A second compromised security tool has been uncovered in RSA Security’s Bsafe product, which was subject to revelations that the company used deliberately weak technology to enable the US National Security Agency (NSA) to break organisations using the RSA software.
Security experts at Johns Hopkins, the University of Wisconsin, and the University of Illinois, among others, claim that the tool, known as the “extended random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software within seconds.
Intriguingly, according to Reuters, RSA did not dispute the results of the research when contacted. “The company said it had not intentionally weakened security on any product and noted that Extended Random did not prove popular and had been removed from RSA’s protection software in the last six months,” claimed Reuters.
RSA chief technologist Sam Curry said that the company had been “too trusting” of the NSA because it, along with many other computer and security technology companies, had worked with the organisation for years to highlight security risks and to improve products.
The claims follow an academic study on the Dual EC DRBG algorithm used in Bsafe. Documents leaked by NSA whistleblower Edward Snowden last year pointed to a compromise of the software, for which Reuters later claimed that RSA had received $10m in payment from the NSA.
The cryptographic libraries, that NSA agents planted on standards committees deliberately weakened, were included in a number of security products.
In a paper, the researchers conclude that the compromised crypto can be easily cracked due to its “inherent predictability weaknesses in generating random numbers”. Indeed, it can take just seconds to crack it in some environments.