<html>
<head>
<meta http-equiv="Content-Type" content="text/html"/>
</head>
<body style="font-family: sans-serif; font-size: 10pt;">
<p><br></p>
<p>--- Forwarded message ---<br>
From: Threatpost <donotreply@wordpress.com><br>
Date: 20 September 2013 10:48:48 PM<br>
Subject: [New post] In Wake of Latest Crypto Revelations, ‘Everything is
Suspect’<br>
To: suresh@hserus.net</p>
<p>Post : In Wake of Latest Crypto Revelations,
‘Everything is Suspect’<br>
URL : <a
href="http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect/102377">http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect/102377</a><br>
Posted : September 20, 2013 at 1:18 pm<br>
Author : Michael Mimoso</p>
<p>So now that RSA Security has urged developers to back away from the
table and stop using the maligned Dual Elliptic Curve Deterministic Random
Bit Generation (Dual EC DRBG) algorithm, the question begging to be asked
is why did RSA use it in the first place?</p>
<p>Going back to 2007 and a seminal presentation at the CRYPTO conference (
<a
href="http://rump2007.cr.yp.to/15-shumow.pdf">http://rump2007.cr.yp.to/15-shumow.pdf</a>
) by Dan Shumow and Niels Ferguson, there have been suspicions about
Dual EC DRBG primarily because it was backed by the National Security
Agency, which initially proposed the algorithm as a standard.
Cryptographer Bruce Schneier wrote in a 2007 essay ( <a
href="https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html">https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html</a>
) that the algorithm contains a weakness that “can only be described
as a backdoor.”</p>
<p>Given the current climate and revelations about NSA surveillance of
Americans, and implications the spy agency manipulated standards efforts,
in particular those overseen by NIST, Dual EC DRBG and other crypto
standards are going to be scrutinized top to bottom—not to mention the
deterioration of trust in any product built on that standard.</p>
<p>“I wrote about it in 2007 and said it was suspect. I didn’t like it back
then because it was from the government,” Schneier told Threatpost today.
“It was designed so that it could contain a backdoor. Back then I was
suspicious, now I’m terrified.</p>
<p>"We don’t know what’s been tampered with. Nothing can be trusted. Everything is suspect,” Schneier said.</p>
<p>Iin his essay, Schneier wrote that not only was the algorithm derided as
slow compared to better available algorithms, but it had a bias, meaning
that the random numbers it generates aren’t so random. Dual EC DRBG was one
of four approved random bit generators in NIST Special Publication 800-90,
but it sticks out like a sore thumb.</p>
<p>“What Shumow and Ferguson showed is that these numbers have a
relationship with a second, secret set of numbers that can act as a kind of
skeleton key. If you know the secret numbers, you can predict the output of
the random-number generator after collecting just 32 bytes of its output,”
Schneier wrote. “To put that in real terms, you only need to monitor one
TLS Internet encryption connection in order to crack the security of that
protocol. If you know the secret numbers, you can completely break any
instantiation of Dual_EC_DRBG.</p>
<p>“The researchers don't know what the secret numbers are,” Schneier said.
“But because of the way the algorithm works, the person who produced the
constants might know; he had the mathematical opportunity to produce the
constants and the secret numbers in tandem.”</p>
<p>RSA advised its developer customers via email yesterday to no longer use
the algorithm, following a similar NIST recommendation ( <a
href="http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A%20Rev%201%20B%20and%20C">http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A%20Rev%201%20B%20and%20C</a>
) last week. The algorithm is the default pseudo random number
generator in a number of RSA products, including the RSA BSAFE libraries
and RSA’s key management product RSA Data Protection Manager. BSAFE is
embedded in many applications, providing cryptography, digital certificates
and TLS security. RSA said the current product documentation can help
developers change the PRNG in their respective implementations. RSA also
said it would review its products to determine where the algorithm is in
use and make the appropriate changes.</p>
<p>RSA CTO Sam Curry told Wired magazine ( <a
href="http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/">http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/</a>
) , which first reported the story yesterday, the algorithm has been part
of RSA libraries since 2004, two years before it was approved by NIST.</p>
<p>“Every product that we at RSA make, if it has a crypto function, we may
or may not ourselves have decided to use this algorithm,” Curry told Wired.
“So we’re also going to go through and make sure that we ourselves follow
our own advice and aren’t using this algorithm.”</p>
<p>Matthew Green, a cryptographer and research professor at Johns Hopkins
University, said RSA had no good reason to use the algorithm, and its
decision to do so puts the security of any product using the BSAFE library
into question.</p>
<p>“There's no good reason whatsoever, just none,” Green said. “There was
no good reason before the [Crypto 2007] backdoor presentation. It was a
poor decision then, and afterwards I kind of think it was malpractice.
People have known about this for a long time."</p>
<p>RSA’s core product, its SecurID two-factor authentication tokens, was
breached in 2011 and data stolen in that attack was used to attack Lockheed
Martin and others in the defense industry. RSA said it spent more than $66
million cleaning up from the attack and helping customers. An untold number
of RSA SecurID tokens were recalled and replaced. A source close to the
matter told Threatpost that SecurID currently does not use the Dual EC DRBG
random number generator, nor did it prior to the 2011 attack.</p>
<p>In the meantime, the immediate fallout is that we should expect more
technology companies to make similar announcements about NIST-approved and
NSA-influenced encryption. Experts are concerned too about the damage being
inflicted upon NIST as a standards body. It’s likely these revelations will
force greater scrutiny on the NIST-NSA relationship and nudge users and
providers away from the standard in time.</p>
<p>“The U.S. has had an enormous influence on crypto around the world
because we have NIST,” Green said in an interview before the RSA news
broke. “You could see people break away from NIST, which would hurt
everyone, and move to regional standards. That stuff is a problem.</p>
<p>“We trust NIST because there are a lot smart people there. If you split
up into regions, it’s possible things could get less secure,” Green added.
“You could end up with more vulnerabilities; standards get weaker the less
effort you put into it.”</p>
<p>Schneier agreed that scrutiny will tighten on NIST.</p>
<p>“The fact is, NIST has been tarnished badly, and we really need them,”
he said. “This is the biggest problem: The NSA has broken the fundamental
social contract of the Internet."<br></p>
</body>
</html>