NSA paid $10 million to put its backdoor in RSA encryption, according to Reuters report


Reefa


When leaked documents claimed to have caught the NSA inserting bad protocols into the national standards board NIST, it raised more questions than answers. Why would the NSA go to the trouble of inserting an inferior standard into NIST's set of four, when most cryptographers would simply ignore the bad algorithm in favor of the others? Even if foul play had occurred, what was the agency getting out of the deal?


Now, a Reuters exclusive report is showing the other side of the story. The report details a secret deal between the NSA and respected encryption company RSA, in which the agency paid $10 million for RSA to incorporate the weaker algorithm into an encryption product called BSafe.


Because of the earlier work, the algorithm had been approved by NIST, so RSA could claim their encryption used only nationally certified protocols. At the same time, BSafe's encryption was defaulting to a fundamentally flawed encryption algorithm, which the NSA could subvert whenever they needed to.


The bad program in question is known as DUAL_EC_DRBG, and cryptographers have found it suspicious for years. The program functions as a random number generator, but there are a number of fixed, constant numbers built into the algorithm that can function as a kind of skeleton key.


Anyone who knows the right numbers can decipher the resulting cryptotext — a feature that leaked Snowden documents confirm was installed by the NSA. The algorithm is also more than a hundred times slower than the alternative random number generators, which has led almost all major encryption programs to abandon the program. However, since BSafe is based on closed-source protocols, RSA was able to implement DUAL_EC_DRBG as a default setting effectively in secret.


In a statement to Reuters, RSA denied the allegations it had implemented the backdoor. "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products," a spokesman said. "Decisions about the features and functionality of RSA products are our own."


anyone with due background please let us know: Is the AES/TWOFISH/SERPENT encryption algorithm backed up by the RSA? If so, does it mean all encryption tools are affected, including truecrypt? Hope not!

Strange, the stock price for EMC Corp (RSA's parent company) is doing quite well. Since this has come to light, I wouldn't use any RSA developed or backed encryption. Frankly, any NIST encryption is also suspect.

I actually read about this tonight while I was at work via AppyGeek.

It's crazy because it's true and it makes you ask the question "Who can you trust?"

I remember years back reading about Kevin Mitnick, and about the FBI's trusted program at the time called "Carnivore".

It was such an intense time to be submerged in this culture and to be reading about such things because it was all theories and speculation that "Big Brother" was spying on us but it's true and it has been for years. We now know that bribes have been placed in order to make it easier, but I am one of the minds that wonder if RSA has done this then who else?

anyone with due background please let us know: Is the AES/TWOFISH/SERPENT encryption algorithm backed up by the RSA? If so, does it mean all encryption tools are affected, including truecrypt? Hope not!

Am pretty sure TrueCrypt's algorithms and source code have all been sufficiently vetted by cryptographic experts worldwide.

Time will tell. Check out CISCO. Its overseas market collapsed since the Sn0wd3n revealing.

Strange, the stock price for EMC Corp (RSA's parent company) is doing quite well. Since this has come to light, I wouldn't use any RSA developed or backed encryption. Frankly, any NIST encryption is also suspect.
