NSA-Linked ‘Extended Random’ Extension Discovered Inside RSA BSAFE: Researchers

A team of university professors say they have found evidence that RSA Security adopted a NSA-linked TLS extension to help the spy agency better crack encryption.

News of the extension was broken by Reuters, which several months earlier had reported that RSA Security, now a division of EMC, was paid $10 million to make the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) the default in its BSAFE toolkits. Now, a team of academics say they have found a non-standard TLS extension known as “Extended Random” in the BSAFE products. According to the researchers, if the extension were enabled it would speed up attacks that exploit the Dual EC back door by a factor of tens of thousands.

“This extension,” the researchers explained in a summary, “co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.”

“While the code implementing Extended Random was not compiled into the build of Share for C/C++ examined, it was available (though deactivated) in the build of Share for Java that was analyzed,” according to the summary. “In the latter case, the researchers were able to re-enable it and verify the functionality.”

“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Johns Hopkins University Professor Matthew Green reportedly told Reuters.
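The speed-up the summary describes follows from how Dual EC state recovery works, which the following added Python example illustrates. It is not code from the paper, from RSA BSAFE or from any TLS library: it implements Dual EC on P-256 in pure Python, plants a trapdoor so that the “attacker” knows a scalar d with P = d*Q, and recovers the generator state from one truncated output block by brute-forcing the bits the attacker cannot see. Every candidate costs a point decompression and a scalar multiplication, so the work grows as 2 to the power of the number of hidden bits. The trapdoor scalar, the seed and the number of truncated bits are constructed for the demo (the real P-256 instantiation drops 16 bits per 32-byte block); under this cost model, having to guess 16 bits of a block beyond the usual truncation, versus seeing the whole block, corresponds to the factor of 2^16, about 65,000, that the summary cites.

```python
"""Dual EC DRBG trapdoor: toy demonstration on P-256.

Added example, not code from the paper, RSA BSAFE or any TLS library.
The number of truncated bits is a parameter so the demo runs in seconds;
the real P-256 instantiation drops the top 16 bits of each 32-byte x-coordinate.
"""
import secrets

# NIST P-256 domain parameters (standard values)
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def lift_x(x):
    """Return a point with x-coordinate x, or None if x is not on the curve."""
    rhs = (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)  # p = 3 mod 4: a root if rhs is a square
    return (x, y) if y * y % P256_P == rhs else None

def dual_ec_block(state, P, Q, trunc_bits):
    """One Dual EC iteration: r = x(sP), s' = x(rP), output = x(rQ) with trunc_bits dropped."""
    r = ec_mul(state, P)[0]
    next_state = ec_mul(r, P)[0]
    output = ec_mul(r, Q)[0] & ((1 << (256 - trunc_bits)) - 1)
    return next_state, output

def dual_ec_stream(seed, P, Q, trunc_bits, nblocks):
    """Run the generator for nblocks and return the truncated outputs."""
    state, outputs = seed, []
    for _ in range(nblocks):
        state, out = dual_ec_block(state, P, Q, trunc_bits)
        outputs.append(out)
    return outputs

def recover_state(out1, out2, P, Q, d, trunc_bits):
    """Trapdoor attack. With P = d*Q: guess the truncated bits of out1, lift the
    point R = +-(rQ) and take x(d*R) = x(rP), which is the next internal state;
    out2 confirms the guess. Returns (state after out2, candidates tried)."""
    tried = 0
    for high in range(1 << trunc_bits):
        tried += 1
        R = lift_x((high << (256 - trunc_bits)) | out1)
        if R is None:  # about half of all x values are not on the curve
            continue
        cand_state = ec_mul(d, R)[0]  # x(d*R) == x(d*(-R)), so the sign of y does not matter
        next_state, predicted = dual_ec_block(cand_state, P, Q, trunc_bits)
        if predicted == out2:
            return next_state, tried
    return None, tried

def demo(trunc_bits=8, seed=None):
    """Plant the trapdoor, run the generator, recover the state, predict block 3.
    Returns (prediction_correct, candidates_tried)."""
    e = 0x0b4d1d6c3a3ce5a5d7e6f5c1c0d9a8b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1  # constructed trapdoor scalar
    d = pow(e, -1, P256_N)
    P, Q = G, ec_mul(e, G)  # P = d*Q because d*e = 1 mod n
    if seed is None:
        seed = secrets.randbelow(P256_N - 1) + 1
    outputs = dual_ec_stream(seed, P, Q, trunc_bits, 3)
    state, tried = recover_state(outputs[0], outputs[1], P, Q, d, trunc_bits)
    if state is None:
        return False, tried
    _, predicted_third = dual_ec_block(state, P, Q, trunc_bits)
    return predicted_third == outputs[2], tried
```

Calling `demo()` with the default of 8 truncated bits tries at most 256 candidates and returns `(True, n)` with n the number of candidates examined; doubling `trunc_bits` squares that bound, which is the whole cost story behind the 2^16 figure. The same loop on a standard TLS handshake would need the affected library to emit enough contiguous generator output for the attacker to confirm a guess, which is exactly what longer nonces from Extended Random supply.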

Reuters reported that the extension was not widely adopted. EMC did not respond to SecurityWeek with commentary before publication. EMC in the past has denied RSA was ever involved in a contract or project with the intention of weakening its products. 

The paper, titled ‘On the Practical Exploitability of Dual EC in TLS Implementations’, includes other findings as well. For example, the researchers state in the summary that the RSA BSAFE implementations of TLS make the Dual EC back door “easy to exploit compared to the other libraries analyzed.” The C version of BSAFE speeds up exploitation by transmitting long contiguous strings of random bytes and by caching the output from each generator call, while the Java version of BSAFE leaves fingerprints in its connections that make them relatively easy to identify in a stream of network traffic, according to the researchers.

The paper also notes a previously unknown bug in OpenSSL that prevents the library from running when Dual EC is enabled. In addition, the researchers found that Microsoft's SChannel does not follow the current Dual EC standard: it omits one step of the Dual EC algorithm, an omission that makes the attacks slightly faster, the researchers state in the summary.
