News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
Hardware
Is your endpoint data protected?
Average Rating:
Rate this article:  
Researchers Find NSA Planted Two Spy Tools through RSA

Researchers Find NSA Planted Two Spy Tools through RSA
By Barry Levine

Share
Share on Facebook Share on Twitter Share on Linkedin Share on Google Plus

A team of professors has reportedly concluded that U.S. National Security Agency is even more untrustworthy than previously thought. The NSA apparently implemented not one but two encryption tools distributed through security firm RSA to make it easier to eavesdrop on Web transmissions. RSA trusted the NSA since it's charged with U.S. security.
 



Last fall, an encryption tool widely distributed through leading security firm RSA was withdrawn because of concerns it was vulnerable to decoding by the U.S. National Security Agency (NSA), which created it. Now, a team of researchers has reported that the super-secret agency also created at least one other tool that allowed it to more easily decode transmissions.

Both tools were part of RSA's BSafe software security package, and both are assumed to have provided back-door access to communications and software encrypted with BSafe tools.

The Reuters news agency reported Monday that a team of academic researchers from several universities, including Johns Hopkins, the University of Wisconsin and the University of Illinois, has discovered the NSA was involved with the second tool. It's called an "Extended Random" extension, and it can be used to crack the RSA's Dual Elliptic Curve random number generator software -- the other NSA developed tool that had been withdrawn -- tens of thousands of times faster than other methods.

NIST and NSA

The Extended Random software is supposed to increase the randomness of Dual Elliptic Curve-generated numbers, thus making its encoding more secure. However, the researchers discovered that the extra data transmitted by Extended Random before a secure connection begins made decoding the the following transmission much easier.

The Extended Random software was removed from RSA's BSafe security kit within the last six months. Reportedly, Extended Random had not been widely adopted.

"We trusted [the NSA] because they are charged with security" for the U.S., a RSA executive told Reuters.

The National Institute of Standards and Technology (NIST) had accepted an NSA proposal in 2006 to create the Dual Elliptic Curve random number generator. There had subsequently been suspicions and reports -- including from Microsoft researchers -- that the resulting code from the NSA contained a back door.

Snowden Documents

But NIST reportedly accepted it because other governmental agencies were using it. In December, Reuters reported that the NSA had paid RSA $10 million to make the Dual Elliptic Curve the default for its BSafe security kit. RSA has declined to comment on the possibility that the NSA also paid the company a fee for including Extended Random in the kit.

After documents revealed by ex-NSA contractor Edward Snowden indicated the NSA was involved in community cryptography standards in order to create vulnerabilities it could exploit, NIST issued a warning in September than the Dual Elliptic Curve code "no longer be used."

After the NIST warning, RSA warned its customers, since the code was being widely used for security. A random number generator is common in cryptography, but a generator that is not random is more easily hacked. Some experts have contended, however, that only the NSA had the capability of breaking this particular generator.
 

Tell Us What You Think
Comment:

Name:



Get Powerful App Acceleration with Cisco. In a world where time is money, you need to accelerate the speed at which data moves through your data center. Cisco UCS Invicta delivers powerful, easy-to-manage application acceleration for data-intensive workloads. So you can make decisions faster and outpace the competition. Learn More.


 Hardware
1.   Acer Desktop Box Rides Chrome Wave
2.   Feds OK IBM-Lenovo x86 Server Deal
3.   New Lenovo PCs for Business Users
4.   Price Wars Hitting Laptop Market?
5.   Have Net Routers Reached The Limit?


advertisement
Feds OK IBM-Lenovo x86 Server Deal
Makes Lenovo a player for data centers.
Average Rating:
Acer Desktop Box Rides Chrome Wave
Chromebox targets schools, small biz.
Average Rating:
Acer Chromebook Packed with Power
13-inch screen on under-$300 devices.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Researchers Find Malicious Android Apps Can Hack Gmail
A new study shows that a weakness in the Android mobile operating system can be used to steal sensitive, personal info from unwitting users. Gmail proved to be the easiest app to attack; Amazon, the hardest.
 
UPS Stores in 24 States Hit by Data Breach
Big Brown has been breached. UPS said that about 105,000 customer transactions at 51 of its UPS Store locations in 24 states could have been compromised between January and August.
 
Cost of Target Data Breach: $148 Million Plus Loss of Trust
The now infamous Target data breach is still costing the company -- and its shareholders -- plenty. In fact, the retailing giant forecast the December 2013 incident cost shareholders $148 million.
 

Enterprise Hardware Spotlight
Acer's New Desktop Box Rides the Chrome OS Wave
Filling out its Chrome OS line, Acer is following the introduction of a larger Chromebook line earlier this month with a new tiny $180 desktop Chromebox and also a smaller Chromebook.
 
Feds OK $2.3 Billion IBM-Lenovo x86 Server Deal
IBM and Lenovo are celebrating U.S. approval of their x86-based server deal, having cleared some major security hurdles. The deal makes Lenovo a major player for enterprise data centers.
 
Three New Lenovo PCs Aimed at Business Users
With businesses wanting computing solutions that do more for less money, Lenovo has unveiled three new desktop PCs that it says offer solid computing at a budget-minded price.
 

Mobile Technology Spotlight
Screen Shortage Briefly Puts Brakes on iPhone 6
RAM? Check. Antenna switch? Check. Screen? Oops. Parts suppliers for Apple have found themselves facing a shortage of screens for the new iPhone 6 as next month's release date for the new smartphone looms.
 
Bounty Offered to Coders for Oculus Rift Bugs
Coders who find bugs in software for the Oculus Rift VR immersive headset could receive a reward of at least $500 under Facebook's White Hat bounty program. Facebook acquired Oculus in March.
 
Google Glass Adds Voice Access to Phone Contacts
The latest update to Google Glass will let users access their top 20 phone contacts with voice commands alone. A user can then choose a phone call, Google hangouts, e-mail or text messaging.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.