In December 2013, RSA was accused of entering into a secret $10 million agreement with the NSA to use a flawed community-developed encryption formula in its products, but a backdoor may not be all that was snuck in, according to researchers from various universities.
“Evidence of an implementation of a non-standard TLS extension called ‘Extended Random’ was discovered in the RSA BSAFE products,” according to researchers from Johns Hopkins University, University of Wisconsin, Eindhoven University of Technology, and University of California, San Diego.
In September 2013, the National Institute of Standards and Technology (NIST), as well as RSA, advised against using the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm because it contained a backdoor. All versions of RSA's BSAFE Toolkits were affected.
“This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if enabled, would speed up the [Dual_EC_DRBG] attack by a factor of up to 65,000,” according to the researchers. “In addition, the use of this extension allows for attacks on [Dual_EC_DRBG] instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.”
SCMagazine.com corresponded by email with an RSA spokesperson on Tuesday, but the company was not prepared to release an official statement.
Reuters broke the story in December that the NSA allegedly arranged a secret $10 million deal with RSA that resulted in the flawed algorithm being used in RSA products. A few days later, RSA denied the allegations and reminded everyone that it had recommended in September 2013 that the algorithm no longer be used.
“When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media,” RSA said in a December 2013 statement.
[An earlier version of this story incorrectly referred to Dual_EC_DRBG as an RSA algorithm].