

RSA Warns Developers Not To Use RSA Products

rroman writes "RSA has recommended that developers not use the Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is that even though this has been known for so long, it is the default RNG in the BSafe cryptographic toolkit, which is a product of RSA."


  1. Doesn't matter by Anonymous Coward · · Score: 5, Insightful

    Surely no-one in their right mind is still using crypto software from US companies? None of it can be trusted any more.

    1. Re:Doesn't matter by Anonymous Coward · · Score: 5, Funny

      I see that you're not using American software; let's go into this back room and you can tell me why you hate America.

    2. Re: Doesn't matter by Anonymous Coward · · Score: 2, Informative

      The "global police force" metaphor is used a lot but it is completely wrong.

      The actions on the international stage are driven entirely by economical and geopolitical interests. If it so happens that the operation appears to "do good" then a media spin will be applied, furthering the "global policeman" illusion.

      On the other hand, operations which topple democratic governments, install anti-leftist dictators, support smaller third world dictatorships in their abuses, grab the resources of a country, fund terrorists to keep on destabilizing a country, etc., etc., these are not mentioned in the policing context.

      The purpose of force projection has been and will be the assertion of a superstate status, though this status has been progressively more and more inapplicable since the fall of the Soviet Union. Without a clearly defined bogeyman, the media spin becomes harder to manufacture.

    3. Re: Doesn't matter by Internetuser1248 · · Score: 2

      On the other hand, operations which topple democratic governments, install anti-leftist dictators, support smaller third world dictatorships in their abuses, grab the resources of a country, fund terrorists to keep on destabilizing a country, etc., etc., these are not mentioned in the policing context.

      This would be logical. The weird thing is they are. I have seen for example Vietnam, Cuba and Chile used in exactly the context you describe, including here on slashdot. It appears that most people in the US don't actually understand the details of what happened in those cases so people get away with such absurd and outrageous nonsense without being called on it.

    4. Re:Doesn't matter by CodeBuster · · Score: 2

      Why certainly sir! When have you government types ever steered me wrong?

  2. The obligatory NSA question by hsa · · Score: 5, Interesting

    Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?

    1. Re:The obligatory NSA question by Jane+Q.+Public · · Score: 4, Interesting

      "Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"

      Evidence very strongly suggests the latter.

    2. Re:The obligatory NSA question by KiloByte · · Score: 4, Interesting

      Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:The obligatory NSA question by Billly+Gates · · Score: 5, Informative

      Yep, NSA did play a hand in this insecure algorithm.

      Sadly, just a month ago such a comment would be modded -1 offtopic or -1 flamebait as the equivalent of that crazy guy drunk talking to himself on the subway.

      Slightly different topic: this algorithm seems very strong, as it is what slashdotters say is a perfect encryption mathematical algorithm. It is ellipse based so there are more numbers to guess and the seed process is very strenuous to make it harder to crack. It seems like the best one, which is why BSafe libraries use it just on that evidence. Can a mathematician or crypto expert explain why this NSA-endorsed algorithm has so many problems compared to SHA-2 or BES?

    4. Re:The obligatory NSA question by Anonymous Coward · · Score: 5, Interesting

      The problem is that the magic numbers used in the algorithm have no known source so no one in the community can go back and find the justification for them. They are just there. I see the potential vulnerability here is that if you know the base numbers here, and since it is elliptical, that it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.

    5. Re:The obligatory NSA question by gweihir · · Score: 3, Insightful

      The problem is that RSA made the worst generator (in every respect) of several the default. That cannot have been an engineering decision or a business decision in the interest of their customers. It is dead certain that NSA coercion is behind it, anybody that can build a working crypto library cannot be that incompetent.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:The obligatory NSA question by icebike · · Score: 5, Interesting

      I've never seen any examples of negative press from government sources.

      More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
      This probably happened about the same time they dropped their designation of encryption as a munition.
      They already had the solution in hand.

      However, when real time continuous encryption started to be the norm, (like encrypted Skype, VPNs in routers, and SSL everywhere)
      they simply bought their way into the companies doing it, and induced them with money and contracts.

      I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE.
      Probably because EBay was incompetent and not terribly interested in ripping out the un-traceable routing via small
      remotely distributed groups of nodes and many volunteer nodes.
      Even if Ebay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.

      The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore
      peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this.
      It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change.
      Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:The obligatory NSA question by AHuxley · · Score: 2

      The French, Germans, Japanese, and Italians wanted US political aid, trade, mil support; they did what they were 'told' and kept to a US/UK set standard.
      If any national crypto private or public sector standards emerged from within Asia or the forming NATO/EU, the UK and US were quick to request individual firms or nations come back to the set 'NSA/GCHQ' weakened standard.
      How would any nation's mil or political leader say 'no' to the full might of NATO or the USA crypto?
      Saying yes to the NSA/GCHQ brought in amazing new tech, local jobs, generational trust and contracting wealth to trusted local ex-mil.
      Questions brought in political issues, legal friction, trade issues, threats, cash flow issues, private sector bankruptcy and a loss of standing internationally.
      The Soviet Union went for the human side of US/UK tech and wanted weak/ideologically conflicted or cash poor staff to sell out their western govs and were always waiting for the next offer.
      What did the Soviets have? Cuba was safe for a big listening station. Bits of Africa? Asia? South America? Huge spy ships and expensive satellites never gave the results and coverage demanded.
      The UK and US always had the global banking, telco systems and crypto. The Soviet Union had to connect if it wanted to export on NSA terms too :)
      China just sat back and flooded the West with their students and products - learning their way up until they could trade their way to any project at any quality or price. Win contracts or offer aid projects and make friends.
      So really, beyond the junk encryption setting of NSA and GCHQ, you were stuck with age-old human spying, spy ships, satellites or doing what you were told by US/UK experts.
      i.e. the "Russians / Soviets" could not even keep their own crypto traffic safe beyond the 1950s (very wise one time pad use was stopped).
      Their radio and communications networks became huge, sloppy and totally useless into the ~1960-80s.
      The role the Soviets played is a bit like our 'internet' now, or Enigma and Germany - back to plain text. China went smart and offered layers of regional and national data - mixed with propaganda, missing data, fake data and politics - good luck with working that out at a spy or database level.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:The obligatory NSA question by Solandri · · Score: 4, Insightful

      Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve the security of encryption standards. As Schneier has said, the revelations about recent NSA activity have completely evaporated the goodwill NSA earned in the cryptographic community from back then.

    9. Re:The obligatory NSA question by jthill · · Score: 5, Insightful

      It wasn't RSA. They trusted the NSA, with good reason. The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later.

      Then someone figured out that the way this new RNG is set up, the constants the NSA chose *could be* the public half of an asymmetric key, and if so the RNG's state could be read with very little effort by anyone in possession of the private half. There is no mathematical way at all to tell whether this is the case, but apparently something in the Snowden documents at least strongly suggests the NSA did know about it and did use it.

      It's important to highlight that this isn't the kind of weakness anyone _else_ can take advantage of; a blackhat would still have to discover their private key, the exact same problem he was facing before. The NSA are apparently not dumb enough to rely on keeping math a secret.

      But it seems every successful security service forgets the basic lesson: set up a system with unchecked power, and the scum of the earth will eventually take notice. From that moment they'll dedicate their lives to getting control of it. They'll eventually succeed. Snowden took advantage of criminally slack security in the NSA. Just the fact that he could reveal the documents he revealed is proof the NSA have already gotten arrogant and sloppy, never mind what's in them.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
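
The point made two threads up (the magic numbers "have no known source") and in the post above (the constants "could be the public half of an asymmetric key") can be shown on a toy curve. The following is an added example, not code from the page, from RSA or from NIST: it uses a constructed 31-bit curve and constructed constants (`0xC0FFEE` as the designer's secret scalar, `0x5EED` as the victim's seed), keeps the Dual_EC structure (state s' = x(s*P), output = truncated x(s'*Q)), and drops 8 bits of each output instead of the real generator's 16. With P = d*Q, knowing d turns one output into the next internal state, which is the relationship Dan Shumow and Niels Ferguson pointed out in 2007. The `verifiable_point` helper shows the mitigation the thread is circling: derive both constants from public labels so that no party can hold the linking scalar.

```python
"""Toy model of the Dual_EC_DRBG concern (constructed example, not NIST's curve and not
BSAFE code): public points P and Q secretly related by P = d*Q let whoever knows d
read the generator's state from one output and predict everything after it."""
import hashlib

# Constructed toy curve y^2 = x^3 + A*x + B over F_p; p % 4 == 3 makes square roots easy.
p = 2**31 - 1
A, B = 1, 7
TRUNC_BITS = 8                          # toy: the real generator drops the top 16 of 256 bits
LOW_BITS = p.bit_length() - TRUNC_BITS  # bits of x that actually reach the output


def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (returns None only on the point at infinity,
    which a random scalar hits with negligible probability on this curve)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_from_x(x):
    """Lift x to a curve point when x^3 + A*x + B is a square, else None."""
    rhs = (x * x * x + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None


def verifiable_point(label):
    """Mitigation: derive a point from a public label by hashing ('nothing up my sleeve')."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{label}:{counter}".encode()).digest()
        pt = point_from_x(int.from_bytes(digest, "big") % p)
        if pt is not None:
            return pt
        counter += 1


def truncate(r):
    return r & ((1 << LOW_BITS) - 1)


def drbg_step(state, P, Q):
    """One Dual_EC-style round: s' = x(s*P), output = truncated x(s'*Q); returns (s', output)."""
    new_state = ec_mul(state, P)[0]
    return new_state, truncate(ec_mul(new_state, Q)[0])


def recover_state(output, next_output, P, Q, d):
    """With P = d*Q: lift the output to R = +/-(s'*Q); then d*R = +/-(s'*P), whose
    x-coordinate is the state behind the next output. Each lift is checked against it."""
    for high in range(1 << TRUNC_BITS):
        x = (high << LOW_BITS) | output
        if x >= p:
            continue
        R = point_from_x(x)
        if R is None:
            continue
        candidate = ec_mul(d, R)[0]
        if truncate(ec_mul(candidate, Q)[0]) == next_output:
            return candidate
    return None


def demo():
    """Returns (state recovered, next output predicted, guessed d fails on honest points)."""
    # Backdoored constants (constructed): designer picks Q, a secret d, and publishes P = d*Q.
    Q = verifiable_point("looks-innocent")
    d = 0xC0FFEE
    P = ec_mul(d, Q)
    s1, out1 = drbg_step(0x5EED, P, Q)          # 0x5EED: the victim's secret seed (constructed)
    s2, out2 = drbg_step(s1, P, Q)              # out1, out2 are what an eavesdropper sees
    recovered = recover_state(out1, out2, P, Q, d)
    _, out3 = drbg_step(s2, P, Q)
    predicted3 = drbg_step(recovered, P, Q)[1] if recovered is not None else None
    # Honest constants: both points come from public labels, so the scalar linking them is
    # unknown to everyone (finding it is the discrete-log problem); a guessed d finds nothing.
    P2, Q2 = verifiable_point("P"), verifiable_point("Q")
    h1, o1 = drbg_step(0x5EED, P2, Q2)
    _, o2 = drbg_step(h1, P2, Q2)
    return recovered == s2, predicted3 == out3, recover_state(o1, o2, P2, Q2, d) is None
```

Running `demo()` returns `(True, True, True)`: the holder of `d` recovers the state from a single output and predicts the following one, while the same procedure against label-derived points yields nothing. The defender's takeaway is the one the thread reaches informally: a constant whose derivation cannot be reproduced from public inputs has to be treated as a potential key, and a library that makes such a generator its default deserves the scrutiny this thread is giving it.
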
    10. Re:The obligatory NSA question by kasperd · · Score: 2

      The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore peer-to-peer technology.

      That's not true. Earlier this month I have seen my Skype calls get routed through peers who were not participating in the call. That however resulted in very unreliable calls, so I got the machine running Skype onto a public IP address. With that in place I could see the traffic was going directly between me and the IP addresses of the people I was communicating with. On one occasion I did however notice other people's calls getting routed through my computer, now that it had a public IP.

      Anybody using Skype can look at their own network traffic to verify my observations.

      Why Skype hasn't started supporting IPv6 is beyond me. It is so abundantly clear how Skype user experience is suffering from NAT. They could even have a Teredo client built into the client as a fallback when all other methods fail. Teredo is the only standardized tunnel protocol I know, which can be implemented in user mode without administrator privileges.

      --

      Do you care about the security of your wireless mouse?
    11. Re:The obligatory NSA question by kasperd · · Score: 2

      Up to a month ago such a comment would've been modded to -1 because historically, NSA had helped improve the security of encryption standards.

      Schneier has been speculating about the possibility of an NSA-planted backdoor in Dual_EC_DRBG since 2007. That, by the way, took me a few attempts to find again, since there are many hits if you search for NSA backdoor on his site.

      As Schneier has said, the revelations about recent NSA activity have completely evaporated the goodwill NSA earned in the cryptographic community from back then.

      Goodwill might be an exaggeration. Learning that NSA had improved security of DES did reduce the distrust in NSA, but it did not eliminate it. The first evidence of the Dual_EC_DRBG probably brought that distrust back to the previous level. By now I guess the trust in NSA is at an absolute low. (If it got any lower you would start trusting anything from the NSA not to be trustworthy.)

      --

      Do you care about the security of your wireless mouse?
    12. Re:The obligatory NSA question by icebike · · Score: 2

      I've also seen Skype work when it shouldn't - behind corporate firewalls that are supposed to be blocking traffic. Probably via a peer that somehow has better access...

      That said, yes I still believe Microsoft has made skype easier to spy on.

      Skype has always had great firewall piercing technology, even before Microsoft bought them.

      Skype makes outbound connection(s) to the server. It's as easy as that. When a call comes in, the outbound connections are used for bidirectional traffic.

      It can do this on any port, and your corporate firewall can't block all ports and still allow things like web browsers to work.

      --
      Sig Battery depleted. Reverting to safe mode.
  3. No point pussy-footing around by innocent_white_lamb · · Score: 5, Insightful

    There's no point in pussy-footing around this. It's obvious that RSA was either forced or "rewarded" into using an insecure method. And that they knew it at the time (because they are cryptographers and because they don't live in the bottom of a well.)

    Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both.

    The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with? And, most importantly, how can we verify that replacement?

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:No point pussy-footing around by Jane+Q.+Public · · Score: 4, Interesting

      "Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."

      And don't forget that their "super security" ID dongles were hacked just a year or so ago.

      All in all, it's looking like RSA is a corporation to avoid.

    2. Re:No point pussy-footing around by mysidia · · Score: 3, Informative

      The question is what to do next? Rip out everything RSA in all infrastructure and replace it with something that works appears to be the best approach, but how should that be done and what should it be replaced with?

      I have no need to, because I don't use any of RSA's software toolkits.

      I use Microsoft CryptoAPI, GPG, GnuTLS, and OpenSSL, php-Mcrypt/php-Mhash, and some dedicated non-RSA special purpose libraries, for all my cryptography requirements.

    3. Re:No point pussy-footing around by bill_mcgonigle · · Score: 2

      what should it be replaced with?

      To be trustable it has to be open source, but to be trustworthy will require both code scrutiny and careful analysis.

      New maxim: you can't keep secrets with secrets.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:No point pussy-footing around by gweihir · · Score: 2

      Don't forget that this default also selected the slowest generator and the one with the worst security analysis. There is no way this was an engineering decision. In fact I would not be surprised if some people working on the library resigned right at the time this decision was made...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:No point pussy-footing around by 93+Escort+Wagon · · Score: 4, Interesting

      An interesting scenario just came to mind...

      1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
      2) Chinese hack RSA - the only question is just how thoroughly (a known fact)

      Now comes the speculation.

      3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
      4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
      5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.

      Followed by

      6) China successfully and quietly penetrates most US defense contractors and financial institutions.

      --
      #DeleteChrome
    6. Re:No point pussy-footing around by lennier · · Score: 2

      No. The entire purpose of RSA is providing the illusion of security.

      Fixed. The problem with security is that you can't actually sell it; the customer has no way to tell if they are really secure, or just feeling secure. But the customer can certainly tell if they feel secure. So all security vendors tend to major on the warm fuzzy feelings. That means a lot of "trust us, we're the experts" and "you don't need to know the details, put your mind at ease" and not a lot of "here is the exact proof that you are secure, including every line of our source code and every mask in our circuitry, run the analysis yourself".

      The other problem is that despite the free-market view that "they wouldn't be in business if they were faulty", proprietary security vendors actually have an extremely strong perverse incentive: the stronger the illusion of security, and the more powerful and secretive the clients, the more gain there is in working with an intelligence organisation to subvert that security. And since, when the clients are nation-states and militaries, working with intelligence agencies may be a requirement for getting the sales contract... and refusing to work with those agencies may result in treason charges and jail time... well, you don't need a doctorate in either cryptanalysis or economics to see where those incentives might lead.

      It's the classic confidence-trickster problem. You have a secret. You want to keep your secret. To keep your secret and come out ahead of the game you have to deal with someone who has bigger secrets, a bigger bankroll, and is smiling a lot. You sit down at the table, and look around. Do you see who the mark is? Even if you think you do, there's no guarantee that you're not all marks for the house.

      And it is actively telling people not to use it.

      Sure, now RSA are, now that the beans have been spilled by Edward Snowden and the NIST themselves are reopening the standard for discussion. If they didn't say anything it would look even more suspicious and whatever tattered remnants of trust they had would be gone.

      Unfortunately the illusion's pretty much torn at this point. By the way, how are Crypto AG doing?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    7. Re:No point pussy-footing around by Pinky's+Brain · · Score: 2

      I see some RSA shills repeating this argument ... but I don't see any explanation why they used it as the default after 2006. We really have no greater proof it's backdoor'd now than we had then ... if we didn't have the 2006 analysis of Dual_EC_DRBG then Snowden's leak could be referring to a whole lot of things.

      All that has happened is that the legal threshold of plausible deniability has disappeared ... but the common sense threshold for plausible deniability disappeared in 2006, they knew and they kept it default. Why?

    8. Re:No point pussy-footing around by 93+Escort+Wagon · · Score: 3, Interesting

      I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.

      So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.

      --
      #DeleteChrome
  4. Re:It puts EMC in an awkward position by gweihir · · Score: 2

    "stupid" is not in the picture. Making the slowest generator, and the one with doubtful security at the same time, the default is not stupid; it has to be deliberate. Now if the NSA people were any good at their business, they would have made sure that their compromised generator was the fastest, so as to give a plausible reason for making it the default. They failed even at this simple Deception-101 idea.

    The more I hear, the more I think the NSA is a ham-handed, incompetent, slow and stupid bureaucracy that survives on sheer power to coerce others to do its bidding and on brute-forcing everything by spending incredible amounts of money.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Re:It puts EMC in an awkward position by AHuxley · · Score: 2

    Recall the NSA funding and internal standing in the US gov structure in the 1990's?
    They had to deliver plain text 24/7 or face even less funding or other groups would have offered language contractors and bulk clearances.
    The only trick was keeping the citation needed over generation.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Maybe not RSA, but certainly NSA by Frosty+Piss · · Score: 4, Informative

    or did NSA tell RSA to slip in a backdoor back in 2006

    It's not so much the possibility that the NSA influenced RSA, rather they influenced the standard itself.

    Here's the whole story according to Bruce Schneier:

    http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

    --
    If you want news from today, you have to come back tomorrow.
  7. RSA is poor quality, as VMware learned by angryargus · · Score: 2

    There's the proverb about not attributing to maliciousness that which can be explained by stupidity.

    VMware (also an EMC subsidiary) used an RSA implementation for their SSO product. It had a ton of problems and bugs, and each new patch release introduced more bugs. Applying pressure to RSA via EMC didn't help, so VMware ripped out the RSA implementation and replaced it with a brand new in-house implementation.

  8. OpenBSD entropy by funkboy · · Score: 4, Informative

    Yet another reason that validates OpenBSD developers having spent years improving the quality of random number generation.

    Say what you want about Theo, but their developers are top-notch and their stuff really works.