Reuters: RSA Weakened Encryption For $10M From NSA

Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"

RSA sold you out

The NSA sold its own customers out to the US government for the price of an NYC apartment.

That's a tiny number

[bob_super]

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

Re:That's a tiny number

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

A massive exodus to where exactly?

When an organization like the RSA can be bought, what in the hell makes you think the rest aren't too, regardless of country.

Re:That's a tiny number

[gmuslera]

Companies/organizations from other countries aren't forced by law to both do it, and not tell that they did it. Even if you includes countries like UK, Sweden, South Korea and a few others as compromised, there is plenty of room for independent development. And, of course, open source solutions indepently reviewed. But the point is, if you want security, don't buy anything from US companies. Weakening crypto means that not only NSA can access it.

Re:That's a tiny number

[TheGratefulNet]

if you want security, don't buy anything from US companies

I'm both sad and PISSED OFF that the nsa has fucked america in such a way.

this has clearly hurt (and will continue to hurt) our economy.

isn't the current theme "its the economy, stupid!" ?

if so, then we really should make the nsa pay for this loss of stature in the world, loss of trust and loss of business.

dare I say it, its border-line treason. there should be mass jailings for all who had anything to do with SEVERLY DAMAGING OUR ECONOMY in this way.

Re:That's a tiny number

[manquer]

what makes you think that foreign Governments didn't have already access to the information?,

if Snowden could get access so easily to so much without getting noticed, what makes you think any state couldn't have just easily bribed any other sysadmin and kept getting the same info?

You should really question the NSA security policies, for an organization which infiltrates networks regularly to have such poor security is appalling.

Surprisingly that doesn't seem to come up in this whole dialog about Snowden leaks. Everyone seems to think NSA is some all knowing efficient organization, the perfect big brother.

To me it seems they are woefully incompetent in even keeping basic access control policies in place.

Before anyone starts explaining about how it is difficult not to give root access to sys admins etc, it is not exactly rocket science to have peer reviewed access control polices even for sys admins, and alert systems in place depending on the amount of data being accessed over a period of time etc. if I think of 5 different measures of the cuff, I am sure any serious security consultant worth his fees should be able to do much much better.

I cannot stress this enough if a company losses data like this as happening fairly frequently these days, while worrying, I can on some level understand that it is not their core business, and perhaps they didn't spend enough on security and missed a step or two, but for an organization whose main objective is to do break into networks, this is plain stupid.

RSA Stock

RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.

-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.

Re:RSA Stock

[Billly+Gates]

oh, that figures! emc is a bunch of asswipes. what I saw during an interview there made me walk^H, no, run away from that place.

Did you see what they did to the inventor and founder of VMWare? They paid her only 6 figures with no fucking stock options..?!

When she complained and threatened to sue they fired her. They said .. but but we have her a 100k a bonus! Meanwhile the CEO of EMC got huge bonuses from vmware revenue.

What douchbags. I got angry and wished she would ahve hired a better lawyer before the acquisition. But her investors forced in and EMC took advantage. They are greedy self centered assholes.

"We have established what you are, madam. ..."

[bill_mcgonigle]

"... We are now merely haggling over the price."

Oh, no, wait, it's $10M.

(apologies to George Bernard Shaw)

P.S. - AC, yes, if you used an RSA CA appliance with the default Dual EC DRBG PRNG configuration, your private key is probably easy to break and your traffic easy to intercept/decrypt if you're not using perfect forward secrecy (assuming that's not on an RSA appliance).

SSL Security

[Vellmont]

"If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
No. SSL doesn't specify the method to produce random numbers. Why would it? The NIST method is very very slow, so I'd be surprised if any browsers or servers used it as the random number source.

Not a surprise, but still...

[surfdaddy]

I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.

Re:Not a surprise, but still...

[Mr.+Shotgun]

The NSA is doing everything it can to save your ass.

No, fuck you. You do not save this country by pissing on the document that created it. Violating the trust and privacy of the citizens is not the way to save them. This country was made great by holding to the standards of freedom and justice, although there were missteps along the way. But we tried to hold firm to that which made us great.

But lately it has been acting like a scared child jumping at shadows in the kitchen. They have been selling everyone out and violating every protection in the constitution. All for NOTHING. There is no boogy man in the closet, no monster under the bed. The greatest enemy this country faces right now is this "War on terror", because it is destroying us faster and more thoroughly than anyone else could ever hope to do. And apologists like you are helping them right along.

Re:Not a surprise, but still...

[jonwil]

Maybe if the government spent less money on intelligence, data collection, spying, law enforcement (war on drugs, war on "illegal" fireworks, war on "terrorists" etc), fancy expensive military hardware, bailouts/handouts/subsidies/etc for the big end of town etc and either spent less in total (shoring up the budget) or spent that money on things designed to stimulate the economy and produce stable long term economic growth, the US wouldn't be in so much trouble.

Re:Not a surprise, but still...

[artor3]

This country was made great by holding to the standards of freedom and justice,

lol

They teach you that in grade school? Where was the freedom and justice for the natives, or the slaves, or the women, or the non-Protestants? Where was freedom for the interned Japanese, or justice for people accused of Communism during the red scare? Where was the freedom and justice for all the South Americans and Middle Easterners, as they were ruled by our blood-thirsty puppets?

Fuck, was there ever even a single ten year period in which this country "held to the standards of freedom and justice"?

No. There never was. This country is great because it was founded by people who could easily slaughter their only nearby opponents. It's great because after slaughtering the natives, there were ample resources to go around. It's great because our ancestors were immoral enough to build an economy on the backs of slaves, and later on the backs of immigrants who worked themselves to death in hopes of attaining a wealth that none would ever see. It's great because we were left nearly untouched while the rest of the developed world was bombed to ash during WWII. It's great by accident.

Don't blame the NSA for ruining the Land of the Free. That place never existed outside of storybooks. Reality has always been a lot messier, you're just noticing it for the first time.

Re:Not a surprise, but still...

[cbhacking]

Even ignoring the highly questionable aspects of the pledge which you carefully omitted from your quote, nationalism is just the grotesquely overgrown brother of tribalism, itself a badly flawed concept. At least within a tribe, it's hard to keep secrets or conceal abuses of power. It still promotes an unthinking herd behavior, a sense of "us vs. them, and clearly they're worse than us or they'd be part of us". At the national level, it fuels wars and xenophobia. It is the tools of propagandists and of those who would re-write history and get away with it (as you yourself noted, with regard to Jackson).

I find it disgusting that a nation which arose out of a rebellion against government mistreatment tries to brainwash its children into giving their allegiance to anything so inherently flawed as a human government. Would you have supported colonial children in the 1770s being required to stand up every day in school, and swear allegiance to the Union Jack, and the monarchy for which it stands? Do you think it's cool that there are probably kids right now swearing their allegiance to the People's Republic of [Korea|China|the Congo|whatever] and the glorious freedom and representation that their government bestows upon them?

Liberty and justice for all? Give me a break! Pure propaganda, and you don't even need to be *that* smart or well-educated to see it for the lie it is; you just need to start from the assumption that the American Way is *not* The One True Way, and look up some facts. Facts like per-capita prison population, or the breakdown of said population relative to the populace at large. Facts like the mere existence of places like Gitmo. Facts like the government's treatment of Snowden, and their hasty effort to scrub from their websites, etc. all mention of the Obama administration's moral and righteous promises to protect and support whistleblowers. Or how about the states where gays, or transgender people, are forced to live as second-class citizens (and, in a handful of very backward parts of the country, criminals)? The very concept that there exists "one nation, under God, indivisible, with liberty and justice for all" is a tremendous lie. Teaching our children that such a thing not only exists, but that they live in it; forcing them to chant those lines every weekday of their young lives to the point that they absorb it before they're even old enough to know that sometimes the things you're taught are wrong? That is beyond the pale. It is despicable and deplorable.

Now, actually pledging liberty and justice, that's not so awful. It should still be taught as a *concept* and not as a mantra, but pledging to protect liberty and promote justice is a noble and virtuous thing to say. Too bad that's nowhere in the pledge of allegiance as it stands today, though. No, we were told to pledge allegiance to a flag and a nation, not a concept. We didn't even pledge to uphold the constitution, the way so many civil servants are required to do.

Catastrophic

Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.

No RSA product can ever be trusted again.

Re:Catastrophic

[swillden]

Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.

No RSA product can ever be trusted again.

Except that RSA destroyed their whole business a couple of years ago when it was found that they'd left the root keys for their SecureID tokens on an unsecured, network-connected machine. After that no one could trust them again.

But people did, and they'll continue doing so after this, watch and see.

Regarding the anonymous reader

TLS's current big problems are:
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET /") by a Nation State Adversary in real time; NSA secretly control PCI DSS standard and used the excuse of the BEAST attack (CVE-2011-3389) to push RC4 as solution for PCI compliance, instead of TLS 1.2
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)

All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.

The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.

Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html

*EMC Corp* now

They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.

Wow, that is trillions in damage even before we get to the criminal law book.

How is this not criminal fraud on RSA's part?

[JoeyRox]

They advertised and sold a product promising to secure customers' data yet they intentionally put an algorithmic backdoor inside that could be used not only by the US government but also discovered and used by hackers to compromise customers' security.

Playing Devil's Advocate

What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?

And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in NSAs pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.

In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.

They didn't know!

[hawguy]

"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption."

Right, the NSA, known to be codebreakers, paid them $10M to include their "special" algorithm, and no one had any idea that it could be compromised. Right. Why else would they pay them to use it?

Re:They didn't know!

[edelbrp]

A different era. They might have actually thought the NSA were honestly helping. Back then the NSA was probably perceived as being as much about hardening encryption as breaking it.

TYPO: you mean RSA sold out its customers

TYPO: you mean RSA sold out its customers

This Is Not Acceptable.

I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.

The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?

This is not how I want my country to be governed

It's not the crypto, it's the RNG

[kriston]

Having worked with pre-2000 versions of RSA BSAFE, the thing that the NSA paid RSA to do was to change the default selection of the random number generator with a weaker one. Nobody had to use the default version--it was just picked if you didn't specify one (or a callback to your own RNG). We had our own multi-threaded rendezvous noise generator thing since this was back before hardware entropy engines.

Oh, and before that, the NSA had unsuccessfully tried to get RSA to tell people that 512-bit keys were safe enough. It wasn't successful mostly because the old guard was still running the company then.

NSA gave them an offer they could not refuse.

[enigmatic]

The sum of money does seem low, but when an agency like the NSA
comes calling, I have a feeling that it they make you a proposal you
cannot refuse.

(Or you can do what Lavabit did, and just shut it down)

The end of personal privacy and of private life

[matbury]

Christopher Hitchens, in his inimitable style, tried to get across what makes states like North Korea, Iran, and Iraq (under the Ba'ath party) so... well... indescribably unpleasant to live in. One of the cornerstones of such states is that they eradicate privacy and private life (a core theme of Orwell's 1984). Here's Hitch's attempt to describe it on Fora.tv: https://www.youtube.com/watch?v=Z-rTT8TPcck (Running time 1:00:52). The USA is assembling the infrastructure for the mother of all totalitarian states. They can do it better than anyone else in history, ...ever.

Voting systems too.

A while back Ron Rivest (the R in RSA) announced the Three Ballot cryptography for voting systems which was touted a system that would let voters check if their ballot was counted without jeopardizing the anonymity of the secret ballot. The really cool thing about it was that the crypto was a one-way system without any key at all. So it seemed to be uncrackable since there was no trusted key-keeper.

  Shortly before the publication was accepted, Andrew Appel at Princeton University and Charles Strauss at Los Alamos National Laboratory published articles showing it was invertable and not anonymous in practical election situations.

http://www.cs.princeton.edu/~appel/papers/DefeatingThreeBallot.pdf

http://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf

  Imagine if that had been adopted... Sort of makes you wonder about everything RSA has touched including SSL.

Re:Voting systems too.

[cryptizard]

That is how academia works. You can never be 100% sure that something is secure without extensive evaluation and peer review. Ron Rivest has published hundreds of papers, it's guaranteed that some of them contain mistakes. Insinuating that he did it because the NSA told him too is patently ridiculous.

The RSA they use is different from the RSA we use

[Taco+Cowboy]

NSA has customers? Surely not the voters

The other intelligence agencies within the government are considered "customers" of NSA products.

You guys have missed one important aspect of the RSA operation.

NSA gave RSA 10 million to weaken/broken the RSA encryption that they sold to US. The "US" here means the non-NSA non-GCHQ based customers.

And spook agencies such as NSA themselves do need to encrypt their OWN secret files too, and surely they are not that stupid to use the same weaken and/or broken encryption algo on their own files.

In other words, NSA and GCHQ (and some of the "trustworthy" spooks from the other 3 countries in the "five eyes" pact) do employ RSA in their day to day encryption, but THEIR version of RSA is the unbroken/unweaken one - unlike the broken version that the RSA sold to the rest of the world.