RSA Warns Developers Not To Use RSA Products

rroman writes "RSA has recommended developers not to use Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is, that even though this has been known for so long, it is the default RNG in BSafe cryptographic toolkit, which is product of RSA."

Re:No point pussy-footing around

[chill]

Putting it bluntly, you can't.

Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.

Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).

Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.

Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All tPutting it bluntly, you can't.

Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.

Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).

Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.

Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All the NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.he NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.

The answer is don't use FIPS 140-2 mode, but if you're dealing with the government -- and a huge number Putting it bluntly, you can't.

Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.

This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.

Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a us