RSA Warns Developers Not To Use RSA Products 128

Posted by timothy from the surely-they-have-some-alternatives-to-suggest dept.
rroman writes "RSA has recommended developers not to use Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is, that even though this has been known for so long, it is the default RNG in BSafe cryptographic toolkit, which is product of RSA."
This discussion has been archived. No new comments can be posted.

RSA Warns Developers Not To Use RSA Products More

RSA Warns Developers Not To Use RSA Products

Comments Filter:

  • The obligatory NSA question (Score:5, Interesting)

    by hsa ( 598343 ) on Saturday September 21, 2013 @05:54PM (#44913753)

    Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?

  • Re:The obligatory NSA question (Score:5, Interesting)

    by Jane Q. Public ( 1010737 ) on Saturday September 21, 2013 @06:11PM (#44913827)

    "Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"

    Evidence very strongly suggests the latter.

  • Re:The obligatory NSA question (Score:5, Interesting)

    by KiloByte ( 825081 ) on Saturday September 21, 2013 @06:14PM (#44913839)

    Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.

  • Re:No point pussy-footing around (Score:5, Interesting)

    by Jane Q. Public ( 1010737 ) on Saturday September 21, 2013 @06:27PM (#44913901)

    "Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."

    And don't forget that their "super security" ID dongles were hacked just a year or so ago.

    All in all, it's looking like RSA is a corporation to avoid.

  • Re:The obligatory NSA question (Score:5, Interesting)

    by Anonymous Coward on Saturday September 21, 2013 @07:06PM (#44914111)
    The problem is that the magic numbers used in the algorithm have no known source so no one in the community can go back and find the justification for them. They are just there. I see the potential vulnerability here is that if you know the base numbers here, and since it is elliptical, that it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.

  • Re:No point pussy-footing around (Score:5, Interesting)

    by 93 Escort Wagon ( 326346 ) on Saturday September 21, 2013 @07:39PM (#44914315)

    An interesting scenario just came to mind...

    1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
    2) Chinese hack RSA - the only question is just how thoroughly (a known fact)

    Now comes the speculation.

    3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
    4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
    5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.

    Followed by

    6) China successfully and quietly penetrates most US defense contractors and financial institutions.

  • Re:The obligatory NSA question (Score:5, Interesting)

    by icebike ( 68054 ) on Saturday September 21, 2013 @09:19PM (#44914771)

    I've never seen any examples of negative press from government sources.

    More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
    This probably happened about the same time they dropped their designation of encryption as a munition.
    They already had the solution in hand.

    However, when real time continuous encryption started to be the norm, (like encrypted Skype, VPNs in routers, and SSL everywhere)
    they simply bought their way into the companies doing it, and induced them with money and contracts.

    I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE.
    Probably because EBay was incompetent and not terribly interested in ripping out the un-traceable routing via small
    remotely distributed groups of nodes and many volunteer notes.
    Even if Ebay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.

    The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore
    peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this.
    It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change.
    Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.

  • Re:No point pussy-footing around (Score:4, Interesting)

    by 93 Escort Wagon ( 326346 ) on Sunday September 22, 2013 @02:48AM (#44916097)

    I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.

    So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close