Print 25 comment(s) - last by TSS.. on Dec 25 at 5:32 AM

RSA responded saying that it had no idea the NSA algorithm was flawed

Former U.S. National Security Agency (NSA) contractor Edward Snowden has brought many NSA secrets to light this year, the most recent being a "secret" contract between the agency and security industry leader RSA. 
According to more documents leaked by Snowden, the NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software (which is widely used in personal computers and other products) to obtain "back door" access to data. 
The RSA software that contained the flawed formula was called Bsafe, which was meant to increase security in computers. The formula was an algorithm called Dual Elliptic Curve, and it was created within the NSA. RSA started using it in 2004 even before the National Institutes of Standards and Technology (NIST) approved it. 
According to the RSA, it had no idea that the algorithm was flawed, or that it gave the NSA back door access to countless computers and devices. The NSA reportedly sold the algorithm as an enhancement to security without letting the RSA in on its real intentions. 
In fact, RSA responded to media reports about its contract with the NSA, saying it was never secret at all. It said the fact that RSA worked with NSA was always made public, but that RSA had no idea the government agency was actually sabotaging its encryption product. 

"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries.  We categorically deny this allegation," said RSA in a blog post.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security."

Many in the security community were surprised at RSA's entanglement with the NSA, but the latest news of a $10 million contract as well has really shocked the industry.

RSA is known as a pioneer in the realm of computer security, and has notoriously fought off the NSA in previous attempts at breaking encryption. 

Back in the 1990s, RSA -- which was started by MIT professors in the 1970s and is now a subsidiary of EMC Corp. -- rallied against the Clinton administration's "Clipper Chip," which was supposed to be a required component in computers and phones that would allow government officials to bypass encryption with a warrant.

RSA created a public campaign against the Clipper Chip, and it was eventually tossed out. However, it resorted to export controls to stop enhanced cryptography from crossing U.S. borders, and RSA fought further. RSA then established an Australian division that could ship the products it wanted.

RSA told customers to stop using the NSA formula in Bsafe when NIST issued new guidance in September 2013.

Source: RSA

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Not a day goes by...
By MrBlastman on 12/23/2013 1:19:40 PM , Rating: 5
That I'm further disgusted by all of this. When that buffoon, Alexander went on 60 Minutes a week ago lying with a straight face to all of America, it was a crime. It was a crime against the Constitution and the Flag that we all live under.

The crazy part is, he might actually believe he wasn't lying. He might truly believe he's doing it for the better. He also might not believe in the Constitution--as in one of those idiots who thinks the Constitution has outlived its usefulness and needs to be "revised."

And now this, with the RSA. I can't say that I am surprised. I'm not. It makes perfect sense that the NSA would slip in faulty code. Such is the nature of security crazies who want Police everywhere in our lives.

The crime is that while there are security/police people who actually believe they are doing it for the good--there are many in power that want to do it... and increase it... for more power. They think they are doing it to better everyone, much like books were burned in Fahrenheit 451.

What the NSA has done here with RSA, well, I can't help but believe they've done it elsewhere, too. Who knows how deep this web of deception and subterfuge has gone. This deceit, well, when will it be punished?

The Pentagon considers our Founding Fathers terrorists. I dare say the Pentagon is wrong. The true terrorists are within our own borders. They are walking among us. They look like us. They talk like us. The eat, sleep and be like us. They are in our Government and every single time they turn a blind eye to our Constitution, they commit another terrorist act against all of America. These are the terrorists! They are the ones we should be fighting.

So I ask simply: When will all these false prophets be held accountable? They're the ones who should be strung up or taken out by drone-strikes. Not hardworking, innocent Americans. We should hold them to the spirit of our Constitution!

It bothers me that nearly any form of computer cryptography could have been violated by the NSA. Well, any form that is sold by a major company. But then, there are probably plenty of free ones out there that have been "planted," too. Until we start trying these criminals in the NSA and Washington, nothing will change.

RE: Not a day goes by...
By Argon18 on 12/23/2013 1:26:23 PM , Rating: 3
"The Pentagon considers our Founding Fathers terrorists."

If you want to point the finger, it should be pointed at the top. One of Obama's biggest campaign promises was "bringing accountability to Washington!" yet he's done the exact opposite. Whether it's the Fast n Furious scandal putting thousands of assault weapons into drug cartel hands, or the $Billions in public debt he's created, or the flubbed Guantanamo trials, or failed ObamaCare rollout, or this spying on Americans that Snowden exposed, Obama has failed miserably at "bringing accountability to Washington".

In fact, in each of those examples, nobody got fired, nothing changed, Obama claimed he has "complete confidence" in the people behind these colossal screw-ups. Obama and his cronies and appointees are a pack of criminals taking a shit on the American people.

RE: Not a day goes by...
By MrBlastman on 12/23/2013 1:31:55 PM , Rating: 2
Indeed, they are, and our people are bending over and taking it, because they are being told it is all "okay."

RE: Not a day goes by...
By KCjoker on 12/23/2013 6:17:51 PM , Rating: 3
I'm just glad the media is reporting and calling out Obama for all those things. /sarcasm

RE: Not a day goes by...
By name99 on 12/23/2013 8:50:54 PM , Rating: 4
Hell, why didn't you add Benghazi in there and get the wing nut trifecta?

Your overall point makes sense, but you lose credibility by immediately then plunging into a morass of conspiracy theories, irrelevancies, and half-baked understandings of what's specifically relevant to the Obama administration and what has been part of the Washington consensus for at least thirty years.

RE: Not a day goes by...
By integr8d on 12/24/2013 12:33:35 AM , Rating: 2
Wake up homey. There's no such thing as a conspiracy theory anymore; only possibilities. And anyone who considers any of this stuff to be outside of the possible, well, good luck.

What is directly relevant to Obama is no different than what encompasses DC. People point at Obama because Obama currently runs these departments. So it's appropriate. We can track back to who did what and when. And yes, that's all still relevant. But Obama is in a direct position to change the direction now. So it falls on him. And it falls on his supporters to apply pressure.

RE: Not a day goes by...
By Argon18 on 12/24/2013 4:50:10 PM , Rating: 1
I guess you were taking a nap between 2000 and 2008, when the left-wing nuts took the "blame Bush" approach to everything under the sun. I got a parking ticket; it's Bush's fault!!111

RE: Not a day goes by...
By TyroneJ on 12/23/2013 4:38:22 PM , Rating: 2
Whether Alexander believes he wasn't lying is irrelevant. No Evil Person believes they are evil. Hitler, General Alexander, Idi Amin, Stalin, Pol Pot, Bin Laden all believed they were working for a higher purpose. That is what makes Evil so dangerous - it's minions believe they are doing good, and so their ends justify their means.

RE: Not a day goes by...
By Argon18 on 12/23/2013 5:40:20 PM , Rating: 2
"and so their ends justify their means"

This concept is the common thread amongst evil. It is the justification for torture, terrorism, and even the common thief. How many common crooks have justified their theft or robbery by claiming they were only "doing it for their kids, doing it to feed their family" or some other similar nonsense.

Similarly, this is how Obama and his cronies justify their illegal actions.

RE: Not a day goes by...
By comrade65 on 12/23/2013 6:45:12 PM , Rating: 5
The real crooks are the gang of shrub, (what else do you call a little bush), who started all this garbage with their phony crisis about everything and their endless, illegal and expensive wars that were all done 'off budget' so we wouldn't see the true cost until they were out of office. Those wars are where the huge budget deficit came from. If you believe anything else, I've got a bridge in New York you can buy. Remember the pictures of Rumsfailed shaking hands and laughing with Saddam Hussein? Remember the pictures of bush planting a lip-lock on the Saudi king? Remember Cheney saying; "Deficits don't matter!"? Those were the real criminals who started all this garbage!

RE: Not a day goes by...
By Solandri on 12/24/2013 5:52:36 AM , Rating: 2
There's a good comic for people who think like you do:

Regardless of who started it, someone in power who continues it is just as complicit. "Billy started it, I just followed him" was never a valid excuse when you were a kid, and it isn't a valid excuse in adulthood.

RE: Not a day goes by...
By Argon18 on 12/24/2013 4:58:13 PM , Rating: 2
"Those wars are where the huge budget deficit came from."

One of Obama's campaign platforms was the $5 Trillion in public debt that GWB added. B.O. had this to say in response to the Bush administration's deficit and debt:

"The fact that we are here today to debate raising America’s debt limit is a sign of leadership failure. It is a Sign that the US Government cannot pay its own bills. It is a sign that we now depend on ongoing financial assistance from foreign countries to finance our Government’s reckless fiscal policies. ... Increasing America’s debt weakens us domestically and internationally. Leadership means that 'the buck stops here'. Instead, Washington is shifting the burden of bad choices today onto the backs of our children and Grandchildren. America has a debt problem and a failure of leadership. Americans deserve better."

Keeping in mind that GWB increased debt by $5T in his 8 years, can you not see the hypocrisy in that fact that Obama increased the debt by an additional $5T in just 4 years. We still have the second term of this joker to finish out, who knows how many more $Trillions he's going to add. B.O. is a liar and a fraud and we are all paying the price for his incompetence.

RE: Not a day goes by...
By TSS on 12/25/2013 5:32:36 AM , Rating: 2
HAH. Yeah, i'm sure the $758 billion stimulus program obama enacted in 2009 had nothing to do with it. That's just about the entire Iraq war there.

When are you people going to figure out it's not just the republicans, or the democrats, but both parties are equally to blame? Not to mention it goes back for many, many, MANY years before bush.

Why did bush run deficits? It's very, very simple: Because Clinton was the last person to steal from social security. How else do you think he "balanced the budget"? He didn't balance anything, he did just 2 things: 1. Steal the last of the actual money from social security (now filled with $2,6 trillion worth of treasuries, or IOU's from the government, causing a drag on the budget because of yearly payments), and 2. Convert the vast majority of US debt, which then had an average maturity of 15+ years, to short term debt which carries much lower rates,saving money on interest rates, but also meaning now more then half of US debt matures under 3 years. If it wasn't for this combined with ZIRP from the Fed, interest on national debt would've already cost $1+ trillion a year. Which it will anyway if rates go back up to the historical average of 6,6%.

Oh now you think the democrats did it? What about Reagan who introduced deficit spending? There's hardly been a president who ran up the debt faster percentage wise then reagan, including bush and obama.

I've said it before (and was ridiculed for it) but i'll say it again. You want to look at the last fiscally responsive president? Jimmy carter. During the oil shocks he saw what the amount of credit present in the US economy had for effect and raised interest rates through the roof to stop it. And yknow what, he would've succeeded had he'd been re-elected, the rates would've come down naturally, credit would've been rained in, and NONE of the current fiscal problems would've been problems. Bush could've started 2 additional wars and the budget would've been *fine*.

But no. The American people decided they didn't like hardship. So they elected Nixon instead, first thing he did was drop the interest rates and resume the expansion of credit and whodathunkit, the economy "recovered". Also he had to drop the gold standard 3 years later because of this very fact, too much money vs gold in circulation. Gee, i wonder how that happened.

If it's the fault of ANYBODY, it's the fault of the american people as a whole. Vote republican. Vote democrat. But whatever you do, don't educate yourself. Just blame the other guy. Meanwhile, steal from your children, go on, they can't defend themselves anyway. You say your government are criminals? Well i say:

"Every nation get's the government it deserves".

By Ammohunt on 12/23/2013 12:23:30 PM , Rating: 2
Selinux is also a product of the NSA makes you wonder.

RE: selinux
By JasonMick on 12/23/2013 1:15:00 PM , Rating: 1
Selinux is also a product of the NSA makes you wonder.
If true, this could compromise much of the internet's supposed security, as SSL certificates use ECDSA.

This could be hugely exploitable, not just to the NSA, but to any cybercriminal who can reverse engineer the flaw.

And here we have yet one more reason why Microsoft, Google, et al. are currently handling the NSA like a well-funded cybercriminal.

The agency is clearly using traditionally criminal tactics, e.g. digital insider sabotage and such.

RE: selinux
By Argon18 on 12/23/2013 1:18:28 PM , Rating: 1
As the 800 lb gorilla, you are delusional if you think Microsoft does not have NSA back-doors in its products. The press release spokesperson at Microsoft of course has plausible deniability. Besides, isn't saying "Microsoft" and "security" in the same sentence an oxymoron?

RE: selinux
By Argon18 on 12/23/2013 1:20:30 PM , Rating: 3
Microsoft is pretty good about putting exploitable back-doors into its own products, it doesn't need the NSA's help for that. Lol.

RE: selinux
By GulWestfale on 12/23/2013 2:33:28 PM , Rating: 3
ah, i miss the days when searching for "NSA back door access" meant browsing through craigslist looking for desperate hookers...

RE: selinux
By edelbrp on 12/23/2013 5:27:11 PM , Rating: 4
SELinux is a sort of sandboxing function in the kernel. The NSA implemented it to meet internal requirements and they released it as open-source. It has been rewritten and picked apart over the last 13 years. It would be incredible if any sort of elaborate backdoor were still in existence (if there ever was one). Still, though, it does raise some eyebrows.

By fic2 on 12/23/2013 4:24:58 PM , Rating: 2
Collusion or incompetence. Which is it?

RE: So...
By edelbrp on 12/23/2013 5:16:27 PM , Rating: 2
The NSA had a history (at the time) for being a very positive source of security practices and standards/software. Dual Elliptical at the time was considered pretty solid, although some researchers were studying it and raising questions. Obviously the NSA knew more. It will be very interesting to see if more information comes out indicating at what point and under who's authority the NSA went 'bad'.

RE: So...
By Solandri on 12/24/2013 6:11:56 AM , Rating: 3
This. Back in the 1970s, the cryptography community made DES the standard encryption scheme for a multitude of government and private applications. The NSA was involved in its development and at one point they said "don't use keys within this range of numbers." They didn't explain why, they just said not to use those keys.

That led to some speculation that NSA knew how to crack DES except for keys in that range. But 15 years later the public cryptographic community discovered differential crytanalysis. And lo and behold, the keys within that range were vulnerable to attack by differential crytanalysis.

So what had happened was that NSA had discovered differential crytanalysis long before the public. And when DES was being standardized, they made sure the keys which were weak to it were excluded from the possible key base of DES. They strengthened DES, not weakened it.

That earned them a lot of street cred with the cryptography community, and until recently there was very little evidence to counter that good karma NSA had built up. While some people questioned dual elliptical curves, you have to remember that there are always people who question anything. Without evidence to the contrary, you have to go with what history says. And history said NSA was trying to strengthen crytographic standards, not weaken them.

It will indeed be interesting to see who was responsible for this within NSA. This isn't something you can keep secret forever. Eventually public research would have figured it out, probably within a decade or two. And at that point your credibility is shot, perhaps forever. That's an awfully big price to pay for something of time-limited value.

Avoid RSA
By Aberforth on 12/23/2013 1:33:20 PM , Rating: 2
Many still use this creepy double elliptic Logmein for instance.

RE: Avoid RSA
By edelbrp on 12/23/2013 5:01:20 PM , Rating: 2
It isn't a cipher, it is a pseudo random number generator. Modern OSs these days use a combination of entropy sources that feed a 'pool', including hardware generated random numbers. It would be very odd for Logmein to opt to use its own random number generator, but possible. I'm rather curious how you would know that Logmein uses Duel Elliptical, yet get random number generation confused with cipher algorithms?

By TheJian on 12/25/2013 4:00:26 AM , Rating: 2
If you really didn't understand they were back-dooring your software then I REALLY can't trust you know what you're doing.

A security firm who can't see a backdoor when it smacks them in the face is by definition NOT a security firm right?

"University professor Matthew Green suggested that RSA Security (or an RSA Security employee) was pressured by the U.S. government to use it.

So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow — which has real performance implications — it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.
—Matthew Green, cryptographer and research professor at Johns Hopkins University

Even the college professor thinks your full of it. So you're either too stupid to run a security company (employs HIGHLY distinguished cryptographers remember!), or you ALLOWED a backdoor. I believe they knew exactly what was happening and it seems the cryptography professor thinks the same. I don't see how you can't know this as an authority on the subject. Isn't that like saying Einstein doesn't know what E=MC^2 is when he's the one who came up with it? RSA came up with much of the security we use today, but has no idea what security is or how to keep their own stuff secure? Did they write the code for this stuff or YOU? Even if THEY did, you didn't look at it before you put it in your products? YOU KNEW. PERIOD.

Either way I now want you out of business and not in control of any security period. Snowden looks better every day, while the exact opposite is true of our govt and the people running it. Every day they grow even more guilty than the day before. More and more it looks like a bunch of people are upset that some dude outed their ILLEGAL actions. I'm pretty sure the founding fathers would think Snowden was a hero, and our Govt is full of traitors. We don't need the constitution stepped on "for our own safety", but we DO need the constitution to keep us safe from YOU. And for those about to say Snowden put a bunch of people in danger...Would they be in any danger (BS but whatever) if the Govt hadn't broken laws that he outed? Would he be in the news if there was NOTHING TO OUT? YOU put them in danger, not the guy who uncovered it. YOU put them in danger by BREAKING THE LAW to begin with.

If it's so important to nail Snowden for "breaking the law", why isn't it just as important to put all of those that clearly BROKE the law behind bars too (lying under oath, tapping everyone etc)? Why do you get a pass? Because you decided the constitution doesn't mean squat and your ILLEGAL actions are OK in your own minds "for our safety"?? Heck, I guess we live in chaos then, where we all decide to follow only the laws we LIKE, and screw the ones we don't. If a country has lost trust in USA, blame yourselves for breaking laws everyone THOUGHT we followed.

If you keep printing FAKE money (backed by nothing but faith soon if not already, devaluing it with every printing) nobody will believe in the dollar soon either.

Merry Christmas to everyone but Congress+Obama (oh and the people running obamacare site) I hope santa leaves these people some coal from now until the end of time ;)

"Young lady, in this house we obey the laws of thermodynamics!" -- Homer Simpson
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki