
Reuters: RSA Weakened Encryption For $10M From NSA 464

Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
  • SSL Security (Score:5, Informative)

    by Vellmont ( 569020 ) on Friday December 20, 2013 @09:08PM (#45750831) Homepage

    "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
    No. SSL doesn't specify the method to produce random numbers. Why would it? The NIST method is very very slow, so I'd be surprised if any browsers or servers used it as the random number source.

  • by Anonymous Coward on Friday December 20, 2013 @09:39PM (#45750987)

    djb's funded by a NIST grant or two, but they're actually furious that, for example, he's running a crypto competition without telling them. Dude is a professor with tenure, and does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science. (There are plenty of people who don't like him because of his personality and penchant for unusual decisions, but these decisions are often for very sound reasons.) I've checked his stuff out extensively, and this is great.

    Similarly, I've been through Adam Langley's stuff on this draft with a fine-toothed comb, and it's fine. ChaCha20's great, we analysed it and its variant as part of the BLAKE hash in SHA-3 competition; best attack 7/20, which makes it slightly better than the eSTREAM winner Salsa20 (best attack 8/20).

    Many cryptographers have worked together on all this stuff. Some of them are American. Bruce Schneier is American, but I don't think the NSA have subverted him. Quite the opposite.

    It says a lot about the NSA's actions that they've irrevocably damaged the US's national interests by providing some very strong reasons for everyone else not to trust them, though. You're right not to put trust in people you don't know. You don't know me. Weigh in yourself, check this stuff, if you have better ideas, please contribute them, and at the very least feel free to provide oversight, please!

  • by Anonymous Coward on Friday December 20, 2013 @10:12PM (#45751135)

    We can't really recommend RSA 3072 bits now, 4096 for being safe. We're approaching the limits where RSA is going to become prohibitively slow - same for standard D-H. If we need more security but keep similar mechanics, representing the discrete log algorithms with a different field is definitely the way to go.

    As far as practical quantum computers, it's hard to predict timescales. They'll probably mash all discrete log and polynomial/factoring algorithms into pulp - but we don't have any reason to suspect any NSA is THAT far ahead. That would be a phenomenal cryptanalytic and mathematical advance. I'd estimate we still have 20 years, but I'm plucking numbers out of the air here.

    As far as post-quantum encryption goes, we're looking too far ahead, it's not developed enough yet to have anything good to switch to. Hash-based signatures are a possibility, but two-key ciphers are a big problem: the few which have been proposed are often based on, say, lattice algorithms (such as NTRU, although I have a hunch the NSA have a hand in that one, purely because it's a public key standard, it's American and it's patented; it's had bad security reviews too, with some key leakage with signatures) and linear codes (like Goppa codes with McEliece signatures, the drawback of these systems being the keys are REALLY BIG). Worse, we don't have any proof quantum computers are actually bad at solving these either: in fact, I think they ought to be really good at solving lattice algorithms, we just don't have an algorithm that we know of that would allow them to do it yet. We need another decade's research; we need something to switch to FOR that decade, first.

    Yes, using TLS 1.2's AES-128-CCM or AES-128-GCM or CAMELLIA equivalents or something would have been more rational. That's why NSA convinced PCI DSS to recommend RC4.

    I wouldn't recommend Blowfish nowadays, not when Twofish exists, at least. And 3DES? No. Way too old and creaky. Didn't you want to use a cipher they hadn't co-designed?

  • by Anonymous Coward on Friday December 20, 2013 @10:20PM (#45751165)

    TYPO: you mean RSA sold out its customers

  • Re:SSL Security (Score:4, Informative)

    by Anonymous Coward on Friday December 20, 2013 @10:26PM (#45751199)

    Nobody used? Try a ton of people used.

    Commercial products that must be FIPS certified tend to use libraries like BSafe, not OpenSSL. OpenSSL has received FIPS certification, but it's really difficult to ship a product using OpenSSL and keep that certification, because FIPS certification is not just about source code and algorithms.

    And I doubt RSA was the only company the NSA approached to use Dual_EC_DRBG by default. I know for a fact that it's used in several other commercial products. And because it's so slow and so suspicious, it's reasonable to believe that these companies were coaxed to use it, too.

  • by kriston ( 7886 ) on Friday December 20, 2013 @10:40PM (#45751241) Homepage Journal

    Having worked with pre-2000 versions of RSA BSAFE, the thing that the NSA paid RSA to do was to change the default selection of the random number generator to a weaker one. Nobody had to use the default version--it was just picked if you didn't specify one (or a callback to your own RNG). We had our own multi-threaded rendezvous noise generator thing since this was back before hardware entropy engines.

    Oh, and before that, the NSA had unsuccessfully tried to get RSA to tell people that 512-bit keys were safe enough. It wasn't successful mostly because the old guard was still running the company then.

  • Re:RSA Stock (Score:5, Informative)

    by McGruber ( 1417641 ) on Friday December 20, 2013 @10:57PM (#45751363)

    RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.

    RSA Security, Inc. was acquired by EMC Corporation (http://www.nyse.com/about/listed/lcddata.html?ticker=emc) in 2006 and is now a division of EMC.

  • by raymorris ( 2726007 ) on Saturday December 21, 2013 @01:07AM (#45751887) Journal

    > Dude ... does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science.
    > (There are plenty of people who don't like him because of his personality and penchant for
    > unusual decisions, but these decisions are often for very sound reasons.

    Having had the honor and the curse of working with him, I whole-heartedly agree.
    Daniel J Bernstein can be counted on to never do what anyone tells him to do.
    It's rather annoying. It makes him hard to deal with, and it means if NSA asked him to do something he'd almost surely do the opposite - loudly.

  • by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Saturday December 21, 2013 @03:45AM (#45752333) Homepage

    Well, there's a Federal Judge who just ruled that they engaged in unconstitutional actions and there was a panel of hand-picked sympathizers who just came out with a report that they're breaking the law (nobody expected anything but whitewash -- when the totally owned lackeys still criticize the NSA, you know there's serious shit going on).

    Here's Judge Leon's decision:
    https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2013cv0851-48 [uscourts.gov]

    The real meat starts at page 43, heading i. What is really wonderful to see, is how J. Leon eviscerates the Smith v. Maryland case, the case upon which all the NSA's masspionage is based. He distinguishes it and limits it to its facts -- it will be great to see that pillar of the Third Party Doctrine die like it deserves.

  • by cryptizard ( 2629853 ) on Saturday December 21, 2013 @05:02AM (#45752457)

    That is how academia works. You can never be 100% sure that something is secure without extensive evaluation and peer review. Ron Rivest has published hundreds of papers, it's guaranteed that some of them contain mistakes. Insinuating that he did it because the NSA told him to is patently ridiculous.
  • by Anonymous Coward on Saturday December 21, 2013 @08:09AM (#45752827)

    We're going to debate whether this is a MUST for TLS 1.3. If we have a really fast, strong, constant-time public key exchange algorithm - one which makes even ECDHE look slow - and we do: Curve25519 or its faster, equivalent Twisted Edwards cousin Ed25519 - I see no reason to not mandate it.

    The drawback of going SHOULD is some people won't, and a Nation State Adversary (I've started to use that term as a catch-all, general description of the threat model posed by hostile extremely well-funded national intelligence agencies such as NSA and GCHQ - the initials are serendipitous and will hopefully serve as a reminder about who can never be trusted again!) will capitalise on that opportunity by convincing people not to.

    Saying it MUST be forward-secure eliminates that, and if we can push TLS 1.3 as hard as we can when its design is finished, peer-reviewed, multiple well-tested and publicly audited implementations exist by publishing a new BCP which we'll point to and convince PCI DSS and other national standards agencies that running the old TLS versions now is a security vulnerability that MUST be fixed... then we might finally get some movement on that. It took something like a decade for TLS 1.2 rollout. I don't think all of that is due to the NSA, but I do think that ponderous inertia definitely helped their cause.
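The comment above argues that forward secrecy should be a MUST rather than a SHOULD, because any optional suite becomes the one an adversary talks operators into keeping. A defender can check their own configuration for that gap today. The helper below is an added example written for this page, not code from the thread or from any TLS project: it classifies OpenSSL-style cipher suite names (as printed by `openssl ciphers -v` or found in a server config) by whether their key exchange is ephemeral. The function and class names are my own; the suite-name prefixes follow OpenSSL's naming conventions.

```python
"""Audit a TLS cipher list for suites that lack forward secrecy.

In TLS 1.2 the key exchange is encoded in the OpenSSL suite name
(ECDHE-, DHE-, ECDH-, DH-, PSK-, or nothing for RSA key transport).
TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) omit it because the
exchange is always ephemeral (EC)DHE, so they are forward-secure
by construction.
"""
from dataclasses import dataclass

_EPHEMERAL = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")  # ephemeral, incl. anonymous
_STATIC = ("ECDH-", "DH-")                 # static (EC)DH: long-term server key
_TLS13 = ("TLS_AES_", "TLS_CHACHA20_")     # TLS 1.3 names carry no key-exchange token
_ANON = ("ADH-", "AECDH-")                 # ephemeral but unauthenticated


@dataclass(frozen=True)
class SuiteVerdict:
    name: str
    forward_secure: bool
    reason: str


def classify(name: str) -> SuiteVerdict:
    """Return a verdict for one OpenSSL-style cipher suite name."""
    n = name.strip().upper()
    if n.startswith(_TLS13):
        return SuiteVerdict(n, True, "TLS 1.3 suite; key exchange is always ephemeral")
    if n.startswith(_EPHEMERAL):
        if n.startswith(_ANON):
            return SuiteVerdict(n, True, "ephemeral but anonymous: forward-secure, unauthenticated")
        return SuiteVerdict(n, True, "ephemeral (EC)DHE key exchange")
    if n.startswith(_STATIC):
        return SuiteVerdict(n, False, "static (EC)DH: server long-term key decrypts past sessions")
    if n.startswith(("PSK-", "RSA-PSK-")):
        return SuiteVerdict(n, False, "PSK without (EC)DHE: leaked PSK exposes past sessions")
    # No key-exchange token at all (e.g. AES128-GCM-SHA256) means RSA key
    # transport: the server's RSA private key decrypts every recorded session.
    return SuiteVerdict(n, False, "RSA key transport: server private key decrypts past sessions")


def audit(cipher_list: str) -> list[SuiteVerdict]:
    """Given a colon-separated OpenSSL cipher string, list the suites that are NOT forward-secure."""
    verdicts = (classify(c) for c in cipher_list.split(":") if c)
    return [v for v in verdicts if not v.forward_secure]


if __name__ == "__main__":
    # Constructed sample config string; the two weak entries are the ones to remove.
    for v in audit("ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-RSA-AES256-SHA:PSK-AES128-CBC-SHA"):
        print(f"{v.name}: {v.reason}")
```

Note that the audit only reads names; it does not tell you which suite a peer will actually negotiate, so pair it with a handshake check against the live server.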
