For those reading VG or following the NSA debacle, it’s not news that security provider RSA got paid by the NSA to implement and push compromised security tools actually made by the NSA for the purpose of compromising civilian cryptography.
Dual EC_DRBG [known as Dual Elliptic Curve] is a pseudo-random number generator that was developed by cryptographers from the National Security Agency and was the default RNG in BSAFE even after researchers demonstrated weaknesses so severe that many suspected they were introduced intentionally so the US spy agency could exploit them to crack encrypted communications of people it wanted to monitor.
Fast forward a few months, because the big news this morning is that the NSA had more than one claw in RSA’s operation, and this new revelation is far worse.
Extended Random was a second RNG [random number generator] that would presumably make cryptographic keys more robust by adding a second source of randomness. In theory, the additional RNG should increase the entropy used when constructing a new key. In reality, the algorithm made protected communications even easier for attackers to decrypt by reducing the time it takes to predict the random numbers generated by Dual EC_DRBG…
But what does all this mean, you ask? The short version is this: The NSA paid one of the leading computer security companies to offer a password generator that the NSA designed. Then, they had RSA offer a second tool as well, claiming that it would make keys safer. In actuality, it made everything hundreds of times weaker—for the express purpose of allowing the NSA to spy on users. The real kicker? RSA knew the whole time that it was offering bogus and even dangerous software.
“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Matt Green, a professor specializing in cryptography at Johns Hopkins University and one of the authors of the upcoming academic report, told Reuters.
Lovely.
If all of that doesn’t make you angry, perhaps this additional tidbit will. First, we now know based on leaked documents that Microsoft currently charges the FBI about $200 per information request. That makes sense and isn’t necessarily crazy in itself—until you realize that in November 2013, the FBI Digital Intercept Unit was billed $281,000. For you mathy folks, that averages out to 50 people a day, all month long, that one tiny unit of the FBI is asking for info on. I’m sure they all have proper warrants though, right?
You’d think there would be a law against a company misrepresenting their product and lying to customers. If any other product had supplied *exactly the opposite* results of its selling points, there would be lawsuits out the wazoo and investigations by the federal government. In this case, not a peep. “Equal justice for all” my foot.
‘Course, we’re used to that by now, aren’t we?
1 Comment