Slashdot Mirror


RSA Warns Developers Not To Use RSA Products

rroman writes "RSA has recommended that developers not use the Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is that even though this has been known for so long, it is the default RNG in the BSafe cryptographic toolkit, which is a product of RSA."

3 of 128 comments

  1. The obligatory NSA question by hsa · Score: 5, Interesting

    Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?

    1. Re:The obligatory NSA question by Anonymous Coward · Score: 5, Interesting

      The problem is that the magic numbers used in the algorithm have no known source, so no one in the community can go back and find the justification for them. They are just there. I see that the potential vulnerability here is that, if you know the base numbers, and since it is elliptical, it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.
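
An added toy illustration of the concern in the comment above (not code from the thread, from RSA or from BSafe): Dual_EC_DRBG's constants P and Q matter because anyone who knows a d with P = d*Q can turn one output block into the generator's next internal state. The curve (secp256k1 instead of the NIST P-256 curve Dual_EC uses), the secret d and the seed are constructed for the demo, and the 16 top output bits that the real generator drops are not truncated here.

```python
# Dual_EC_DRBG block: s' = x(s*P), output r = x(s'*Q). Constructed backdoor: P = d*Q.
# Assumption: secp256k1 arithmetic (prime order n, curve y^2 = x^3 + 7), no truncation.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
D = 0xD00DFEED5EC12E7          # constructed "designer's secret": P = D*Q
SEED = 0xBADC0FFEE0DDF00D      # constructed initial DRBG state

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def dual_ec_step(s, P):
    """One Dual_EC_DRBG block: returns (new state s', output r = x(s'*Q))."""
    s_new = ec_mul(s, P)[0]
    return s_new, ec_mul(s_new, Q)[0]

def recover_state(r, d):
    """With d such that P = d*Q, one output r = x(s'*Q) yields the next state x(s'*P)."""
    y = pow((pow(r, 3, p) + 7) % p, (p + 1) // 4, p)  # sqrt, valid since p % 4 == 3
    return ec_mul(d, (r, y))[0]                       # d*(+-s'*Q) = +-s'*P, same x

def demo(seed=SEED, d=D):
    """Run two blocks; predict the second block's state and output from r1 and d alone."""
    P = ec_mul(d, Q)
    s1, r1 = dual_ec_step(seed, P)
    s2, r2 = dual_ec_step(s1, P)
    s2_guess = recover_state(r1, d)
    return s2_guess == s2, ec_mul(s2_guess, Q)[0] == r2
```

With an honestly generated Q (no known d), the same output gives the observer nothing, which is why unexplained constants in a DRBG are a design red flag rather than a cosmetic one.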

    2. Re:The obligatory NSA question by icebike · Score: 5, Interesting

      I've never seen any examples of negative press from government sources.

      More likely the US simply developed an entire line of dedicated processors that can crack almost any code. This probably happened about the same time they dropped their designation of encryption as a munition. They already had the solution in hand.

      However, when real-time continuous encryption started to be the norm (like encrypted Skype, VPNs in routers, and SSL everywhere), they simply bought their way into the companies doing it, and induced them with money and contracts.

      I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE. Probably because eBay was incompetent and not terribly interested in ripping out the untraceable routing via small remotely distributed groups of nodes and many volunteer nodes. Even if eBay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.

      The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this. It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change. Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.

      --
      Battery depleted. Reverting to safe mode.