http://www.theguardian.com/world/2013/sep/21/rsa-emc-warning-encryption-system-nsa

Major US security company warns over NSA link to encryption formula

RSA, the security arm of EMC, sends email to customers over default random number generator which uses weak formula

Charles Arthur and agencies

21 September 2013

A major American computer security company has told thousands of customers to stop using an encryption system that relies on a mathematical formula developed by the National Security Agency (NSA).

RSA, the security arm of the storage company EMC, sent an email to customers telling them that the default random number generator in a toolkit for developers used a weak formula, and they should switch to one of the other formulas in the product.

The abrupt warning is the latest fallout from the huge intelligence disclosures by the whistleblower Edward Snowden about the extent of surveillance and the debasement of encryption by the NSA.

Last week, the New York Times reported that Snowden's cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government's National Institute of Standards and Technology (NIST), [1] to push for a formula it knew it could break. Soon after that revelation, the NIST began advising against the use of one of its cryptographic standards and, having accepted the NSA proposal in 2006 as one of four systems acceptable for government use, said it would reconsider that inclusion in the wake of questions about its security.

RSA's warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.

Rik Ferguson, of the security company Trend Micro, told the Guardian: "That particular standard, the Pseudo Random Number Generator [PRNG] standard, has long been thought to have at best a weakness, and at worst a back door, pretty much since its publication in 2006."

Encryption systems use pseudo-random number generators as part of a complex mathematical process of creating theoretically uncrackable codes. If the number sequences generated can be predicted, that makes the code crackable, given sufficient computing power.

Ferguson pointed to a 2007 presentation by two researchers from Microsoft, Dan Shumow and Niels Ferguson, in which they said: [2] "What we are not saying: NIST intentionally put a back door in this PRNG. What we are saying: the prediction resistance of this PRNG ... is dependent on solving one instance of the elliptic curve discrete log problem. (And we do not know if the algorithm designer knew this beforehand.)"

A person familiar with the process by which NIST would have accepted the PRNG told Reuters that it accepted the code in part because many government agencies were already using it.

RSA had no immediate comment when quizzed by Reuters about the email. It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers. That could mean that the weakened PRNG has been used in products spread around the world over the past seven years.

Developers who used RSA's "BSAFE" kit wrote code for web browsers, other software and hardware components to increase their security.

Rik Ferguson said: "The advantage of [the flaw] being so public for so long is that its use has been limited. Typically, cryptographers tend to avoid algorithms that have been shown to be weak. Nonetheless, it's not so much the weakness of the standard that counts, but 'security' services' willingness to subvert the very building blocks that so many of their own citizens and enterprises may later come to rely on for confidentiality and security."

He added: "Now that the ruse of covertly influencing standards has become public knowledge, it will be difficult to maintain trust in that system. After all, what's good for the goose is good for the adversary."

After the Times report, NIST said it was inviting public comments as it re-evaluated the formula.

On 10 September, NIST said: "If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible."

[1] http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/

[2] http://rump2007.cr.yp.to/15-shumow.pdf