Reuters: RSA Weakened Encryption For $10M From NSA 464
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
RSA Stock (Score:5, Interesting)
RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.
-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.
Regarding the anonymous reader (Score:5, Interesting)
TLS's current big problems are: /") by a Nation State Adversary in real time; NSA secretly control PCI DSS standard and used the excuse of the BEAST attack (CVE-2011-3389) to push RC4 as solution for PCI compliance, instead of TLS 1.2
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)
All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.
The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.
Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
*EMC Corp* now (Score:5, Interesting)
They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.
Wow, that is trillions in damage even before we get to the criminal law book.
Re:Don't misinform if you don't understand crypto (Score:4, Interesting)
The NIST/SECP curves are NOT safe. They were generated by the NSA, and they need replacing. http://safecurves.cr.yp.to/
We probably don't know the full extent of the 'trapdoors' left by Jerry. What we do know is that unless you're using Brier-Joye's (very, very slow) constant-time short-Weierstrass curve, a timing attack is possible, and probably practical; many of the routines are incomplete or wrongly-implemented, because they're very complex, and the curves aren't complete; some don't even check if the point is on the curve, and if it isn't, we're basically leaking private data; secp256k1 has a complex-multiplication field discriminant of just -3, which may make it more susceptible to one attack and very possible to one extended one we don't know about; and secp224r1 (P-224) definitely has an insecure twist. Something may well be wrong with secp256r1 and the others, but if so, we don't know what it is. Either way, we know the NSA generated it to ostensibly be random but really satisfy some very specific unknown conditions: that alone is reason enough to not trust it.
How is this not criminal fraud on RSA's part? (Score:5, Interesting)
Playing Devil's Advocate (Score:5, Interesting)
What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?
And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in NSAs pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.
In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.
Re:They didn't know! (Score:5, Interesting)
A different era. They might have actually thought the NSA were honestly helping. Back then the NSA was probably perceived as being as much about hardening encryption as breaking it.
This Is Not Acceptable. (Score:5, Interesting)
I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.
The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?
This is not how I want my country to be governed
Re:"We have established what you are, madam. ..." (Score:2, Interesting)
There really isn't any way of knowing. The possibility of a weakness with the elliptic curve cryptography is only suspected, suggested, not proven. Good 'ol Bruce has said that there is nothing in the Snowden leaks to prove that the actual crypto algorithms have been weakened. As far as anyone knows all that NSA has done is try to spread the use of it, which may be because they think that it is better. In a way this is no different than the fixes they made to make DES proof against differential cryptanalysis. Everyone suspected that NSA had weakened DES when in fact they made it stronger, but it took 15-20 years for people to see that. For all we know the elliptic stuff only looks like it might be weak, but it may be perfectly fine and strong, but it may have been chosen since the form looks weak as a troll against anyone that would try to crack it. Square the circle, you can do it!
Re:Not a surprise, but still... (Score:5, Interesting)
Not really. The NSA costs more to run than the national debt. Closing it would be one of the most cost-effective ways to save the nation from bankruptcy. Not that the US is anywhere near close. It will be, if it continues to not spend on the arts and sciences, but economies can remain entirely stable when running 110% of GDP, at least for a few years. Nations aren't like personal bank accounts and you cannot run economies as if they were private budgets.
At this point, the NSA has cost the economy not only its own expenses but billions in international trade (plus interest spanning decades), but can produce no evidence of any benefits. Skipjack is broken, as was SHA-0 (the NSA version of the algorithm). Cryptologists ignored Skipjack once it was determined to be faulty and spent a fair bit of time fixing SHA. These are additional costs, created almost certainly as a result of deliberate breakage by the NSA (it's either that or they're incompetent, take your pick).
When you have something very expensive with no direct or indirect return, you generally term it a failure. When something fails on that scale when your economy has been crippled by neocons and kept defunct by Tea Partiers, the sound fiscal move is to cut losses. When a ship is struggling to stay afloat, you dump the deadweight. The NSA is deadweight until or unless it can show value for money.
Re:RSA Security == FRAUD (Score:3, Interesting)
Their TOTP generator is well known and secure. The problem with TOTP and HOTP systems, though, is that it still requires a shared secret at both ends. The secret in the token is fairly secure, but even if it weren't it doesn't matter much because there's only one secret per token.
The server end, however, needs to store _all_ the secrets. Some dedicated solutions store the secrets on an HSM (hardware security module), which if designed correctly has no way to actually emit the secret--it'll only take a signed message and tell you whether it's authentic. This is what Yubico's HSM module does.
What RSA did for their TOTP service, however, was to put all those secrets into a big database on commodity hardware. In other words, it was hackable through software. And no matter how many firewalls you throw up in front of something, if it's on the network and "secured" by software, it'll be hacked eventually. That was sheer stupidity. There are other services that also do this, like LastPassword and a few others.
At one time nobody would believe that RSA was that stupid. But those days are long gone.
NSA gave them an offer they could not refuse. (Score:5, Interesting)
The sum of money does seem low, but when an agency like the NSA
comes calling, I have a feeling that it they make you a proposal you
cannot refuse.
(Or you can do what Lavabit did, and just shut it down)
Re:Not a surprise, but still... (Score:5, Interesting)
The very word "secrecy" is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths and secret proceedings. We decided long ago that the dangers of excessive and unwarranted concealment of pertinent facts far outweighed the dangers which are cited to justify it.
Re:WHY THE FUCK (Score:5, Interesting)
..do I need an "EC PRNG",if any symmetric cipher and a simple couter is sufficient to generate PR numbers ?
I seriously would like to know !
If that were true, you would not. However, its not established that's true. Some believe iterative hashing is the best way because hashes are explicitly designed to be one-way functions, meaning they are intrinsically not reversible. That is believed to make hash-based PRNGs more resistant to attack. However, on the flip-side cipher-based PRNGs have the advantage that ciphers have been more closely studied, and are likely more resistant to attack because of that. That's why 800-90 specifies both hash-based and cipher-based PRNG algorithms.
The logic behind EC was based on the belief that ECs are more resistant to attack because they are based on different mathematical problems than most hash and cipher algorithms, and therefore are less vulnerable to the current state of the art in attacks designed to attack hashes and ciphers. That assertions seems to be false based on research done in the mid 2000s, but the general answer to your question is that no one is certain that, say, AES-based stream cipher PRNGs are certain to be uncrackable, and so people are always looking for alternatives. In fact, the *strongest* PRNG that I can think of is one that simultaneously generates SHA, AES, *and* EC random streams and XORs them together. To break that random stream, you would have to be able to break all three simultaneously. Even if EC had a backdoor in it, that would not help you at all to break a random stream with its contents XORed into two other generators.
So the general answer to the question of why you'd need anything other than a cipher PRNG is that a) no one knows if your preferred cipher PRNG might be broken tomorrow, and b) having multiple kinds of generators based on entirely different math opens the door to creating stronger generators that are a combination of all of them. And by the way, a cipher-based generator that was the XOR of two different cipher-based generators is not guaranteed to be twice as strong.
EC is a bad candidate in general for this kind of RNG hardening (because of its speed and its poorly understood backdoor possibilities), but we only knew that after it had been studied. If it was faster, and its constants were initialized by another PRNG guaranteed to not include the backdoor, it could serve as a PRNG hardener in theory, since its strength relies on an independent problem from hashes and traditional block ciphers.
Re:RSA Stock (Score:5, Interesting)
oh, that figures! emc is a bunch of asswipes. what I saw during an interview there made me walk^H, no, run away from that place.
Did you see what they did to the inventor and founder of VMWare? They paid her only 6 figures with no fucking stock options..?!
When she complained and threatened to sue they fired her. They said .. but but we have her a 100k a bonus! Meanwhile the CEO of EMC got huge bonuses from vmware revenue.
What douchbags. I got angry and wished she would ahve hired a better lawyer before the acquisition. But her investors forced in and EMC took advantage. They are greedy self centered assholes.
Re:Not a surprise, but still... (Score:5, Interesting)
Maybe if the government spent less money on intelligence, data collection, spying, law enforcement (war on drugs, war on "illegal" fireworks, war on "terrorists" etc), fancy expensive military hardware, bailouts/handouts/subsidies/etc for the big end of town etc and either spent less in total (shoring up the budget) or spent that money on things designed to stimulate the economy and produce stable long term economic growth, the US wouldn't be in so much trouble.
Re:That's a tiny number (Score:4, Interesting)
That statement stands on its own. $10M? For a company (well, a division of EMC, anyway) whose very existence depends on their reputation and ability to keep secrets safe?
As much as I damn both the NSA and corporate greed in general, I find TFA borderline unbelievable. Now, I find it a lot more believable that the NSA "paid" $10M plus a "gentleman's agreement" to allow the children of the entire executive board of EMC to continue taking in oxygen from the atmosphere...
Re:Let me say this from Germany: (Score:5, Interesting)
Google has an interest in proper encryption. They can only sell your data if the potential buyer cannot acquire it without paying them.
Sigh.
Google does not sell data, at least not in any form other than anonymized and aggregated, and not very much even that way. Google makes money from using your data itself (to target ads to you), not from selling it to others.
FWIW, I work for Google, on crypto security stuff, and Google does have a strong interest in proper encryption, because it's the right thing to do. It allows people to control their data. With respect to Google's business, Google would like you to choose to provide your data because you think it's a good trade for Google's services, but wants you to have the ability to make the choice not to provide your data. To anyone, if that's what you want.
Re:That's a tiny number (Score:3, Interesting)
$10M? For a company (well, a division of EMC, anyway) whose very existence depends on their reputation and ability to keep secrets safe?
RSA was an independent company at the time, and quite small. This was probably a significant deal, especially for the government division.
Plus I believe TFA (can't reload it now) said it was handled by the executives directly; the technical team was not involved. So Jim Bizdos may not even have understood what he was getting into. For if he had I would bet he would have asked for more....
Former RSA employee (Score:4, Interesting)
I am appalled.
RSA had, for a long time, an antagonistic relationship with the NSA; we wanted to push good crypto to the world, and the USG felt otherwise.
I knew the people involved, and I don't think any of the original RSA Labs (which was what the RSA Data Security Inc people became) would have compromised their integrity in this manner. What's more, BSAFE (the SW library compromised), became more or less a dead duck after 2000, when the patent on the RSA algorithm expired; free libraries such as BouncyCastle became much more viable.
After RSADSI was bought by Security Dynamics (which later renamed itself RSA Security), there was a gradual Borgification of RSA Labs, with it being assimilated more and more into the mother company (SecurID was always the main source of revenue, not RSA encryption).
I haven't been able to find the date at which the bribe took place, but 10 million seems very low. If Coviello approved this, I hope he's sued by stockholders.
ce
Voting systems too. (Score:5, Interesting)
A while back Ron Rivest (the R in RSA) announced the Three Ballot cryptography for voting systems which was touted a system that would let voters check if their ballot was counted without jeopardizing the anonymity of the secret ballot. The really cool thing about it was that the crypto was a one-way system without any key at all. So it seemed to be uncrackable since there was no trusted key-keeper.
Shortly before the publication was accepted, Andrew Appel at Princeton University and Charles Strauss at Los Alamos National Laboratory published articles showing it was invertable and not anonymous in practical election situations.
http://www.cs.princeton.edu/~appel/papers/DefeatingThreeBallot.pdf [princeton.edu]
http://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf [princeton.edu]
Imagine if that had been adopted... Sort of makes you wonder about everything RSA has touched including SSL.
The RSA they use is different from the RSA we use (Score:5, Interesting)
NSA has customers? Surely not the voters
The other intelligence agencies within the government are considered "customers" of NSA products.
You guys have missed one important aspect of the RSA operation.
NSA gave RSA 10 million to weaken/broken the RSA encryption that they sold to US. The "US" here means the non-NSA non-GCHQ based customers.
And spook agencies such as NSA themselves do need to encrypt their OWN secret files too, and surely they are not that stupid to use the same weaken and/or broken encryption algo on their own files.
In other words, NSA and GCHQ (and some of the "trustworthy" spooks from the other 3 countries in the "five eyes" pact) do employ RSA in their day to day encryption, but THEIR version of RSA is the unbroken/unweaken one - unlike the broken version that the RSA sold to the rest of the world.
Re:Not a surprise, but still... (Score:4, Interesting)
Where was the freedom and justice for the natives, or the slaves, or the women, or the non-Protestants? Where was freedom for the interned Japanese, or justice for people accused of Communism during the red scare? Where was the freedom and justice for all the South Americans and Middle Easterners, as they were ruled by our blood-thirsty puppets?
Fuck, was there ever even a single ten year period in which this country "held to the standards of freedom and justice"?
As a naturalized citizen of the United States of America, who originally came from China, back in the 1970's, I do need to speak up on this issue.
Yes, you are right. America does fall short of its ideal, of keeping the freedom and liberty for EVERYONE.
But then, what you are trying to get at is a utopian IDEAL that will never exist in the real world that you and I are living in.
The OP has already said that there were several mis-steps along the way - and as a non-Anglo, I can attest to the fact that the America that I used to know, the pre-1993 USA (before the Waco, Texas incident) was a country which was trying to achieve that ideal, however impossible the target turned out to be.
After the Waco incident, things gone south.
I am speaking as a non-native, non-American born, an observer from the outside.