RSA sold out to the NSA for 10 million

[The Illusive Man]

Yet another nasty secret revealed by Snowden leaks! Really RSA, you sold out for only ten million dollars? At least tack another zero in to your price, have a spine after all.

TL:DR version from Reuters:

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.

Even notice that when groups go into the private sector they go bad? Thankfully my PGP key is a Diffie-Hellman/DSS not RSA because of proper paranoia. The flawed algorithm Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) was implemented in the BSAFE library. This means trouble for the following huge list of companies because all their listed software had been using Dual_EC_DRBG. TL:DR anything using Dual_EC_DRBG to generate random data for encryption or FIPS integrity checking is fucked.

The following companies and corresponding software are affected:

(click to show/hide)

Cisco Systems, Inc.: encryptionIOS Algorithms, ACT-2Lite, CiscoSSL FIPS Object Module (Assembler), IOS Common Cryptographic Module (IC2M) within Cat4K, Cisco IOS-XE, ONS Encryption Card Firmware Algorithms, ONS Controller Card Firmware Algorithms, Adaptive Security Appliance OS, Cavium Nitrox PX (CN1520), Cavium Nitrox PX (CN1610), Adaptive Security Appliance Onboard Acceleration, DRBG, IOS-XE Cryptographic Implementation and MOAR!

Microsoft Corporation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations.

Apple: Apple iOS CoreCrypto Module, Apple iOS CoreCrypto Kernel Module, Apple OSX CoreCrypto Module

Check Point Software Technologies aka the company that owns zonealarm!: Check Point Crypto Core, Check Point Security Gateway, VSX, Provider-1, Security Management.

Aruba Networks, Inc.: libancrypto.a

Symantec Corporation: Symantec Cross-Platform Cipher Engine, Symantec SymCrypt Cipher Engine.

Blackberry: BlackBerry Cryptographic Kernel, BlackBerry Cryptographic Algorithm Library, BlackBerry Algorithm Library for Secure Work Space

McAfee, Inc.: McAfee Firewall Enterprise 64-bit Cryptographic Engine Virtual and physical, ePO Agent Handler Cryptographic Module, RSA BSAFE Crypto-J, McAfee Linux OpenSSL

VMware, Inc.: VMware Java JCE (Java Cryptographic Extension) Module, VMware NSS Cryptographic Module .

IBM: IBM LTO Ultrium 6 Cryptographic Firmware Library (Lol this is for tape drives), ICC Algorithmic Core on Windows, TS1140 Cryptographic Firmware Library

Intel Corporation: QuickAssist Technology Software Library for Cryptography on the Intel® Communications Chipset 89xx Series.

Motorola Solutions, Inc.: OpenSSL Crypto library-DRBG

Oracle America, Inc.: T10000C CTR DRBG

Toshiba Corporation: Toshiba Secure Cryptographic Suite for Enterprise SSD, Toshiba Secure Cryptographic Suite for Mobile HDD

Hewlett Packard India Software Operations Pvt Ltd: HP-UX Kernel Cryptographic Module.
Hewlett–Packard Development Company, L.P.: HP NSVLE C API Library

OpenSSL Software Foundation, Inc.: OpenSSL FIPS Object Module

Samsung Electronics Co., Ltd: Samsung OpenSSL Cryptographic Module
AND MANY MOAR!

But wait, there’s MOAR courtesy of  Sam Curry, RSA’s chief technology officer.

RSA actually added the algorithm to its libraries in 2004 or 2005, before NIST approved it for the standard in 2006 and before the government made it a requirement for FIPS certification, says Sam Curry, the company’s chief technology officer. The company then made it the default algorithm in BSafe and in its key management system after the algorithm was added to the standard. Curry said that elliptic curve algorithms were all the rage at the time and RSA chose it as the default because it provided certain advantages over the other random number generators, including what he says was better security.

“Cryptography is a changing field. Some algorithms go up and some come down and we make the best decisions we can in any point in time,” he says.”A lot of the hash-based algorithms were getting struck down by some weaknesses in how they chose numbers and in fact what kind of sample set they chose for initial seeding. From our perspective it looked like elliptic curve would be immune to those things.”

Curry says the fact that the algorithm is slower actually provides it with better security in at least one respect.

“The length of time that you have to gather samples will determine the strength of your random number generation. So the fact that it’s slower sometimes gives it a wider sample set to do initial seeding,” he says. “Precisely because it takes a little longer, it actually winds up giving you more randomness in your initial seeding, and that can be an advantage.”

Now for some hilarity, two Microsoft employees (Dan Shumow and Niels Ferguson) discovered this in 2007 and no one listened! Their presentation, On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng  PDFversion here, was downplayed by Microsoft and Jon Callas, the CTO of Silent Circle. Callas who now looks like an ass stated that:

“If [NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them,” he says. “Because this was really ham-fisted. When you put on your conspiratorial hat about what the NSA would be doing, you would expect something more devious, Machiavellian … and this thing is just laughably bad. This is Boris and Natasha sort of stuff.”

[Ironchew]

Sounds like the NSA paid for an exploit of a known flawed implementation of RSA, not a fundamental weakness of RSA itself. That's what Shor's algorithm is for; just build a reliable quantum computer with enough qubits first.

[The Illusive Man]

F-secure rage quit RSA's 2014 confrence because of this.

As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.

Aptly enough, the talk I won’t be delivering at RSA 2014 was titled "Governments as Malware Authors".

I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.

Sincerely,

Mikko Hypponen
Chief Research Officer
F-Secure