Reuters: RSA Weakened Encryption For $10M From NSA

timothy posted about 8 months ago | from the 30-pieces-of-silver-seemed-too-derivative dept.

Businesses 464

Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"

464 comments

RSA sold you out (5, Insightful)

Anonymous Coward | about 8 months ago | (#45750763)

The NSA sold its own customers out to the US government for the price of an NYC apartment.

Re:RSA sold you out (4, Funny)

MichaelSmith (789609) | about 8 months ago | (#45750827)

NSA has customers? Surely not the voters.

Re:RSA sold you out (4, Funny)

Nerdfest (867930) | about 8 months ago | (#45750965)

NSA has customers?

Not any more.

Re:RSA sold you out (2)

Jane Q. Public (1010737) | about 8 months ago | (#45751001)

NSA has customers?

Not any more.

They probably do have "customers", in a sense: foreign governments with whom they've made deals.

I would like to answer the question asked in OP, though: SSL has weaknesses, but they are not related to this.

Re:RSA sold you out (2)

Nerdfest (867930) | about 8 months ago | (#45751019)

I think they'll even lose their government contracts, as they know there's no honour among thieves. As for SSL and most of the rest of RSA's business, there are better open solutions. Not packaged as nicely, but available.

Re:RSA sold you out (2)

mrbluze (1034940) | about 8 months ago | (#45751129)

I think they'll even lose their government contracts, as they know there's no honour among thieves. As for SSL and most of the rest of RSA's business, there are better open solutions. Not packaged as nicely, but available.

I bet they don't. They (the NSA) will instead get a funding boost to "make reforms".

Re:RSA sold you out (1)

Nerdfest (867930) | about 8 months ago | (#45751193)

I'm more thinking of non-US governments.

Re:RSA sold you out (1)

Anonymous Coward | about 8 months ago | (#45751107)

NSA has customers? Surely not the voters.

The other intelligence agencies within the government are considered "customers" of NSA products.

Re:RSA sold you out (1)

anarkhos (209172) | about 8 months ago | (#45751153)

I think you mean servants

*EMC Corp* now (5, Interesting)

Anonymous Coward | about 8 months ago | (#45750881)

They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.

Wow, that is trillions in damage even before we get to the criminal law book.

TYPO: you mean RSA sold out its customers (5, Informative)

Anonymous Coward | about 8 months ago | (#45751165)

TYPO: you mean RSA sold out its customers

That's a tiny number (5, Insightful)

bob_super (3391281) | about 8 months ago | (#45750785)

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

Re:That's a tiny number (5, Insightful)

Anonymous Coward | about 8 months ago | (#45750839)

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

A massive exodus to where exactly?

When an organization like the RSA can be bought, what in the hell makes you think the rest aren't too, regardless of country.

Re:That's a tiny number (1)

Anonymous Coward | about 8 months ago | (#45751011)

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

A massive exodus to where exactly?

When an organization like the RSA can be bought, what in the hell makes you think the rest aren't too, regardless of country.

I'm going back to using Cub Scouts with semaphore flags for messages, myself. If you can't trust a Cub Scout, who can you trust?

Re:That's a tiny number (0, Flamebait)

Anonymous Coward | about 8 months ago | (#45751109)

Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.

A massive exodus to where exactly?

When an organization like the RSA can be bought, what in the hell makes you think the rest aren't too, regardless of country.

I'm going back to using Cub Scouts with semaphore flags for messages, myself. If you can't trust a Cub Scout, who can you trust?

Apparently that is even in question if said Cub/Eagle Scout happens to be gay.

Re:That's a tiny number (5, Insightful)

gmuslera (3436) | about 8 months ago | (#45751061)

Companies/organizations from other countries aren't forced by law to both do it, and not tell that they did it. Even if you include countries like UK, Sweden, South Korea and a few others as compromised, there is plenty of room for independent development. And, of course, open source solutions independently reviewed. But the point is, if you want security, don't buy anything from US companies. Weakening crypto means that not only NSA can access it.

Re:That's a tiny number (4, Insightful)

JoeyRox (2711699) | about 8 months ago | (#45750915)

Like most criminals they probably never expected to be caught.

RSA Stock (5, Interesting)

Anonymous Coward | about 8 months ago | (#45750791)

RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.

-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.

Re:RSA Stock (1)

Nerdfest (867930) | about 8 months ago | (#45750995)

I really hope a lot of the company's executives have a crap-load of money tied up in RSA stock. I'm also hoping a lot of the NSA people are heavily invested in it as well.

"We have established what you are, madam. ..." (5, Insightful)

bill_mcgonigle (4333) | about 8 months ago | (#45750803)

"... We are now merely haggling over the price."

Oh, no, wait, it's $10M.

(apologies to George Bernard Shaw)

P.S. - AC, yes, if you used an RSA CA appliance with the default Dual EC DRBG PRNG configuration, your private key is probably easy to break and your traffic easy to intercept/decrypt if you're not using perfect forward secrecy (assuming that's not on an RSA appliance).

Re:"We have established what you are, madam. ..." (2)

PolygamousRanchKid (1290638) | about 8 months ago | (#45750833)

Oh, no, wait, it's $10M.

More like, 10 million pieces of silver . . . if this is true . . .

Re:"We have established what you are, madam. ..." (2, Interesting)

Anonymous Coward | about 8 months ago | (#45751229)

There really isn't any way of knowing. The possibility of a weakness with the elliptic curve cryptography is only suspected, suggested, not proven. Good ol' Bruce has said that there is nothing in the Snowden leaks to prove that the actual crypto algorithms have been weakened. As far as anyone knows all that NSA has done is try to spread the use of it, which may be because they think that it is better. In a way this is no different than the fixes they made to make DES proof against differential cryptanalysis. Everyone suspected that NSA had weakened DES when in fact they made it stronger, but it took 15-20 years for people to see that. For all we know the elliptic stuff only looks like it might be weak, but it may be perfectly fine and strong, but it may have been chosen since the form looks weak as a troll against anyone that would try to crack it. Square the circle, you can do it!

Re:"We have established what you are, madam. ..." (1)

MRe_nl (306212) | about 8 months ago | (#45750969)

That quote was the first thing that came to mind. Realise that it is very much a one time payment if the prostitute is a prostitute secretly. Blackmail time! /sociopath

Re:"We have established what you are, madam. ..." (0)

Anonymous Coward | about 8 months ago | (#45751187)

Any time a government is involved, everyone is getting backdoored and receiving the bill for it as well.

Don't misinform if you don't understand crypto (0)

Anonymous Coward | about 8 months ago | (#45750811)

Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"

No, you are completely wrong because the issues are unrelated. The NIST curves which are used in SSL and TLS for key establishment via EC Diffie-Hellman are not suggested to be broken, but a PRNG based on elliptic curves which is not used by most TLS implementations at all.

WHY THE FUCK (0)

Anonymous Coward | about 8 months ago | (#45750845)

..do I need an "EC PRNG", if any symmetric cipher and a simple counter is sufficient to generate PR numbers?

I seriously would like to know !

Re:Don't misinform if you don't understand crypto (4, Interesting)

Anonymous Coward | about 8 months ago | (#45750951)

The NIST/SECP curves are NOT safe. They were generated by the NSA, and they need replacing. http://safecurves.cr.yp.to/

We probably don't know the full extent of the 'trapdoors' left by Jerry. What we do know is that unless you're using Brier-Joye's (very, very slow) constant-time short-Weierstrass curve, a timing attack is possible, and probably practical; many of the routines are incomplete or wrongly-implemented, because they're very complex, and the curves aren't complete; some don't even check if the point is on the curve, and if it isn't, we're basically leaking private data; secp256k1 has a complex-multiplication field discriminant of just -3, which may make it more susceptible to one attack and very possible to one extended one we don't know about; and secp224r1 (P-224) definitely has an insecure twist. Something may well be wrong with secp256r1 and the others, but if so, we don't know what it is. Either way, we know the NSA generated it to ostensibly be random but really satisfy some very specific unknown conditions: that alone is reason enough to not trust it.

CryptoLocker (0)

Anonymous Coward | about 8 months ago | (#45750821)

So why doesn't the NSA help us out by cracking cryptolocker?

Re:CryptoLocker (3, Insightful)

jonwil (467024) | about 8 months ago | (#45751303)

Because the people behind CryptoLocker (who are probably from Russia or China or some other country that isn't exactly best buddies with the US) are likely smart enough not to trust US-made off-the-shelf cryptography.

Amirite? Probably not. (1)

Anonymous Coward | about 8 months ago | (#45750825)

Hardly anyone uses FIPS-186-3, and its use isn't mandated by RFC 2246 or any later standard that describes SSL or TLS. While Dual_EC_DRBG can be used by TLS/SSL, almost no one does. TLS/SSL has its problems, sure, but this isn't one of them.

SSL Security (5, Informative)

Vellmont (569020) | about 8 months ago | (#45750831)

"If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
No. SSL doesn't specify the method to produce random numbers. Why would it? The NIST method is very very slow, so I'd be surprised if any browsers or servers used it as the random number source.

Re:SSL Security (4, Insightful)

Anonymous Coward | about 8 months ago | (#45750953)

The article submitter (or maybe the Slashdot "editors" and I use the term loosely) probably just wanted to link whore by playing a game of Madlibs and associating anything related to cryptography and the big-bad NSA. The elliptic curve thing.. that people already assumed was flawed in 2006 years before Snowden became cool and that nobody used*... is *not* how the NSA would operate if it wanted to be *effective* at spying on everyone.

Remember kids: Snowden said that the NSA hates it when you use cryptography. If the NSA could just click a button and decrypt everyone's traffic, then they wouldn't have gone to the major expense and risk to bypass the encryption that Google/Yahoo/etc. were using, now would they?

* No really, nobody used it. Try to do anything with that RNG in OpenSSL and guess what... your program segfaults because in 7 years nobody even did rudimentary unit tests of the code, much less tried to do anything with it.

Re:SSL Security (4, Informative)

Anonymous Coward | about 8 months ago | (#45751199)

Nobody used? Try a ton of people used.

Commercial products that must be FIPS certified tend to use libraries like BSafe, not OpenSSL. OpenSSL has received FIPS certification, but it's really difficult to ship a product using OpenSSL and keep that certification, because FIPS certification is not just about source code and algorithms.

And I doubt RSA was the only company the NSA approached to use Dual_EC_DRBG by default. I know for a fact that it's used in several other commercial products. And because it's so slow and so suspicious, it's reasonable to believe that these companies were coaxed to use it, too.

Re:SSL Security (0)

Anonymous Coward | about 8 months ago | (#45751217)

SSL does specify a method to produce random numbers in its KDF--i.e. Key Derivation Function, a.k.a key stretching, which is a type of CSPRNG. Thankfully it uses a mix of one-way hashes.

RSA Security == FRAUD (1)

Anonymous Coward | about 8 months ago | (#45750837)

This incident and their 100% CRAP one-time-password generator technology (used by the Chinese to get into Lockheed Martin), means they are simply a FRAUD.
This company is like shiny chocolate-paper wrapped around a nice brown stink.

Just a printout of random numbers would be way much more secure than their otp generator electronic crapola. As I wrote even before Snowden: RSA epitomizes the corruption of the western world.

Re:RSA Security == FRAUD (2)

Trepidity (597) | about 8 months ago | (#45750865)

Just a printout of random numbers would be way much more secure than their otp generator electronic crapola.

A pretty large amount of what RSA sells could be replaced with simple commodity tech and be an improvement. At best they sell hugely overpriced Enterprise-Ready versions of those same commodity encryption tools, packaged into "appliances". Apparently they didn't even do that right, though.

Not a surprise, but still... (5, Insightful)

surfdaddy (930829) | about 8 months ago | (#45750849)

I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45750899)

I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.

A government will go to great lengths when its superpower status is in jeopardy. Let's not forget that the US is in debt up to its eyeballs and is one Chinese yuan away from bankruptcy. The NSA is doing everything it can to save your ass.

Re:Not a surprise, but still... (4, Insightful)

fyngyrz (762201) | about 8 months ago | (#45750949)

The NSA is doing everything it can to save your ass.

No. US citizens are not under any real threat, either short term or long -- at least, no threat that isn't in the end posed by our government itself. What the NSA is doing is attempting to shore up the government, which, frankly, I'm beginning to feel would be better off being replaced by people, almost *any* group of people, who simply understand that it is not acceptable to break one's oath, and that the oath to the constitution is designed to, and should, ultimately govern all of our legislation.

Re:Not a surprise, but still... (2)

Nerdfest (867930) | about 8 months ago | (#45750985)

You'll probably also want to make sure that those people know where the borders are and that 'checkpoints' a couple of hundred miles inland are also not acceptable. As the GP said, WHAT THE FUCK has happened to the US.

Re:Not a surprise, but still... (2)

gmuslera (3436) | about 8 months ago | (#45751083)

The elephant in the room is the NSA and the people are behind it. That is the actual threat. How much till some "emergence" forces to strip even more rights?

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45751017)

About $10 trillion of the U.S. debt is owned by ... the U.S. China owns about $1.2 trillion. Quit spreading your FUD.

Re:Not a surprise, but still... (4, Interesting)

jd (1658) | about 8 months ago | (#45751231)

Not really. The NSA costs more to run than the national debt. Closing it would be one of the most cost-effective ways to save the nation from bankruptcy. Not that the US is anywhere near close. It will be, if it continues to not spend on the arts and sciences, but economies can remain entirely stable when running 110% of GDP, at least for a few years. Nations aren't like personal bank accounts and you cannot run economies as if they were private budgets.

At this point, the NSA has cost the economy not only its own expenses but billions in international trade (plus interest spanning decades), but can produce no evidence of any benefits. Skipjack is broken, as was SHA-0 (the NSA version of the algorithm). Cryptologists ignored Skipjack once it was determined to be faulty and spent a fair bit of time fixing SHA. These are additional costs, created almost certainly as a result of deliberate breakage by the NSA (it's either that or they're incompetent, take your pick).

When you have something very expensive with no direct or indirect return, you generally term it a failure. When something fails on that scale when your economy has been crippled by neocons and kept defunct by Tea Partiers, the sound fiscal move is to cut losses. When a ship is struggling to stay afloat, you dump the deadweight. The NSA is deadweight until or unless it can show value for money.

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45750933)

I don't buy all the waffling from RSA employees questioned by the article, so I have a question. Was this purely a matter of greed, or was this more of a "here is an offer you can't refuse"?

Re:Not a surprise, but still... (4, Insightful)

Anonymous Coward | about 8 months ago | (#45750967)

I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught.

And now you know why they were so careful to teach you that. Because it's a lie. You see, the easiest slave to control is one who doesn't realize he's a slave.

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45751013)

You see you don't get out of the Empire that easily. The British have always Controlled / owned the NSA -
Now honour your masters and learn to spell colour correctly. SERFS!

MU WAH , HA HA .

Re:Not a surprise, but still... (4, Insightful)

bob_super (3391281) | about 8 months ago | (#45751029)

I cringe every time I see elementary school children reciting the pledge of allegiance.
Start them young...

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45751205)

Your funny moderation is depressing. Should be insightful.

Re:Not a surprise, but still... (2, Insightful)

Seumas (6865) | about 8 months ago | (#45751221)

They teach them to parrot "freedom!" rhetoric, while not bothering to teach them about the foundation of our government, Constitution, etc. In fact, they undermine it by educating them from "summarized" versions of the Bill of Rights or by having class lessons on "revising the constitution", strongly implying in their young mushy brains that the constitution is a living yadda yadda yadda (because, you know, things like preventing the government from infringing on the rights of women to vote are things that may someday need to be changed to fit into the world we live in blah blah blah).

In my entire school life, we spent far more time in DARE programs than we did learning about government, liberties, and civics.

Re:Not a surprise, but still... (3, Insightful)

BringsApples (3418089) | about 8 months ago | (#45751059)

Ahh, but you see my friend, my countryman... this is our time to shine. This is the very reason that America was ever great. This is the time to revolt in the proper way. It's not our country that's gone down the tubes, but our government. When The People break the law, the governing body has to step in to set them right. When the government breaks the law, The People have to step up to set them right. If not, then The People need to get used to getting fucked regularly by the power that develops in their stead.

Re:Not a surprise, but still... (1)

Seumas (6865) | about 8 months ago | (#45751225)

"Okay, we hear you and we're going to stop violating your civil liberties you guys".

[Goes back to *secretly* violating your civil liberties.]

Re:Not a surprise, but still... (0)

Anonymous Coward | about 8 months ago | (#45751097)

Well I guess it's okay when it's just "others".

They've been doing stuff all around the world in the past 100 years.
You realize that now?

Up to you to keep it that way (1)

SuperKendall (25149) | about 8 months ago | (#45751235)

The land of freedom and liberty. That's what I was always taught.

It is, but you have to vote for people that want to keep it that way. You have to complain when people tell you that this or that part of the constitution doesn't mean anything anymore. You have to complain when government grows, for the larger a government is the farther it is from control even of elected officials.

Anything worthwhile requires care and upkeep, and a nation is no different.

Catastrophic (5, Insightful)

Anonymous Coward | about 8 months ago | (#45750875)

Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.

No RSA product can ever be trusted again.

Regarding the anonymous reader (5, Interesting)

Anonymous Coward | about 8 months ago | (#45750877)

TLS's current big problems are:
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET /") by a Nation State Adversary in real time; NSA secretly control PCI DSS standard and used the excuse of the BEAST attack (CVE-2011-3389) to push RC4 as solution for PCI compliance, instead of TLS 1.2
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)

All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.

The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.

Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
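
The curve point validation that this comment and the earlier comment on the NIST/SECP curves both mention, as an added example that is not part of the thread or of any library discussed in it: a Python check of an uncompressed SEC1 public point against the published P-256 parameters. The function names are hypothetical, and the scalar multiplication here is variable-time, so it is only suitable for public values such as the point being checked.

```python
# Added example: validating an untrusted P-256 public point before use.
# Constants are the published secp256r1 (P-256) domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
A = P - 3                                          # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


class InvalidPoint(ValueError):
    """Raised when an encoded point fails any validation step."""


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + ax + b (mod p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mul(k, point):
    """Double-and-add. Variable-time: use on public inputs only."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(x, y):
    """SEC1 uncompressed encoding: 0x04 || X || Y (32 bytes each)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def validate_public_point(encoded):
    """Return (x, y) if the encoded point is safe to use, else raise."""
    if len(encoded) != 65:
        raise InvalidPoint("expected a 65-byte uncompressed point")
    if encoded[0] != 0x04:
        raise InvalidPoint("unsupported point format")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not reduced modulo p")
    if not on_curve(x, y):
        # Skipping this check is the failure described in the thread:
        # arithmetic then runs on a different, possibly weak, curve.
        raise InvalidPoint("point is not on P-256")
    # P-256 has cofactor 1, so this is redundant here; it is kept because
    # the same routine is needed on curves with a larger cofactor.
    if scalar_mul(N, (x, y)) is not None:
        raise InvalidPoint("point is outside the prime-order subgroup")
    return x, y


def is_valid(encoded):
    """Boolean wrapper around validate_public_point."""
    try:
        validate_public_point(encoded)
        return True
    except InvalidPoint:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real system.
    samples = {
        "generator G": encode(GX, GY),
        "G with y + 1 (off curve)": encode(GX, GY + 1),
        "x = p (not reduced)": encode(P, GY),
        "compressed form": b"\x02" + GX.to_bytes(32, "big"),
        "(0, 0)": encode(0, 0),
    }
    for label, blob in samples.items():
        print(f"{label:28s} -> {'accept' if is_valid(blob) else 'reject'}")
```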

Let me say this from Germany: (0)

Anonymous Coward | about 8 months ago | (#45750929)

..sure as hell I trust Google as much as I trust the NSA to do crypto properly for me. And that "djb" guy, is he also on the payroll of the N.S.C. ???

Re:Let me say this from Germany: (3, Informative)

Anonymous Coward | about 8 months ago | (#45750987)

djb's funded by a NIST grant or two, but they're actually furious that, for example, he's running a crypto competition without telling them. Dude is a professor with tenure, and does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science. (There are plenty of people who don't like him because of his personality and penchant for unusual decisions, but these decisions are often for very sound reasons.) I've checked his stuff out extensively, and this is great.

Similarly, I've been through Adam Langley's stuff on this draft with a fine-toothed comb, and it's fine. ChaCha20's great, we analysed it and its variant as part of the BLAKE hash in SHA-3 competition; best attack 7/20, which makes it slightly better than the eSTREAM winner Salsa20 (best attack 8/20).

Many cryptographers have worked together on all this stuff. Some of them are American. Bruce Schneier is American, but I don't think the NSA have subverted him. Quite the opposite.

It says a lot about the NSA's actions that they've irrevocably damaged the US's national interests by providing some very strong reasons for everyone else not to trust them, though. You're right not to put trust in people you don't know. You don't know me. Weigh in yourself, check this stuff, if you have better ideas, please contribute them, and at the very least feel free to provide oversight, please!

Re:Let me say this from Germany: (0)

Anonymous Coward | about 8 months ago | (#45751053)

Why do we need EC at all ? Is it more resilient against Quantum computers ?

Can't we just use DH+Blowfish or RSA+3DES and be done with it ?
Regarding the "error-timing weaknesses" and the following RC4-knee-jerk adoption, maybe we should change the protocol instead of using the RC4 crapola ? Would that be too rational ?

Re:Let me say this from Germany: (4, Informative)

Anonymous Coward | about 8 months ago | (#45751135)

We can't really recommend RSA 3072 bits now, 4096 for being safe. We're approaching the limits where RSA is going to become prohibitively slow - same for standard D-H. If we need more security but keep similar mechanics, representing the discrete log algorithms with a different field is definitely the way to go.

As far as practical quantum computers, it's hard to predict timescales. They'll probably mash all discrete log and polynomial/factoring algorithms into pulp - but we don't have any reason to suspect any NSA is THAT far ahead. That would be a phenomenal cryptanalytic and mathematical advance. I'd estimate we still have 20 years, but I'm plucking numbers out of the air here.

As far as post-quantum encryption goes, we're looking too far ahead, it's not developed enough yet to have anything good to switch to. Hash-based signatures which are a possibility, but two-key ciphers are a big problem: the few which have been proposed are often based on, say, lattice algorithms (such as NTRU, although I have a hunch the NSA have a hand in that one, purely because it's a public key standard, it's American and it's patented; it's had bad security reviews too, with some key leakage with signatures) and linear codes (like Goppa codes with McEliece signatures, the drawback of these systems being the keys are REALLY BIG). Worst, we don't have any proof quantum computers are actually bad at solving these either: in fact, I think they ought to be really good at solving lattice algorithms, we just don't have an algorithm that we know of that would allow them to do it yet. We need another decade's research; we need something to switch to FOR that decade, first.

Yes, using TLS 1.2's AES-128-CCM or AES-128-GCM or CAMELLIA equivalents or something would have been more rational. That's why NSA convinced PCI DSS to recommend RC4.

I wouldn't recommend Blowfish nowadays, not when Twofish exists, at least. And 3DES? No. Way too old and creaky. Didn't you want to use a cipher they hadn't co-designed?

Re:Let me say this from Germany: (-1)

Anonymous Coward | about 8 months ago | (#45751115)

Google has an interest in proper encryption. They can only sell your data if the potential buyer cannot acquire it without paying them. Hence, they need to make sure your data gets to them and no-one else.

Mankind sold out for a relative pittance (1)

JoeyRox (2711699) | about 8 months ago | (#45750893)

I'm more surprised that civilization has lasted this long considering the greedy nature of man. It only takes one wealthy wackjob to buy a chemical or nuclear weapon and use it to kill millions of people.

Fuck off (0)

Anonymous Coward | about 8 months ago | (#45750979)

..General Alexander.

Nuke hysteria (4, Insightful)

fyngyrz (762201) | about 8 months ago | (#45751041)

It only takes one wealthy wackjob to buy a chemical or nuclear weapon and use it to kill millions of people.

No, it also takes a seller of such weapons. And there aren't any, or we'd have been sweeping up the remains of some city, political center, or major chunk of infrastructure by now. The whole "terrorists and nuclear weapons" is a total mind job done on you and yours by your government. One thing to keep in mind: Nukes are very difficult and expensive to manufacture, and pretty damned difficult to lose track of.

Civilization isn't likely to die due to nuclear weapons. We've set off well over a thousand of them already, and there's no particular notable effects other than the low hum of hysteria at the intersection of the set of the ill-informed and the paranoid.

Also, Chemical weapons are a lot less "mass" than nukes are, barring very sophisticated delivery systems, which again, aren't available to religious tools. Bacterial weapons are vaguely possible (although still very, very technical), but incorporate the downside of most likely eventually killing everyone everywhere instead of just the target(s), and so not even your average superstition-addled dingbat seriously considers them.

If you are a US citizen, if you want to worry about civilization, you should be worrying about the decay of our government from one authorized by the constitution into a form exclusively controlled by corporate and political groups. Because unlike the "nuclear threat", said decay is real and ongoing and has already screwed things up immensely: almost 100% loss of manufacturing capacity and so also jobs, crippling inflation, loss of citizen's rights, usurpation of article five powers by the judiciary, illegal legislation that spans almost the entire bill of rights to ex post facto laws to the complete inversion of the commerce clause, promulgation of multiple very expensive, ultimately useless wars... the problem isn't terrorists. The problem is our federal government. The whole terrorist thing is to keep the citizens looking the wrong way.

Re:Nuke hysteria (1)

JoeyRox (2711699) | about 8 months ago | (#45751079)

"No, it also takes a seller of such weapons. And there aren't any, or we'd have been sweeping up the remains of some city, political center, or major chunk of infrastructure by now."

So because to our knowledge nobody has ever sold a rogue nuclear weapon to someone in the past that means it will never happen in the future? And you can leave out the government propaganda nonsense - I don't believe in government any more than you do.

Slashdot or Twitter? (4, Insightful)

Threni (635302) | about 8 months ago | (#45750905)

"amirite?"

This wouldn't have been posted 10, or even 5, years ago. I don't want to see it. Please don't lower your standards.

Re:Slashdot or Twitter? (1, Troll)

sideslash (1865434) | about 8 months ago | (#45750943)

I don't think there should be a comma after the "5" in your post.

Re:Slashdot or Twitter? (0)

Anonymous Coward | about 8 months ago | (#45751085)

Anyone who uses "amirite" as part of an argument is probably wrong, amirite?!

Re:Slashdot or Twitter? (0)

Anonymous Coward | about 8 months ago | (#45751151)

"amirite?"

This wouldn't have been posted 10, or even 5, years ago. I don't want to see it. Please don't lower your standards.

Speaking of standards, perhaps you should go talk to the fucktards* over at Merriam-Webster. They accept submissions so fast it makes TLD Registrars look conservative.

(* yeah, that's probably in the unabridged version too)

RSA Denial (1)

Jerslan (1088525) | about 8 months ago | (#45750911)

From TFA:

RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

That is one of the biggest loads of horse shit I have ever heard. If any part of that statement from the RSA were true then the NSA deal would never have happened and the NSA Formula would never even have been an option, much less the default...

Playing Devil's Advocate (5, Interesting)

Anonymous Coward | about 8 months ago | (#45750993)

What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?

And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in NSA's pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.

In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.

Re:Playing Devil's Advocate (1)

phrostie (121428) | about 8 months ago | (#45751095)

Remember the NSAKey?

http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org]

MS gave the same song and dance

Re:Playing Devil's Advocate (0)

Anonymous Coward | about 8 months ago | (#45751119)

You have a point...I just looked at the officers and board of directors for EMC and it's an almost entirely aryan company i.e. whites and indians...not a jew to be found anywhere...how do we know this isn't a zionist takedown of one of the last white owned technology and security companies?

Re:RSA Denial (2)

bob_super (3391281) | about 8 months ago | (#45751051)

I don't see a problem with the statement:
  - For $10M, the NSA became a customer
  - RSA didn't design or enable back doors, it provided an inferior and more breakable encryption. That's not technically a back door.

Pay attention to the weasel words. No statement gets out unchecked by Legal.

Treason and crimes against humanity (4, Insightful)

dgatwood (11270) | about 8 months ago | (#45750921)

I'm assuming for the moment that this evidence is, in fact, legitimate. Given how heinous the NSA's actions have been lately, it seems completely in character, which makes that likely a safe assumption. However, just to give them the benefit of the doubt, everyone involved should receive a fair trial. With that said, everyone involved should be tried for high crimes against the United States and its allies. These are accusations of very serious crimes.

Deliberately compromising the secure communications of hundreds of millions of computers all around the world just so a bunch of pencil-dicked asshats can play their little spy games goes so far beyond unconscionability that it borders on a crime against humanity. Such ends-justify-means thinking is fundamentally incompatible with any form of liberty or justice. Our data is fundamentally easier to crack not just by our own government, but also by organized crime syndicates, foreign governments, and even terrorist groups. In all likelihood, even military communications gear is less secure, which means our troops are at elevated risk during a time of war as a direct result of their actions. That's treason, even by the absolute strictest definition thereof. Further, such deliberate weakening of crypto endangers the lives of dissidents in countries with oppressive regimes, many of which are considered our enemies—an act that could also be considered treason.

Their actions, if true, clearly constitute providing material support to terrorists and treason by means of providing material aid to our enemies in a time of war. Therefore, according to U.S. law, everyone involved should be immediately treated as enemy combatants, deported to an appropriate holding facility outside our borders—preferably the one affectionately known as "Gitmo"—and tried before a military tribunal.

In addition to prosecution of individuals, there should be consequences for the groups involved. RSA should be immediately dissolved and all its assets destroyed. Further, at this point, it should be abundantly clear to anyone with even the slightest understanding of crypto that nothing short of the complete and total elimination of the NSA and a constitutional amendment clearly and plainly banning any similar organization from ever existing in the future can even begin to restore trust in cryptography and computers. That organization is fundamentally malevolent, and its very existence is inherently incompatible with the very concepts of security and privacy. No matter what successes they may have had, nothing can possibly even come close to justifying such a heinous breach of the public's trust.

Re:Treason and crimes against humanity (0)

Anonymous Coward | about 8 months ago | (#45751183)

Dude, you just have to operate under the assumption that anything that happens on a computer is public. If you want to wack it to tranny porn without anyone knowing buy it on dvd with cash from a brick and mortar porno store. If you want to be the center of a gay gangbang bukkake session go hang out in the bathroom of a gay nightclub instead of trolling craigslist. Or you could just come out of the closet, I mean no one except your wife really cares if you like to smoke pole, bro.

The article is at best suggestive (0)

Anonymous Coward | about 8 months ago | (#45750941)

From the article:

RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door."

The revealed information only proves that NSA wanted elliptic curve to spread, not necessarily why. It could be because they were certain that it was the best technical road for the future, or it could be because they knew something special about it that was useful to them. There isn't really any way of knowing. Even Schneier is overstepping. The weakness has been suspected, but never proven as far as I've seen. It is suggestive, but not definitive. People have had similar doubts about the NSA before, such as when they changed the DES S-boxes before approving the DES as a standard that was developed by IBM. People thought they had inserted a weakness and spent countless amounts of time in analysis and testing to try to prove that. Eventually it was demonstrated that DES was immune to differential cryptanalysis which broke many other ciphers but which NSA knew about 20 years before anyone else, and strengthened DES against. It could be a similar scenario playing out here. There is no way to tell. One thing I'll note is that I believe I've seen that Schneier has said that there is nothing in the Snowden leaks to prove that NSA has actually weakened the ciphers although that bit of news is a challenge to find.

Re:The article is at best suggestive (0)

Anonymous Coward | about 8 months ago | (#45751269)

Hello, potential NSA shill! No, it's not "weakness". It's a blatant, neon-sign, 100% pure honest-to-god backdoor, so obvious nobody needed a proof.

Look: If I said I've got this great cryptographically secure random number generator that, given an entropy source, uses RSA to generate sort of random numbers (that turn out to not be particularly great random numbers anyway, by the way), that relies on the hardness of factoring (so, it'll be quantum-computer crackable in the future where a symmetric one wouldn't be?) and is ridiculously slow by comparison to the normal ones you'd use by, say, keying a block or stream cipher and feeding it with a counter... you could generate a keypair yourself, but don't worry about that, here's a default public key you could use, right here in this government crypto standard, nudge nudge wink wink, and said absolutely nothing else, what would your next three questions be?

That's right. How did you generate this public key, where's the private key, and what are you trying to pull? That's EXACTLY what the NSA did with Dual_EC_DRBG, only with elliptic curves. I'm not even simplifying. It's the world's most obvious backdoor.

By the way, NSA's changes strengthened DES against differential cryptanalysis, but weakened DES to linear cryptanalysis. The only pure strengthening I ever saw them do was add the rotate to SHA to make the final SHA-1, which strengthened it a little against an unknown attack that was later rediscovered by Xiaoyun Wang, et al, although that method was later extended to cover SHA-1 as well (although to date, no civilian researcher has publicly demonstrated a single full collision, there are some practical attacks on protocols that use it and it falls within the NSA's known capabilities), and of course, MD5.
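The thought experiment in the comment above (a generator whose output is its state run through a public-key operation, shipped with a default public key), worked through as an added example that is not part of the original post or of any real library. The class and function names and the tiny Mersenne-prime keys are constructed for illustration; the sketch shows that one observed output gives the key's creator every later output, and that a caller who supplies its own key is not exposed to that trapdoor.

```python
import hashlib
from math import gcd

E = 65537


def make_keypair(p, q, e=E):
    """Build an RSA keypair ((n, e), d) from two distinct primes."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (p * q, e), pow(e, -1, phi)


# Constructed toy "standard" key (Mersenne primes, far too small for real use).
# STANDARD_PUB is what a standard would publish; STANDARD_D is what its author
# could have kept without anyone being able to tell.
STANDARD_PUB, STANDARD_D = make_keypair(2**31 - 1, 2**61 - 1)


class ToyRsaDrbg:
    """Hypothetical generator: each output is the internal state encrypted
    under a public key; the state then advances through SHA-256."""

    def __init__(self, seed, public_key=None):
        # If the caller does not choose a key, the published default is
        # silently used.
        self.n, self.e = public_key or STANDARD_PUB
        self.state = seed % self.n

    def generate(self):
        out = pow(self.state, self.e, self.n)
        raw = self.state.to_bytes(32, "big")
        self.state = int.from_bytes(hashlib.sha256(raw).digest(), "big") % self.n
        return out


def predict_with_trapdoor(observed, count, d=STANDARD_D, public_key=STANDARD_PUB):
    """Decrypt one observed output back to the state that produced it, then
    run a clone of the generator forward to list the next `count` outputs."""
    n, _ = public_key
    clone = ToyRsaDrbg(pow(observed, d, n), public_key)
    clone.generate()  # re-emits the observed output
    return [clone.generate() for _ in range(count)]


def uses_published_default(gen):
    """Configuration check: is this generator keyed with the standard's constants?"""
    return (gen.n, gen.e) == STANDARD_PUB


def demo():
    seed = int.from_bytes(hashlib.sha256(b"constructed sample seed").digest(), "big")

    # Case 1: the caller accepts the default key.
    default_gen = ToyRsaDrbg(seed)
    first = default_gen.generate()
    default_actual = [default_gen.generate() for _ in range(4)]
    default_predicted = predict_with_trapdoor(first, 4)

    # Case 2: the caller generates its own keypair and discards the private half.
    own_pub, _ = make_keypair(2**89 - 1, 2**107 - 1)
    own_gen = ToyRsaDrbg(seed, own_pub)
    own_first = own_gen.generate()
    own_actual = [own_gen.generate() for _ in range(4)]
    own_predicted = predict_with_trapdoor(own_first, 4)

    return {
        "default_flagged": uses_published_default(default_gen),
        "default_predicted": default_predicted == default_actual,
        "own_flagged": uses_published_default(own_gen),
        "own_predicted": own_predicted == own_actual,
    }


if __name__ == "__main__":
    print(demo())
```

For a reviewer the useful part is `uses_published_default`: when a generator's output is a trapdoor function of its state, its security rests on where the constants came from, which is why the provenance of default parameters is an audit item.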

article not found (0)

Anonymous Coward | about 8 months ago | (#45750945)

now that's funny

Re: article not found (0)

Anonymous Coward | about 8 months ago | (#45751035)

Same. Wow.

How is this not criminal fraud on RSA's part? (5, Interesting)

JoeyRox (2711699) | about 8 months ago | (#45750957)

They advertised and sold a product promising to secure customers' data yet they intentionally put an algorithmic backdoor inside that could be used not only by the US government but also discovered and used by hackers to compromise customers' security.

New Strategy (2)

cervesaebraciator (2352888) | about 8 months ago | (#45750971)

Let's get together and make tons of new cryptographic systems. We'll keep selling out and weakening them until the NSA hits budget limits. We get rich; the NSA won't have money to continue spying. Win; win.

Here's One (0)

Anonymous Coward | about 8 months ago | (#45751123)

http://scherbius2014.de/BitMischer.cpp

A SPN network, unlike all the popular Feistel networks around.

Re:New Strategy (0)

Anonymous Coward | about 8 months ago | (#45751143)

the NSA won't have money to continue spying.

No, they'll just divert funds from education, healthcare, and any other services that only benefit people whose annual income is less than 7-digits.

Voynich Manuscript Unbroken Yet (1)

Mister Liberty (769145) | about 8 months ago | (#45750997)

That should be the big news.

They didn't know! (5, Insightful)

hawguy (1600213) | about 8 months ago | (#45751009)

"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

Right, the NSA, known to be codebreakers, paid them $10M to include their "special" algorithm, and no one had any idea that it could be compromised. Right. Why else would they pay them to use it?

Re:They didn't know! (5, Interesting)

edelbrp (62429) | about 8 months ago | (#45751139)

A different era. They might have actually thought the NSA were honestly helping. Back then the NSA was probably perceived as being as much about hardening encryption as breaking it.

so all those https are worthless (0)

Anonymous Coward | about 8 months ago | (#45751103)

https - your NSA is sniffing your buying habits

Bet this cost millions in damages (1)

PortHaven (242123) | about 8 months ago | (#45751111)

I remember a while ago that all the little RSA doodads had to be replaced because they had been breached.

I bet you 10 to 1, it was related to this.

Re:Bet this cost millions in damages (1)

kriston (7886) | about 8 months ago | (#45751271)

RSA SecurID tokens have absolutely nothing at all to do with this.

They deserve the $10M (1)

thisisauniqueid (825395) | about 8 months ago | (#45751121)

Since there are only about three people in the world that could actually tell you whether one set of elliptic curve constants are inherently more secure than another set, I'd say they deserve the $10M, probably a lot more. (Whether or not what they did is ethical is a totally different issue. It clearly was not ethical to betray the whole world's trust like that, especially for a company where half their core business is verifying trust.)

Bill Gates does this for free (0)

Anonymous Coward | about 8 months ago | (#45751161)

No-one has to buy out Microsoft- Microsoft inserts back-doors into every one of its products as part of Bill Gates' pact to work in every way to give 'the elite' more perfect control of the 'sheeple'.

Did you know that Bill Gates partnered with Rupert "Fox News" Murdoch to create a massive database that is intended to gather information about every aspect of every child in the USA? Did you know that Gates' foundation pays teachers extra money if they use 'information' they have overheard during class or noted during meetings with parents, to 'enhance' the records of individual children? Did you know that Gates specifically mandated that every aspect of a child's sexual development must be noted in his database system? Did you know that Gates uses a specific pedophile term that labels potential victims, inBloom, for the company he and Murdoch created?

Yahoo, Google, Twitter, Microsoft, Oracle, all of your main telecom companies- ALL the biggest players WILLINGLY implement NSA projects for the greater glory of what they think of as their exclusive team. Use an encryption product from ANY of these companies, and you only protect your data from casual attackers, NEVER from anyone with any links to the US government.

But the encryption scandals pale into insignificance compared to Bill Gates' work pushing Common Core, inBloom surveillance of your children, and Xbox One Kinect 2 surveillance of your own homes (including giving a legion of pedophiles within government circles access to your children's bedrooms).

How often have you read the comments from vile shills here saying it is a GOOD thing that Gates is persuading millions of Americans to install NSA cameras and microphones in their homes, monitoring the living room (or bedroom) 24/7, with a military grade time-of-flight sensor that can even trigger recording based on patterns of Human movement, including sexual activity?

Only complete cretins did NOT know RSA was in bed with the NSA. Only complete cretins did not know official encryption standards were utterly compromised by the NSA.

But Gates putting NSA cameras and microphones into millions of homes, and attempting to monitor the most intimate details of the lives of every US child, should make you sick and terrified to your core. Gates targets the most vulnerable in society, and attempts to use them as a trojan horse to get the most depraved policies of social engineering forcibly applied to the whole population. And Gates spends almost all his time, just like Tony Blair, travelling the world, hooking up with the most evil, most powerful, most influential individuals they can find in every possible nation. The solution Gates sells on his travels has ***US***, the people, as the problem.

Don't like the fake NSA crippled encryption in mainstream products- no problem, you can use any one of a number of excellent free solutions. But what happens when you seek to protect your children from inBloom, Common Core, or the Microsoft NSA cameras and microphones that monitor you when you and your family visit neighbours and friends? You can say "keep the Xbox One out of my home", but you will encounter Kinect 2 spy hardware once you leave your home.

Ask any person who lived in a Soviet state during the bad times, and they'll explain the REAL purpose of full surveillance projects, and exactly why the state wants you to know there can be no protecting members of your family from the most sickening abuses against their privacy and dignity. You wear people down. You break them body and spirit. And then you rebuild them any way you wish, as scared, unquestioning drones whose passive support is ALWAYS guaranteed even when 'active' support may not be.

The old Soviet Stalinist model worked, but was infinitely flawed, and non-sustainable in a modern society. Tony Blair's 21st Century version, promoted at every turn by people like Gates, is redesigned from the ground up to offer perfect control to the 'elite' layer of society. The sheeple are perfectly controlled to never question the existing political system that PRETENDS to ask them a single significant question every four years or so, and instead focus 100% of their active concerns on celeb/fashion/gizmo/sport issues of the moment.

Gates seeks to make the upper strata of society LOATHE and DESPISE the general masses precisely because of their actions and what they put up with. Then Gates wants those in real power to impose unthinkably evil changes on the population of the Earth. Blair and Gates need an absolute EMPATHY barrier, so the top has ZERO empathy for the masses, and then will countenance the previously unthinkable. Blair wants World War, with full unleashing of the planet's nuclear and biological arsenals. Gates wants a massive population reduction, of at least THREE BILLION Humans. Most of the circle Blair leads do not want global war, but step-by-step Blair is leading them down that path perfectly.

Every thing electronic is back-doored from long be (-1)

Anonymous Coward | about 8 months ago | (#45751185)

I thought we already knew this.
You fools have been watched since your inception.
The FCC MANDATES it.
Now get over your butt-hurt and do something about it or quit crying.

This Is Not Acceptable. (5, Interesting)

Anonymous Coward | about 8 months ago | (#45751195)

I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.

The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?

This is not how I want my country to be governed.

I am outraged! (1)

Daniel Hoffmann (2902427) | about 8 months ago | (#45751211)

They sold out for so little.

It's not the crypto, it's the RNG (5, Informative)

kriston (7886) | about 8 months ago | (#45751241)

Having worked with pre-2000 versions of RSA BSAFE, the thing that the NSA paid RSA to do was to change the default selection of the random number generator with a weaker one. Nobody had to use the default version--it was just picked if you didn't specify one (or a callback to your own RNG). We had our own multi-threaded rendezvous noise generator thing since this was back before hardware entropy engines.

Oh, and before that, the NSA had unsuccessfully tried to get RSA to tell people that 512-bit keys were safe enough. It wasn't successful mostly because the old guard was still running the company then.

Fraud? (0)

Anonymous Coward | about 8 months ago | (#45751257)

This looks like a pretty straightforward commercial transaction. If this agreement was with a non-governmental entity, wouldn't it be fraud to sell security software with a deliberately created flaw in exchange for money?

coincidence..? (0)

Anonymous Coward | about 8 months ago | (#45751281)

Oddly (right), a few hours before the Reuters story, two FreeCode rngs were updated...

China might be safer (0)

Anonymous Coward | about 8 months ago | (#45751289)

It seems Chinese hardware, algorithms and security systems are becoming more and more desirable.

Not because they are less bugged or not used for spying, but because we must take more precautions using them from the outset. USA equipment now only gives false assurances of security, and that by nature, lowers one's care-factor.

Sorry RSA, you just caused yourself a major harm.

If you have purchasing authority (0)

Anonymous Coward | about 8 months ago | (#45751297)

If you have purchasing authority, make sure you let the RSA know why you won't buy from them.
