Security Experts:

NSA-Linked 'Extended Random' Extension Discovered Inside RSA BSAFE: Researchers

A team of university professors say they have found evidence that RSA Security adopted a NSA-linked TLS extension to help the spy agency better crack encryption.

News of the extension was broken by Reuters, which reported several months ago that RSA Security - now a division of EMC - was paid $10 million to make the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) the default in its BSAFE toolkits. Now, a team of academics say that there is evidence of a non-standard TLS extension known as "Extended Random" in the BSAFE products. This extension could be used to crack a version of the Dual Elliptic Curve algorithm tens of thousands of times faster than the backdoor, according to the researchers.

"This extension," the researchers explained in a summary, "co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS."

"While the code implementing Extended Random was not compiled into the build of Share for C/C++ examined, it was available (though deactivated) in the build of Share for Java that was analyzed," according to the summary. "In the latter case, the researchers were able to re-enable it and verify the functionality."

"If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline," Johns Hopkins University Professor Matthew Green reportedly told Reuters.

Reuters reported that the extension was not widely adopted. EMC did not respond to SecurityWeek with commentary before publication. EMC in the past has denied RSA was ever involved in a contract or project with the intention of weakening its products. 

The paper, titled 'On the Practical Exploitability of Dual EC in TLS Implementations', includes other information as well. For example, the researchers claim in the summary that the RSA BSAFE implementations of TLS make the Dual EC back door "easy to exploit compared to the other libraries analyzed." The C version of BSAFE makes it possible to speed exploitation by broadcasting long contiguous strings of random byes and by caching the output from each generator call, while the Java version of BSAFE includes fingerprints in connections and therefore makes it relatively easy to identify them in a stream of network traffic, according to the researchers. 

The paper also notes a previously unknown bug in OpenSSL that prevents the library from running when Dual EC is enabled. In addition, the researchers found that the SChannel does not use the current Dual EC standard; instead it omits one step of the Dual EC algorithm. This omission makes the attacks slightly faster, the researcher state in the summary.

view counter