Slashdot Mirror


RSA Warns Developers Not To Use RSA Products

rroman writes "RSA has recommended that developers not use the Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is that, even though this has been known for so long, it is the default RNG in the BSafe cryptographic toolkit, which is a product of RSA."

128 comments

  1. Doesn't matter by Anonymous Coward · · Score: 5, Insightful

    Surely no-one in their right mind is still using crypto software from US companies? None of it can be trusted any more.

    1. Re:Doesn't matter by Anonymous Coward · · Score: 5, Funny

      I see that you're not using American software, let's go into this back room and you can tell me why you hate America.

    2. Re:Doesn't matter by ColdWetDog · · Score: 0

      And here, sports fans, is exactly why we need better controls on firearms and video games in the US.

      --
      Faster! Faster! Faster would be better!
    3. Re:Doesn't matter by davester666 · · Score: 0

      Or some kind of passport to control who is permitted to post on these internets.

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Yup, certainly following a pattern there, USA. Happy to stay out of both wars and profiteer until your own citizens come under attack. Something I'm sure you can be morally proud of.

    5. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Actually I can't help but feel this explains something about the American psyche ever since, trying to act as an international police force and not happy to stand back any longer. I think the US's self-serving disinterest was probably historically more successful than its current self-serving overbearing interest, unfortunately.

    6. Re:Doesn't matter by Anonymous Coward · · Score: 0

      In the USA, your crypto software doesn't trust you.

    7. Re:Doesn't matter by Anonymous Coward · · Score: 0

      So we SHOULD get involved in wars which don't involve us?

    8. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Wait, so the US should routinely get involved in wars that don't involve US citizens being attacked?

    9. Re: Doesn't matter by Anonymous Coward · · Score: 2, Informative

      The "global police force" metaphor is used a lot but it is completely wrong.

      The actions on the international stage are driven entirely by economic and geopolitical interests. If it so happens that the operation appears to "do good" then a media spin will be applied, furthering the "global policeman" illusion.

      On the other hand, operations which topple democratic governments, install anti-leftist dictators, support smaller third world dictatorships in their abuses, grab the resources of a country, fund terrorists to keep on destabilizing a country, etc., etc., these are not mentioned in the policing context.

      The purpose of force projection has been and will be the assertion of a superstate status, though this status has been progressively more and more inapplicable since the fall of the Soviet Union. Without a clearly defined bogeyman, the media spin becomes harder to manufacture.

    10. Re:Doesn't matter by runeghost · · Score: 1

      In the USA, your crypto software doesn't trust you.

      Ah, that explains TPM.

    11. Re: Doesn't matter by Internetuser1248 · · Score: 2

      On the other hand, operations which topple democratic governments, install anti-leftist dictators, support smaller third world dictatorships in their abuses, grab the resources of a country, fund terrorists to keep on destabilizing a country, etc., etc., these are not mentioned in the policing context.

      This would be logical. The weird thing is they are. I have seen for example Vietnam, Cuba and Chile used in exactly the context you describe, including here on slashdot. It appears that most people in the US don't actually understand the details of what happened in those cases so people get away with such absurd and outrageous nonsense without being called on it.

    12. Re:Doesn't matter by Anonymous Coward · · Score: 0

      The answer to your question is simple - no, they should not routinely get involved. Other than that, there are no simple black or white answers; every situation is different, and should be judged appropriately on its own merits. However, since WW2 the US has routinely started wars against countries that have not attacked US citizens, which is what I would say most people have the biggest problem with.

    13. Re:Doesn't matter by kthreadd · · Score: 0

      Because no one else would. Maybe not always the best thing, but often a lesser bad thing than to stay aside and watch.

    14. Re:Doesn't matter by Anonymous Coward · · Score: 0

      That is only propaganda. The US was pretty involved in WW2 before the attack on Pearl Harbor. The US was part of an economic blockade against Japan to reduce the resources to their military.
      The attack against Pearl Harbor was supposed to end the US presence in the Pacific but didn't do as much damage as Japan initially thought.

    15. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Because no one else would. Maybe not always the best thing, but often a lesser bad thing than to stay aside and watch.

      US stays aside and watches:
      - Thousands (perhaps more) civilians tortured in slave camps in North Korea, and the rest living like indentured servants;
      - China;
      - The Kurd genocide in Turkey;
      - Global human trafficking network;
      - Kony and the like enslaving children and making them soldiers;
      - Almost every African or Asian country that is for all practical purposes a dictatorship that condemns millions to die of hunger;
      - Women and little girls spanked, mutilated and raped by their families and husbands in most Islamic countries;
      - Blood diamonds and bloodier rare earths trade;
      - Liberia and Somalia;
      - Persecution of homosexuals in Russia;

      So tell me again that part about the US not standing aside...

    16. Re: Doesn't matter by DEN_GUY · · Score: 1

      I guess you can maintain a spurious moral high ground, and allow the US to fight your battles for you, all the while decrying their supposed Colonialism. Go look at the UN funding and see where lion's share of the money, infrastructure and personnel come from.

    17. Re:Doesn't matter by Anonymous Coward · · Score: 0

      The US began sanctions against Japan to protect its own economic interests in China, and not as a part of the war effort (in fact it had to coerce other nations to impose sanctions). Since Japan was highly reliant on US imports (Japan's reason for entering the war in a limited fashion was to secure some resources for itself), it was in the end the precipitating factor for Pearl Harbour.

      A far better argument for US involvement would be the lease-lend agreements that supplied munitions to Allied forces, but your example - not so much.

    18. Re:Doesn't matter by CodeBuster · · Score: 2

      Why certainly sir! When have you government types ever steered me wrong?

    19. Re: Doesn't matter by Anonymous Coward · · Score: 0

      Well actually we develop our crypto code in Australia and have done so since Eric Young, the original author of what is now known as OpenSSL, joined the company. I can assure you there are no back doors in the code, and many of our customers buy the source code as well and would see them if they were there. It is unfortunate however that some of our currently released versions do use the EC DRBG as the default, but it is quite simple to change that and use whatever default you wish.

    20. Re: Doesn't matter by lgw · · Score: 1

      You seem to have a rather idealized notion of "police". I never saw "global police force" as much of a compliment.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. The obligatory NSA question by hsa · · Score: 5, Interesting

    Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?

    1. Re:The obligatory NSA question by Jane+Q.+Public · · Score: 4, Interesting

      "Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"

      Evidence very strongly suggests the latter.

    2. Re:The obligatory NSA question by KiloByte · · Score: 4, Interesting

      Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:The obligatory NSA question by Billly+Gates · · Score: 5, Informative

      Yep NSA did play a hand in this insecure algorithm.

      Sadly just a month ago such a comment would be modded -1 offtopic or -1 flamebait as the equivalent of that crazy drunk guy talking to himself on the subway.

      Slightly different topic, this algorithm seems very strong as it is what slashdotters say is a perfect encryption mathematical algorithm. It is ellipse based so there are more numbers to guess and the seed process is very strenuous to make it harder to crack. It seems like the best one, which is why BSAFE libraries use it just on that evidence. Can a mathematician or crypto expert explain why this NSA endorsed algorithm has so many problems compared to SHA-2 or BES?

    4. Re:The obligatory NSA question by Anonymous Coward · · Score: 0

      Why now though? One may imagine that the NSA has discussed with RSA the possibility that one of Snowden's yet-to-be-leaked documents reveals this coercion. What should RSA do? Nothing is one possibility, but better to limit the damage by announcing this weakness in advance of the leak.

    5. Re:The obligatory NSA question by Anonymous Coward · · Score: 1

      So where are all those clowns who parroted the "tinfoil hat" comments now, huh? Eating their humble pie, no doubt.

      I TOLD YOU SO!

    6. Re:The obligatory NSA question by Anonymous Coward · · Score: 5, Interesting

      The problem is that the magic numbers used in the algorithm have no known source so no one in the community can go back and find the justification for them. They are just there. I see the potential vulnerability here is that if you know the base numbers here, and since it is elliptical, that it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.

    7. Re:The obligatory NSA question by gweihir · · Score: 3, Insightful

      The problem is that RSA made the worst generator (in every respect) of several the default. That cannot have been an engineering decision or a business decision in the interest of their customers. It is dead certain that NSA coercion is behind it, anybody that can build a working crypto library cannot be that incompetent.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:The obligatory NSA question by AHuxley · · Score: 1

      From the 1920's on the ~GCHQ and ~NSA gave UK and US political and military leaders limited and then full plain text about the world.
      With the generational (1950-80's) change from dedicated cryptography machines to the 'internet' that same political and military deal had to be met.
      How do you get the world chatter? You have to create any emerging digital standards. Just as the cryptography machines and telco equipment were interfered with and sold cheap to friendly nations.
      If the UK and US encounter perfect encryption, they get to the firm making it, swap staff, buy in, buy up, create negative press or bolster the prestige of a more tame firm. Product prices can also be fixed until the perfect encryption never makes a profit or has to change methods to keep up.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:The obligatory NSA question by Anonymous Coward · · Score: 0

      What do the Russians, Chinese, French, Germans, Japanese, and Italians do? They are all known to have read other people's codes in the past, and many of them in the present. You just keep bringing up the US, and sometimes the UK, and usually ignore the Russians / Soviets and the role they played.

    10. Re:The obligatory NSA question by icebike · · Score: 5, Interesting

      I've never seen any examples of negative press from government sources.

      More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
      This probably happened about the same time they dropped their designation of encryption as a munition.
      They already had the solution in hand.

      However, when real time continuous encryption started to be the norm, (like encrypted Skype, VPNs in routers, and SSL everywhere)
      they simply bought their way into the companies doing it, and induced them with money and contracts.

      I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE. Probably because EBay was incompetent and not terribly interested in ripping out the un-traceable routing via small remotely distributed groups of nodes and many volunteer nodes. Even if Ebay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.

      The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this. It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change. Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.

      --
      Sig Battery depleted. Reverting to safe mode.
    11. Re:The obligatory NSA question by AHuxley · · Score: 2

      French, Germans, Japanese, and Italians wanted US political aid, trade, mil support; they did what they were 'told' and kept to a US/UK set standard.
      If any national crypto private or public sector standards emerged from within Asia or the forming NATO/EU, the UK and US were quick to request individual firms or nations come back to the set 'NSA/GCHQ' weakened standard.
      How would any nation's mil or political leader say 'no' to the full might of NATO or the USA crypto?
      Saying yes to the NSA/GCHQ bought in amazing new tech, local jobs, generational trust and contracting wealth to trusted local ex mil.
      Questions bought in political issues, legal friction, trade issues, threats, cash flow issues, private sector bankruptcy and a loss of standing internationally.
      The Soviet Union went for the human side of US/UK tech and wanted weak/ideologically conflicted or cash poor staff to sell out their western govs and were always waiting for the next offer.
      What did the Soviets have? Cuba was safe for a big listening station. Bits of Africa? Asia? South America? Huge spy ships and expensive satellites never gave the results and coverage demanded.
      The UK and US always had the global banking, telco systems and crypto. The Soviet Union had to connect if it wanted to export on NSA terms too :)
      China just sat back and flooded the West with their students and products, learning their way up until they could trade their way to any project at any quality or price. Win contracts or offer aid projects and make friends.
      So really beyond the junk encryption setting NSA and GCHQ you were stuck with age old human spying, spy ships, satellites or doing what you were told by US/UK experts.
      ie the "Russians / Soviets" could not even keep their own crypto traffic safe beyond the 1950's (very wise one time pad use was stopped).
      Their radio and communications networks became huge, sloppy and totally useless into the ~1960-80's.
      The role the Soviets played is a bit like our 'internet' now or Enigma and Germany: back to plain text. China went smart and offered layers of regional and national data, mixed with propaganda, missing data, fake data and politics; good luck with working that out at a spy or database level.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:The obligatory NSA question by omkhar · · Score: 1

      For one, SHA-2 is a hashing algorithm, not encryption. Secondly, although the math is sound, the algorithm which generates the seed for the PRNG is allegedly based on constants which make the crypto trivial for the NSA to brute force. That algorithm is known as Dual_EC_DRBG.

    13. Re:The obligatory NSA question by Solandri · · Score: 4, Insightful

      Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve the security of encryption standards. As Schneier has said, the revelations about recent NSA activity have completely evaporated the goodwill NSA earned in the cryptographic community from back then.

    14. Re:The obligatory NSA question by jthill · · Score: 5, Insightful

      It wasn't RSA. They trusted the NSA, with good reason. The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later.

      Then someone figured out that the way this new RNG is set up, the constants the NSA chose *could be* the public half of an asymmetric key, and if so the RNG's state could be read with very little effort by anyone in possession of the private half. There is no mathematical way at all to tell whether this is the case, but apparently something in the Snowden documents at least strongly suggests the NSA did know about it and did use it.

      It's important to highlight that this isn't the kind of weakness anyone _else_ can take advantage of; a blackhat would still have to discover their private key, the exact same problem he was facing before. The NSA are apparently not dumb enough to rely on keeping math a secret.

      But it seems every successful security service forgets the basic lesson: set up a system with unchecked power, the scum of the earth will eventually take notice. From that moment they'll dedicate their lives to getting control of it. They'll eventually succeed. Snowden took advantage of criminally slack security in the NSA. Just the fact that he could reveal the documents he revealed is proof the NSA have already gotten arrogant and sloppy, never mind what's in them.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
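
Added example (the editor's, not code from the thread, from RSA or from NIST): a toy model of the trapdoor that omkhar and jthill describe above, so the claim that the constants "could be the public half of an asymmetric key" can be checked in running code. It follows the construction Shumow and Ferguson presented at the CRYPTO 2007 rump session, but on a tiny curve y^2 = x^3 + 2x + 3 over F_1019 with 2 of 10 x-coordinate bits dropped, instead of P-256 with 16 of 256 bits dropped. The curve parameters, the secret multiplier E_SECRET and every helper name are this example's own choices. Q is manufactured as E_SECRET*P; whoever holds D = E_SECRET^-1 mod N (so that D*Q = P) watches a few outputs, guesses the dropped bits, lifts the point back onto the curve, multiplies by D and from then on predicts every output. Anyone without D is left with a discrete logarithm on the curve, which is jthill's "exact same problem he was facing before".

```python
"""Toy Dual_EC_DRBG with a trapdoored Q (Shumow/Ferguson, CRYPTO 2007 rump session).

Illustrative only: tiny curve y^2 = x^3 + A x + B over F_1019, 2 of 10 x bits dropped,
instead of P-256 with 16 of 256 bits dropped. All names and parameters are this example's.
"""
from math import gcd

P_MOD, A, B = 1019, 2, 3          # toy curve; 4A^3 + 27B^2 != 0 and P_MOD = 3 (mod 4)
FIELD_BITS = P_MOD.bit_length()   # 10
OUT_BITS = FIELD_BITS - 2         # the generator emits only the low 8 bits of each x-coordinate
INF = None                        # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B over F_P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mult(k, pt):
    """Double-and-add for any non-negative integer k."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def lift_x(x):
    """A curve point with this x-coordinate, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    if rhs == 0:
        return (x, 0)
    if pow(rhs, (P_MOD - 1) // 2, P_MOD) != 1:          # not a quadratic residue
        return None
    return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))      # square root, valid as P_MOD = 3 mod 4


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        n += 1
    return n


# Base point P: the largest-order point among small x-coordinates (brute force is fine at this size).
P = max((pt for pt in map(lift_x, range(40)) if pt), key=point_order)
N = point_order(P)

# The "standard" constant Q is generated as E_SECRET*P. Whoever knows D = E_SECRET^-1 mod N,
# so that D*Q = P, holds the trapdoor; to everyone else Q is indistinguishable from a random point.
E_SECRET = 0x5EC
while gcd(E_SECRET, N) != 1:
    E_SECRET += 1
Q = scalar_mult(E_SECRET, P)
D_TRAPDOOR = pow(E_SECRET, -1, N)


def truncate(r):
    return r & ((1 << OUT_BITS) - 1)


def state_from_point(pt):
    """Next state = x(pt), reduced into [1, N) so scalar multiplications never reach infinity."""
    return pt[0] % N or 1


class DualEC:
    """s <- x(s*P); output <- trunc(x(s*Q)): the Dual_EC_DRBG output loop."""
    def __init__(self, seed):
        self.s = seed % N or 1

    def next_output(self):
        self.s = state_from_point(scalar_mult(self.s, P))
        return truncate(scalar_mult(self.s, Q)[0])


def recover_state(d, observed):
    """Trapdoor attack. Re-derive the point s*Q from observed[0] (guessing the dropped bits),
    multiply by d to obtain s*P and hence the next state; observed[1:] reject wrong guesses.
    Returns the generator's internal state after the last observed output, or None."""
    for hi in range(1 << (FIELD_BITS - OUT_BITS)):
        x = (hi << OUT_BITS) | observed[0]
        if x >= P_MOD:
            continue
        r_point = lift_x(x)                       # s*Q up to sign; the sign does not affect x(d*R)
        if r_point is None:
            continue
        s_times_p = scalar_mult(d, r_point)       # d*(s*Q) = s*(d*Q) = s*P
        if s_times_p is INF:
            continue
        cand = state_from_point(s_times_p)        # the state that produced observed[1]
        for i, want in enumerate(observed[1:]):
            if i:
                cand = state_from_point(scalar_mult(cand, P))
            if truncate(scalar_mult(cand, Q)[0]) != want:
                break
        else:                                     # no break: every later output matched
            return cand
    return None


def demo(seed=1234, n_observed=3, n_predict=4):
    """An eavesdropper sees n_observed outputs and then predicts the next n_predict."""
    gen = DualEC(seed)
    observed = [gen.next_output() for _ in range(n_observed)]
    recovered = recover_state(D_TRAPDOOR, observed)
    true_state = gen.s
    oracle = DualEC(recovered) if recovered is not None else None
    predicted = [oracle.next_output() for _ in range(n_predict)] if oracle is not None else []
    actual = [gen.next_output() for _ in range(n_predict)]
    return recovered, true_state, predicted, actual


if __name__ == "__main__":
    print(demo())
```

On the real parameters the loop over `hi` runs 2^16 times per output rather than 4, and each iteration is one P-256 scalar multiplication, which is why the attack is cheap for the trapdoor holder and why no amount of seeding helps: the trapdoor recovers the live state, not the seed. Note that nothing in the code above lets you tell whether a given Q was made this way; `D_TRAPDOOR` exists only because this script generated Q itself.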
    15. Re:The obligatory NSA question by flyingfsck · · Score: 1

      Yeah, well, now they will have to close the company anyway, since all their customers are running for the hills. They have already announced lay-offs.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    16. Re:The obligatory NSA question by flyingfsck · · Score: 1

      Some smart guys at Microsoft already explained it years ago. A quick Google will get the info for you.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    17. Re:The obligatory NSA question by kasperd · · Score: 2

      The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology.

      That's not true. Earlier this month I have seen my Skype calls get routed through peers who were not participating in the call. That however resulted in very unreliable calls, so I got the machine running Skype onto a public IP address. With that in place I could see the traffic was going directly between me and the IP addresses of the people I was communicating with. On one occasion I did however notice other people's calls getting routed through my computer, now that it had a public IP.

      Anybody using Skype can look at their own network traffic to verify my observations.

      Why Skype hasn't started supporting IPv6 is beyond me. It is so abundantly clear how Skype user experience is suffering from NAT. They could even have a Teredo client built into the client as a fallback when all other methods fail. Teredo is the only standardized tunnel protocol I know, which can be implemented in user mode without administrator privileges.

      --

      Do you care about the security of your wireless mouse?
    18. Re:The obligatory NSA question by Anonymous Coward · · Score: 1

      Of course it is easy for foreign agents to get ahold of any secret. The more info collected into one place, the bigger the carrot.
      They're trained to wrestle information out of government and corporate hands. What will it take? Money? Threats? Violence? Brainwashing?

      Google up how successful China is for instance.

    19. Re:The obligatory NSA question by kasperd · · Score: 2

      Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve the security of encryption standards.

      Schneier has been speculating about the possibility of an NSA planted backdoor in Dual_EC_DRBG since 2007. Which by the way took me a few attempts to find again since there are many hits if you search for NSA backdoor on his site.

      As Schneier has said, the revelations about recent NSA activity have completely evaporated the goodwill NSA earned in the cryptographic community from back then.

      Goodwill might be an exaggeration. Learning that NSA had improved security of DES did reduce the distrust in NSA, but it did not eliminate it. The first evidence of the Dual_EC_DRBG probably brought that distrust back to the previous level. By now I guess the trust in NSA is at an absolute low. (If it got any lower you would start trusting anything from the NSA not to be trustworthy.)

      --

      Do you care about the security of your wireless mouse?
    20. Re:The obligatory NSA question by Bert64 · · Score: 1

      It's likely that the issues with DES would have been discovered sooner had they not been fixed; after all, an actively used system is far more worthy of study than something that's been superseded and is no longer used.

      As for discovering the private key, who's to say Snowden doesn't have a copy of it? And for all we know, that key could have been leaked to others long ago, the US is not the only country that conducts spying...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    21. Re:The obligatory NSA question by Jane+Q.+Public · · Score: 1

      "The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later. "

      Are you being sarcastic? The "improvements" they made are now being looked at, 15 years later, as examples of Government backdoors in their encryption.

      (I know it's not every case, but the consensus is that it was in THIS case, and possibly several others. I have friends in the field and they knew about this particular instance of PRNG for elliptical curve crypto way back when. Few trusted it except, apparently, RSA and its customers.)

      So any "improvements" from the NSA have to come with a grain of salt. You might have the best encryption system in the world, but if your credibility is shit (as the NSA's now is), it doesn't matter much because nobody will use it.

    22. Re:The obligatory NSA question by jthill · · Score: 1

      The "improvements" they made are now being looked at, 15 years later, as examples of Government backdoors in their encryption.

      I suspect you're talking about some other DES.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    23. Re:The obligatory NSA question by Goaway · · Score: 1

      It's likely that the issues with DES would have been discovered sooner had they not been fixed; after all, an actively used system is far more worthy of study than something that's been superseded and is no longer used.

      That is nonsense. The fixed DES was identical to the original DES, with the exception of a couple of seemingly arbitrary numbers. Nobody's going to stop researching DES because the NSA changed a couple of numbers. In fact, the opposite is far more likely.

    24. Re:The obligatory NSA question by Anonymous Coward · · Score: 0

      I've also seen Skype work when it shouldn't - behind corporate firewalls that are supposed to be blocking traffic. Probably via a peer that somehow has better access...

      That said, yes I still believe Microsoft has made skype easier to spy on.

    25. Re:The obligatory NSA question by kasperd · · Score: 1

      I've also seen Skype work when it shouldn't - behind corporate firewalls that are supposed to be blocking traffic.

      When parties on both sides of a firewall are cooperating in getting data through the firewall, there is little you can do to stop them. The solution is to limit what software gets to run on the trusted side of the firewall. If you don't want Skype on your network, then don't install it. Some corporations do use Skype as part of their work. Those corporations are happy that Skype is so easy to get working through their firewall.

      The point where it gets difficult to get data through is when there are two firewalls in play, and each of them blocks traffic in opposite directions. The only reason any communication is possible at all in such a scenario is that somebody between the two firewalls is cooperating with the parties that want to communicate.

      --

      Do you care about the security of your wireless mouse?
    26. Re:The obligatory NSA question by Jane+Q.+Public · · Score: 1

      "I suspect you're talking about some other DES."

      Pardon me. My eyes must have skipped over the DES part. No, of course what I was saying doesn't apply to DES.

      On the other hand, this situation has made a lot of people look at any government-approved encryption with a jaundiced eye.

    27. Re:The obligatory NSA question by icebike · · Score: 2

      I've also seen Skype work when it shouldn't - behind corporate firewalls that are supposed to be blocking traffic. Probably via a peer that somehow has better access...

      That said, yes I still believe Microsoft has made skype easier to spy on.

      Skype has always had great firewall piercing technology, even before Microsoft bought them.

      Skype makes outbound connection(s) to the server. It's as easy as that. When a call comes in, the outbound connections are used for bidirectional traffic.

      It can do this on any port, and your corporate firewall can't block all ports and still allow things like web browsers to work.

      --
      Sig Battery depleted. Reverting to safe mode.
  3. RNG by Anonymous Coward · · Score: 0

    I suggest randomly selecting which random number generator you use to randomly select things.

  4. No point pussy-footing around by innocent_white_lamb · · Score: 5, Insightful

    There's no point in pussy-footing around this. It's obvious that RSA was either forced or "rewarded" into using an insecure method. And that they knew it at the time (because they are cryptographers and because they don't live in the bottom of a well.)

    Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both.

    The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with? And, most importantly, how can we verify that replacement?

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:No point pussy-footing around by Jane+Q.+Public · · Score: 4, Interesting

      "Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."

      And don't forget that their "super security" ID dongles were hacked just a year or so ago.

      All in all, it's looking like RSA is a corporation to avoid.

    2. Re:No point pussy-footing around by mysidia · · Score: 3, Informative

      The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with?

      I have no need to, because I don't use any of RSA's software toolkits.

      I use Microsoft CryptoAPI, GPG, GnuTLS, and OpenSSL, php-Mcrypt/php-Mhash, and some dedicated non-RSA special purpose libraries, for all my cryptography requirements.

    3. Re:No point pussy-footing around by chill · · Score: 1, Redundant

      Putting it bluntly, you can't.

      Here's the problem. Dual_EC_DRBG is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

      This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.

      Granted, Dual_EC_DRBG is only one of four RNGs in the NIST suite, but there is no way a user can specify *which* of those RNGs is actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).

      Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.

      Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapses like a house of cards. All the NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRBG". Hell, in assembly it could probably be a simple JNE instruction.

      The answer is don't use FIPS 140-2 mode, but if you're dealing with the government -- and a huge number

      --
      Learning HOW to think is more important than learning WHAT to think.
    4. Re:No point pussy-footing around by bill_mcgonigle · · Score: 2

      what should it be replaced with?

      To be trustable it has to be open source, but to be trustworthy will require both code scrutiny and careful analysis.

      New maxim: you can't keep secrets with secrets.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:No point pussy-footing around by Bite+The+Pillow · · Score: 0

      No. The entire purpose of RSA is providing security. And plenty of their products do not use this PRNG. If they allow themselves to be tainted, their entire business goes poof and lawsuits ensue.

      Go read up a little more and see if you still think the same thing. I won't even provide links - if you trust CNN, google "RSA Dual_EC_DRBG site:cnn.com" - or choose your own news source. Ars Technica, Fox News, I don't care where. Just go read, and then come back.

      The reason they chose this method is that elliptic curve was in vogue at the time, and hash-based cryptography was coming under attack, like MD5. Especially, this method is a lot slower. Slower to make hopefully meant slower to break.

      This is all on the record, and makes a lot more sense than RSA intentionally breaking security. I have not been convinced, and you're going to have to refute the hash-based attacks, EC being popular, the speed advantage, and the timing of the decisions in order to refute RSA's defense.

      And it is actively telling people not to use it. Sure blame that one on ass-covering. If they were forced, this would be a half-assed attempt, or they would continue to defend it as "not entirely broken" or "no known attacks".

      You're jaded, we get that. But you can't leap to conclusions that otherwise don't make sense just because you are jaded. You have to have something to fall back on.

    6. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      It's obvious that RSA was either forced or "rewarded" into using an insecure method. And that they knew it at the time (because they are cryptographers and because they don't live in the bottom of a well.)

      Interesting claim, but where is the proof that it is insecure? The most informed commentary that I've seen only says that it might be possible that it is, not that there is actual proof that it is insecure.

    7. Re:No point pussy-footing around by Anonymous Coward · · Score: 1

      Actually this is not true, and it is obvious you have never done any crypto work yourself. Having taken graduate-level courses on the topic, I can tell you that 1) it is hard to prove that an encryption system (because that's what a PRNG is at the core) is 'slightly' insecure; proving glaring, obvious faults is easy. 2) Not every crypto secret is publicly known; look at DES and EC attacks.

      Take AES for example, it's the standard that pretty much everything uses for symmetric encryption, but it is NOT a Feistel cipher, and 'could' in the future have an algebraic solution to it (allowing trivial decryption), but we don't know (publicly) if that is even going to be possible in the future.

      Hell, look at DES, its S-boxes were secure to EC attacks 20+ years before they were publicly known to even exist, because the NSA (back when it actually tried to keep encryption secure) and AT&T discovered the system of attacks, and kept even the existence of EC attacks secret, while at the same time picking S-boxes for DES that were secure against the EC attacks.

    8. Re:No point pussy-footing around by Lumpy · · Score: 1

      Screw that. Simple one-time pad will do the trick. Uncrackable by even the best crypto minds on the planet.

      --
      Do not look at laser with remaining good eye.
    9. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      Yeah, if you're running on Windows, you have no need to worry about RSA backdoors.

    10. Re:No point pussy-footing around by Carlos+Dias · · Score: 1

      Well if they were forced as you stated, it means they did have no option. In that case you should not blame them for a faulty product.

    11. Re:No point pussy-footing around by interval1066 · · Score: 1

      Yeah. Good luck with making that a standard. No one wants a standard that has to be re-standardized every time it's used. The obvious answer is using cryptographic methods that are not part of anything to do with RSA. And let the standard play catch-up. I don't give a fuck if it's not compliant, I want it to be secure.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    12. Re:No point pussy-footing around by 0123456 · · Score: 1

      Screw that. Simple one-time pad will do the trick. Uncrackable by even the best crypto minds on the planet.

      Not if you use an insecure random number generator (i.e. pretty much anything that's pure software with no hardware component) to generate the pad.

    13. Re:No point pussy-footing around by gweihir · · Score: 2

      Don't forget that this default also selected the slowest generator and the one with the worst security analysis. There is no way this was an engineering decision. In fact I would not be surprised if some people working on the library resigned right at the time this decision was made...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:No point pussy-footing around by Lumpy · · Score: 1

      5, 10 sided dice are kind of hard for the NSA to "tamper with".

      --
      Do not look at laser with remaining good eye.
    15. Re:No point pussy-footing around by Desler · · Score: 1

      Uncrackable by even the best crypto minds on the planet.

      Only theoretically. There are plenty of issues with using one-time pads that can make them susceptible to being cracked.

    16. Re:No point pussy-footing around by 93+Escort+Wagon · · Score: 4, Interesting

      An interesting scenario just came to mind...

      1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
      2) Chinese hack RSA - the only question is just how thoroughly (a known fact)

      Now comes the speculation.

      3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
      4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
      5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.

      Followed by

      6) China successfully and quietly penetrates most US defense contractors and financial institutions.

      --
      #DeleteChrome
    17. Re:No point pussy-footing around by Anonymous Coward · · Score: 1

      I would think that dice qualify as a "hardware component".

    18. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      "Especially, this method is a lot slower. Slower to make hopefully meant slower to break."

      Nothing in cryptography is ever done "hopefully" (except for crap like using PBKDF for password storage), and just because ECC was hot doesn't mean it was hot for PRNGs. Dual_EC_DRBG is slower because it's a stupid algorithm. You can make PRNGs from RSA or Diffie-Hellman, too, but nobody uses those. And while they're secure and slow, there are lots of slow PRNGs which are completely insecure. Finally, to quote another Anonymous poster, exponents make security, not multipliers (which is why PBKDF is stupid for basic password hashing, as opposed to key material generation).

      No matter how you spin it, RSA was idiotic for making this the default algorithm. There are only two reasonable explanations: either RSA is careless, or RSA was tapped by the NSA.

    19. Re:No point pussy-footing around by lennier · · Score: 2

      No. The entire purpose of RSA is providing the illusion of security.

      Fixed. The problem with security is that you can't actually sell it; the customer has no way to tell if they are really secure, or just feeling secure. But the customer can certainly tell if they feel secure. So all security vendors tend to major on the warm fuzzy feelings. That means a lot of "trust us, we're the experts" and "you don't need to know the details, put your mind at ease" and not a lot of "here is the exact proof that you are secure, including every line of our source code and every mask in our circuitry, run the analysis yourself".

      The other problem is that despite the free-market view that "they wouldn't be in business if they were faulty", proprietary security vendors actually have an extremely strong perverse incentive: the stronger the illusion of security, and the more powerful and secretive the clients, the more gain there is in working with an intelligence organisation to subvert that security. And since, when the clients are nation-states and militaries, working with intelligence agencies may be a requirement for getting the sales contract... and refusing to work with those agencies may result in treason charges and jail time... well, you don't need a doctorate in either cryptanalysis or economics to see where those incentives might lead.

      It's the classic confidence-trickster problem. You have a secret. You want to keep your secret. To keep your secret and come out ahead of the game you have to deal with someone who has bigger secrets, a bigger bankroll, and is smiling a lot. You sit down at the table, and look around. Do you see who the mark is? Even if you think you do, there's no guarantee that you're not all marks for the house.

      And it is actively telling people not to use it.

      Sure, now RSA are, now that the beans have been spilled by Edward Snowden and the NIST themselves are reopening the standard for discussion. If they didn't say anything it would look even more suspicious and whatever tattered remnants of trust they had would be gone.

      Unfortunately the illusion's pretty much torn at this point. By the way, how are Crypto AG doing?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    20. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      And don't forget that their "super security" ID dongles were hacked just a year or so ago.

      The dongles weren't hacked. Someone broke into RSA and stole the seed records, which is what goes inside the security dongle (and is supposedly impossible to extract from the dongle).

      A copy of the seed record lets you create a duplicate dongle.

      Of course, once the dongles have been delivered to customers, there is no reason for RSA to keep the seed records - they should have been wiped, let alone be stored on computers with internet connectivity.

    21. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      Tell that to an auditor who is examining one's business for due diligence with security issues. There is a good chance a company going cowboy and writing their own standards may get their license pulled, or if they are publicly traded, may face heavy fines for Sarbanes-Oxley violations.

    22. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      The RSA SecurID source code loss fiasco a few years back (IIRC) didn't affect them in the slightest. What this shows is that a device that has been breached can be possibly sold with many buyers regardless of security issues.

      I could make a device that could use $RANDOM for a RNG and sell one-time pads, and likely make tons of money, especially if I'm coy about how things are done and hit anyone snooping on the algorithm on the head with numerous DMCA takedowns. Would I? I like sleeping at night, but I've seen it done. Devices that say they use 4096-bit RSA keys, but use sixty-four 64-bit keys (yep, 64 bits are quite easy to break, so in reality, you are getting a 72-bit key, not a 4096-bit key.) When exposed, nobody stopped buying the product, nor did they file a lawsuit, because the program still worked, and encrypted text still looks jumbled up.

    23. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      There is a difference between "you have no need to worry" and "that worry is the least of your concerns."

    24. Re:No point pussy-footing around by Pinky's+Brain · · Score: 2

      I see some RSA shills repeating this argument ... but I don't see any explanation why they used it as the default after 2006. We really have no greater proof it's backdoored now than we had then ... if we didn't have the 2006 analysis of Dual_EC_DRBG then Snowden's leak could be referring to a whole lot of things.

      All that has happened is that the legal threshold of plausible deniability has disappeared ... but the common sense threshold for plausible deniability disappeared in 2006, they knew and they kept it default. Why?

    25. Re:No point pussy-footing around by chihowa · · Score: 1

      Unless they're perfect dice (and they certainly won't be after generating gigabytes of material), there may still be a bias in the pad you generate with them.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
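
      The bias problem raised above has a standard fix, shown here as an added example that is not from the original post: von Neumann's extractor, generalised from coin flips to a die with any number of faces. Compare rolls in disjoint pairs; for independent, identically distributed rolls P(a<b) equals P(a>b) no matter how loaded the die is, so "a<b" as 0 and "a>b" as 1 gives exactly unbiased bits, at the cost of throwing away ties and at least half the rolls. The loaded-die distribution and the seeded generator are constructed for the demo only.

```python
# Added example: unbiasing pad material from imperfect dice (von Neumann, 1951,
# applied to pairs of d6 rolls). Not code from the original post.
import random


def loaded_die(n, seed=1):
    """Constructed biased d6 for the demo: face 1 comes up 40% of the time,
    face 2 20%, faces 3-6 10% each. Seeded so the demo is reproducible."""
    rng = random.Random(seed)
    return rng.choices([1, 2, 3, 4, 5, 6], weights=[4, 2, 1, 1, 1, 1], k=n)


def naive_bits(rolls):
    """The tempting shortcut: one pad bit per roll, the parity of the face.
    Inherits every bit of the die's bias (here P(odd) = 0.4 + 0.1 + 0.1 = 0.6)."""
    return [r & 1 for r in rolls]


def von_neumann_bits(rolls):
    """Disjoint pairs (a, b): a < b -> 0, a > b -> 1, a == b -> discard.
    Unbiased for any i.i.d. source, because swapping the two rolls maps the
    a<b event onto the a>b event with the same probability. Does NOT fix a die
    whose rolls are correlated (e.g. tends to repeat the previous face)."""
    out = []
    for a, b in zip(rolls[0::2], rolls[1::2]):
        if a < b:
            out.append(0)
        elif a > b:
            out.append(1)
    return out


def ones_fraction(bits):
    """Crude bias check: fraction of 1s (0.5 for an unbiased stream)."""
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    rolls = loaded_die(20000)
    print("parity bits   :", ones_fraction(naive_bits(rolls)))
    print("extracted bits:", ones_fraction(von_neumann_bits(rolls)),
          "from", len(von_neumann_bits(rolls)), "bits")
```

      The caveat a practitioner cares about is the one in the docstring: the extractor removes bias, not correlation. Rolls that depend on the previous roll (a warped die that repeats, or a recording order that sorts them) still leak structure into the pad, and no post-processing of a single stream can prove the rolls were independent; that has to come from the physical source. Budget roughly three rolls per pad bit with a d6.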
    26. Re:No point pussy-footing around by Pinky's+Brain · · Score: 1

      There is no proof outside of mathematics, but it makes no more sense to doubt it than to doubt the sun will come up in the morning.

    27. Re:No point pussy-footing around by Anonymous Coward · · Score: 1

      6) China successfully and quietly penetrates most US defense contractors and financial institutions.

      So, you are saying you think the NSA deliberately weakens an encryption method, then proceeds to use that method itself? Because the NSA sets the standards for the DoD and defense contractors.

      I can't tell, do you think the NSA is brilliant or stupid beyond belief?

    28. Re:No point pussy-footing around by Jane+Q.+Public · · Score: 1

      "I can't tell, do you think the NSA is brilliant or stupid beyond belief?"

      I'm pretty sure it means a little bit of both.

    29. Re:No point pussy-footing around by Jane+Q.+Public · · Score: 1

      "The dongles weren't hacked. Someone broke into RSA and stole the seed records, which is what goes inside the security dongle (and is supposedly impossible to extract from the dongle)."

      Technically correct. I almost wrote "but it's a distinction with no difference"... except that's wrong. It's actually WORSE. It means it wasn't just a bug... RSA was woefully irresponsible with vital user data.

    30. Re:No point pussy-footing around by wisnoskij · · Score: 1

      The bigger a threat China is, and the more hacking groups break into government files, the more power the NSA is given, and they get the benefit of spying on themselves.

      So it is a win/win to compromise your own systems.

      --
      Troll is not a replacement for I disagree.
    31. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      I use Microsoft CryptoAPI...

      And you feel perfectly secure... Alrighty then.

    32. Re:No point pussy-footing around by steelfood · · Score: 1

      It certainly explains how they've managed to penetrate so many large corporations, and in such a short window. There was a common weak security element between all these companies, and this was likely it.

      I do remember the RSA was hacked into not so long ago, and a good chunk of their data was stolen. I wonder if they got a dose of their own medicine. In fact, I wonder if they allowed it to happen deliberately, to show the spooks what happens when they try to sabotage everybody indiscriminately.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    33. Re:No point pussy-footing around by flyingfsck · · Score: 1

      Yup, all that already happened a few years ago.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    34. Re:No point pussy-footing around by flyingfsck · · Score: 1

      One time pads are useless.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    35. Re:No point pussy-footing around by flyingfsck · · Score: 1

      No, I still blame them. They should have shut down their shop and moved overseas to a better location. Instead, they chose to defraud all their customers by selling snake oil for millions of dollars. The RSA company is a bunch of immoral fraudsters and they all deserve to be thrown in jail.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    36. Re:No point pussy-footing around by 93+Escort+Wagon · · Score: 3, Interesting

      I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.

      So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.

      --
      #DeleteChrome
    37. Re:No point pussy-footing around by Anonymous Coward · · Score: 0

      There's no pussy-footing around this.

      You post unsubstantiated allegations, backed by no evidence whatsoever, of collusion. You make a statement about the company which is equally unsubstantiated (RSA has very few cryptographers left: its crypto product line is tiny compared to the remainder of the company).

      You accuse RSA of corruption. Then you spread FUD about the company's products.

      Here's an allegation: you're a fucking moron. Go make another tin-foil hat, but make sure it has a pointy end so when you shove your head up your ass where it belongs, it goes in easier.

      What a dimwit.

    38. Re:No point pussy-footing around by Jane+Q.+Public · · Score: 1

      I think we're on the same channel here. But the exact mix of brilliance and stupidity is really not so important. Whatever the magnitude of the individual parts, the end result is still that NSA can't be trusted to act in the public good.

    39. Re:No point pussy-footing around by Bert64 · · Score: 1

      There is no reason for them to provide dongles pre-seeded... And if you buy such devices, you have no proof that the records have been destroyed even if the company claims they have.
      Customers should be able to seed their own dongles.

      Of course I've been saying this for years, asking what happens if RSA get hacked and all the seeds taken... People said that was crazy talk, RSA would never get hacked etc.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    40. Re:No point pussy-footing around by Bert64 · · Score: 1

      Well, using a known flawed system is also going to make you in violation of Sarbanes-Oxley...

      So what do you do?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    41. Re:No point pussy-footing around by chill · · Score: 1

      One of the major reasons public key crypto was invented is the difficulty associated with securely distributing symmetric crypto keys.

      A one-time pad is essentially a massive symmetric crypto key, so you're back to square one. And good luck distributing a copy of your one-time pad to everywhere you do e-commerce with, like your bank, Amazon.com and the like.

      --
      Learning HOW to think is more important than learning WHAT to think.
    42. Re:No point pussy-footing around by Desler · · Score: 1

      You make the wrong assumption that the guy read past the part of one-time pads being "unbreakable" to all the downsides associated with them.

    43. Re:No point pussy-footing around by 93+Escort+Wagon · · Score: 1

      Yup - I have no argument at all with your statement.

      --
      #DeleteChrome
    44. Re:No point pussy-footing around by Lumpy · · Score: 1

      Like your assumption? as you seem to assume far more than you know.

      It is "unbreakable" and anyone that has a clue about cryptography knows it. Yes there are weaknesses that are always human-induced mistakes, like re-using the pad.

      But there are still communications that were sent during WWII that have not been cracked that used a one-time pad. For very high security it is still used to this day.

      --
      Do not look at laser with remaining good eye.
    45. Re:No point pussy-footing around by Bite+The+Pillow · · Score: 1

      There are two separate points here - one, that RSA did not change the default, and two, that it was at the direction of the NSA. My objection is to the second. Maybe I am misreading, but you are taking the given, that the default was not changed, to mean that it therefore must have been at the request of some government agency. It is a simple and compelling argument to make, but it doesn't stand up given what I understand.

      "RSA shills" are simply pointing out what RSA claimed. I have not seen anything solid to refute that other than finger pointing and name calling. The best takedown I have read basically says "Yes, but the other algorithms do too, so it doesn't make sense why you chose one over the other."

      And I have not seen a really firm explanation of how this is truly insecure until recently. I have read a lot of the news, but few people go beyond "we knew it in 2006". I see a paper from Berry Schoenmakers and Andrey Sidorenko that attacks a claim, but does not substantially prove insecurity. Distinguishable from absolute randomness doesn't mean insecure - predictable output determines if a PRNG is insecure.

      The most concrete statement on predictability in that paper I could find was :

      An independent work is done by Gjøsteen [4] who shows that there exists an algorithm that predicts the next bit of the DEC PRG with advantage 0.0011. The work by Gjøsteen is based on similar ideas to those proposed in this paper.

      That's not a huge advantage.

      In 2007 Shumow and Ferguson said that if you knew some secret numbers, you could predict the next value after only 32 bytes (256 bits). But no way to determine those numbers, meaning that only the people who chose the numbers, if they exist, would be able to attack the PRNG. And discovering the numbers would be a cryptographically hard problem to solve by itself. At the time, it was not obvious that one should distrust the NSA/NIST who would be the only ones to have those numbers, since NSA was helping encryption get better. If they knew the numbers and weren't telling anyone, no harm done at the time, given the purpose of the product.

      The big results in the 2006 paper were predictability after some number of bits, and since the RSA statements mention re-seeding, I can't conclude that the RSA implementation is subject to that prediction attack.

      If you want to stop the RSA shills, we need to find out if RSA used a mitigation strategy or not. If no, the entire company should be wiped off the map. If yes, that would put a great big hole in the "RSA was forced to use it" argument. Until we know that, I'm not taking a side, and I will continue to preach caution on such sweeping conclusions.

      The default can be changed, and a simple advisory to customers really should have been issued to do so, but given the lack of a definitive attack I don't see the necessity. It's obvious now, and they are doing exactly that, but it was not obvious.

      And knowing how business operates, I'm not at all surprised that the cryptographers in the back were not updating the user manual to change the recommendations. This kind of institutional inertia is exactly why no one should be trusting business unquestioningly in the first place. 2006 is coincidentally when it was sold to EMC, which is a sure sign that products would be sold as-is with no one scrutinizing new advances to understand the implications to products that are making money. That's certainly no defense of RSA for the people who relied on its products, but I'm just not seeing the data to make a condemnation. In fact, that supports my understanding that it was corporate ineptitude rather than NSA interference.

      When we answer the mitigation question, if it turns out "no mitigations", every purchase should be refunded. There would be no question at that point that RSA failed to update its products, and sold a known insecure product as a security solution. But we still would not have anything that indicates w
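
      The Shumow-Ferguson observation discussed above ("if you knew some secret numbers, you could predict the next value after only 32 bytes"), as an added worked example that is not code from the original post, RSA or NIST. It runs a toy Dual_EC_DRBG over a made-up curve (y^2 = x^3 + x + 7 over p = 2^31 - 1, assumed parameters, not P-256) whose "standard" point P was derived as P = E*Q for a secret scalar E. Whoever holds E lifts a truncated output back to the point s*Q, multiplies by E to land on s*P, and reads off the next internal state; a couple more outputs rule out the wrong guesses for the dropped bits. The real generator drops the top 16 of 256 bits; this toy drops 8 of 31 so the candidate search is 256 lifts instead of 65536.

```python
# Toy Dual_EC_DRBG with the Shumow-Ferguson trapdoor (added example, not RSA/NIST
# code). Assumed toy parameters: curve y^2 = x^3 + A*x + B over p = 2^31 - 1 and
# a secret scalar E with P = E*Q. Needs Python 3.8+ for pow(v, -1, p).

P_MOD = 2**31 - 1        # prime, and 3 mod 4, so a square root is one exponentiation
A, B = 1, 7              # curve coefficients (assumed)
OUT_BITS = 31 - 8        # bits of each x-coordinate that reach the consumer
INF = None               # point at infinity


def inv(v):
    return pow(v, -1, P_MOD)


def add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """A point with x-coordinate x, or None if x^3 + A*x + B is a non-residue."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)      # valid because P_MOD = 3 mod 4
    return (x, y) if y * y % P_MOD == rhs else None


def first_point(x):
    while lift_x(x) is None:
        x += 1
    return lift_x(x)


def trunc(x):
    """Drop the top bits, as SP 800-90A drops the top 16 of the 256-bit x."""
    return x & ((1 << OUT_BITS) - 1)


# "Standard" constants. An honest standard picks P and Q independently; a
# trapdoored one derives P = E*Q and keeps E. E is an assumed value, any works.
Q = first_point(12345)
E = 0x5EC2E7
P = mul(E, Q)


def dual_ec_outputs(seed, count):
    """Simplified Dual_EC_DRBG: s = x(s*P), then emit trunc(x(s*Q))."""
    s, outs = seed, []
    for _ in range(count):
        s = mul(s, P)[0]
        outs.append(trunc(mul(s, Q)[0]))
    return outs


def predict_next(observed):
    """Shumow-Ferguson with the trapdoor: guess the dropped bits of the first
    output, lift it to a candidate for s_1*Q, multiply by E to get s_1*P (whose
    x-coordinate is the next state s_2), then keep only candidates that reproduce
    the remaining observed outputs. Returns the set of possible next outputs; a
    single element means the internal state is pinned down."""
    preds = set()
    for high in range(1 << (31 - OUT_BITS)):
        x = (high << OUT_BITS) | observed[0]
        if x >= P_MOD:
            continue
        R = lift_x(x)                    # candidate s_1*Q; the sign of y is irrelevant
        if R is None:
            continue
        s = mul(E, R)[0]                 # E*(s_1*Q) = s_1*P, x-coordinate = s_2
        for r in observed[1:]:           # consistency check walks the candidate state
            if trunc(mul(s, Q)[0]) != r:
                break
            s = mul(s, P)[0]
        else:
            preds.add(trunc(mul(s, Q)[0]))
    return preds


if __name__ == "__main__":
    stream = dual_ec_outputs(0x1234567, 6)
    print("observed", stream[:3], "-> predicted", predict_next(stream[:3]),
          "actual", stream[3])
```

      Two things the toy makes concrete. Re-seeding only helps if it happens before the attacker has seen about two outputs since the last seed, because one lifted output already yields the next state. And the defence that "nobody can find E" is exactly right and exactly beside the point: the party that generated Q as a multiple of P (or P of Q) never has to find it.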

    46. Re:No point pussy-footing around by Bite+The+Pillow · · Score: 1

      The dongle hack was information about the SecurID token, which does not use the same PRNG. Of course this information is probably from RSA itself since it is sourced anonymously. The SecurID hack was apparently a phishing e-mail exploiting CVE-2011-0609 according to f-secure, so not specifically an RSA failure.

      In other words, not the same crypto in question. Your scenario is probably more like 2 steps:

      1) 2006 papers suggest Dual_EC_DRBG is predictable
      2) China decrypts everything created by BSAFE Toolkits or DPM

      Unlikely that defense contractors and financial institutions are protected by BSAFE or DPM.

    47. Re:No point pussy-footing around by daveime · · Score: 1

      The AES S-boxes already have an algebraic solution in themselves, as does every step of the process, rotates, xors, sums mod 2^32 etc. The problem is the combinatorial explosion that happens even over the course of one round when you combine all the operations, meaning there's so many simultaneous equations to solve, you'd need huge amounts of plaintext and corresponding ciphertext to even establish a few bits of the key.

  5. It puts EMC in an awkward position by Anonymous Coward · · Score: 0

    The problems with that random number generator were known from the start. It put EMC (RSA parent company) in an awkward position because the mistake was either stupid or deliberate. The management might not even know the answer because the NSA plants spies directly within companies to sabotage their products without management approval.

    What does this say about other EMC products?

    My advice on this is to never pretend to be stupider than you are. If it was deliberate, then it's better to own up and admit it was deliberate and promise to remove any other NSA backdoors. If it was stupid, then admit it and hire external auditors to help you find the other NSA backdoors.

    1. Re:It puts EMC in an awkward position by gweihir · · Score: 2

      "stupid" is not in the picture. Making the slowest generator, and the one with doubtful security at the same time, the default is not stupid, it has to be deliberate. Now if the NSA people were any good at their business, they would have made sure that their compromised generator was the fastest, so as to give a plausible reason for making it the default. They failed even at this simple Deception-101 idea.

      The more I hear, the more I think the NSA is a ham-handed, incompetent, slow and stupid bureaucracy that survives on sheer power to coerce others to do its bidding and on brute-forcing everything by spending incredible amounts of money.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:It puts EMC in an awkward position by AHuxley · · Score: 2

      Recall the NSA funding and internal standing in the US gov structure in the 1990's?
      They had to deliver plain text 24/7 or face even less funding or other groups would have offered language contractors and bulk clearances.
      The only trick was keeping the citation needed over generation.

      --
      Domestic spying is now "Benign Information Gathering"
  6. In Soviet USA by Anonymous Coward · · Score: 0

    Old expats from communist Russia love their new country.
    Soviet USA, Soviet USA We love Soviet USA

  7. The other half of the backdoor by l2718 · · Score: 1

    When it was discovered in 2007 that the NSA insisted on adding this PRNG to the standard, with constants they chose the general reaction was "so what? after all, this is one of many alternatives, and it is the slowest and least efficient". I assumed their idea was to somehow choose the PRNG in applications where they were one of the parties, but that seemed unlikely.

    It's now clear what the idea was: secretly having companies use this PRNG. The original assumption was that companies voluntarily choose what products to put out, and that no-one would choose the obviously worst alternative. But if the NSA could be the ones choosing ...

  8. Maybe not RSA, but certainly NSA by Frosty+Piss · · Score: 4, Informative

    or did NSA tell RSA to slip in a backdoor back in 2006

    It's not so much the possibility that the NSA influenced RSA, rather they influenced the standard itself.

    Here's the whole story according to Bruce Schneier:

    http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

    --
    If you want news from today, you have to come back tomorrow.
  9. RSA is poor quality, as VMware learned by angryargus · · Score: 2

    There's the proverb about not attributing to maliciousness that which can be explained by stupidity.

    VMware (also an EMC subsidiary) used an RSA implementation for their SSO product. It had a ton of problems and bugs, and each new patch release introduced more bugs. Applying pressure to RSA via EMC didn't help, so VMware ripped out the RSA implementation with a brand new in-house implementation.

    1. Re:RSA is poor quality, as VMware learned by Anonymous Coward · · Score: 0

      regarding sso why do companies constantly reinvent Kerberos in a more buggy less interoperable proprietary way ?

    2. Re:RSA is poor quality, as VMware learned by Anonymous Coward · · Score: 0

      Because Kerberos requires client-side support. Does your browser support Kerberos tickets?

      HMAC-based one-time password (HOTP) and time-based one-time password (TOTP) schemes--such as RSA SecurID (TOTP) or Yubikey tokens (HOTP)--don't require client-side support at all.
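
      The HOTP/TOTP schemes named above, and the point made earlier in the thread that "a copy of the seed record lets you create a duplicate dongle", as one added example that is not code from RSA or from either post: RFC 4226 HOTP and RFC 6238 TOTP implemented from the standard library, plus the server-side look-ahead window. The seed is the RFC test-vector secret, not a real token's; everything a token or a cloned token produces is a pure function of that seed, which is the whole reason the stolen seed records mattered. The server-side check also shows the part an implementer gets wrong most often: the window must advance the stored counter past the accepted value, or the same code is accepted twice.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP from the standard library, to show
# that a token's codes are a pure function of its seed. Not code from RSA or the
# posts above. RFC_SEED is the published test-vector secret, not a real seed.
import hashlib
import hmac
import struct

RFC_SEED = b"12345678901234567890"   # 20-byte SHA-1 test secret from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 8, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step).
    digits defaults to 8 to match the RFC test vectors; deployments usually use 6."""
    return hotp(secret, at // step, digits, digest)


def clone_token(stolen_seed: bytes, at: int) -> str:
    """What an attacker holding a seed record does. There is no second factor
    inside the token: the seed is the token."""
    return totp(stolen_seed, at)


def verify_hotp(secret: bytes, candidate: str, server_counter: int, look_ahead: int = 3):
    """Server-side HOTP check with a resynchronisation window (RFC 4226 section 7.2).
    Returns the new server counter (one past the accepted value) or None. Constant-time
    comparison, and the counter moves forward so an accepted code cannot be replayed."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for counter in range(3):
        print("HOTP", counter, hotp(RFC_SEED, counter))
    print("TOTP at t=59:", totp(RFC_SEED, 59), "cloned:", clone_token(RFC_SEED, 59))
    print("accept 969429 at counter 1 ->", verify_hotp(RFC_SEED, "969429", 1))
```

      Seeding the token yourself, as suggested elsewhere in the thread, maps onto `RFC_SEED` here: generate it locally, load it into the token and the server, and never let the vendor hold a copy. Whichever variant a vendor's token uses, a leaked seed plus the token's serial-to-seed mapping is sufficient to compute every code it will ever show.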

  10. horrible headline by Anonymous Coward · · Score: 0

    The headline is horribly misleading. If you read the RSA communications, it's recommendations to use non-default PRNG where the default is now suspect. It's not about abandoning their own products.

  11. Snarkly headline is off base by Anonymous Coward · · Score: 0

    "It's time to upgrade from our old stuff, which is buggy and slow." Microsoft does marketing like that all the time.

  12. Stupid defaults only allowed in open source by radarskiy · · Score: 0

    Shipping with config values that are dangerous if you start open source program before edits: the stupid user gets what they deserve!
    Shipping with config values that are dangerous if you start closed source program before edits: OMG they're in league with $BAD_GUY.

  13. Holy Shit, This is Stupid by Anonymous Coward · · Score: 0

    Do you want to know why PRNG is the default standard in RSA's encryption product? Because US DOD and related companies that sell to and do business with DOD mandate following the encryption standards set by NIST, which is PRNG. I'd have to guess that the companies providing RSA with 90% of their revenue for this product are in that space and thus by making it the default they are serving their market. Meanwhile, blaming RSA for it being the default is as stupid as blaming other software vendors when the Sys Admins don't change the DEFAULT administrator password from 'admin'.

  14. What's a cryptographer to do? by Waikido · · Score: 1
    In the article linked to on Ars Technica, a cryptographer wishes to remain anonymous, though his comment is perfectly reasonable and very safe:

    "I personally believed that it was some theoretical cryptographer's pet project," one cryptographer who asked not to be named told Ars.

    He (or she) is not accusing anyone or suggesting anything. Why the desire to remain anonymous? I bet that many people active in cryptography even in academic circles are afraid. Indeed, chances are that active researchers are being monitored. You know, just in case.

  15. OpenBSD entropy by funkboy · · Score: 4, Informative

    Yet another reason that validates OpenBSD developers having spent years improving the quality of random number generation.

    Say what you want about Theo, but their developers are top-notch and their stuff really works.

    1. Re:OpenBSD entropy by Anonymous Coward · · Score: 0

      It also uses Apache 1.3.

    2. Re:OpenBSD entropy by Anonymous Coward · · Score: 0

      For the record, though, strong and pervasive cryptography is only one of the things they focus on. They mostly focus on fixing bugs--including pre-emptive bug fixing--and re-writing subsystems so they're harder to screw up when configuring, but without hobbling experts.

      Part of the reason PF works so well is because they put a lot of effort into the configuration. Most FOSS developers handle configuration as an afterthought, usually implementing some horribly obtuse key=value system which makes it incredibly difficult to express complex configurations. For example, setting up IPSec tunnels on OpenBSD is an absolute breeze, whether using shared secrets or public-key authentication.

    3. Re:OpenBSD entropy by Anonymous Coward · · Score: 0

      It also uses Apache 1.3.

      So what? They keep it up to date and secure.

  16. android 2.3? by raymorris · · Score: 1

    Was that mess posted with Android 2.3 by chance?

    1. Re: android 2.3? by chill · · Score: 1

      No, why? Had Android's autocorrect infected my brain where it now reads as normal to me?

      --
      Learning HOW to think is more important than learning WHAT to think.
  17. RSA is warning to switch RNGs, not to stop using R by Anonymous Coward · · Score: 0

    ...let's get the facts straight so false rumors aren't perpetuated. RSA is NOT warning anyone to stop using its products; the warning is about ensuring that the Dual EC DRBG RNG is not being used within their BSAFE crypto and DPM key management products.

  18. Our... by SpaghettiPattern · · Score: 1

    Hearts...

    Bleed...

    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  19. Yeah, lots of repeats. Checked in multiple browsers by raymorris · · Score: 1

    I checked it in a couple of different browsers. Only the Android browser made it look correct, and that was only on the second viewing using that browser.
    When I first viewed it, it was broken in Android too. Most lines are repeated three times. For example, the sentence starting with "Here's the problem. Dual_EC_DRBG is flawed" is in there three times. I wonder what you'll see if I repost a copy / paste of the text:

    Putting it bluntly, you can't.

    Here's the problem. Dual_EC_DRBG is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

    This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.

    Granted, Dual_EC_DRBG is only one of four RNGs in the NIST suite, but there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).

    Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.

    Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapses like a house of cards. All the NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRBG". Hell, in assembly it could probably be a simple JNE instruction.

    The answer is don't use FIPS 140-2 mode, but if you're dealing with the government -- and a huge number

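    The state-recovery property the quoted text is worried about, as an added example that is not part of the original post and is not RSA's or NIST's code: a toy Dual_EC_DRBG over a constructed 14-bit curve (y^2 = x^3 + 2x + 3 over GF(10007)), dropping 2 bits of each output instead of the spec's 16, with a constructed scalar d standing in for the unpublished relation between the standard P-256 points P and Q. The generate step is the real one (r = x(sP), s' = x(rP), output = truncated x(rQ)); what the example shows is that anyone holding e = d^-1, so that P = eQ, turns a single truncated output into the generator's next internal state and predicts everything it emits afterwards. The curve, base point, seed and d are all assumptions made here for illustration.

```python
"""Toy Dual_EC_DRBG with a known P/Q relation, to show state recovery.

Added example for this page: not RSA BSAFE or NIST SP 800-90A code.  The
curve, base point, seed and the scalar D are all constructed here, and only
2 bits of each output are dropped instead of the spec's 16.
"""
from math import gcd

# Constructed curve y^2 = x^3 + A*x + B over GF(P_MOD); P_MOD = 3 (mod 4)
# makes square roots a single exponentiation.  Real Dual EC uses P-256.
P_MOD, A, B = 10007, 2, 3
INF = None                             # point at infinity
DROP = 2                               # output bits dropped (spec: 16)
KEEP = P_MOD.bit_length() - DROP       # 12 bits of x emitted per step


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                     # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    if pt is INF:
        raise ValueError("degenerate state: scalar multiple is the point at infinity")
    return pt[0]


def lift_x(x):
    """Return (x, y) on the curve for this x, or None if no such point exists."""
    v = (x * x * x + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == v else None


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n


def find_base_point(min_order=1000):
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None and point_order(pt) >= min_order:
            return pt
    raise RuntimeError("no point of sufficient order found")


BASE = find_base_point()
N = point_order(BASE)

# The trapdoor: whoever chose Q knows D with Q = D*BASE, hence also
# E = D^-1 mod N with BASE = E*Q.  D is a constructed value; no such scalar
# has ever been published for the standard P-256 points.
D = 4242
while gcd(D, N) != 1:
    D += 1
Q = mul(D, BASE)
E = pow(D, -1, N)


class DualEC:
    """One generate step: r = x(s*P); s' = x(r*P); output = low bits of x(r*Q)."""

    def __init__(self, state):
        self.s = state

    def next_output(self):
        r = xcoord(mul(self.s, BASE))
        self.s = xcoord(mul(r, BASE))
        return xcoord(mul(r, Q)) & ((1 << KEEP) - 1)


def recover_state(out, later_outputs):
    """Recover the state held right after `out` was emitted, using the
    following outputs only to confirm the guess.  None on failure."""
    for hi in range(1 << DROP):        # brute-force the dropped bits
        x = out | (hi << KEEP)
        if x >= P_MOD:
            break
        R = lift_x(x)                  # R = +-(r*Q); the sign does not matter
        if R is None:
            continue
        try:
            cand = xcoord(mul(E, R))   # E*(r*Q) = r*BASE, whose x is s'
            clone = DualEC(cand)
            if all(clone.next_output() == o for o in later_outputs):
                return cand
        except ValueError:
            continue
    return None


def demo(seed=123456):
    """Victim emits four outputs; the observer sees three, predicts the fourth."""
    victim = DualEC(seed)
    outs = [victim.next_output()]
    true_state = victim.s
    outs += [victim.next_output() for _ in range(3)]
    recovered = recover_state(outs[0], outs[1:3])
    clone = DualEC(recovered)
    for _ in range(2):                 # replay outs[1] and outs[2]
        clone.next_output()
    return true_state, recovered, clone.next_output(), outs[3]
```

    With P-256 the same arithmetic costs 2^16 candidate x values per output instead of four, which is exactly the observation Shumow and Ferguson presented in 2007 and the Wired column linked earlier in this thread describes; nothing in the generator's own code has to look malicious, the choice of Q is the whole "backdoor". Note that the attack recovers state from one output and only uses later outputs as confirmation, so a single leaked nonce or session ID can be enough.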
  20. Re:Yeah, lots of repeats. Checked in multiple brow by chill · · Score: 1

    Interesting. It was posted in Firefox 24, as it was too long to try and do through my phone browser (Android 4.2.2). But it looked fine in both. Interesting that you see it differently.

    For the longest time I had issues viewing Slashdot in the Android browser. I'd get essentially an infinite loop of comments in a thread. That seems to have been fixed about a month or so ago.

    What you copied back in your reply also looks properly formatted to me.

    --
    Learning HOW to think is more important than learning WHAT to think.
  21. NSA backdoors in algorithms ? I don't think so by GuB-42 · · Score: 1

    Why would the NSA deliberately weaken crypto algorithms?
    Sure, that makes spying easier, but it is also quite dangerous. Because if the vulnerability is found, anyone can access the encrypted data, including the enemies.

    Think about it: the NSA releases a "recommended" crypto package. Obviously, US companies will be much more likely to use it than, say, the Chinese. If this package happens to be weak and the Chinese find out, US companies will be the most affected. Also, to spy on its own citizens, it is more effective to use the legal system than relying on broken algorithms.

    To use broken algorithms as a weapon, I think it is much more effective to distribute them undercover as something that is "definitely not from the USA".