Second NSA ‘backdoor’ found in RSA’s BSafe library
Researchers from Johns Hopkins University, the University of Wisconsin, Technische Universiteit Eindhoven, the University of Illinois at Chicago, and UC San Diego have discovered that the NSA infiltrated RSA’s BSafe crypto library not just once but at least twice.
In a paper titled “On the Practical Exploitability of Dual EC in TLS Implementations,” the researchers describe the effect of adding the Extended Random protocol to the discredited Dual Elliptic Curve random number generator. (It was learned last year that the elliptic curve algorithm had first been influenced by the NSA, and then incorporated into the BSafe library following payment of $10 million to RSA.)
Extended Random was supposed to make the elliptic curve’s generation of random numbers more random. This is critical to the generation of secure keys that cannot be deduced. True randomness is very difficult to achieve, and if the random numbers can be guessed, the keys can be discovered. Extended Random was supposed to improve on the security of the elliptic curve algorithm.
But Extended Random was designed by the NSA, and using it with the Dual Elliptic Curve random number generator makes discovering the crypto keys very much easier. In fact, say the researchers, it speeds up cracking the keys by a factor of 65,000.
We also discovered evidence of the implementation in the RSA BSAFE products of a non-standard TLS extension called “Extended Random.” This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.
Background to the research
RSA has not disputed the findings of the paper. Reuters reports, “The company said it had not intentionally weakened security on any product and noted that Extended Random did not prove popular and had been removed from RSA’s protection software in the last six months.”
That is, it appears to have been removed after the NSA’s backdoor in the elliptic curve library was made public. This smacks more of crisis control than a simple commercial decision — and you have to wonder whether the RSA brand name, once perhaps the most trusted name in security, can now survive.