{"id":71472,"date":"2013-09-20T11:43:00","date_gmt":"2013-09-20T10:43:00","guid":{"rendered":"http:\/\/rinf.com\/alt-news\/breaking-news\/deliberately-flawed-rsa-security-tells-customers-to-drop-nsa-related-encryption-algorithm\/71472\/"},"modified":"2013-09-20T13:50:46","modified_gmt":"2013-09-20T12:50:46","slug":"deliberately-flawed-rsa-security-tells-customers-to-drop-nsa-related-encryption-algorithm","status":"publish","type":"post","link":"http:\/\/rinf.com\/alt-news\/latest-news\/deliberately-flawed-rsa-security-tells-customers-to-drop-nsa-related-encryption-algorithm\/","title":{"rendered":"Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm"},"content":{"rendered":"
An encryption algorithm with a suspected NSA-designed backdoor has been declared insecure by the developer after years of extensive use by customers worldwide, including the US federal agencies and government entities.<\/div>\n

Major US computer security company RSA Security, a division of
\nEMC, has privately warned thousands of its customers on Thursday
\nto immediately discontinue using all versions of company’s BSAFE
\ntoolkit and Data Protection Manager (DPM), both using
\nDual_EC_DRNG (Dual Elliptic Curve Deterministic Random Bit
\nGenerator) encryption algorithm to protect sensitive data.<\/p>\n

\u201cTo ensure a high level of assurance in their application, RSA
\nstrongly recommends that customers discontinue use of
\nDual_EC_DRNG<\/i> [cryptographic keys generator] and move to a
\ndifferent PRNG<\/i> [Pseudo-random Number Generator],\u201d<\/i>
\nwarned RSA’s letter, as quoted by The Wall Street Journal.<\/p>\n

In the letter the RSA provided BSAFE Toolkits and DPM customers
\nwith a link to technical guidance to change the PRNG settings in
\ntheir products and promised to update the algorithm library.<\/p>\n

The letter does not mention RSA’s flagship SecurID tokens, used
\nby millions of employees around the world to get secure access to
\ntheir corporate networks.<\/p>\n

In 2006, the US National Institute of Standards and Technology
\n(NIST) followed by the International Organization for
\nStandardization officially endorsed Dual_EC_DRNG, so encryption
\nsoftware base on it was used for years by both private sector and
\nUS government agencies.<\/p>\n

Last week the New York Times published new revelations by former
\nNational Security Agency contractor Edward Snowden, exposing that
\ncrucial encryption algorithm of certain US-developed security
\nsoftware is based on weak mathematical formula intentionally
\ncrippled to facilitate NSA access to encrypted dataflow.<\/p>\n

On Wednesday, ArsTechnica media outlet sent an inquiry to RSA on
\nwhether it is going to alert its customers that company’s BSAFE
\nproduct operates a \u201cdeliberately crippled pseudo random number
\ngenerator (PRNG), which is so weak that it undermines the
\nsecurity of most or all cryptography systems that use it.\u201d<\/i><\/p>\n

A mere 24 hours after that notification, the RSA issued an
\nadvisory to stop using compromised software.<\/p>\n

The RSA letter never mentions the NSA, although \u201cdue to the
\ndebate around the Dual_EC_DRNG standard\u201d<\/i> the company invites
\nexperts to take part in recently reopened public expertise of SP
\n800-90 security standard by the National Institute of Standards
\nand Technology (NIST).<\/p>\n

According to NIST the RSA’s Dual_EC_DRNG tool is used in dozens
\nof third-party products that implement cryptographic functions,
\nsuch as McAfee Firewall Enterprise Control Center.<\/p>\n

Which means that all of them are also using \u2018corrected’ random
\nnumber generator with implanted backdoor used by the NSA; but as
\nArsTechnica suspects \u2014 not only the NSA anymore.<\/p>\n

ArsTechnica claims that an \u201cuntold number\u201d<\/i> of third-party
\nproducts \u201cmay be bypassed not only by advanced intelligence
\nagencies, but possibly by other adversaries who have the
\nresources to carry out attacks.\u201d <\/i> Specially-designed
\nhardware using a simple trial and error method can relatively
\nquickly go through possible keys until the correct one is
\ngenerated.<\/p>\n

What is more significant, ArsTechnica warns, is that the BSAFE
\ntool is the default RNG in a “large number of derivative
\ncrypto systems that are highly susceptible to being broken.\u201d<\/i><\/p>\n

Cryptography experts did not approve of the NIST’s decision to
\nchoose Dual_EC_DRNG as major encrypting tool from the very
\nbeginning and for years speculated over its sluggish performance
\nand the \u2018discrete logarithm’ mathematical basis.<\/p>\n

But a person familiar with the process told Reuters that NIST
\naccepted Dual_EC_DRNG in the first place because many US
\ngovernment agencies were already using it.<\/p>\n

As Professor Mathew Green, a cryptographer at Johns Hopkins
\nUniversity, claims in his latest publication, when NIST embraced
\nDual_EC_DRNG, the tool had no security proof.<\/p>\n

Last week Professor Green told RT<\/a> that the \u201cNSA has
\na hard time breaking encryptions, so what they’ve done is they
\nactually tried to take the products that perform encryptions and
\nmake them worse, make it weaker so it is easier for them to break
\nthat encryption.\u201d<\/i><\/p>\n

\u201c[The] NSA is willing to make the US security a little bit
\nweaker,\u201d<\/i> Green said.<\/p>\n

Just this week Symantec computer security experts maintained
\nthey’ve identified an elite group of Chinese hackers<\/a> who have targeted the systems of US
\nmajor technology companies like Adobe, Dow Chemical, Google,
\nNorthrup Grumman, Yahoo and even Symantec itself since at least
\n2009.<\/p>\n

Earlier in 2013, the NSA was exposed<\/a> as an agency that enjoyed global
\ninternet data flow control for years, using its behemoth PRISM
\nsurveillance program along with other costly projects. But
\ndespite practically limitless web control capabilities, the
\nagency failed to prevent foreign IT experts, particularly from
\nChina<\/a>, performing high-profile hacks of
\nAmerican companies and other entities.<\/p>\n

Copyright: RT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

An encryption algorithm with a suspected NSA-designed backdoor has been declared insecure by the developer after years of extensive use by customers worldwide, including the US federal agencies and government entities. Major US computer security company RSA Security, a division of EMC, has privately warned thousands of its customers on Thursday to immediately discontinue using […]<\/p>\n","protected":false},"author":1,"featured_media":71473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[487,1614,18],"tags":[],"class_list":{"0":"post-71472","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-breaking-news","8":"category-surveillance-big-brother","9":"category-latest-news"},"_links":{"self":[{"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/posts\/71472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/comments?post=71472"}],"version-history":[{"count":0,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/posts\/71472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/media\/71473"}],"wp:attachment":[{"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/media?parent=71472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/categories?post=71472"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/rinf.com\/alt-news\/wp-json\/wp\/v2\/tags?post=71472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}