A group of professors from Johns Hopkins and the University of Wisconsin have discovered a second, even weaker exploit in the RSA encryption standard, reports Reuters. This could potentially be abused by hackers who are trying to force their way into someone’s desktop to view or alter the data contained within.
Several months ago we first reported on the story that the RSA had agreed to put an NSA-friendly backdoor into their flagship encryption method, known in layman’s as the “Dual Elliptic Curve”, or Dual EC_DRBG if abbreviations are more your thing.
Since then, news has surfaced that the supposed fail safe for the random number generation in Dual EC, dubbed “Extended Random”, may be even weaker than the original standard, providing yet more fuel to the fire that the RSA has been trying to squelch since the story of their intentional collusion with the NSA first broke back in December of last year.
“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Matt Green, a professor specializing in cryptography at Johns Hopkins University and one of the authors of the upcoming academic report, told Reuters
In the end, although RSA makes a decent punching bag for this whole debacle, in reality it was the US government who coerced and pressured them into compromising the security of their public encryption standard for private gain. Knowing the way Uncle Sam operates, they likely had enough capital and FISA court orders to strike so much fear into engineers at the company they weren’t left with any other options but to comply with their requests, and only now has the true extent of these transgressions finally come to light.
“We could have been more skeptical of NSA’s intentions,” RSA Chief Technologist Sam Curry told Reuters. “We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure. Now we see that was a mistake.”