Slashdot Mirror
Reuters: RSA Weakened Encryption For $10M From NSA
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
The NSA sold its own customers out to the US government for the price of an NYC apartment.
Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.
RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.
-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.
"... We are now merely haggling over the price."
Oh, no, wait, it's $10M.
(apologies to George Bernard Shaw)
P.S. - AC, yes, if you used an RSA CA appliance with the default Dual EC DRBG PRNG configuration, your private key is probably easy to break and your traffic easy to intercept/decrypt if you're not using perfect forward secrecy (assuming that's not on an RSA appliance).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
"If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
No. SSL doesn't specify the method to produce random numbers. Why would it? The NIST method is very very slow, so I'd be surprised if any browsers or servers used it as the random number source.
AccountKiller
I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.
Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.
No RSA product can ever be trusted again.
TLS's current big problems are: /") by a Nation State Adversary in real time; NSA secretly control PCI DSS standard and used the excuse of the BEAST attack (CVE-2011-3389) to push RC4 as solution for PCI compliance, instead of TLS 1.2
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)
All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.
The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.
Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.
Wow, that is trillions in damage even before we get to the criminal law book.
"amirite?"
This wouldn't have been posted 10, or even 5, years ago. I don't want to see it. Please don't lower your standards.
I'm assuming for the moment that this evidence is, in fact, legitimate. Given how heinous the NSA's actions have been lately, it seems completely in character, which makes that likely a safe assumption. However, just to give them the benefit of the doubt, everyone involved should receive a fair trial. With that said, everyone involved should be tried for high crimes against the United States and its allies. These are accusations of very serious crimes.
Deliberately compromising the secure communications of hundreds of millions of computers all around the world just so a bunch of pencil-dicked asshats can play their little spy games goes so far beyond unconscionability that it borders on a crime against humanity. Such ends-justify-means thinking is fundamentally incompatible with any form of liberty or justice. Our data is fundamentally easier to crack not just by our own government, but also by organized crime syndicates, foreign governments, and even terrorist groups. In all likelihood, even military communications gear is less secure, which means our troops are at elevated risk during a time of war as a direct result of their actions. That's treason, even by the absolute strictest definition thereof. Further, such deliberate weakening of crypto endangers the lives of dissidents in countries with oppressive regimes, many of which are considered our enemies—an act that could also be considered treason.
Their actions, if true, clearly constitute providing material support to terrorists and treason by means of providing material aid to our enemies in a time of war. Therefore, according to U.S. law, everyone involved should be immediately treated as enemy combatants, deported to an appropriate holding facility outside our borders—preferably the one affectionately known as "Gitmo"—and tried before a military tribunal.
In addition to prosecution of individuals, there should be consequences for the groups involved. RSA should be immediately dissolved and all its assets destroyed. Further, at this point, it should be abundantly clear to anyone with even the slightest understanding of crypto that nothing short of the complete and total elimination of the NSA and a constitutional amendment clearly and plainly banning any similar organization from ever existing in the future can even begin to restore trust in cryptography and computers. That organization is fundamentally malevolent, and its very existence is inherently incompatible with the very concepts of security and privacy. No matter what successes they may have had, nothing can possibly even come close to justifying such a heinous breach of the public's trust.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The NIST/SECP curves are NOT safe. They were generated by the NSA, and they need replacing. http://safecurves.cr.yp.to/
We probably don't know the full extent of the 'trapdoors' left by Jerry. What we do know is that unless you're using Brier-Joye's (very, very slow) constant-time short-Weierstrass curve, a timing attack is possible, and probably practical; many of the routines are incomplete or wrongly-implemented, because they're very complex, and the curves aren't complete; some don't even check if the point is on the curve, and if it isn't, we're basically leaking private data; secp256k1 has a complex-multiplication field discriminant of just -3, which may make it more susceptible to one attack and very possible to one extended one we don't know about; and secp224r1 (P-224) definitely has an insecure twist. Something may well be wrong with secp256r1 and the others, but if so, we don't know what it is. Either way, we know the NSA generated it to ostensibly be random but really satisfy some very specific unknown conditions: that alone is reason enough to not trust it.
They advertised and sold a product promising to secure customers' data yet they intentionally put an algorithmic backdoor inside that could be used not only by the US government but also discovered and used by hackers to compromise customers' security.
djb's funded by a NIST grant or two, but they're actually furious that, for example, he's running a crypto competition without telling them. Dude is a professor with tenure, and does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science. (There are plenty of people who don't like him because of his personality and penchant for unusual decisions, but these decisions are often for very sound reasons.) I've checked his stuff out extensively, and this is great.
Similarly, I've been through Adam Langley's stuff on this draft with a fine-toothed comb, and it's fine. ChaCha20's great, we analysed it and its variant as part of the BLAKE hash in SHA-3 competition; best attack 7/20, which makes it slightly better than the eSTREAM winner Salsa20 (best attack 8/20).
Many cryptographers have worked together on all this stuff. Some of them are American. Bruce Schneier is American, but I don't think the NSA have subverted him. Quite the opposite.
It says a lot about the NSA's actions that they've irrevocably damaged the US's national interests by providing some very strong reasons for everyone else not to trust them, though. You're right not to put trust in people you don't know. You don't know me. Weigh in yourself, check this stuff, if you have better ideas, please contribute them, and at the very least feel free to provide oversight, please!
What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?
And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in NSAs pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.
In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.
"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption."
Right, the NSA, known to be codebreakers, paid them $10M to include their "special" algorithm, and no one had any idea that it could be compromised. Right. Why else would they pay them to use it?
No, it also takes a seller of such weapons. And there aren't any, or we'd have been sweeping up the remains of some city, political center, or major chunk of infrastructure by now. The whole "terrorists and nuclear weapons" is a total mind job done on you and yours by your government. One thing to to keep in mind: Nukes are very difficult and expensive to manufacture, and pretty damned difficult to lose track of.
Civilization isn't likely to die due to nuclear weapons. We've set off well over a thousand of them already, and there's no particular notable effects other than the low hum of hysteria at the intersection of the set of the ill-informed and the paranoid.
Also, Chemical weapons are a lot less "mass" than nukes are, barring very sophisticated delivery systems, which again, aren't available to religious tools. Bacterial weapons are vaguely possible (although still very, very technical), but incorporate the downside of most likely eventually killing everyone everywhere instead of just the target(s), and so not even your average superstition-addled dingbat seriously considers them.
If you are a US citizen, If you want to worry about civilization, you should be worrying about the decay of our government from one authorized by the constitution into a form exclusively controlled by corporate and political groups. Because unlike the "nuclear threat", said decay is real and ongoing and has already screwed things up immensely: almost 100% loss of manufacturing capacity and so also jobs, crippling inflation, loss of citizen's rights, usurpation of article five powers by the judiciary, illegal legislation that spans almost the entire bill of rights to ex post facto laws to the complete inversion of the commerce clause, promulgation of multiple very expensive, ultimately useless wars... the problem isn't terrorists. The problem is our federal government. The whole terrorist thing is to keep the citizens looking the wrong way.
I've fallen off your lawn, and I can't get up.
We can't really recommend RSA 3072 bits now, 4096 for being safe. We're approaching the limits where RSA is going to become prohibitively slow - same for standard D-H. If we need more security but keep similar mechanics, representing the discrete log algorithms with a different field is definitely the way to go.
As far as practical quantum computers, it's hard to predict timescales. They'll probably mash all discrete log and polynomial/factoring algorithms into pulp - but we don't have any reason to suspect any NSA is THAT far ahead. That would be a phenomenal cryptanalytic and mathematical advance. I'd estimate we still have 20 years, but I'm plucking numbers out of the air here.
As far as post-quantum encryption goes, we're looking too far ahead, it's not developed enough yet to have anything good to switch to. Hash-based signatures which are a possibility, but two-key ciphers are a big problem: the few which have been proposed are often based, on, say, lattice algorithms (such as NTRU, although I have a hunch the NSA have a hand in that one, purely because it's a public key standard, it's American and it's patented; it's had bad security reviews too, with some key leakage with signatures) and linear codes (like Goppa codes with McEliece signatures, the drawback of these systems being the keys are REALLY BIG). Worst, we don't have any proof quantum computers are actually bad at solving these either: in fact, I think they ought to be really good at solving lattice algorithms, we just don't have an algorithm that we know of that would allow them to do it yet. We need another decade's research; we need something to switch to FOR that decade, first.
Yes, using TLS 1.2's AES-128-CCM or AES-128-GCM or CAMELLIA equivalents or something would have been more rational. That's why NSA convinced PCI DSS to recommend RC4.
I wouldn't recommend Blowfish nowadays, not when Twofish exists, at least. And 3DES? No. Way too old and creaky. Didn't you want to use a cipher they hadn't co-designed?
TYPO: you mean RSA sold out its customers
I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.
The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?
This is not how I want my country to be governed
Having worked with pre-2000 versions of RSA BSAFE, the thing that the NSA paid RSA to do was to change the default selection of the random number generator with a weaker one. Nobody had to use the default version--it was just picked if you didn't specify one (or a callback to your own RNG). We had our own multi-threaded rendezvous noise generator thing since this was back before hardware entropy engines.
Oh, and before that, the NSA had unsuccessfully tried to get RSA to tell people that 512-bit keys were safe enough. It wasn't successful mostly because the old guard was still running the company then.
Kriston
Because the people behind CryptoLocker (who are probably from Russia or China or some other country that isn't exactly best buddies with the US) are likely smart enough not to trust US-made off-the-shelf cryptography.
Their TOTP generator is well known and secure. The problem with TOTP and HOTP systems, though, is that it still requires a shared secret at both ends. The secret in the token is fairly secure, but even if it weren't it doesn't matter much because there's only one secret per token.
The server end, however, needs to store _all_ the secrets. Some dedicated solutions store the secrets on an HSM (hardware security module), which if designed correctly has no way to actually emit the secret--it'll only take a signed message and tell you whether it's authentic. This is what Yubico's HSM module does.
What RSA did for their TOTP service, however, was to put all those secrets into a big database on commodity hardware. In other words, it was hackable through software. And no matter how many firewalls you throw up in front of something, if it's on the network and "secured" by software, it'll be hacked eventually. That was sheer stupidity. There are other services that also do this, like LastPassword and a few others.
At one time nobody would believe that RSA was that stupid. But those days are long gone.
The sum of money does seem low, but when an agency like the NSA
comes calling, I have a feeling that it they make you a proposal you
cannot refuse.
(Or you can do what Lavabit did, and just shut it down)
..do I need an "EC PRNG",if any symmetric cipher and a simple couter is sufficient to generate PR numbers ?
I seriously would like to know !
If that were true, you would not. However, its not established that's true. Some believe iterative hashing is the best way because hashes are explicitly designed to be one-way functions, meaning they are intrinsically not reversible. That is believed to make hash-based PRNGs more resistant to attack. However, on the flip-side cipher-based PRNGs have the advantage that ciphers have been more closely studied, and are likely more resistant to attack because of that. That's why 800-90 specifies both hash-based and cipher-based PRNG algorithms.
The logic behind EC was based on the belief that ECs are more resistant to attack because they are based on different mathematical problems than most hash and cipher algorithms, and therefore are less vulnerable to the current state of the art in attacks designed to attack hashes and ciphers. That assertions seems to be false based on research done in the mid 2000s, but the general answer to your question is that no one is certain that, say, AES-based stream cipher PRNGs are certain to be uncrackable, and so people are always looking for alternatives. In fact, the *strongest* PRNG that I can think of is one that simultaneously generates SHA, AES, *and* EC random streams and XORs them together. To break that random stream, you would have to be able to break all three simultaneously. Even if EC had a backdoor in it, that would not help you at all to break a random stream with its contents XORed into two other generators.
So the general answer to the question of why you'd need anything other than a cipher PRNG is that a) no one knows if your preferred cipher PRNG might be broken tomorrow, and b) having multiple kinds of generators based on entirely different math opens the door to creating stronger generators that are a combination of all of them. And by the way, a cipher-based generator that was the XOR of two different cipher-based generators is not guaranteed to be twice as strong.
EC is a bad candidate in general for this kind of RNG hardening (because of its speed and its poorly understood backdoor possibilities), but we only knew that after it had been studied. If it was faster, and its constants were initialized by another PRNG guaranteed to not include the backdoor, it could serve as a PRNG hardener in theory, since its strength relies on an independent problem from hashes and traditional block ciphers.
Google has an interest in proper encryption. They can only sell your data if the potential buyer cannot acquire it without paying them.
Sigh.
Google does not sell data, at least not in any form other than anonymized and aggregated, and not very much even that way. Google makes money from using your data itself (to target ads to you), not from selling it to others.
FWIW, I work for Google, on crypto security stuff, and Google does have a strong interest in proper encryption, because it's the right thing to do. It allows people to control their data. With respect to Google's business, Google would like you to choose to provide your data because you think it's a good trade for Google's services, but wants you to have the ability to make the choice not to provide your data. To anyone, if that's what you want.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Christopher Hitchens, in his inimitable style, tried to get across what makes states like North Korea, Iran, and Iraq (under the Ba'ath party) so... well... indescribably unpleasant to live in. One of the cornerstones of such states is that they eradicate privacy and private life (a core theme of Orwell's 1984). Here's Hitch's attempt to describe it on Fora.tv: https://www.youtube.com/watch?v=Z-rTT8TPcck (Running time 1:00:52). The USA is assembling the infrastructure for the mother of all totalitarian states. They can do it better than anyone else in history, ...ever.
> Dude ... does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science.
> (There are plenty of people who don't like him because of his personality and penchant for
> unusual decisions, but these decisions are often for very sound reasons.
Having had the honor and the curse of working with him, I whole-heartedly agree.
Daniel J Berstein can be counted on to never do what anyone tells him to do.
It's rather annoying. It makes him hard to deal with, and it means if NSA asked him to do something he'd almost surely do the opposite - loudly.
I am appalled.
RSA had, for a long time, an antagonistic relationship with the NSA; we wanted to push good crypto to the world, and the USG felt otherwise.
I knew the people involved, and I don't think any of the original RSA Labs (which was what the RSA Data Security Inc people became) would have compromised their integrity in this manner. What's more, BSAFE (the SW library compromised), became more or less a dead duck after 2000, when the patent on the RSA algorithm expired; free libraries such as BouncyCastle became much more viable.
After RSADSI was bought by Security Dynamics (which later renamed itself RSA Security), there was a gradual Borgification of RSA Labs, with it being assimilated more and more into the mother company (SecurID was always the main source of revenue, not RSA encryption).
I haven't been able to find the date at which the bribe took place, but 10 million seems very low. If Coviello approved this, I hope he's sued by stockholders.
ce
A while back Ron Rivest (the R in RSA) announced the Three Ballot cryptography for voting systems which was touted a system that would let voters check if their ballot was counted without jeopardizing the anonymity of the secret ballot. The really cool thing about it was that the crypto was a one-way system without any key at all. So it seemed to be uncrackable since there was no trusted key-keeper.
Shortly before the publication was accepted, Andrew Appel at Princeton University and Charles Strauss at Los Alamos National Laboratory published articles showing it was invertable and not anonymous in practical election situations.
http://www.cs.princeton.edu/~appel/papers/DefeatingThreeBallot.pdf
http://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf
Imagine if that had been adopted... Sort of makes you wonder about everything RSA has touched including SSL.
NSA has customers? Surely not the voters
The other intelligence agencies within the government are considered "customers" of NSA products.
You guys have missed one important aspect of the RSA operation.
NSA gave RSA 10 million to weaken/broken the RSA encryption that they sold to US. The "US" here means the non-NSA non-GCHQ based customers.
And spook agencies such as NSA themselves do need to encrypt their OWN secret files too, and surely they are not that stupid to use the same weaken and/or broken encryption algo on their own files.
In other words, NSA and GCHQ (and some of the "trustworthy" spooks from the other 3 countries in the "five eyes" pact) do employ RSA in their day to day encryption, but THEIR version of RSA is the unbroken/unweaken one - unlike the broken version that the RSA sold to the rest of the world.
Muchas Gracias, Señor Edward Snowden !
All the successful companies do U-turns to stay in business. Bill Gates did a U-turn on the Internet, Steve Jobs did a U-turn on the iPhone. IBM did several U-turns in its long history, they didn't even make computers when they were founded. And that's just U-turns, then there's acquisitions. When Larry Ellison buys Google in the next 10 years, do you think he'll have any qualms about selling peoples' data to anybody?
Google is Evil because they Built The Dataset. This data is so valuable and comprehensive, and the pioneering of the techniques to do it over and over again, ever more efficiently and cheaply, that people without scruples want it now, will want it in the future, and will eventually control it. That it certain, and you helped make it happen.
Following this. This headline is not exactly true. 1) RSA was paid 10M to make the NSA algo the default in their bSecure product. We have no direct evidence that RSA (now owned by EMC) KNEW the RNG (random number generator) in the NSA compromised algo had been compromised. This is 20/20 hindsight.
2) at the time, *some* people were suspiious generally of work done by NSA cryptographers for a variety of reason- the NSA had fought for the Clippe r Chip in the 90s ; the NSA was generally hsotile to strong encryption for civiliians etc. However, those opinions were countered by the majority of people who plausibly considered that the NSA had a real interest in seeing real encryption be used by US corporations etc. We now know who was right, the skeptics, but we didn't know that at the time that deal went down.
This is what's called "plausible deniability" or "cover" in intelligence circles and everywhere else now but that's the point- it IS plausible, entirely, that RSA was taking money (and not a lot to RSA) to make it the default because they believed the NSA.
Overall, at the time, the people who believed the NSA participated in encryption with the public out of a concern to see it done right were the majority.
Just keeping the story as straight as possible because what we're interested in is the truth as far as we can discern it, right?