
NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software

Security industry leader RSA was caught working with the U.S. National Security Agency (NSA), and now it's seeing some backlash from former allies. 
According to a new report from CNET, some leaders in the computer security world who were scheduled to speak at the RSA Conference next month have backed out due to recent discoveries about the RSA's connections with the NSA.
The report said Mikko Hypponen, chief technology officer of F-Secure; Josh Thomas, Chief Breaking Officer at security firm Atredis; and Jeffrey Carr, another security industry veteran who analyzes espionage and cyber warfare methods, have all canceled their presentations at the RSA Conference.
Carr and Hypponen have taken it a step further by boycotting the conference. Hypponen said "nationality" was the reason for his cancellation while Carr said the RSA had violated its customers' trust. 
"I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014," said Hypponen.
Once Carr announced his boycott, others followed, including Marcia Hoffman, privacy attorney and former Electronic Frontier Foundation lawyer; Alex Fowler, Mozilla privacy and public policy expert; Christopher Soghoian, American Civil Liberties Union advocate and privacy expert; Adam Langley, Google security expert, and Chris Palmer, Google Chrome security engineer. 
The RSA Conference is scheduled for next month in San Francisco.

[Photo: Jeffrey Carr]

According to documents leaked by former NSA contractor Edward Snowden, the NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software (which is widely used in personal computers and other products) to obtain "back door" access to data. The RSA software that contained the flawed formula was called Bsafe, a library meant to increase security in computers. The formula was a random number generator called Dual Elliptic Curve (Dual EC DRBG), and it was created within the NSA. RSA started using it in 2004, even before the National Institute of Standards and Technology (NIST) approved it. 
RSA said it had no idea that the algorithm was flawed, or that it gave the NSA back door access to countless computers and devices. The NSA reportedly sold the algorithm as an enhancement to security without letting the RSA in on its real intentions. 
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation," said RSA in a blog post.
Many in the security community were surprised at RSA's entanglement with the NSA, but the latest news of the $10 million contract has shocked the industry.
RSA is known as a pioneer in the realm of computer security, and famously fought off the NSA's attempts to weaken encryption in the 1990s. 
"I can't imagine a worse action, short of a company's CEO getting involved in child porn," said Carr. "I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it."

Source: CNET

Comments

Real Believable
By Reclaimer77 on 1/9/2014 4:27:47 PM , Rating: 5
The NSA reportedly sold the algorithm as an enhancement to security without letting the RSA in on its real intentions.

"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation," said RSA in a blog post.

Right, real believable. Your JOB is security and you want us to believe you bought some code from the NSA and just used it without making sure it was robust and...and...what's the word I'm looking for? Oh yeah, SECURE!!

Also you expect us to believe that the NSA is where to go to shop for "security enhancement" software. The agency whose job is to SPY electronically! Again, reeeaaal believable there guys.

RE: Real Believable
By japlha on 1/9/2014 5:03:59 PM , Rating: 2
I'm sure the NSA "promised" (with a cherry on top) that there was no back door in their code.

RE: Real Believable
By GulWestfale on 1/9/14, Rating: -1
RE: Real Believable
By ritualm on 1/9/2014 6:55:37 PM , Rating: 2
Perception is reality.

They don't want to get hit with an unwanted public image by remaining committed to the conference.

RE: Real Believable
By Reclaimer77 on 1/9/2014 7:10:08 PM , Rating: 2
probably the biggest abuser of data collection and privacy invasion

I really have a problem with ignorant populist hyperbole like this. In the literal sense, Google does not invade your privacy.

Also the big difference is that you can opt-out and not agree to the way Google does this. Obviously with this NSA backdoor nonsense, that's not an option.

RE: Real Believable
By JasonMick on 1/9/2014 7:24:12 PM , Rating: 2
I really have a problem with ignorant populist hyperbole like this. In the literal sense, Google does not invade your privacy.
Well, it may invade your privacy but only if you're stupid, and its reach is limited.

I think the simple way to clarify this to people is to simply state this:

If Google did the things the NSA is doing, its employees would be sent to prison.

Google haters, I'm all for criticizing the company when it oversteps (e.g. with the Street View data collection), but if you're going to compare it to the NSA, give me some evidence that it's sabotaging your electronics with listening devices and installing rootkits/keyloggers/screengrabbers on your PC.

Because the NSA is doing all of those things.

RE: Real Believable
By Reclaimer77 on 1/9/2014 8:03:02 PM , Rating: 2
If Google did the things the NSA is doing, its employees would be sent to prison.

You really cut to the heart of the matter there, I couldn't agree more.

RE: Real Believable
By MrBlastman on 1/10/2014 10:18:16 AM , Rating: 3
If you work for the Government, you are immune to prosecution as long as you...

a. Pay off the right people
b. Suck off the right people
c. Your political party/supporter/individual remains in power
d. It is profitable for those in power

Once someone else steps in, watch out. You're on the block.

I'm sure Jefferson and Franklin would be rolling over in their graves if they saw all this.

There's a reason Federal power should be extremely limited. The NSA is a shining example, glistening on a tall pedestal, as to why.

RE: Real Believable
By JasonMick on 1/9/2014 7:20:14 PM , Rating: 5
what's also funny is that two guys from google, probably the biggest abuser of data collection and privacy invasion, also cancelled their appearances. maybe they really think not being associated with RSA will make them look less like enthusiastic NSA collaborators??
Yea except Google employees would be convicted of breaking the law and would be thrown in prison if they did the things the NSA is doing.

There's a huge leap between what Google is doing:
+ collecting data from a limited set of partner sites
+ mining data off open networks
+ scraping websites
+ using cookies to track browsing history in a coarse manner

...versus what the NSA is doing:
+ Collecting data from ALL phone companies
+ Collecting email snippets from ALL companies (except those that encrypt mail)
+ Cooperating with political suppression campaigns
+ auto-attacking peoples' computers with malware
+ having two whole factories devoted to sabotaging Americans' electronics with implanted surveillance devices
+ breaking into encrypted networks by paying for security flaws.

To give an analogy Google is like the person who finds a phone on the street and sells it. Is it taking advantage of the former owner's foolishness for profit? Sure.

But the NSA is like someone who smashes in your home windows and steals all the electronics out of your house. That's a much graver attack. Even those that have tried to intelligently secure themselves are vulnerable to becoming its victims.

Morally speaking, Google's actions may at times be considered questionable. But they're a far cry from the NSA's acts which are downright despicable.

RE: Real Believable
By GulWestfale on 1/9/2014 7:37:03 PM , Rating: 3
yes, the NSA is worse than google, but google has illegally collected data using its streetview cars. these cars were equipped to collect data from wifi networks, and obviously this equipment wasn't installed and set up to collect data by accident.

as far as the NSA is concerned, they would not be able to collect nearly as much data if corporations weren't cooperating with them, and were trying to uphold the law instead of helping them break it.

RE: Real Believable
By Reclaimer77 on 1/9/14, Rating: -1
RE: Real Believable
By GulWestfale on 1/10/2014 7:47:33 AM , Rating: 1
so the german government is bad for trying to protect its citizens, which is its job, as a government??

RE: Real Believable
By Reclaimer77 on 1/10/2014 9:07:26 AM , Rating: 2
What? I think you're getting way off the point here dude. I never said that, that's not even the issue.

RE: Real Believable
By ven1ger on 1/13/2014 3:02:22 PM , Rating: 2
The German government should have mandated that vendors/manufacturers who sell commercial routers to have them secured from initial setup. Did Google do anything with this illegal data that was being collected from unsecured routers? Did Google steal any of the bandwidth off these unsecured devices, or mine the data off of them? But, it's okay for the actual thieves that steal your info or utilize the bandwidth off these devices.

It's kind of stupid to broadcast yourself to the neighbor and not expect someone will be listening. If the German gov't really wanted to protect people's privacy, then they should penalize the companies that sell these routers unsecured, but then again, maybe the German gov't wants to be able to spy on their citizens.

RE: Real Believable
By boobo on 1/10/2014 12:48:51 AM , Rating: 2
If "corporations" refused to cooperate, their executives would be charged at best with contempt and at worst with treason.

They got orders from a secret court to help. The one guy who refused to cooperate had to close his business.

RE: Real Believable
By Labotomizer on 1/9/14, Rating: -1
RE: Real Believable
By JasonMick on 1/9/2014 7:07:27 PM , Rating: 5
Absolutely. RSA is just playing a silly semantics game.

The company's founders left long ago, and in its modern corporate-owned incarnation, it is badly hurting for cash. It claims it "worked with the NSA", writing:
Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We made the decision to use Dual EC DRBG as the default in BSafe toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
Note they never deny incorporating the flaw for cash. They simply deny KNOWINGLY incorporating it.

Google sec researcher Damien Miller writes:
RSA wins the prize for Carefully Worded Press Release of the year
Precisely... none of us are fooled.

You tried to save your crappy company by selling out corporate security and public privacy. Now your sh!t company is losing money. Don't make excuses for what you did. You dug the grave with your lies. Now it's your time to lie in it. Good riddance.

RE: Real Believable
By Spuke on 1/9/2014 10:13:22 PM , Rating: 4
Precisely... none of us are fooled.
Yep, and after their refusal to (at least initially) answer Congress' questions, I will no longer defend them (I defended them by saying they have masters that approved what they do, we need to go after those people...which is true but maybe gutting them will serve as a lesson to Congress and the White House). Quite frankly, the only thing I'm surprised at is the interception of electronics to implant tampering devices. Woah!

And what is the NSA thinking? With their refusal? We'll just let that slide now? Really? LOL!

The message is clear. You're under the big hairy eyeball now.

RE: Real Believable
By The0ne on 1/10/2014 2:37:21 AM , Rating: 2

RE: Real Believable
By MozeeToby on 1/10/2014 10:15:16 AM , Rating: 3
It's not quite that simple. The backdoor the NSA introduced was in the form of very carefully selected non-random numbers in place of numbers that should have been selected randomly. The algorithm itself is basically sound, though there have been problems uncovered with it; it's the standardizing on these particular non-random seed values that opens the door completely. If you don't know what to look for it's exceedingly difficult to discover the relationship between them. Someone outside the NSA discovered the same vulnerability and went back and tested the numbers provided and lo and behold, against astronomical odds, the NSA-provided numbers just happen to provide a backdoor.

Now, on the other hand. Researchers had already uncovered the more minor flaws in the algorithm before RSA made the selection. That's one red flag right there. A much, much larger problem is that the NSA didn't describe how they chose their random numbers. They should have provided steps, including the use of an actual bona fide random number source, that RSA could follow to choose their own number. Instead they said "just use this" and RSA went along with it.

RE: Real Believable
By Spuke on 1/10/2014 1:03:46 PM , Rating: 2
Great info thanks!

RE: Real Believable
By asgallant on 1/10/2014 11:58:59 AM , Rating: 2
The problem here is not that they didn't check, it's that no one outside of the NSA thought that the algorithm using dual elliptic curves was breakable with current technology. Cryptography based on dual elliptic curve pseudo-random number generation has been around for a while, and was widely considered to be secure. I find it more surprising that the NSA was the only organization that found a way to break it; I expect that others (the Chinese, Russians, maybe some black hat hackers at the least) cracked it as well, but haven't been caught yet.

RE: Real Believable
By MozeeToby on 1/10/2014 5:38:25 PM , Rating: 2
They didn't break it so much as the version they provided was broken, extremely subtly. So subtle in fact that it's still an open debate if this back door even actually exists (personally I believe it does, for whatever that is worth).

The algorithm uses a few random numbers for the seed; even if you know what the numbers are, you can't break anyone's use of it; that would have been detected and flagged immediately. No, what the NSA did was provide some numbers for the seed that had a very special relationship with one another. Knowing the numbers, and the relationship, they can look at the last few random numbers out of the algorithm and guess the next one.

Did RSA know that such a thing was possible? At the time it was pure conjecture that such an attack was possible. It's since been shown to be practical by white hat researchers. You also need to keep in mind that one of the NSA's charters is to provide and strengthen publicly available cryptography. Offering their expertise to RSA was entirely appropriate and expected. That doesn't, IMO, wash away RSA's responsibility to do due diligence, which they failed to do when they didn't demand the details of how the "random" seed values were generated (or better yet, generate their own).
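
The relationship between the constants that MozeeToby describes in the two comments above can be shown on a toy curve. The following is an added example, not code from the original thread, from RSA, or from the standard: it builds a tiny elliptic curve (constructed here, far too small for real use), runs a generator with the published Dual EC structure (next state x(rP), output x(rQ), without the real DRBG's output truncation), and shows that whoever knows the "trapdoor" d with Q = d*P can recover the internal state from a single output and predict everything that follows. The point names P, Q, the trapdoor D and the helper names are assumptions of this example.

```python
"""Toy Dual EC DRBG: why the provenance of the P/Q constants matters.

Constructed example on a tiny curve; not RSA's, NIST's or the NSA's code.
"""
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P_MOD).
P_MOD, A, B = 97, 2, 3
INF = None  # the point at infinity


def add(p1, p2):
    """Elliptic-curve point addition in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(pt):
    """Smallest n with n*pt = INF (brute force is fine on this curve)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n


def points_with_x(x):
    """The curve points with this x-coordinate, if any (brute force over y)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]


def setup():
    """Pick P of maximal order, then a secret trapdoor d and Q = d*P."""
    best, best_n = INF, 0
    for x in range(P_MOD):
        for pt in points_with_x(x):
            n = order(pt)
            if n > best_n:
                best, best_n = pt, n
    d = next(k for k in range(2, best_n) if gcd(k, best_n) == 1)
    return best, best_n, d, mul(d, best)


P, N, D, Q = setup()  # the "standard" constants; only the designer knows D


def dual_ec_step(state, p=P, q=Q):
    """One generator step: returns (next_state, output)."""
    R = mul(state, p)
    if R is INF:
        raise ValueError("degenerate state on the toy curve")
    r = R[0]
    S, O = mul(r, p), mul(r, q)
    if S is INF or O is INF:
        raise ValueError("degenerate state on the toy curve")
    return S[0], O[0]


def recover_next_state(output, d=D, p=P, n=N):
    """With the trapdoor d, map one output x(rQ) back to x(rP), the next state.

    Since Q = d*P we have R = r*Q = r*d*P, so (d^-1 mod n)*R = r*P.
    On the real curve the attacker also brute-forces the truncated output bits.
    """
    e = pow(d, -1, n)
    for R in points_with_x(output):     # R and -R both give +/-(r*P): same x
        S = mul(e, R)
        if S is not INF:
            return S[0]
    return None


def demo(seed):
    """Two steps of the victim's generator versus the trapdoor holder's view."""
    state, out1 = dual_ec_step(seed)            # first output is observed
    guessed = recover_next_state(out1)          # recovered from out1 alone
    _, out2 = dual_ec_step(state)               # victim's next output
    _, predicted = dual_ec_step(guessed)        # trapdoor holder's prediction
    return {"true_state": state, "recovered_state": guessed,
            "true_output": out2, "predicted_output": predicted}


if __name__ == "__main__":
    for s in range(1, P_MOD):
        try:
            print(s, demo(s))
        except ValueError:
            pass  # seed hit the point at infinity on this tiny curve
```

Nothing in the generator's output reveals that Q = d*P; the only defence is the one MozeeToby names, namely demanding a verifiable procedure for how Q was produced (or generating it yourself) so that nobody can know d. On this toy curve d could of course be found by brute force, so the example only shows the mechanism, not the size of the real problem.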

RE: Real Believable
By milktea on 1/10/2014 12:49:47 PM , Rating: 2
As JasonMick has said, the RSA founders had left the company a long time ago. So RSA is probably run by NSA agents.

So those who held prominent positions at RSA should be worried. Because, I would guess that, they would be foreign intelligence's prime targets. Being an intelligence agent who is publicly known is a very scary position to be in. :|

Of course they are together
By wind79 on 1/9/2014 7:29:58 PM , Rating: 2
R SA and N SA, maybe they are sister companies to begin with...

NSA is Schizophrenic
By ralith on 1/10/2014 8:40:15 AM , Rating: 2
The NSA is tasked with both intercepting foreign communications and protecting US government communications from being intercepted and cracked. So half of them want to put back doors in the security standards, and the other half don't. Sorta funny if you think about it.

It does, however, make sense that a company/standards committee would be thrilled to get an algorithm from them since they employ a VERY large number of very smart cryptologists. I just would've thought if they were not in bed with the NSA they would've double checked and triple checked it for backdoors before using it.

Guess what NSA/FBI/CIA?
By Perry Tanko on 1/19/2014 4:47:26 PM , Rating: 1
You have undercut American security with the open ended spying techniques that will actually benefit the USA's enemies. China is good at finding security holes; no doubt they will find one of the backdoors and hit U.S. financial institutions or perhaps the backbone itself when we are most vulnerable.

Now, the only clear alternative to business as usual is for U.S. firms to set up companies overseas and develop new encryption standards that cannot be cracked or reverse engineered by the NSA/FBI/CIA.


Copyright 2016 DailyTech LLC.