Connect with us

Hi, what are you looking for?



NSA-Linked ‘Extended Random’ Extension Discovered Inside RSA BSAFE: Researchers

A team of university professors say they have found evidence that RSA Security adopted a NSA-linked TLS extension to help the spy agency better crack encryption.

A team of university professors say they have found evidence that RSA Security adopted a NSA-linked TLS extension to help the spy agency better crack encryption.

News of the extension was broken by Reuters, which reported several months ago that RSA Security – now a division of EMC – was paid $10 million to make the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) the default in its BSAFE toolkits. Now, a team of academics say that there is evidence of a non-standard TLS extension known as “Extended Random” in the BSAFE products. This extension could be used to crack a version of the Dual Elliptic Curve algorithm tens of thousands of times faster than the backdoor, according to the researchers.

“This extension,” the researchers explained in a summary, “co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.”

“While the code implementing Extended Random was not compiled into the build of Share for C/C++ examined, it was available (though deactivated) in the build of Share for Java that was analyzed,” according to the summary. “In the latter case, the researchers were able to re-enable it and verify the functionality.”

“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Johns Hopkins University Professor Matthew Green reportedly told Reuters.

Reuters reported that the extension was not widely adopted. EMC did not respond to SecurityWeek with commentary before publication. EMC in the past has denied RSA was ever involved in a contract or project with the intention of weakening its products. 

The paper, titled ‘On the Practical Exploitability of Dual EC in TLS Implementations’, includes other information as well. For example, the researchers claim in the summary that the RSA BSAFE implementations of TLS make the Dual EC back door “easy to exploit compared to the other libraries analyzed.” The C version of BSAFE makes it possible to speed exploitation by broadcasting long contiguous strings of random byes and by caching the output from each generator call, while the Java version of BSAFE includes fingerprints in connections and therefore makes it relatively easy to identify them in a stream of network traffic, according to the researchers. 

The paper also notes a previously unknown bug in OpenSSL that prevents the library from running when Dual EC is enabled. In addition, the researchers found that the SChannel does not use the current Dual EC standard; instead it omits one step of the Dual EC algorithm. This omission makes the attacks slightly faster, the researcher state in the summary.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights