NSA-Linked ‘Extended Random’ Extension Discovered Inside RSA BSAFE: Researchers

A team of university professors say they have found evidence that RSA Security adopted an NSA-linked TLS extension to help the spy agency better crack encryption.

News of the extension was broken by Reuters, which reported several months ago that RSA Security – now a division of EMC – was paid $10 million to make the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) the default in its BSAFE toolkits. Now, a team of academics say that there is evidence of a non-standard TLS extension known as “Extended Random” in the BSAFE products. This extension could be used to crack a version of the Dual Elliptic Curve algorithm tens of thousands of times faster than the backdoor, according to the researchers.

“This extension,” the researchers explained in a summary, “co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.”

“While the code implementing Extended Random was not compiled into the build of Share for C/C++ examined, it was available (though deactivated) in the build of Share for Java that was analyzed,” according to the summary. “In the latter case, the researchers were able to re-enable it and verify the functionality.”

“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Johns Hopkins University Professor Matthew Green reportedly told Reuters.

Reuters reported that the extension was not widely adopted. EMC did not respond to SecurityWeek with commentary before publication. EMC has in the past denied that RSA was ever involved in a contract or project intended to weaken its products.

The paper, titled ‘On the Practical Exploitability of Dual EC in TLS Implementations’, includes other information as well. For example, the researchers claim in the summary that the RSA BSAFE implementations of TLS make the Dual EC back door “easy to exploit compared to the other libraries analyzed.” The C version of BSAFE makes it possible to speed exploitation by broadcasting long contiguous strings of random bytes and by caching the output from each generator call, while the Java version of BSAFE includes fingerprints in its connections and therefore makes them relatively easy to identify in a stream of network traffic, according to the researchers.
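Both the Extended Random extension described above and the connection fingerprints attributed to the Java build of BSAFE are visible on the wire in the TLS ClientHello, which is where a network defender would look for them. The following Python script is an added example written for this article; it is not code from the paper, from SecurityWeek, or from RSA. It parses the extension list of a TLS 1.2 ClientHello record and reports any extension type that is not on a short allow-list of IANA-registered types. Because the article does not state the code point Extended Random uses, the script does not match a specific number: the sample ClientHello below is constructed, and the non-standard type 0xFF42 in it is a placeholder from the private-use range, not the real Extended Random value.

```python
"""Flag non-standard TLS extensions in a ClientHello (added example, not from the paper)."""
import struct

# Subset of IANA-registered TLS extension types used as an allow-list.
KNOWN_EXTENSIONS = {
    0: "server_name", 1: "max_fragment_length", 5: "status_request",
    10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms",
    16: "application_layer_protocol_negotiation", 18: "signed_certificate_timestamp",
    21: "padding", 23: "extended_master_secret", 35: "session_ticket",
    43: "supported_versions", 45: "psk_key_exchange_modes", 51: "key_share",
    0xFF01: "renegotiation_info",
}
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def parse_client_hello(record):
    """Parse one TLS handshake record carrying a ClientHello.

    Returns the version, the 32-byte client random (always 32 bytes in
    standard TLS), the cipher-suite list and the extensions as (type, data)
    pairs. Raises ValueError on malformed or truncated input.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    if len(ch) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        off = 0
        version = struct.unpack("!H", ch[off:off + 2])[0]
        off += 2
        client_random = ch[off:off + 32]
        off += 32
        off += 1 + ch[off]                       # skip session id
        cs_len = struct.unpack("!H", ch[off:off + 2])[0]
        off += 2
        cipher_suites = [struct.unpack("!H", ch[i:i + 2])[0]
                         for i in range(off, off + cs_len, 2)]
        off += cs_len
        off += 1 + ch[off]                       # skip compression methods
        extensions = []
        if off < len(ch):                        # extensions block is optional
            ext_len = struct.unpack("!H", ch[off:off + 2])[0]
            off += 2
            end = off + ext_len
            if end != len(ch):
                raise ValueError("extensions length does not match ClientHello")
            while off + 4 <= end:
                etype, elen = struct.unpack("!HH", ch[off:off + 4])
                off += 4
                if off + elen > end:
                    raise ValueError("extension %d overruns its block" % etype)
                extensions.append((etype, ch[off:off + elen]))
                off += elen
            if off != end:
                raise ValueError("trailing bytes in extensions block")
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello: %s" % exc) from exc
    return {"version": version, "random": client_random,
            "cipher_suites": cipher_suites, "extensions": extensions}


def flag_nonstandard_extensions(record, known=KNOWN_EXTENSIONS):
    """Return [(type, data_length)] for each extension type not on the allow-list."""
    parsed = parse_client_hello(record)
    return [(etype, len(data)) for etype, data in parsed["extensions"] if etype not in known]


def build_client_hello(extensions, client_random=b"\x11" * 32):
    """Build a minimal TLS 1.2 ClientHello record (used only to construct test input)."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", 0x0303) + client_random
            + b"\x00"                                          # empty session id
            + struct.pack("!HHH", 4, 0xC02F, 0x009C)           # two cipher suites
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(ext_block)) + ext_block)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + struct.pack("!H", 0x0303)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed samples. PLACEHOLDER_EXT_TYPE is a private-use value standing in
# for any non-standard extension; it is NOT the real Extended Random code point.
PLACEHOLDER_EXT_TYPE = 0xFF42
SAMPLE_SNI = struct.pack("!HBH", 14, 0, 11) + b"example.com"       # server_name data
SAMPLE_CLEAN = build_client_hello([(0, SAMPLE_SNI), (23, b""), (0xFF01, b"\x00")])
SAMPLE_SUSPECT = build_client_hello([(0, SAMPLE_SNI), (PLACEHOLDER_EXT_TYPE, b"\x00\x40"), (23, b"")])

if __name__ == "__main__":
    for name, rec in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(name, flag_nonstandard_extensions(rec))
```

The allow-list approach is deliberate: rather than hunting for one extension number, it surfaces every unregistered type, which is how a vendor-private extension such as Extended Random, or any other fingerprintable oddity, would stand out in a traffic capture. In production the list should be generated from the IANA registry rather than hand-maintained.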

The paper also notes a previously unknown bug in OpenSSL that prevents the library from running when Dual EC is enabled. In addition, the researchers found that SChannel does not follow the current Dual EC standard; instead it omits one step of the Dual EC algorithm. This omission makes the attacks slightly faster, the researchers state in the summary.

Written By

Marketing professional with a background in journalism and a focus on IT security.
