Remember folks, this is via Snowden - and we've still seen less than 1% of what he liberated. And only the part of that 1% that made it through media vetting.
posted by bashos_frog at 3:50 PM on December 20, 2013 [40 favorites]

RSA is almost surely going to lose all their international business. I hope they lose most of their domestic business as well. Maybe the telegram guys can buy them from EMC.
posted by bashos_frog at 3:52 PM on December 20, 2013 [8 favorites]

RSA might as well close-up shop. No one's going to trust them now.
posted by Thorzdad at 3:59 PM on December 20, 2013 [3 favorites]

RSA should have already gone out of business after the SecureID debacle. Anyone who is still a customer of RSA at this point is a sucker.
posted by 1970s Antihero at 3:59 PM on December 20, 2013 [9 favorites]

"LBJ took the IRT
Down to 4th Street USA
When he got there
What did he see?
The youth of America on LSD"

After reading the title of this post, I had to get that out of my system...

Carry on...
posted by HuronBob at 4:02 PM on December 20, 2013 [2 favorites]

I've been wondering what the exchange rate on 40 pieces of silver was.
posted by CheeseDigestsAll at 4:04 PM on December 20, 2013 [20 favorites]

"'They did not show their true hand,' one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption."

Oh, come on.

"Hi, we're the NSA. We have this spiffy new pseudorandom number generator that you could use as a crucial part of your encryption algorithm. We'll pay you 10 MILLION DOLLARS!"

"Gee, that's really nice of you guys! Thanks!"

"No problem, just doing our job, spying on peop...uh, I mean developing tools to help prevent people from being spied upon. Yeah, that's right. Just helping everybody to keep their secrets."
posted by Ivan Fyodorovich at 4:06 PM on December 20, 2013 [21 favorites]

"Hi, we're the NSA. We have this spiffy new pseudorandom number generator wooden horse that you could use as a crucial part of your encryption algorithm bring into your city. We'll pay you 10 MILLION DOLLARS!"

"Gee, that's really nice of you guys! Thanks!"

FTFY
posted by double block and bleed at 4:13 PM on December 20, 2013 [10 favorites]

Huh. So the NSA secretly paid RSA to put Dual_EC_DBRG in a prominent place in BSafe, then used RSA/BSafe's adoption to argue to NIST that they should make this algorithm a national standard.

Also:

No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

posted by hattifattener at 4:17 PM on December 20, 2013 [3 favorites]

Sadly the only thing surprising to me about this is the relatively low amount. I guess they couldn't ask for more because it would be hard to hide in their financials. I wonder if there are other dollars squirreled away in executive's offshore accounts.
posted by birdherder at 4:18 PM on December 20, 2013 [8 favorites]

These things are all perfectly sensible and obvious to anyone with imagination. What would you do if you were King? Well, you'd sure as hell keep an ear to the ground, because peasant revolts are often unpleasant.

And so you corrupt the keystone popular leaders, work the national events and news to affect the behaviours of the masses, give where you must and take all you can.
posted by five fresh fish at 4:27 PM on December 20, 2013 [1 favorite]

Remember folks, this is via Snowden

I'll bet another NSA payoff of $10 million kept Snowden at #2 at Time.
posted by Blazecock Pileon at 4:36 PM on December 20, 2013 [9 favorites]

It's almost like they want to kill the Internet…
posted by ob1quixote at 4:42 PM on December 20, 2013

No, they just want to be able to drown it in a bathtub.
posted by double block and bleed at 4:43 PM on December 20, 2013 [3 favorites]

I'd been wondering if maybe I'm too cynical, but now I'm laughing at that naivete.
posted by Pope Guilty at 4:46 PM on December 20, 2013 [11 favorites]

Remember folks, this is via Snowden - and we've still seen less than 1% of what he liberated. And only the part of that 1% that made it through media vetting.

I think the difficulty with vetting these docs is turning them into a story most people can understand. I feel like there's a rising fatigue around these issues for many - I'm casually interested in infosec so I find each new one fascinating, but I almost guarantee this story is a non-starter among my less-techie peers.

Also, I can't see RSA going out of business for this. Should they? Yeah, probably. But RSA is a Big Fish and fills lots of security-related niches. They probably got some help from the NSA to become that big fish. I know the saying isn't "no one ever got fired for buying RSA" but that's probably still going to be true for the foreseeable future.

To me it's similar to when a company that issues SSL certs gets hacked. Is there any practical recourse? Sure you can refuse to trust certs issued by that vendor, but then you can no longer securely use parts of the internet (hell, MeFi's cert vendor Comodo was the victim of a several high-profile certificate thefts). And it's the same with RSA - if you want to stop using them, lots of other things are going to break.
posted by antonymous at 4:49 PM on December 20, 2013 [2 favorites]

It's the payment that really makes it look dirty. Decades earlier, the NSA contributed "improved" substitution tables to the DES algorithm, and while people were suspicious, no one could demonstrate that it didn't make DES more secure, which is what the NSA claimed. It's not that people couldn't imagine the NSA weakening the algorithm, but their pose of public service was surprisingly effective at greasing the path of acceptance of their changes.

But man, the payment... the metaphorical briefcase full of cash just tars the whole thing in guilty knowledge.
posted by fatbird at 4:49 PM on December 20, 2013 [8 favorites]

And yeah, RSA won't go out of business over this. The largest part of their business is simply providing the SecurId devices (and some other software lines); it's not actually required that their crypto by unimpeachable, that's just a marketing pose that's worked well for them.

I mean, it was what, ten years ago when someone found encryption keys in the Windows 2000 source code whose name started "NSA_"? Didn't hurt sales at all. Businesses don't really give a shit, they just like to pretend that they do.
posted by fatbird at 4:52 PM on December 20, 2013 [3 favorites]

Why is "improved" in quotes? The NSA did improve DES, this is not debated at all. It's even cited in the wikipedia page, with sources.

There's a bunch of shady the the NSA has done (DUAL_EC_DRBG, Clipper chip, etc) but DES is definitely not one.
posted by yeahwhatever at 5:03 PM on December 20, 2013 [9 favorites]

fatbird: _NSAKEY
posted by Pruitt-Igoe at 5:15 PM on December 20, 2013 [2 favorites]

"Improved" is in quotes because at the time, it was thought and later known that the NSA was relying on crypto math that they knew and hadn't revealed, in order to argue for their changes. The fact that their changes increased security under later-discovered differential cryptanalysis argues in favour of it being a real improvement, but again, this isn't known, because the NSA doesn't share their math, they just say "trust us".

And now we find that, mathematically, their preferred PRNG algorithm is so weak as to constitute a backdoor, but it was accepted and made the default thanks to bribes. And in retrospect, their improvements to DES allowed them to negotiate a shorter key length that later, quite quickly, turned out to be insufficiently long given developments in computing power. Quelle suprise.

The crypto world has done well since WWII in fostering credibility based on open review. The NSA had an extended time when "trust us, we're the government" worked, and when that stopped working, they resorted to cash payments. Now even that won't work.
posted by fatbird at 5:15 PM on December 20, 2013 [1 favorite]

> It's the payment that really makes it look dirty

Totally. I don't get what RSA thought the NSA was buying for $10 million, if not a back door. If the PRNG was superior it should have won out on its merits.
posted by Horselover Fat at 5:36 PM on December 20, 2013

...

So maybe software companies needed export licenses for crypto for ....


I don't even know any more.
posted by tilde at 5:38 PM on December 20, 2013

Judas!
posted by newdaddy at 5:41 PM on December 20, 2013

There was a time when the NSA was by awesome math nerds and guys like Snowden. Folks whobwere more interedted in pushing the limits of computing and developing this new world of sattelites abd datacenters. Then like all tech companies rhe suits came in and turned the whole operation to maximum evil corporate bullshit.
posted by humanfont at 5:44 PM on December 20, 2013

I'm not seeing coverage of this on any of the cable news networks. Can someone ask the Duck Dynasty guys what they think of BSafe's random number generator?
posted by RobotVoodooPower at 5:54 PM on December 20, 2013 [34 favorites]

Also -- according to the reading of the Reuters article, I don't think the Snowden docs leaked the existence of the $10 million contract, just the existence of the backdoor.

Which may explain the delay on propagating this article, since it is now impossible to fact-check articles that quote anonymous sources leaking government secrets without passing coded notes on paper and meeting people in person on long public piers.
posted by RobotVoodooPower at 6:12 PM on December 20, 2013 [1 favorite]

So are one-time-pads and sending encrypted messages as images the only really secure system now?
posted by Benny Andajetz at 6:13 PM on December 20, 2013 [1 favorite]

This is clear sabotage of security. Not just of the world's security, but also of the US, and primarily people in the US. How can this be possible under the NSA charter? When will the people with their names on this project be prosecuted? How could the NSA administrators make such a bad trade off that makes vulnerable the very people they're supposed to protect?

The incidents of the past decade are not the first time that the NSA has betrayed the US. This is not the first time that they should have been punished for their misdeeds, and in the past we were strong enough of a country to punish the NSA. But I fear we've become too weak of a nation, a nation so pitiful that it refuses to punish people for their misdeeds because it would mean admitting guilt. It would mean that failure results in administrators getting demoted rather that promoted.

Do you know anyone at the NSA? Encourage them to quit to save their dignity and show their patriotism. But my second fear is that Snowden's description of the situation is right, employment at the NSA is a big paycheck for not much work and enough spare time to watch some shows after work and dull your conscience. Hopefully they can no longer ignore the extent of the betrayal of the US.
posted by Llama-Lime at 6:15 PM on December 20, 2013 [5 favorites]

So are one-time-pads and sending encrypted messages as images the only really secure system now?

If one-time pads or any other code-book style of encryption based solely on a big shared secret were practical for routine use we'd already by using them. We don't fuck around with complex asymmetric algorithms for fun, y'know. It's not like an Amazon courier is going to personally hand-carry a thumb drive with an OTP on it over to your house so you can secure your communications with them so you can order from them online.
posted by George_Spiggott at 6:23 PM on December 20, 2013 [6 favorites]

For about half a second, I thought that this was about Wu-Tang Clan.
posted by Sphinx at 6:30 PM on December 20, 2013 [5 favorites]

> I don't think the Snowden docs leaked the existence of the $10 million contract, just the existence of the backdoor

I think that's correct, though the revelation/confirmation that the PRNG was back-doored is what can get mainstream media to follow-up on it.
posted by Horselover Fat at 6:35 PM on December 20, 2013

It's not like an Amazon courier is going to personally hand-carry a thumb drive with an OTP on it over to your house so you can secure your communications with them so you can order from them online.

But it's not the worst thing in the world to mobilize a fleet of drones for.
posted by antonymous at 6:40 PM on December 20, 2013

I wonder if any divisions of Reuters use RSA Keys.
posted by starscream at 6:46 PM on December 20, 2013

So are one-time-pads and sending encrypted messages as images the only really secure system now?

It's not RSA the algorithm that's damaged, it's RSA the company, and by proxy the reputation of every U.S. company that produces closed-source encryption software and would like to have $10 million bucks.

One time pads, homebrew CPUs on homemade FPGA toolchains running an open source OS, and burying your data in your neighbor's back yard are still good advices.
posted by RobotVoodooPower at 6:46 PM on December 20, 2013 [2 favorites]

Quantum key distribution has some promise, but it requires an uninterrupted medium, like a single run of optical fiber without any repeaters or amplifiers in between. One imagines an old-fashioned POTS-like switching system that creates continuous optical links between parties. But you still need an unreasonably good optical medium; better than anything we can make now, if you want to go over 100km or so.
posted by George_Spiggott at 6:46 PM on December 20, 2013

But it's not the worst thing in the world to mobilize a fleet of drones for.

If it were verifiable that the drone wasn't compromised en route, then yeah, you could then do business with Amazon, but nobody else until you got your own OTP from them as well.

Really the only way to be sure with a one-time pad is to transfer it on a medium that has destructive read properties -- i.e. it is irretrievably corrupted or wiped on the very first read, and that would have to be a property of the medium itself, not any electronics or firmware in the device. Then just hope your computer doesn't crash when you're copying it to your hard drive it because you won't get a second chance.
posted by George_Spiggott at 6:58 PM on December 20, 2013 [1 favorite]

Its weird that the reuters article keeps diappearing and reappearing for me. I'm not sure what to make of that.
posted by Joh at 8:09 PM on December 20, 2013

Someone should do a PSA about this.
posted by otherthings_ at 8:54 PM on December 20, 2013 [2 favorites]

So.. angry.. Even if you believe it's good for US security that NSA can break crypto, deliberately sabotaging cryptographic systems is terribly stupid. I'd love to read a technical analysis about whether this backdoor is discoverable by other adversaries; it's possible it's keyed strongly enough that only NSA can use it. Even so, NSA itself is not a fully trustworthy organization, and there's no reason to think China / Russia / random Moldovan script kiddie doesn't have access to NSA's backdoors too.

Part of what's weird in this story is we knew in 2007 that Dual_EC_DRBG was fishy. In retrospect RSA's promotion of it should have been a big red flag at the time.

I'd love to read more about the 2010 SecurID attack in light of what we know now about NSA. At the time we all smiled and assumed the adversary was China. I guess that's still the most likely explanation, since NSA didn't need to work nearly that hard to compromise RSA products. But still...
posted by Nelson at 10:09 PM on December 20, 2013

homebrew CPUs on homemade FPGA toolchains running an open source OS ... still good advices.

Just as long as you hand-coded the compiler.
posted by Twang at 10:11 PM on December 20, 2013 [4 favorites]

I'm not seeing coverage of this on any of the cable news networks. Can someone ask the Duck Dynasty guys what they think of BSafe's random number generator?

They said as Christians they don't approve of backdoor shenanigans.
posted by 445supermag at 10:29 PM on December 20, 2013 [12 favorites]

The prevailing opinion is that China (via some proxy) broke into RSA as a means to break into Lockheed (and likely other defense contractors that used SecureID). Considering the presumed targets of that attack are US defense contractors, it would very much surprise me if the NSA were behind it.

This is of course speculation, but the vast majority of people I know in the field believe it to be true.

To answer your other question, figuring out the Dual_EC_DRBG prng (which is what this is about -- the NSA paid for it to be default in BSafe) weakness is akin to solving the discrete logarithm problem, so no, theoretically non-NSA actors should not have access to it.

While both are interesting, and both involve RSA I don't see the two connected very strongly. SecureID is fundamentally a hash chain, and the initial seed derivation probably doesn't require much entropy. The danger from backdoored prngs is more pronounced with things that require entropy on a regular basis (stream-style ciphers). It's probable that using a backdoored prng to generate the seeds for SecureID reduces the keyspace to something the NSA could attack, but I certainly don't think SecureID's was the primary target. Note: I am not a real cryptographer, and I'd take this with a grain of salt.

Also of interest, the existing OpenSSL implementation of Dual_EC_DRBG is flawed in another way. This result calls into question the some of the certification procedures that must be run on these algorithms.
posted by yeahwhatever at 12:32 AM on December 21, 2013 [2 favorites]

figuring out the Dual_EC_DRBG prng weakness is akin to solving the discrete logarithm problem

I'd love to read more about the technical details of the RSA BSafe weakness. Here's what I've pieced together from mainstream press sources and Wikipedia, do I have this right?

1. Dual_EC_DBRG contains some arbitrary constants that seed the generator. In 2007 we learned that if those constants were picked by an adversary like the NSA, they could compromise the generator.
2. In September 2013 we learned that NSA has backdoored many common crypto implementations. One specific broken implementation was RSA BSafe, which used the NSA-compromised Dual_EC_DBRG as its default generator.
3. Today we learned that NSA paid $10M to have RSA compromise BSafe for them.

What I'm still confused about is the status of the constants. Is there one set in the NIST standard that everyone uses, and that we now believe are compromised by NSA?
posted by Nelson at 12:49 AM on December 21, 2013

Technical stuff aside, I'm still furious to read how NSA is deliberately undermining security for everyone. Even if you're a true-blue American Patriot you have to worry that this sort of deliberate sabotage weakens the algorithms for everyone who uses them, not just commie dupes. And if you'd prefer not to trust the NSA then their actions have completely compromised NSA's stated role of also helping build secure cryptosystems. Not to mention that no one can trust NIST, who are at best unwitting participants, nor companies like RSA and EMC. Intel is suspect too, given their rather vigorous insistence that people use their undocumented hardware random number generator.
posted by Nelson at 12:52 AM on December 21, 2013 [1 favorite]

Yes, crypto algorithms/implementations often include large constants. There are cases where basically you need some numbers and they can't be all zeros, but need to be uniform between implementations. Its common to use digits of pi, or e for these constants, as its assumed these numbers cannot be backdoored. For example SHA-2 uses both the "first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19" and the "first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311" (wikipedia). These groups of numbers are considered "safe", because they can be explained. The constant used in the presumed NSA backdoored PRNG cannot be explained in a non-malicious way, to the best of my knowledge.

So yes, the NIST standard specifies the constants a proper implementation of Dual_EC_DRBG must use, and these constants are likely backdoored. From the original presentation which revealed the problem in Dual_EC_DRBG: "The prediction resistance of this PRNG (as presented in NIST SP800-90) is dependent on solving one instance of the elliptic curve discrete log problem."

To break this down a bit more (and I apologize if you know this), common crypto systems rely on certain things being computationally hard to do. For example, if you have two very large primes (call them p and q) and you multiply them together (resulting in n), it is extraordinarily difficult to go from n back to p and q. In fact, you have to just guess numbers until you hit. Modern crypto systems rely on this factoring (or other problems with some of the same properties, for example, elliptic curves) taking longer than the data they protect needs to be secret. However, if you already know p and q (because you generated them in the first place, lets say) factoring n is obviously very easy.

What the authors are saying is there is a constant in Dual_EC_DRBG which, if you knew the component parts to, Dual_EC_DRBG would not have it's required randomness to be safe to use. However, getting those component parts requires solving a very hard problem (as in, baring dramatic improvements in public cryptanalysis and computers, we'll all be dead before any computers can rip it apart).

Does that answer things?
posted by yeahwhatever at 1:37 AM on December 21, 2013 [2 favorites]

> Its common to use digits of pi, or e for these constants, as its assumed these numbers cannot be backdoored.

By the way, these are known as “nothing up my sleeve numbers”.
posted by wachhundfisch at 2:36 AM on December 21, 2013 [2 favorites]

However, getting those component parts requires solving a very hard problem

Namely, finding someone within the NSA who can be corrupted. /hamburger.
posted by five fresh fish at 2:48 AM on December 21, 2013 [1 favorite]

Just as long as you hand-coded the compiler.

See there's this thing about trusting trust...
posted by regularfry at 5:14 AM on December 21, 2013 [2 favorites]

Is there any particular reason I should enable SELinux?
posted by mikelieman at 7:55 AM on December 21, 2013 [1 favorite]

Or.... Is there any way to actually DISABLE SELinux at this point? I know having it set at a system boot level of disable via /etc/sysconfig resulted in failed fedup updates, so effectively, no. Is this normal paranoia, or am I being needlessly worrisome?
posted by mikelieman at 7:56 AM on December 21, 2013

RSA Security LLC is not the same as the RSA algorithm, Benny Andajetz. Actually RSA related algorithm are the safe alternative for public-key cryptography since the NSA put back doors in ECC by cooking the constants.

I've zero clue if Ron Rivest, Adi Shamir, or Leonard Adleman own much of RSA Security today, but Shamir was barred from attending the NSA-sponsored Cryptologic History Symposium because the U.S. refused to grant him a J1 visa.
posted by jeffburdges at 8:27 AM on December 21, 2013 [2 favorites]

Actually RSA related algorithm are the safe alternative for public-key cryptography since the NSA put back doors in ECC by cooking the constants.

That article conflates the Dual_EC_DRBG random number generator (which does now appear to have been comprehensively pre-cooked by the NSA) with ECC in its entirety.

Has there been any solid evidence yet that the standard curves are compromised? I remember there being a lot of speculation about the NIST curves, given that the constants are all magic numbers with no obvious provenance.

(There is this allusion from Schneier, after he saw the Guardian's Snowden documents; this StackExchange discussion is interesting and notes "he never liked elliptic curves".)
posted by We had a deal, Kyle at 8:44 AM on December 21, 2013

I wouldn't disable SELinux just yet, until we find existence of an actual backdoor. I'd save the paranoia for your closed-source GPU driver, BIOS, CPU microcode, CA-signed certs, etc.
posted by RobotVoodooPower at 8:56 AM on December 21, 2013

Yes, I'd been thinking about Schneier's recent comments, but google popped up that article. Anyways Schneier's old concerns about ECC remain even if that crypto.SE commentor's is correct that Koblitz curves look hard to cook.
posted by jeffburdges at 10:11 AM on December 21, 2013

At $10 million, RSA sold their trustworthiness for cheap. Did they not think they'd be found out?
posted by anemone of the state at 10:35 AM on December 21, 2013

The question is: Why did the NSA think targeting these organisations was useful? Obviously, they were getting some kind of benefit from it.

Hint: It wasn't about catching terrorists.
posted by anemone of the state at 12:43 PM on December 21, 2013

I'm sure the cover story would have to do with Islamists/Marxists infiltrating charities and using them as vehicles for pushing a subversive agenda, and stress that by spying on the charities, they were doing them a favour by helping hunt down the extremists who may or may not have infiltrated them and might be tarnishing their ideals with their Islamomarxist subversions as we speak.
posted by acb at 1:56 PM on December 21, 2013

Relevant. And interesting -- check the date.
posted by yeahwhatever at 3:05 PM on December 21, 2013 [1 favorite]

Huh, interesting indeed, Lucky Green knew about the $10M in September. He's a nym I recognize, an old school Cypherpunk.
posted by Nelson at 3:32 PM on December 21, 2013

Remember folks, this is via Snowden - and we've still seen less than 1% of what he liberated. And only the part of that 1% that made it through media vetting.

So, if you know me, you know who I work for.

I have it on very, very good authority that we ain't seen nothing yet.
posted by rollbiz at 9:43 PM on December 21, 2013 [6 favorites]

Here's a thought experiment and a prediction:

Suppose you were heading up a spy agency that considers itself answerable to nobody, which can intercept a large fraction of global electronic communications. How might you use that power?

They're probably already doing it.
posted by anemone of the state at 10:50 PM on December 21, 2013 [4 favorites]

What fascinates me is that Bsafe is a bit-player in the crypto library space any more. Yes, there's a few people using it still (RSA, I think Oracle, nobody else comes to mind), but most everyone has moved to OpenSSL; for better, or worse. Strangely, US government agencies are more likely to be affected by it than adversaries since FIPS 140 mandates validated crypto, and Bsafe is one of the few libraries generally available that's validated. OpenSSL maintains a separate strain for the validated version that often is buggy, and outdated.

So basically, it seems like RSA took a bribe from the US gov't to shoot the US gov't in the foot. Seems par for the course.
posted by petrilli at 8:21 AM on December 23, 2013

RSA issues non-denying denial of NSA deal.
posted by 1970s Antihero at 9:57 AM on December 23, 2013 [1 favorite]

Congressional Reps ask Bruce Schneier to explain to them what the NSA is doing, because the NSA won't tell them

Washington State Bill Proposes Criminalizing Help to NSA, Turning Off Resources to Yakima Facility
posted by jeffburdges at 6:18 PM on January 16, 2014

I'd actually missed the sharing information with local law enforcement mention in the article on the Washington State Bill :

"Last fall, Reuters reported that NSA is sharing information gathered without a warrant with local law enforcement. The documents said that most cases where this is happening are not terror-related. By banning this practice, the bill would lessen the practical effect of all that data collecting that NSA is doing."

How could that ever serve legitimate national security interests? It's certainly good for harassing activists, derailing protests, etc. though I bet.
posted by jeffburdges at 6:36 PM on January 16, 2014

TrustyCon: The Cyber Conference for RSA Dropouts
posted by KatlaDragon at 4:24 AM on January 20, 2014 [1 favorite]