Extended Random: The PHANTOM NSA-RSA backdoor that never was

Profs' paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.

The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm used by default in BSafe. Dual EC DRBG is now known to be flawed, encryption that uses it is weakened, and the study sought to quantify exactly how useless the bit generator is.

But according to Reuters this week, this new academic study showed there was another dubious NSA-backed encryption system in BSafe besides Dual EC DRBG. The venerable news service kicked off its exclusive with:

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

That second tool, says Reuters, was Extended Random, a draft TLS extension supposedly designed to enhance the strength of encryption. Yes, it can, for example, be used by Dual EC DRBG in HTTPS connections – but there's no evidence BSafe ever shipped with support for that unloved extension. And the aforementioned study focused instead on proving how encryption using Dual EC DRBG can be cracked in mere seconds.

Indeed, in a draft copy of the study seen by The Reg, the authors of the paper stated:

For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way.

When El Reg spoke to the boffins behind the Dual EC DRBG study, there was some mystification as to what the fuss over Extended Random was all about.

"Extended Random was just something we encountered along the way," Stephen Checkoway, co-author of the study and assistant research professor at Johns Hopkins University in Maryland told The Register. "It wasn't the focus and it doesn't impact our major findings in any way."

The point of the study, he explained, was to show how easy it was to break BSafe's Dual EC DRBG-derived encryption using off-the-shelf components. With $40,000 of computer kit, encryption using the dodgy bit generator fell very quickly, and the researchers also found that anyone prepared to wait a little longer could get the same result with just $1,000 of hardware.

Extended Random (ER) is certainly contentious. It was proposed in 2008 by Margaret Salter, the then-technical director of the NSA's defensive Information Assurance Directorate, and drafted with the help of an independent expert. But the proposed extension expired before it could be accepted as a standard, and it turned out Extended Random simplified attacks on data encrypted using Dual EC DRBG, rendering it less than useful. ER, if enabled by a server, apparently speeds up an attack on Dual EC by a factor of up to 65,000.

ER wasn't even part of the C and C++ versions of BSafe, Checkoway pointed out to us, and although it was in the Java version, it was disabled by default and the team had to tinker with the executables to enable it. ER was helpful in breaking Dual EC DRBG, but there's scant evidence anyone was actually using it – and the Internet Assigned Numbers Authority didn't even assign it an official extension number.
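To show why the researchers could break Dual EC at all, and why an extension like ER that exposes more raw generator output makes the job cheaper, here is a constructed toy of the generator and the state recovery. It is an added example, not code from BSafe or the paper: it runs on the tiny curve y² = x³ + 4x + 20 over F_29 (prime order 37, a Hankerson/Menezes/Vanstone textbook example) with a made-up secret D relating the two constants, and it drops high bits of each 5-bit output instead of the 16 bits real Dual EC truncates from 256-bit values, which is where a factor of roughly 2^16 ≈ 65,000 comes from.

```python
# Toy Dual EC DRBG (constructed example, not BSafe's code) on y^2 = x^3 + 4x + 20 over F_29.
P_MOD, A, B, INF = 29, 4, 20, None      # prime-order-37 curve; INF is the point at infinity

def add(p1, p2):  # affine addition; handles doubling and the point at infinity
    if p1 is INF or p2 is INF: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF
    num, den = (3*x1*x1 + A, 2*y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD)
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def xcoord(pt): return 0 if pt is INF else pt[0]
def lift_x(x):  # a point with x-coordinate x, or None (brute force is fine on a toy curve)
    rhs = (x**3 + A*x + B) % P_MOD
    return next(((x, y) for y in range(P_MOD) if y*y % P_MOD == rhs), None)

Q, D = (1, 5), 7            # public constant Q; D is the hidden relation P = D*Q (assumed)
P_PT = mul(D, Q)            # public constant P; a user of the generator never sees D
def truncate(r, exposed): return r & ((1 << exposed) - 1)   # keep only the exposed low bits

def dual_ec_step(state):  # next state via P, raw output block via Q
    state = xcoord(mul(state, P_PT))
    return state, xcoord(mul(state, Q))

def recover_state(out, next_out, exposed):
    """Knowing D: guess the hidden high bits of an output r = x(s*Q), lift r to a
    point R, then x(D*R) = x(s*P) is the next state. Returns (candidates, guesses)."""
    found, guesses = [], 0
    for hi in range(1 << (P_MOD.bit_length() - exposed)):
        guesses += 1
        r = (hi << exposed) | out
        pt = lift_x(r) if r < P_MOD else None
        if pt is None: continue
        s_next = xcoord(mul(D, pt))
        if truncate(xcoord(mul(s_next, Q)), exposed) == next_out:  # consistent with next output?
            found.append(s_next)
    return found, guesses

def demo(exposed, seed=2):  # leak `exposed` low bits of two consecutive outputs
    s1, r1 = dual_ec_step(seed)
    s2, r2 = dual_ec_step(s1)
    cands, guesses = recover_state(truncate(r1, exposed), truncate(r2, exposed), exposed)
    return s2 in cands, guesses, cands   # (true next state recovered?, work, candidates)
```

Compare `demo(5)` (every output bit visible: one guess, one candidate) with `demo(2)` (three bits hidden: eight guesses and a spurious candidate); the work is 2^hidden either way, which is why a generator whose constants might share such a relation cannot be trusted and why exposing more raw output only helps the holder of D.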

The researchers behind the study used ZMap to discover how many public-facing servers were using the Java version of BSafe, and found that of the 28.1 million systems probed, only 720 were using the software with Dual EC DRBG enabled, over a third of which were running one package: Apache Coyote/1.1.

In addition, a 2012 paper [PDF] by the International Computer Science Institute in Berkeley showed that just 0.0013 per cent of the 1.8 million SSL certificates studied supported, but did not necessarily use, the Extended Random extension.

EMC, which owns RSA, wasn't willing to go on the record with El Reg about the use of ER in the public domain, but some interesting stats did come up during February's RSA 2014 conference in San Francisco. The company then pointed out that Dual EC DRBG (and thus ER) was one of the least-used generators in its portfolio, and the buyers were almost exclusively customers in the US government.

The short-lived ER draft, funded by the United States Department of Defense, does appear to be hopelessly flawed when used in conjunction with the dubious NSA-championed Dual EC DRBG algorithm. But it seems the exclusive bombshell revelations about ER are less of a smoking gun and more of a damp squib. ®


Computer security analyst Daniel Miller has published an Nmap script to identify TLS (HTTPS) servers using Extended Random. We're told the academic research is to be published online soon.
