RSA is accused again of having helped the NSA weaken security products

16:50 ET, 1 April 2014

A group of researchers from Johns Hopkins University has found that a second NSA-backed tool aggravates the vulnerability in RSA's security software.

We all remember Snowden's revelations regarding the support that RSA Security, a division of EMC, provided to the NSA. Snowden accused RSA of having deliberately inserted an alleged encryption backdoor into its BSafe software.

According to the news published by the Reuters agency, documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers.

The flawed random number generator (Dual_EC_DRBG) was used to create a "back door" in popular encryption products. Reuters reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe, a security library installed on many personal computers.


According to the report disclosed by Snowden, the NSA paid RSA a $10 million fee to adopt the flawed algorithm as the default choice in its products, but RSA has always denied the claims.

A group of researchers at Johns Hopkins University and the University of Illinois has claimed that the choice of Dual_EC_DRBG was not an isolated one: at the suggestion of the National Security Agency, RSA also adopted another tool, the Extended Random extension for secure websites.

The adoption of the Extended Random extension allows the NSA to crack a version of the Dual Elliptic Curve software tens of thousands of times faster, Reuters reported.

The professors found that the tool, known as the “Extended Random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters. While Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.

The researchers demonstrated that it is possible to crack a free version of BSafe for Java in just one hour, using about $40,000 worth of computer equipment.

"It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins. The researchers said it took them less than 3 seconds to crack a free version of BSafe for the C programming language, even without Extended Random, because it already transmitted so many random bits before the secure connection began. And it was so inexpensive it could easily be scaled up for mass surveillance, the researchers said," Reuters reported.
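To make the mechanism behind those figures concrete, here is an added toy model. It is my own illustration, not code from the Johns Hopkins and Illinois researchers, from RSA's BSafe, or from Reuters. It replaces the elliptic curve of Dual_EC_DRBG (NIST SP 800-90A) with the multiplicative group modulo a Mersenne prime, uses made-up constants (P_MOD, G, TRAPDOOR_E, the seed), and assumes the secret relation between the two public "points" is known, which is exactly the position of whoever chose the constants. Two things follow: such a party recovers the generator's internal state from a single output block, and every output bit that an observer does not see doubles the candidates it must try, so a protocol extension that puts more raw generator output on the wire (as Extended Random did) shrinks the work. Sixteen hidden bits cost 2^16 = 65,536 candidates, the order of the 65,000-fold speed-up quoted above.

```python
# Added, constructed illustration: a Dual-EC-style trapdoored DRBG in toy form.
# The real Dual_EC_DRBG works on an elliptic curve; here the multiplicative
# group mod a small prime stands in for it, so "scalar multiplication" becomes
# modular exponentiation. Every constant below is made up for the example.

P_MOD = 2**31 - 1     # Mersenne prime (constructed choice); exponents live mod P_MOD - 1
G = 7                 # stands in for the public base point P
TRAPDOOR_E = 7919     # secret relation Q = G**e; known only to whoever chose Q
Q = pow(G, TRAPDOOR_E, P_MOD)


def step(state, hidden_bits):
    """One generator step.

    next_state = G**state and output = Q**state with its low `hidden_bits`
    bits dropped, mirroring the bits of each block an observer never sees.
    """
    next_state = pow(G, state, P_MOD)
    output = pow(Q, state, P_MOD) >> hidden_bits
    return next_state, output


def generate(seed, count, hidden_bits):
    """Run the generator `count` times from `seed`; return (outputs, final_state)."""
    state, outputs = seed, []
    for _ in range(count):
        state, out = step(state, hidden_bits)
        outputs.append(out)
    return outputs, state


def recover_state(outputs, hidden_bits):
    """What the holder of TRAPDOOR_E can do with observed outputs.

    Re-expand the first truncated output into every possible full value,
    undo the Q -> G relation with e^-1, and keep the candidate whose
    predicted follow-on outputs match the observed ones.  Returns
    (state_after_first_output, candidates_tried); the state is None on failure.
    """
    e_inv = pow(TRAPDOOR_E, -1, P_MOD - 1)   # modular inverse, Python 3.8+
    first, rest = outputs[0], outputs[1:]
    tried = 0
    for low in range(1 << hidden_bits):
        full = (first << hidden_bits) | low
        tried += 1
        if full == 0 or full >= P_MOD:
            continue
        candidate = pow(full, e_inv, P_MOD)   # (Q**s)**(1/e) == G**s == next state
        predicted, _ = generate(candidate, len(rest), hidden_bits)
        if predicted == rest:
            return candidate, tried
    return None, tried


def search_cost(hidden_bits):
    """Worst-case candidates per recovery: each hidden bit doubles it."""
    return 1 << hidden_bits


if __name__ == "__main__":
    seed = 12345                               # constructed seed, not a real state
    for hidden in (0, 8, 16):
        outs, _ = generate(seed, 5, hidden)
        true_next = step(seed, hidden)[0]
        found, tried = recover_state(outs, hidden)
        print(f"hidden_bits={hidden:2d} recovered={found == true_next} "
              f"tried={tried} worst_case={search_cost(hidden)}")
```

The defender's reading of the model is that the damage does not depend on any weakness in the math an outsider could find; it depends entirely on who chose the constants and on how much raw generator output reaches the network. A DRBG whose constants have no verifiable provenance should be treated as untrusted, and TLS stacks should not be configured to expose more generator output than the handshake requires.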

This case is yet another blow to the reputation of US intelligence.

Pierluigi Paganini

(Editor-In-Chief, CDM)




