Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Privacy

RSA Warns Developers Not To Use RSA Products 128

rroman writes "RSA has recommended developers not to use Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is, that even though this has been known for so long, it is the default RNG in BSafe cryptographic toolkit, which is product of RSA."
This discussion has been archived. No new comments can be posted.

RSA Warns Developers Not To Use RSA Products

Comments Filter:
  • Doesn't matter (Score:5, Insightful)

    by Anonymous Coward on Saturday September 21, 2013 @04:47PM (#44913709)

    Surely no-one in their right mind is still using crypto software from US companies? None of it can be trusted any more.

    • by Anonymous Coward on Saturday September 21, 2013 @04:57PM (#44913771)

      I see that you're not using American software, let's go into this back room and you can tell me why you hate America.

  • by hsa ( 598343 ) on Saturday September 21, 2013 @04:54PM (#44913753)

    Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?

    • by Jane Q. Public ( 1010737 ) on Saturday September 21, 2013 @05:11PM (#44913827)

      "Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"

      Evidence very strongly suggests the latter.

      • by jthill ( 303417 ) on Saturday September 21, 2013 @11:35PM (#44915683)

        It wasn't RSA. They trusted the NSA, with good reason. The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later.

        Then someone figured out that the way this new RNG is set up, the constants the NSA chose *could be* the public half of an asymmetric key, and if so the RNG's state could be read with very little effort by anyone in possession of the private half. There is no mathematical way at all to tell whether this is the case, but apparently something in the Snowden documents at least strongly suggests the NSA did know about it and did use it.

        It's important to highlight that this isn't the kind of weakness anyone _else_ can take advantage of; a blackhat would still have to discover their private key, the exact same problem he was facing before. The NSA are apparently not dumb enough to rely on keeping math a secret.

        But it seems every successful security service forgets the basic lesson: set up a system with unchecked power, the scum of the earth will eventually take notice. From that moment they'll dedicate their lives to getting control of it. They'll eventually succeed.. Snowden took advantage of criminally slack security in the NSA. Just the the fact that he could reveal the documents he revealed is proof the NSA have already gotten arrogant and sloppy, never mind what's in them.

        • by Anonymous Coward

          Of course it is easy to foreign agents to get ahold of any secret. The more info collected into one place, the bigger the carrot.
          They're trained to wrestle information out of government and corporate hands. What will it take? Money? Threats? Violence? Brainwashing?

          Google up how successful China is for instance.

        • by Bert64 ( 520050 )

          It's likely that the issues with DES would have been discovered sooner had they not been fixed, after all an actively used system is far more worthy of study than something thats been superseded and is no longer used.

          As for discovering the private key, who's to say Snowden doesn't have a copy of it? And for all we know, that key could have been leaked to others long ago, the US is not the only country that conducts spying...

          • by Goaway ( 82658 )

            It's likely that the issues with DES would have been discovered sooner had they not been fixed, after all an actively used system is far more worthy of study than something thats been superseded and is no longer used.

            That is nonsense. The fixed DES was identical to the original DES, with the expectation of a couple of seemingly arbitrary numbers. Nobody's going to stop researching DES because the NSA changed a couple of numbers. In fact, the opposite is far more likely.

        • "The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later. "

          Are you being sarcastic? The "improvements" they made are now being looked at, 15 years later, as examples of Government backdoors in their encryption.

          (I know it's not every case, but the consensus is that it was in THIS case, and possibly several others. I have friends in the field and they knew about this particular instance of PRNG for elliptiical curve crypto way back when. Few trusted it except, apparently, RSA and its customers.)

          So any "improvements" from the NSA have to come with a grain of sal

          • by jthill ( 303417 )

            The "improvements" they made are now being looked at, 15 years later, as examples of Government backdoors in their encryption.

            I suspect you're talking about some other DES [wikipedia.org].

            • "I suspect you're talking about some other DES."

              Pardon me. My eyes must have skipped over the DES part. No, of course what I was saying doesn't apply to DES.

              On the other hand, this situation has made a lot of people look at any government-approved encryption with a jaundiced eye.

    • by KiloByte ( 825081 ) on Saturday September 21, 2013 @05:14PM (#44913839)

      Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.

      • Yeah, well, now they will have close the company anyway, since all their customers are running for the hills. They have already announced lay-offs.
    • by Billly Gates ( 198444 ) on Saturday September 21, 2013 @05:18PM (#44913861) Journal

      Yep NSA did play a hand in this insecure logarithm [arstechnica.com].

      Sadly just a month ago such a comment would be modded -1 offtopic or -1 flamebait as the equailivant of that crazy guy drunk talking to himself on the subway.

      Slightly different topic, this algorithm seems very strong as it is what slashdotters say is a perfect encryption mathmatical algorithm. It is Elispse based so there are more numbers to guess and the seed process is very stenious to make it harder to crack. It seems like the best one which is why BASE libraries use it just on that evidence. Can a mathmatician or crypto expert explain why this NSA endorsed algorithm has so many problems compared to SHA-2 or BES?

      • by Anonymous Coward

        So where are all those clowns who parroted the "tinfoil hat" comments now, huh? Eating their humble pie, no doubt.

        I TOLD YOU SO!

      • by Anonymous Coward on Saturday September 21, 2013 @06:06PM (#44914111)
        The problem is that the magic numbers used in the algorithm have no known source so no one in the community can go back and find the justification for them. They are just there. I see the potential vulnerability here is that if you know the base numbers here, and since it is elliptical, that it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.
      • by AHuxley ( 892839 )
        From the 1920's on the ~GCHQ and ~NSA gave UK and US political and military leaders limited and then full plain text about the world.
        With the generational (1950-80's) change from dedicated cryptography machines to the 'internet' that same political and military deal had to be met.
        How do you get the world chatter? You have to create any emerging digital standards. Just as the cryptography machines and telco equipment where interfered with and sold cheap to friendly nations.
        If the UK and US encounter pe
        • by icebike ( 68054 ) on Saturday September 21, 2013 @08:19PM (#44914771)

          I've never seen any examples of negative press from government sources.

          More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
          This probably happened about the same time they dropped their designation of encryption as a munition.
          They already had the solution in hand.

          However, when real time continuous encryption started to be the norm, (like encrypted Skype, VPNs in routers, and SSL everywhere)
          they simply bought their way into the companies doing it, and induced them with money and contracts.

          I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE.
          Probably because EBay was incompetent and not terribly interested in ripping out the un-traceable routing via small
          remotely distributed groups of nodes and many volunteer notes.
          Even if Ebay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.

          The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore
          peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this.
          It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change.
          Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.

          • by kasperd ( 592156 )

            The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology.

            That's not true. Earlier this month I have seen my Skype calls get routed through peers, who were not participating in the call. That however resulted in very unreliable calls, so I got the machine running Skype onto a public IP address. With that in place I could see the traffic was going directly between me and the IP addresses of the people I was commu

      • by omkhar ( 167195 )

        for one, SHA-2 is a hashing algorithm, not encryption. Secondly, although the math is sound, the algorithm which generates the seed for the PRNG is allegedly based on constants which make the crypto trivial for the NSA to brute force.That algorithm is known as Dual_EC_BRDG.

      • by Solandri ( 704621 ) on Saturday September 21, 2013 @10:07PM (#44915265)
        Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve [schneier.com] the security of encryption standards. As Schneier has said, the revelations about recent NSA activity has completely evaporated the goodwill NSA earned in the cryptographic community from back then.
        • by kasperd ( 592156 )

          Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve [schneier.com] the security of encryption standards.

          Schneier has been speculating [schneier.com] about the possibility of an NSA planted backdoor in Dual_EC_DRBG since 2007. Which by the way took me a few attempts to find again since there are many hits if you search for NSA backdoor on his site.

          As Schneier has said, the revelations about recent NSA activity has completely evaporated the goodwill NSA earned in the cryptographic comm

      • Some smart guys at Microsoft already explained it years ago. A quick Google wil get the info for you.
    • by gweihir ( 88907 ) on Saturday September 21, 2013 @06:14PM (#44914179)

      The problem is that RSA made the worst generator (in every respect) of several the default. That cannot have been an engineering decision or a business decision in the interest of their customers. It is dead certain that NSA coercion is behind it, anybody that can build a working crypto library cannot be that incompetent.

    • by Frosty Piss ( 770223 ) * on Saturday September 21, 2013 @07:28PM (#44914543)

      or did NSA tell RSA to slip in a backdoor back in 2006

      It's not so much the possibility that the NSA influenced RSA, rather they influenced the standard itself.

      Here's the whole story according to Bruce Schneier:

      http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 [wired.com]

  • by innocent_white_lamb ( 151825 ) on Saturday September 21, 2013 @05:00PM (#44913785)

    There's no point in pussy-footing around this. It's obvious that RSA was either forced or "rewarded" into using an insecure method. And that they knew it at the time (because they are cryptographers and because they don't live in the bottom of a well.)

    Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both.

    The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with? And, most importantly, how can we verify that replacement?

    • by Jane Q. Public ( 1010737 ) on Saturday September 21, 2013 @05:27PM (#44913901)

      "Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."

      And don't forget that their "super security" ID dongles were hacked just a year or so ago.

      All in all, it's looking like RSA is a corporation to avoid.

      • by 93 Escort Wagon ( 326346 ) on Saturday September 21, 2013 @06:39PM (#44914315)

        An interesting scenario just came to mind...

        1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
        2) Chinese hack RSA - the only question is just how thoroughly (a known fact)

        Now comes the speculation.

        3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
        4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
        5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.

        Followed by

        6) China successfully and quietly penetrates most US defense contractors and financial institutions.

        • by Anonymous Coward

          6) China successfully and quietly penetrates most US defense contractors and financial institutions.

          So, you are saying you think the NSA deliberately weakens an encryption method, then proceeds to use that method itself? Because the NSA sets the standards for the DoD and defense contractors.

          I can't tell, do you think the NSA is brilliant or stupid beyond belief?

          • "I can't tell, do you think the NSA is brilliant or stupid beyond belief?"

            I'm pretty sure it means a little bit of both.

            • by 93 Escort Wagon ( 326346 ) on Sunday September 22, 2013 @01:48AM (#44916097)

              I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.

              So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.

              • I think we're on the same channel here. But the exact mix of brilliance and stupidity is really not so important. Whatever the magnitude of the individual parts, the end result is still that NSA can't be trusted to act in the public good.
          • The more bigger of a threat that China is, and the more hacking groups break into goverment files the more power the NSA is given, and they get the benifit of spying on themselves.

            So it is a win/win to compromise your own systems.

        • It certainly explains how they've managed to penetrate so many large corporations, and in such a short window. There was a common weak security element between all these companies, and this was likely it.

          I do remember the RSA was hacked into not so long ago, and a good chunk of their data was stolen. I wonder if they got a dose of their own medicine. In fact, I wonder if they allowed it to happen deliberately, to show the spooks what happens when they try to sabotage everybody indiscriminately.

        • Yup, all that already happened a few years ago.
        • The dongle hack was information about the SecurID token, which does not use the same PRNG. Of course this information is probably from RSA itself since it is sourced anonymously. The SecurID hack was apparently a phishing e-mail exploiting CVE-2011-0609 according to f-secure, so not specifically an RSA failure.

          In other words, not the same crypto in question. Your scenario is probably more like 2 steps:

          1) 2006 papers suggest Dual_EC_DRNG is predictable
          2) China decrypts everything created by BSAFE Toolkits

    • by mysidia ( 191772 ) on Saturday September 21, 2013 @05:28PM (#44913907)

      The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with?

      I have no need to, because I don't use any of RSA's software toolkits.

      I use Microsoft CryptoAPI, GPG, GnuTLS, and OpenSSL, php-Mcrypt/php-Mhash, and some dedicated non-RSA special purpose libraries, for all my cryptography requirements.

    • Re: (Score:1, Redundant)

      by chill ( 34294 )

      Putting it bluntly, you can't.

      Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

      This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juni

      • Was that mess posted with Android 2.3 by chance?

        • No, why? Had Android's autocorrect infected my brain where it now reads as normal to me?

          • I checked it in a couple of different browsers. Only the Android browser made it look correct, and that was only on the second viewing using that browser.
            When I first viewed it, it was broken in Android too. Most lines are repeated three times. For example, the sentence starting with "Here's the problem. Dual_EC_DRGB is flawed" is in there three times. I wonder what you'll see if I repost a copy / paste of the text:

            Putting it bluntly, you can't.

            Here's the problem. Dual_EC_DRGB is flawed, but is *required*

            • by chill ( 34294 )

              Interesting. It was posted in Firefox 24, as it was too long to try and do thru my phone browser (Android 4.2.2). But it looked fine in both. Interesting that you see it differently.

              For the longest time I had issues viewing Slashdot in the Android browser. I'd get essentially an infinite loop of comments in a threat. That seems to have been fixed about a month or so ago.

              What you copied back in your reply also looks properly formatted to me.

    • what should it be replaced with?

      To be trustable it has to be open source, but to be trustworthy will require both code scrutiny and careful analysis.

      New maxim: you can't keep secrets with secrets.

      • by Lumpy ( 12016 )

        Screw that. Simple 1 time pad will do the trick. Uncrackable by even the best crypto minds on the planet.

        • Yeah. Good luck with making that a standard. No one wants a standard that has to be re-standardized everytime its used. The obvious answer is using cryptographic methods that are not part of anything to do with RSA. And let the standard play ketchup. I don't give a fuck if its not compliant, I want it to be secure.
        • by 0123456 ( 636235 )

          Screw that. Simple 1 time pad will do the trick. Uncrackable by even the best crypto minds on the planet.

          Not if you use an insecure random number generator (i.e. pretty much anything that's pure software with no hardware component) to generate the pad.

        • by Desler ( 1608317 )

          Uncrackable by even the best crypto minds on the planet.

          Only theoretically [wikipedia.org]. There are plenty of issues with using one-time pads that can make them suspectible to be cracked.

        • One time pads are useless.
        • by chill ( 34294 )

          One of the major reason public key crypto was invented is the difficulty associated with securely distributing symmetric crypto keys.

          A one-time pad is essentially a massive symmetric crypto key, so you're back to square one. And good luck distributing a copy of your one-time pad to everywhere you do e-commerce with, like your bank, Amazon.com and the like.

          • by Desler ( 1608317 )

            You make the wrong assumption that the guy read past the part of one-time pad's being "unbreakable" to all the downsides associated with them.

            • by Lumpy ( 12016 )

              Like your assumption? as you seem to assume far more than you know.

              It is "unbreakable" and anyone that has a clue about cryptography knows it. Yes there are weaknesses that are always human induced mistakes, like re-using the pad.

              But there are still communications that were send during WW-II that have not been cracked that used a 1 time pad. For very high security it is still used to this day.

    • by Anonymous Coward

      Actually this is not true, and it is obvious you have never done any crypto work yourself, having taken graduate level courses on the topic, I can tell you that 1) it is hard to prove that an encryption system (b/c thats what PRNG is at the core) is 'slightly' insecure, Proving glaring obvious faults is easy. 2) not every crypto secret is publicly known, look at DES and EC attacks

      Take AES for example, its the standard that pretty much everything uses for symmetric enrcryption, but it is NOT a feistel ciphe

      • The AES s:boxes already have an algebraic solution in themselves, as do every step of the process, rotates, xors, sums mod 2^32 etc. The problem is the combinatorial explosion that happens even over the course of one round when you combine all the operations, meaning there's so many simultaneous equations to solve, you'd need huge amounts of plaintext and corresponding cyphertext to even establish a few bits of the key.
    • Well if they were forced as you stated, it means they did have no option. In that case you should not blame them for a faulty product.
      • No, I still blame them. They should have shut down their shop and moved overseas to a better location. Instead, they chose to defraud all their customers by selling snake oil for millions of dollars. The RSA company is a bunch of immoral fraudsters and they all deserve to be thrown in jail.
    • by gweihir ( 88907 )

      Don't forget that this default also selected the slowest generator and the one with the worst security analysis. There is no way this was an engineering decision. In fact I would not be surprised if some people working on the library resigned right at the time this decision was made...

    • There's the proverb about not attributing to maliciousness that which can be explained by stupidity.

      VMware (also an EMC subsidiary) used an RSA implementation for their SSO product. It had a ton of problems and bugs, and each new patch release introduced more bugs. Applying pressure to RSA via EMC didn't help, so VMware ripped out the RSA implementation with a band new in-house implementation.

  • When it was discovered in 2007 that the NSA insisted on adding this PRNG to the standard, with constants they chose the general reaction was "so what? after all, this is one of many alternatives, and it is the slowest and least efficient". I assumed their idea was to somehow choose the PRNG in applications where they were one of the parties, but that seemed unlikely.

    It's now clear what the idea was: secretly having companies use this PRNG. The original assumption was that companies voluntarily choose what

  • In the article linked to on ArsTechnica a cryptographer wishes to remain anonymous, though his comment is perfectly reasonable and very safe:

    "I personally believed that it was some theoretical cryptographer's pet project," one cryptographer who asked not to be named told Ars.

    He (or she) is not accusing anyone or suggesting anything. Why the desire to remain anonymous? I bet that many people active in cryptography even in academic circles are afraid. Indeed, chances are that active researchers are being

  • OpenBSD entropy (Score:5, Informative)

    by funkboy ( 71672 ) on Sunday September 22, 2013 @05:09AM (#44916697) Homepage

    Yet another reason that validates OpenBSD developers having spent years improving the quality of random number generation [openbsd.org].

    Say what you want about Theo, but their developers are top-notch and their stuff really works.

  • Hearts...

    Bleed...

  • Why would the NSA deliberately weaken crypto algorithms ?
    Sure, that makes spying easier but it is also quite dangerous. Because if the vulnerability is found anyone can access the encrypted data, including the enemies.

    Think about it : the NSA releases a "recommended" crypto package. Obviously, US companies will be much more likely to use it than, say, the Chinese. If this package happens to be weak and that the Chinese find out, US companies will be the most affected. Also, to spy on its own citizen, it is

Keep up the good work! But please don't ask me to help.

Working...