RSA Security, a subsidiary of cloud storage pioneer EMC, has advised its customers against using an encryption technology they supplied, as it may have been compromised by the NSA (National Security Agency).
In the 1990s, the NSA attempted to claim rights to unlock all encryption systems. They were denied after freedom-of-speech and privacy-rights advocates objected to the idea. However, the NSA reports that it must be able to decipher encrypted communications for the protection of the U.S. against organized crime and terrorism. Recently, the NSA has been intercepting communications data around the world through its Prism electronic surveillance program.
Warnings Against SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generator
On September 9th, the U.S. National Institute of Standards and Technology (NIST) warned consumers against the use of its SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), as a result of revelations about the NSA inserting backdoor vulnerabilities into technical standards for encryption technology that are used by many organizations.
After NIST released the warning, the RSA began contacting customers to suggest they stop using the feature, which comes standard in a variety of the their offerings. RSA stated: “to ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”
The companies advisory explained that all versions of RSA BSAFE Toolkits, including Micro Edition Suite, Crypto-C ME, Crypto-J, Crypto-C, Cert-J, Cert-C, SSL-J, and SSL-C were all affected, in addition to all versions of the RSA Data Protection Manager (DPM). The RSA reported to be in the process of reviewing its product portfolio in an attempt to ensure other procedures used by the company don’t have vulnerabilities.
The Dual EC DRBG is a pseudorandom number generator (PRNG) based on an approach to public-key cryptography known as elliptic curve cryptography, which users several constants in order to determine the output. According to research presented by Microsoft researchers, it’s easy for these constants to be deliberately devised for the designer to predict the output.
Many security researchers have explained the importance of generating these elliptic curve points in an honest, trustworthy way. This problem was identified during the development process, and addressed by including further specifications for generating different points than the default values provided, although many people continue to wonder how trustworthy these default elliptic curve points actually are.
NIST stated that when vulnerabilities are found, the company works with the cryptographic community to solve them as quickly as possible. In addition to RSA Security, many other companies are using the compromised Dual EC DRBG, including Symantec, McAfee, Juniper Networks, and BlackBerry.
For now, the NSA will continue their battle with cryptographers who are developing increasingly complex security systems.
“[Your] professionalism in dealing with this situation at the Zero hour is definitely a rarity. Your team’s response was to take on a project that you had no prior knowledge of other than a customer was in a tight spot and needed assistance.”