Extended Random: The PHANTOM NSA-RSA backdoor that never was

Profs' paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell


Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.

The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm used by default in BSafe. Dual EC DRBG is now known to be flawed, encryption that uses it is weakened, and the study sought to quantify exactly how useless the bit generator is.

But according to Reuters this week, this new academic study showed there was another dubious NSA-backed encryption system in BSafe besides Dual EC DRBG. The venerable news service kicked off its exclusive with:

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

That second tool, says Reuters, was Extended Random, a draft TLS extension supposedly designed to enhance the strength of encryption. Yes, it can, for example, be used by Dual EC DRBG in HTTPS connections – but there's no evidence BSafe ever shipped with support for that unloved extension. And the aforementioned study focused instead on proving how encryption using Dual EC DRBG can be cracked in mere seconds.

Indeed, in a draft copy of the study seen by The Reg, the authors of the paper stated:

For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way.

When El Reg spoke to the boffins behind the Dual EC DRBG study, there was some mystification as to what the fuss over Extended Random was all about.

"Extended Random was just something we encountered along the way," Stephen Checkoway, co-author of the study and assistant research professor at Johns Hopkins University in Maryland told The Register. "It wasn't the focus and it doesn't impact our major findings in any way."

The point of the study, he explained, was to show how easy it was to break BSafe's Dual EC DRBG-derived encryption using off-the-shelf components. With $40,000 of computer kit, encryption using the dodgy bit generator failed very quickly, but the researchers also found that if you were prepared to wait a very short time the same effect could be achieved with just $1,000 of hardware.

Extended Random (ER) is certainly contentious. It was proposed in 2008 by Margaret Salter, the then-technical director of the NSA's defensive Information Assurance Directorate, and drafted with the help of an independent expert. But the proposed extension expired before it could be accepted as a standard, and it turned out Extended Random simplified attacks on data encrypted using Dual EC DRBG, rendering it less than useful. ER, if enabled by a server, apparently speeds up an attack on Dual EC by a factor of up to 65,000.

ER wasn't even part of the C and C++ version of BSafe, Checkoway pointed out to us, and although it was in the Java version, it was disabled by default and the team had to tinker with the executables to enable it. ER was helpful in breaking Dual EC DRBG, but there's scant evidence anyone was actually using it – and the Internet Assigned Numbers Authority didn’t even assign it an official number.

The researchers behind the study used ZMap to discover how many public-facing servers were using the Java version of BSafe, and found that of the 28.1 million systems probed, only 720 were using the software with Dual EC DRBG enabled, and over a third of those were running one package, Apache Coyote/1.1.

In addition, a 2012 paper [PDF] by the International Computer Science Institute in Berkeley showed just 0.0013 per cent of 1.8 million SSL certificates studied supported, but not necessarily used, the Extended Random extension.

EMC, which owns RSA, wasn't willing to go on the record with El Reg on the use of ER in the public domain, but some interesting stats did come up during February's RSA 2014 conference in San Francisco. The company then pointed out that Dual EC DRBG (and thus ER) was one of its least-used generators in its portfolio, and the buyers were almost exclusively customers in the US government.

The short-lived draft ER, funded by the United States Department of Defense, does appear to be hopelessly flawed when used in conjunction with the dubious NSA-championed Dual EC DRBG algorithm. But it seems that the exclusive bombshell revelations about ER are less of a smoking gun and more of a damp squib. ®


Computer security analyst Daniel Miller has published an Nmap script to identify TLS (HTTPS) servers using Extended Random. We're told the academic research is to be published online soon.
