We all remember Snowden's revelations regarding the support provided by RSA Security, a division of EMC, to the NSA. The leaked documents accused RSA of having deliberately inserted an alleged encryption backdoor into its BSafe software.
According to news published by the Reuters agency, documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers.
The flawed random number generator, Dual_EC_DRBG, was used to create a "back door" in popular encryption products. Reuters reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe, a security library installed on many personal computers.
According to the report based on the documents disclosed by Snowden, the NSA paid RSA a $10 million fee to adopt the flawed algorithm as the default choice in its products; RSA has always denied the claims.
A group of researchers from Johns Hopkins University and the University of Illinois has claimed that the choice of Dual_EC_DRBG was not an isolated decision: RSA also adopted another tool, the Extended Random extension for secure websites, at the suggestion of the National Security Agency.
The adoption of the Extended Random extension would allow the NSA to crack a version of the Dual Elliptic Curve software tens of thousands of times faster, Reuters reported.
“The professors found that the tool, known as the ‘Extended Random’ extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters. While Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.”
The researchers demonstrated that they could crack a free version of BSafe for Java in just one hour, using about $40,000 worth of computer equipment.
“It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins. The researchers said it took them less than 3 seconds to crack a free version of BSafe for the C programming language, even without Extended Random, because it already transmitted so many random bits before the secure connection began. And it was so inexpensive it could easily be scaled up for mass surveillance, the researchers said,” Reuters stated.
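To make the mechanism behind these figures concrete, here is an added toy illustration (not code from Reuters, the researchers or RSA) of how a Dual_EC_DRBG-style generator can be predicted by whoever knows the hidden relationship between its two curve points P and Q, and why every extra output bit an attacker gets to see cuts the brute-force work. It runs on the constructed textbook curve y^2 = x^3 + 2x + 2 over F_17 (19 points) instead of NIST P-256, drops the top bits of each output the way the real generator drops 16 of 256, and uses a made-up seed; all function and variable names are this example's own.

```python
# Added toy illustration of the Dual_EC_DRBG backdoor; not code from the article,
# Reuters, the researchers or RSA.  Curve, seed and bit widths are constructed.
from math import gcd

# Constructed textbook curve y^2 = x^3 + A*x + B over F_P_MOD with 19 points
# (prime order, so every finite point generates the whole group).
# The real generator uses NIST P-256 and drops the top 16 bits of a 256-bit x.
P_MOD, A, B = 17, 2, 2
X_BITS = P_MOD.bit_length()   # width of an x-coordinate on the toy curve (5 bits)
INF = None                    # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve, including doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = ec_add(cur, pt), n + 1
    return n


def points_with_x(x):
    """Both curve points with this x; an output reveals x but not the sign of y."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]


# Generator P and a Q chosen so that E*Q == P.  Whoever picked Q this way knows
# E; that hidden relationship is what the backdoor allegation is about.
P = (5, 1)
N = point_order(P)
E = next(e for e in range(2, N) if gcd(e, N) == 1)
Q = ec_mul(pow(E, -1, N), P)


def scalar(s):
    """Map a state (an x-coordinate) into 1..N-1 so that s*P is never INF."""
    return 1 + s % (N - 1)


def dual_ec_step(state):
    """One Dual_EC_DRBG block: s' = x(s*P); output the (untruncated) x(s'*Q)."""
    s_new = ec_mul(scalar(state), P)[0]
    return s_new, ec_mul(scalar(s_new), Q)[0]


def generate(seed, blocks):
    """Outputs of `blocks` consecutive steps from `seed` (top bits not yet dropped)."""
    outs, s = [], seed
    for _ in range(blocks):
        s, r = dual_ec_step(s)
        outs.append(r)
    return outs


def predict(state, blocks):
    """Outputs that follow once the generator's freshly updated state is known."""
    outs = []
    for _ in range(blocks):
        outs.append(ec_mul(scalar(state), Q)[0])
        state = ec_mul(scalar(state), P)[0]
    return outs


def recover_next_state(visible, visible_bits, later_outputs):
    """Attacker who knows E.  Given the low `visible_bits` of one output, guess the
    hidden top bits, lift each candidate x to a point R = s'*Q, and take
    x(E*R) = x(s'*P), which is the generator's next internal state.  Returns
    (number of candidate states tried, those that reproduce later_outputs)."""
    candidates = set()
    for high in range(1 << (X_BITS - visible_bits)):
        x = (high << visible_bits) | visible
        if x >= P_MOD:
            continue
        for R in points_with_x(x):
            nxt = ec_mul(E, R)
            if nxt is not INF:
                candidates.add(nxt[0])      # R and -R give the same x
    survivors = sorted(st for st in candidates
                       if predict(st, len(later_outputs)) == later_outputs)
    return len(candidates), survivors


if __name__ == "__main__":
    outs = generate(11, 5)                    # constructed seed 11
    for bits in (X_BITS, 3):
        tried, found = recover_next_state(outs[0] & ((1 << bits) - 1), bits, outs[1:])
        print(f"{bits} visible bits: tried {tried} state(s), survivors {found}")
```

With all five bits of one output visible the attacker is left with a single candidate state; with only three visible bits it has to try up to four, and the true state survives in both cases. At P-256 scale the same gap is 2^16 guesses per output block, which is consistent with the 65,000-times figure quoted above: a handshake that exposes a full block of generator output, as the researchers describe for BSafe-C and for Extended Random, removes that guessing step entirely.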
This case is yet another blow to the reputation of US intelligence.
(Security Affairs – RSA, NSA)