Feeds

Extended Random: The PHANTOM NSA-RSA backdoor that never was

Profs' paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell

5 things you didn’t know about cloud backup

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.

The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm used by default in BSafe. Dual EC DRBG is now known to be flawed, encryption that uses it is weakened, and the study sought to quantify exactly how useless the bit generator is.

But according to Reuters this week, this new academic study showed there was another dubious NSA-backed encryption system in BSafe besides Dual EC DRBG. The venerable news service kicked off its exclusive with:

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

That second tool, says Reuters, was Extended Random, a draft TLS extension supposedly designed to enhance the strength of encryption. Yes, it can, for example, be used by Dual EC DRBG in HTTPS connections – but there's no evidence BSafe ever shipped with support for that unloved extension. And the aforementioned study focused instead on proving how encryption using Dual EC DRBG can be cracked in mere seconds.

Indeed, in a draft copy of the study seen by The Reg, the authors of the paper stated:

For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way.

When El Reg spoke to the boffins behind the Dual EC DRBG study, there was some mystification as to what the fuss over Extended Random was all about.

"Extended Random was just something we encountered along the way," Stephen Checkoway, co-author of the study and assistant research professor at Johns Hopkins University in Maryland told The Register. "It wasn't the focus and it doesn't impact our major findings in any way."

The point of the study, he explained, was to show how easy it was to break BSafe's Dual EC DRBG-derived encryption using off-the-shelf components. With $40,000 of computer kit, encryption using the dodgy bit generator failed very quickly, but the researchers also found that if you were prepared to wait a very short time the same effect could be achieved with just $1,000 of hardware.

Extended Random (ER) is certainly contentious. It was proposed in 2008 by Margaret Salter, the then-technical director of the NSA's defensive Information Assurance Directorate, and drafted with the help of an independent expert. But the proposed extension expired before it could be accepted as a standard, and it turned out Extended Random simplified attacks on data encrypted using Dual EC DRBG, rendering it less than useful. ER, if enabled by a server, apparently speeds up an attack on Dual EC by a factor of up to 65,000.

ER wasn't even part of the C and C++ version of BSafe, Checkoway pointed out to us, and although it was in the Java version, it was disabled by default and the team had to tinker with the executables to enable it. ER was helpful in breaking Dual EC DRBG, but there's scant evidence anyone was actually using it – and the Internet Assigned Numbers Authority didn’t even assign it an official number.

The researchers behind the study used ZMap to discover how many public-facing servers were using the Java version of BSafe, and found that of the 28.1 million systems probed, only 720 were using the software with Dual EC DRBG enabled, and over a third of which were using one package - Apache Coyote/1.1.

In addition, a 2012 paper [PDF] by the International Computer Science Institute in Berkeley showed just 0.0013 per cent of 1.8 million SSL certificates studied supported, but not necessarily used, the Extended Random extension.

EMC, which owns RSA, wasn't willing to go on the record with El Reg on the use of ER in the public domain, but some interesting stats did come up during February's RSA 2014 conference in San Francisco. The company then pointed out that Dual EC DRBG (and thus ER) was one of its least-used generators in its portfolio, and the buyers were almost exclusively customers in the US government.

The short-lived draft ER, funded by the United States Department of Defense, does appear to be hopelessly flawed when used in conjunction with the dubious NSA-championed Dual EC DRBG algorithm. But it seems that the exclusive bombshell revelations about ER is less of a smoking gun and more of a damp squib. ®

Bootnote

Computer security analyst Daniel Miller has published an Nmap script to identify TLS (HTTPS) servers using Extended Random. We're told the academic research is to be published online soon.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.