RSA ties to NSA PRISM spooks go deeper than first thought

Researchers have uncovered evidence suggesting the National Security Agency (NSA) exploited a flaw in commonly used RSA security technology to crack encryption keys significantly faster.

Researchers from Johns Hopkins University, the University of Wisconsin, Eindhoven University of Technology, the University of Illinois and the University of California reported uncovering the evidence in a white paper entitled On the Practical Exploitability of Dual EC in TLS Implementations [PDF].

The report said the flaw related to the 'Extended Random' transport layer security (TLS) extension found in RSA's BSafe encryption libraries. RSA BSafe is a commonly used cryptographic library and is available in OpenSSL FIPS, Windows Secure Channel, and C/C++ and Java versions.

The flaw increases the speed of a previously reported bug in RSA's Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC), the technology that creates random numeric keys during the encryption process.

Reuters reported the original flaw in BSafe in December 2013, claiming RSA intentionally put the backdoor in at the NSA's request. RSA has constantly denied the allegations and at the time of publishing the NSA and RSA had not responded to V3's request for comment.

The researchers said the effectiveness of the flaw depended greatly on what version of BSafe is used. The paper highlighted BSafe for C and BSafe for Java as being the easiest to target using the extension flaw.

"The BSafe implementations of TLS make the Dual EC backdoor particularly easy to exploit in two ways," read the paper.

"The Java version of BSafe includes fingerprints in connections, making them easy to identify. The C version of BSafe allows a drastic speed-up in the attack by broadcasting longer strings of random bits than one would at first imagine to be possible given the TLS standards."

The news will be taken as troubling within the security community. Encryption has been highlighted as a key way companies can protect themselves against snooping intelligence agencies by numerous security experts.

Edward Snowden, the ex-CIA contractor who originally leaked documents to the press chronicling the NSA's PRISM campaign, highlighted encryption as an effective protection during a keynote at the SXSW conference in Texas in March.

The Snowden documents showed that the NSA had mounted a sophisticated mass-surveillance campaign that siphoned data from numerous technology companies including Google, Microsoft, Facebook, Twitter and Yahoo.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Government
• Government
• Hacking
• PRISM
• RSA