NSA Allegedly Paid RSA $10M To Implement Flawed Cryptography Standard


News Posted: Sat, Dec 21 2013 12:45 AM
According to a new report, the NSA once paid the RSA Security $10M to implement a flawed security standard as the default protocol in its products. This new information builds on allegations from September that claimed the RSA had deployed a flawed, broken cryptographic standard. The new allegations, like much of what we've learned about the modern National Security Agency, come from the files one-time Booz Allen contractor Edward Snowden began releasing this spring. If true, the blowback could destroy the RSA's credibility in the cryptographic world.

The practical fallout from this news is likely to be relatively small. The standard in question is called Dual_EC_DRBG. It was first put forward as a standard for performing elliptic curve cryptography. It came under suspicion almost immediately -- of the four algorithms the National Institute of Standards and Technology recommended for cryptography at the time, Dual_EC_DRBG was three orders of magnitude slower than the other three. Researchers suspected as early as 2006 that the code contained a back door and proved it was statistically flawed by 2007.

None of that, however, stopped the RSA from making Dual_EC_DRBG its standard cryptographic algorithm for many of its products over the past few years. What that means, in essence, is that the standard was deliberately broken and the NSA could trivially penetrate any data secured with it. Being caught flat-footed was bad enough for RSA -- once news of the backdoor was confirmed, the firm quickly warned its customers to cease using the encryption method with its bSafe line of products.

Bad cryptographic recommendations are one thing. Accepting $10M to deliberately implement a flawed standard is something else altogether. As you can imagine, the RSA is tripping over itself to disclaim the allegations, telling Reuters "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

Others have claimed that RSA Security was fooled by the NSA, and that the organization didn't show its true hand when it paid RSA to implement the flawed standard. Normally, that would be little more than an exceptionally convenient excuse -- but there are historical reasons to think it might be true.

A Different Era

Back in the 1970s, when the encryption standard DES (Digital Encryption Standard) was being developed, the NSA stepped in and made certain recommendations and changes to the proposed implementation. For decades, cryptographers suspected that the NSA had used its knowledge of the cipher to weaken the DES standard. In the mid-1990s, research emerged proving that the opposite was true.

By the late 1970s, the NSA was aware of a then-new type of cryptographic attack called differential cryptanalysis. DES, in its original form, was highly vulnerable to this new attack vector. The NSA patched the standard to harden it, and then told no one what it knew. Code that looked suspicious, to outside analysis, was actually proven to be tremendously helpful.

Given this, it's not hard to see how the RSA might have thought that the NSA was offering improvements that actually were improvements, even if they looked suspicious. Whether the company was actually hoodwinked or is falling back on an excuse is still unknown. And regardless of the RSA's complicity, it shows the shift in mentality at the NSA. Over the space of 30 years, the organization went from securing America's cryptographic standards to actively working against them.
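The post says the standard was "deliberately broken" without showing how. The following toy-sized model of the Dual_EC_DRBG structure is an added illustration, not code from the post, from RSA or from NIST: whoever chose the "standard" constants P and Q also knows a number e with P = e*Q, and with it one truncated output is enough to recover the generator's next internal state and predict everything it produces afterwards. The prime, curve, trapdoor value and seed are all constructed for this demonstration; real Dual_EC used a 256-bit NIST curve and dropped 16 bits per output, which changes the cost but not the shape of the problem.

```python
# Toy Dual_EC_DRBG (added example with constructed parameters; not code from the post, RSA or NIST)
P_MOD = 1000003     # prime with P_MOD % 4 == 3, so a square root of v is v^((p+1)/4)
A, B = 3, 7         # constructed toy curve y^2 = x^3 + 3x + 7 over F_P_MOD
DROP, KEEP = 8, 12  # each output keeps the low 12 of an x-coordinate's 20 bits
def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    num, den = (3*x1*x1 + A, 2*y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x3 = (lam*lam - x1 - x2) % P_MOD
    return x3, (lam*(x1 - x3) - y1) % P_MOD
def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def xcoord(pt):
    return pt[0] if pt else 0
def lift_x(x):  # a curve point with this x-coordinate, or None if there is none
    if x >= P_MOD: return None
    rhs = (x*x*x + A*x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y*y % P_MOD == rhs else None

# The published "constants": Q is just some curve point; whoever chose them also knows e with P = e*Q.
Q = next(pt for pt in map(lift_x, range(2, P_MOD)) if pt)
TRAPDOOR_E = 104729  # constructed secret; users of the generator never see it
P = ec_mul(TRAPDOOR_E, Q)

def dual_ec(state, n):  # r = x(s*P); output = truncated x(r*Q); next state = x(r*P)
    outs = []
    for _ in range(n):
        r = xcoord(ec_mul(state, P))
        outs.append(xcoord(ec_mul(r, Q)) & ((1 << KEEP) - 1))
        state = xcoord(ec_mul(r, P))
    return outs, state

def recover_state(outs, e=TRAPDOOR_E):
    # Holder of e: enumerate the dropped bits of the first output, lift to R = r*Q, then
    # x(e*R) = x(r*P) is the next state; the later outputs confirm which candidate is right.
    cands = set()
    for hi in range(1 << DROP):
        R = lift_x((hi << KEEP) | outs[0])
        if R is None: continue
        s_next = xcoord(ec_mul(e, R))
        if dual_ec(s_next, len(outs) - 1)[0] == outs[1:]:
            cands.add(s_next)
    return cands
```

Without e, recovering the state means solving a discrete logarithm on the curve; with it, the work is a loop over the dropped bits, which is why a generator whose constants come from an untrusted party cannot be trusted regardless of how the rest of the algorithm looks.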
Dave_HH replied on Sat, Dec 21 2013 10:45 AM

Not surprising but pretty disturbing.

Editor In Chief
http://hothardware.com


News:
telling Reuters "RSA always acts in the best interest of its customers..."

And the NSA is the customer.

SPAM-posters beware! ®

realneil replied on Sat, Dec 21 2013 8:09 PM

RSA is either extremely smart, or extremely stupid.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.


Since 9/11 it's the War on Terror

One "false flag" attack so called by error

Blair, Bush, and Israel had a Pact in store

Their next surprise is knocking at your door

A hidden vile Idea from those who want "more"

will use you and your Belief for the next World War

As "chosen people" gain while Humankind loses

Greed wins not by the swords but by the words of Moses

Daring is to tell you when, better than to tell you rhymes

could not side with either one to get ready for our times

to look beyond and past today to seek for a solution

one only hope is there for you and spells Wavevolution

.........

A new type of Revolution wins with the ultimate weapon:

Your Mind

http://www.wavevolution.org/en/humanwaves.html
