Slashdot Mirror
Reuters: RSA Weakened Encryption For $10M From NSA
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.
-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.
TLS's current big problems are: /") by a Nation State Adversary in real time; NSA secretly control PCI DSS standard and used the excuse of the BEAST attack (CVE-2011-3389) to push RC4 as solution for PCI compliance, instead of TLS 1.2
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)
All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.
The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.
Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.
Wow, that is trillions in damage even before we get to the criminal law book.
They advertised and sold a product promising to secure customers' data yet they intentionally put an algorithmic backdoor inside that could be used not only by the US government but also discovered and used by hackers to compromise customers' security.
What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?
And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in NSAs pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.
In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.
A different era. They might have actually thought the NSA were honestly helping. Back then the NSA was probably perceived as being as much about hardening encryption as breaking it.
I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.
The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?
This is not how I want my country to be governed
The sum of money does seem low, but when an agency like the NSA
comes calling, I have a feeling that it they make you a proposal you
cannot refuse.
(Or you can do what Lavabit did, and just shut it down)
Maybe if the government spent less money on intelligence, data collection, spying, law enforcement (war on drugs, war on "illegal" fireworks, war on "terrorists" etc), fancy expensive military hardware, bailouts/handouts/subsidies/etc for the big end of town etc and either spent less in total (shoring up the budget) or spent that money on things designed to stimulate the economy and produce stable long term economic growth, the US wouldn't be in so much trouble.
A while back Ron Rivest (the R in RSA) announced the Three Ballot cryptography for voting systems which was touted a system that would let voters check if their ballot was counted without jeopardizing the anonymity of the secret ballot. The really cool thing about it was that the crypto was a one-way system without any key at all. So it seemed to be uncrackable since there was no trusted key-keeper.
Shortly before the publication was accepted, Andrew Appel at Princeton University and Charles Strauss at Los Alamos National Laboratory published articles showing it was invertable and not anonymous in practical election situations.
http://www.cs.princeton.edu/~appel/papers/DefeatingThreeBallot.pdf
http://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf
Imagine if that had been adopted... Sort of makes you wonder about everything RSA has touched including SSL.
NSA has customers? Surely not the voters
The other intelligence agencies within the government are considered "customers" of NSA products.
You guys have missed one important aspect of the RSA operation.
NSA gave RSA 10 million to weaken/broken the RSA encryption that they sold to US. The "US" here means the non-NSA non-GCHQ based customers.
And spook agencies such as NSA themselves do need to encrypt their OWN secret files too, and surely they are not that stupid to use the same weaken and/or broken encryption algo on their own files.
In other words, NSA and GCHQ (and some of the "trustworthy" spooks from the other 3 countries in the "five eyes" pact) do employ RSA in their day to day encryption, but THEIR version of RSA is the unbroken/unweaken one - unlike the broken version that the RSA sold to the rest of the world.
Muchas Gracias, Señor Edward Snowden !