General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsNSA infiltrated RSA security more deeply than thought: study
(Reuters) - Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.
Reuters reported in December that the NSA had paid RSA $10 million (£6 million) to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.
A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability.
The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.
http://www.reuters.com/article/2014/03/31/uk-usa-security-nsa-rsa-idUKBREA2U0U620140331
RSA Security
http://en.wikipedia.org/wiki/RSA_Security
cantbeserious
(13,039 posts)eom
Ichingcarpenter
(36,988 posts)and the business it brings
hootinholler
(26,449 posts)We've known it's crackable for years!
That's what I've heard around here when I mentioned there was now proof of the NSA jacking encryption.
I have to wonder what other forms of encryption the NSA has 'helped'? Well to be specific, this is methods of random number generation they have helped. If the numbers assumed random in your encryption software aren't quite random, then that bias can be used to crack the encryption.
I'm also waiting for the news that they found a way to encode enough information about the private key when a public/private pair are generated, into the public key. If you could deduce the private key from the public one, then everything encoded with it is obviously compromised.
Ichingcarpenter
(36,988 posts)The very word secrecy is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths and to secret proceedings. We decided long ago that the dangers of excessive and unwarranted concealment of pertinent facts far outweighed the dangers which are cited to justify it. Even today, there is little value in opposing the threat of a closed society by imitating its arbitrary restrictions.
Even today, there is little value in insuring the survival of our nation if our traditions do not survive with it.
And there is very grave danger that an announced need for increased security will be seized upon by those anxious to expand its meaning to the very limits of official censorship and concealment.
That I do not intend to permit to the extent that its in my control.
And no official of my Administration, whether his rank is high or low, civilian or military, should interpret my words here tonight as an excuse to censor the news, to stifle dissent, to cover up our mistakes or to withhold from the press and the public the facts they deserve to know.