Feeds

Extended Random: The PHANTOM NSA-RSA backdoor that never was

Profs' paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell

Choosing a cloud hosting partner with confidence

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.

The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm used by default in BSafe. Dual EC DRBG is now known to be flawed, encryption that uses it is weakened, and the study sought to quantify exactly how useless the bit generator is.

But according to Reuters this week, this new academic study showed there was another dubious NSA-backed encryption system in BSafe besides Dual EC DRBG. The venerable news service kicked off its exclusive with:

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

That second tool, says Reuters, was Extended Random, a draft TLS extension supposedly designed to enhance the strength of encryption. Yes, it can, for example, be used by Dual EC DRBG in HTTPS connections – but there's no evidence BSafe ever shipped with support for that unloved extension. And the aforementioned study focused instead on proving how encryption using Dual EC DRBG can be cracked in mere seconds.

Indeed, in a draft copy of the study seen by The Reg, the authors of the paper stated:

For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way.

When El Reg spoke to the boffins behind the Dual EC DRBG study, there was some mystification as to what the fuss over Extended Random was all about.

"Extended Random was just something we encountered along the way," Stephen Checkoway, co-author of the study and assistant research professor at Johns Hopkins University in Maryland told The Register. "It wasn't the focus and it doesn't impact our major findings in any way."

The point of the study, he explained, was to show how easy it was to break BSafe's Dual EC DRBG-derived encryption using off-the-shelf components. With $40,000 of computer kit, encryption using the dodgy bit generator failed very quickly, but the researchers also found that if you were prepared to wait a very short time the same effect could be achieved with just $1,000 of hardware.

Extended Random (ER) is certainly contentious. It was proposed in 2008 by Margaret Salter, the then-technical director of the NSA's defensive Information Assurance Directorate, and drafted with the help of an independent expert. But the proposed extension expired before it could be accepted as a standard, and it turned out Extended Random simplified attacks on data encrypted using Dual EC DRBG, rendering it less than useful. ER, if enabled by a server, apparently speeds up an attack on Dual EC by a factor of up to 65,000.

ER wasn't even part of the C and C++ version of BSafe, Checkoway pointed out to us, and although it was in the Java version, it was disabled by default and the team had to tinker with the executables to enable it. ER was helpful in breaking Dual EC DRBG, but there's scant evidence anyone was actually using it – and the Internet Assigned Numbers Authority didn’t even assign it an official number.

The researchers behind the study used ZMap to discover how many public-facing servers were using the Java version of BSafe, and found that of the 28.1 million systems probed, only 720 were using the software with Dual EC DRBG enabled, and over a third of which were using one package - Apache Coyote/1.1.

In addition, a 2012 paper [PDF] by the International Computer Science Institute in Berkeley showed just 0.0013 per cent of 1.8 million SSL certificates studied supported, but not necessarily used, the Extended Random extension.

EMC, which owns RSA, wasn't willing to go on the record with El Reg on the use of ER in the public domain, but some interesting stats did come up during February's RSA 2014 conference in San Francisco. The company then pointed out that Dual EC DRBG (and thus ER) was one of its least-used generators in its portfolio, and the buyers were almost exclusively customers in the US government.

The short-lived draft ER, funded by the United States Department of Defense, does appear to be hopelessly flawed when used in conjunction with the dubious NSA-championed Dual EC DRBG algorithm. But it seems that the exclusive bombshell revelations about ER is less of a smoking gun and more of a damp squib. ®

Bootnote

Computer security analyst Daniel Miller has published an Nmap script to identify TLS (HTTPS) servers using Extended Random. We're told the academic research is to be published online soon.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.