Original URL: https://www.theregister.com/2014/04/02/extended_random_nsa_rsa_bsafe/

Extended Random: The PHANTOM NSA-RSA backdoor that never was

Profs' paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell

By Iain Thomson in San Francisco

Posted in Security, 2nd April 2014 03:33 GMT

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.

The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm used by default in BSafe. Dual EC DRBG is now known to be flawed, encryption that uses it is weakened, and the study sought to quantify exactly how useless the bit generator is.

But according to Reuters this week, this new academic study showed there was another dubious NSA-backed encryption system in BSafe besides Dual EC DRBG. The venerable news service kicked off its exclusive with:

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

That second tool, says Reuters, was Extended Random, a draft TLS extension supposedly designed to enhance the strength of encryption. Yes, it can, for example, be used by Dual EC DRBG in HTTPS connections – but there's no evidence BSafe ever shipped with support for that unloved extension. And the aforementioned study focused instead on proving how encryption using Dual EC DRBG can be cracked in mere seconds.

Indeed, in a draft copy of the study seen by The Reg, the authors of the paper stated:

For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way.

When El Reg spoke to the boffins behind the Dual EC DRBG study, there was some mystification as to what the fuss over Extended Random was all about.

"Extended Random was just something we encountered along the way," Stephen Checkoway, co-author of the study and assistant research professor at Johns Hopkins University in Maryland told The Register. "It wasn't the focus and it doesn't impact our major findings in any way."

The point of the study, he explained, was to show how easy it was to break BSafe's Dual EC DRBG-derived encryption using off-the-shelf components. With $40,000 of computer kit, encryption using the dodgy bit generator failed very quickly, but the researchers also found that if you were prepared to wait a very short time the same effect could be achieved with just $1,000 of hardware.

Extended Random (ER) is certainly contentious. It was proposed in 2008 by Margaret Salter, the then-technical director of the NSA's defensive Information Assurance Directorate, and drafted with the help of an independent expert. But the proposed extension expired before it could be accepted as a standard, and it turned out Extended Random simplified attacks on data encrypted using Dual EC DRBG, rendering it less than useful. ER, if enabled by a server, apparently speeds up an attack on Dual EC by a factor of up to 65,000.

ER wasn't even part of the C and C++ versions of BSafe, Checkoway pointed out to us, and although it was in the Java version, it was disabled by default and the team had to tinker with the executables to enable it. ER was helpful in breaking Dual EC DRBG, but there's scant evidence anyone was actually using it – and the Internet Assigned Numbers Authority didn't even assign it an official number.
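To make concrete why a server advertising Extended Random matters, here is an added example (not code from the researchers, RSA or The Register) that parses a TLS ServerHello, lists its extensions and counts how many bytes of raw server randomness a passive observer sees: the 32-byte random field plus any Extended Random payload. Because IANA never assigned the extension an official number, the type value used below is a placeholder assumption, and the payload layout (2-byte length followed by opaque random bytes) is assumed from the expired draft; the ServerHello itself is constructed inline.

```python
import struct

# Placeholder type number: IANA never assigned Extended Random an official
# extension type, so this value is an assumption for the demonstration only.
EXT_EXTENDED_RANDOM = 0xFF01

def parse_server_hello(body):
    """Parse a TLS 1.0-1.2 ServerHello body (bytes after the 4-byte handshake header)."""
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    server_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1 + sid_len          # skip session_id
    cipher_suite = body[pos:pos + 2]; pos += 2
    pos += 1                                         # compression_method
    extensions = []
    if pos + 2 <= len(body):                         # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions.append((etype, body[pos:pos + elen])); pos += elen
    # Raw server DRBG output visible on the wire: the 32-byte random field plus
    # any Extended Random payload (assumed draft layout: 2-byte length prefix,
    # then opaque random bytes). More exposed output is what helps a Dual EC attack.
    exposed = 32
    for etype, data in extensions:
        if etype == EXT_EXTENDED_RANDOM and len(data) >= 2:
            exposed += struct.unpack("!H", data[:2])[0]
    return {"version": version, "random": server_random, "cipher_suite": cipher_suite,
            "extensions": extensions, "exposed_random_bytes": exposed}

def build_server_hello(extended_random=None):
    """Constructed sample ServerHello: TLS 1.2, empty session_id, ECDHE-RSA-AES128-GCM."""
    exts = b""
    if extended_random is not None:
        payload = struct.pack("!H", len(extended_random)) + extended_random
        exts = struct.pack("!HH", EXT_EXTENDED_RANDOM, len(payload)) + payload
    body = b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return body

def uses_extended_random(body):
    """True if the ServerHello carries the (placeholder-typed) Extended Random extension."""
    return any(t == EXT_EXTENDED_RANDOM for t, _ in parse_server_hello(body)["extensions"])

if __name__ == "__main__":
    for hello in (build_server_hello(), build_server_hello(bytes(64))):
        info = parse_server_hello(hello)
        print("extended random:", uses_extended_random(hello),
              "exposed random bytes:", info["exposed_random_bytes"])
```

Pointed at a real ServerHello captured from one of your own servers, the same parser tells you whether any non-standard extension (and the extra random bytes it carries) is being negotiated.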

The researchers behind the study used ZMap to discover how many public-facing servers were using the Java version of BSafe, and found that of the 28.1 million systems probed, only 720 were using the software with Dual EC DRBG enabled, and over a third of those were running a single package, Apache Coyote/1.1.

In addition, a 2012 paper [PDF] by the International Computer Science Institute in Berkeley showed just 0.0013 per cent of 1.8 million SSL certificates studied supported, but not necessarily used, the Extended Random extension.

EMC, which owns RSA, wasn't willing to go on the record with El Reg on the use of ER in the public domain, but some interesting stats did come up during February's RSA 2014 conference in San Francisco. The company then pointed out that Dual EC DRBG (and thus ER) was one of its least-used generators in its portfolio, and the buyers were almost exclusively customers in the US government.

The short-lived draft ER, funded by the United States Department of Defense, does appear to be hopelessly flawed when used in conjunction with the dubious NSA-championed Dual EC DRBG algorithm. But it seems that the exclusive bombshell revelations about ER are less of a smoking gun and more of a damp squib. ®

Bootnote

Computer security analyst Daniel Miller has published an Nmap script to identify TLS (HTTPS) servers using Extended Random. We're told the academic research is to be published online soon.