Study alleges deeper NSA influence on RSA

RSA adopted a second NSA-developed encryption tool, increasing the agency's spying capabilities, a study claims

Security firm RSA has adopted two encryption tools developed by the US National security agency, greatly increasing the agency’s ability to spy on internet communications, a study claims.

In December, a Reuters report claimed the NSA had paid RSA $10m to make a now-discredited cryptography system the default in its security software.

The report said the Dual Elliptic Curve random number generator had a deliberate flaw or "back door" that allowed the NSA to crack the encryption.

At the time, RSA said in a blog post that it has never entered into a contract with the “intention of weakening RSA’s products, or introducing potential ‘back doors’ into our products for anyone’s use”.

Now Reuters reports that a study by reseachers from a Dutch university and several US universities has discovered a second NSA tool increased the agency’s ability to read encrypted data.

The researchers found the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve 65,000 times faster.

In a Pentagon-funded paper in 2008, the Extended Random protocol was touted as a way to boost the randomness of the numbers generated by the Dual Elliptic Curve, according to Reuters.

While Extended Random was not widely adopted, Reuters said the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.

More on RSA

  • RSA announces Managed Security Partner programme
  • RSA 2014: Coviello downplays relationship between RSA and NSA
  • RSA 2014: News, analysis and video from RSA Conference 2014
  • RSA denies secret contract with NSA

RSA, now owned by EMC, said the company had not intentionally weakened security on any product, and that due to a lack of popularity, Extended Random had been removed from RSA software six months ago.

"We could have been more skeptical of NSA's intentions," RSA chief technologist Sam Curry told Reuters.

"We trusted them because they are charged with security for the US government and US critical infrastructure."

But Curry declined to say whether the government had paid RSA to incorporate Extended Random in its BSafe security software, which also included Dual Elliptic Curve.

At RSA Conference 2014 in San Francisco in February, Art Coviello, executive chairman of RSA, rejected reports of RSA colluding with the NSA.

He said that when the National Institute of Standards and Technology (Nist) issued new guidance to stop the use of the Dual Elliptic Curve algorithm in September 2013, RSA immediately acted on that guidance by notifying customers and taking steps to remove the algorithm from use.

Coviello said “when or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits a position of trust within the security community, then that is a problem because if in matters of standards, in reviews of technology or in areas where we all open ourselves up we cannot be sure which part of the NSA we are actually working with, and what their motivations might be, then we should not work with the NSA at all”.

He told Computer Weekly that “what it means is: we don’t know. And it is a hypothetical. ‘When or if’ – when they do something like that, it is a problem. If they have done something like that, it is a problem. But it is a hypothetical. So the answer is: we don’t know.”

But, Coviello said while it has been reported as fact that the Dual Elliptic Curve algorithm was the mechanism for the NSA compromising commercial crypto, there is no truth in the claim.

He said Nist could not find a way of breaking it, but had chosen to take the algorithm out purely because of the theoretical attacks against it.

But according to the latest research summary, the results of tests indicate that a sufficiently motivated attacker with knowledge of the back door is able to decrypt traffic in a targeted manner in all of the cases studied.

For RSA’s BSAFE-C, the researchers said: “It seems likely that dragnet surveillance of all encrypted communication is possible.

“For other libraries, dragnet surveillance depends on the attackers computational abilities, the amount of communication, and, in some cases, additional knowledge about the server using the library,” they said.

Read more on Privacy and data protection