RSA tells users to dump NSA algo

By

BSAFE and scrub weakened random number generator.

RSA is warning developer clients to dump a encryption algorithm used by default in two of its products that was discovered to have been weakened by what was alleged to be the National Security Agency.

RSA tells users to dump NSA algo

In a letter sent to clients seen by Wired, RSA "strongly recommends" users dump the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generation) random number generator from all versions of its BSAFE Library and Data Protection Manage crypto key manager.

BSAFE implemented cryptographic functions into other third party software, meaning scores more products may be weakened and at risk of compromise.

A National Institute of Standards and Technology document found by Ars Technica revealed the Dual_EC_DRBG was used in McAfee Firewall Enterprise Control Center 5.3.1 but only in US Government deployments. Many more products were affected.

RSA's announcement was made it said to “ensure a high level of assurance" in the apps and to urge customers to move to another unspecified pseudorandom number generator.

From its end the company had turned off the Dual_EC_DRBG specification in the products.

It was the first known advisory of its kind by a security company since the New York Times revealed documents leaked by Edward Snowden that declared the NSA may have deliberately weakened the algorithm before in 2006 successfully lobbying the National Institute of Standards and Technology to adopt it as a standard for random number generators.

Cryptographer Bruce Schneier speaking when the revelations broke said he "no longer trust[ed] the constants" and "believe[d] the NSA has manipulated them through their relationships with industry".

"Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can," he wrote in a piece for The Guardian.

Asked to respond to the comments, respected cryptographer Peter Guttman of the University of Auckland said he too avoided elliptic curve cryptography.

"I've never liked ECC anyway (even pre-Snowden), it's just way too brittle, make the tiniest mistake and you're toast," he wrote in an email. "Or have some new piece of research come out and you're toast."

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
encryptionnsarsasecurity

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?