NSA-RSA Ties Raise New ConcernsVetting Security Products a 'Very Difficult Proposition'
New revelations that the National Security Agency meddled with RSA encryption tools have technology buyers concerned about the security of offerings not only from RSA, but other security product vendors, too.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"There is uncertainty and concern about what's being put into those items," says a deputy chief information security officer of a U.S. government agency, who asked to remain anonymous. "Yes, we are concerned; yes, we are trying to put a [product vetting] process in place. It's a very difficult proposition. You can't do a family tree maker on a computer to find out where this item comes from."
New academic research shows that security technology provider RSA adopted not just one, but two encryption tools developed by the NSA, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, as first reported by the Reuters news service.
News reports in December said RSA received $10 million from the NSA to make a now-discredited cryptography system the default software used by a number of RSA's Internet and computer security programs (see NSA Reports Sullying Vendors' Standings?). The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or back door - that allowed the NSA to crack the encryption, Reuters reports.
65,000 Times Faster
Now, a group of researchers from Johns Hopkins University, the University of Wisconsin and other universities says it has discovered that a second NSA tool exacerbated the RSA software's vulnerability. The researchers say they found that the tool, known as the Extended Random extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software 65,000 times faster.
RSA, the security unit of storage maker EMC, told Reuters that it had not intentionally weakened security on any product and noted that Extended Random extension did not prove popular and had been removed from RSA's protection software in the last six months.
"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told the news service. "We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure."
Curry did not say if the government had paid RSA to incorporate Extended Random in its BSafe security kit, which also housed Dual Elliptic Curve.
RSA did not respond to ISMG's request for comment.
In addition to the latest revelations about RSA's use of NSA cryptography, also hurting the level of trust in the supply chain are revelations, based on U.S. government documents leaked by Edward Snowden, that the NSA hacked into the computers of Chinese communications giant Huawei Technologies. According to published reports, the NSA sought to exploit Huawei's technology so that when the company sold equipment to other countries - including allies and nations that avoid buying American products - the NSA could roam through the company's computer and telephone networks to conduct surveillance and, if ordered by the president, an offensive cyber-operation.
Huawei itself is under suspicion that its communications products have been tampered with by the Chinese government to pilfer American government and military secrets and corporate intellectual property, an accusation that the vendor denies (see House Panel: 2 Chinese Firms Pose IT Security Risks).
That any national government could corrupt IT products raises concerns among security professionals.
"The assumption that governments would keep citizens' best interests in mind when balancing national security against privacy concerns has clearly turned out to be misplaced, and this has huge implications for the trust dynamic that necessarily needs to exist between customer and vendor, citizen and state," says Steve Durbin, global vice president of the Information Security Forum, a not-for-profit association that develops IT security best practices.
Evaluating the Consequences
Durbin says organizations of all sizes must evaluate the consequences of a supplier providing harmful access to their information. "Businesses must focus fixes on the most vulnerable spots in their supply chains now, before hackers, or other cybercriminals, find their way in to disrupt the global distribution of goods and services," he says.
That's on the mind of the deputy CISO at the government agency, who does work with the NSA and did not want to be identified because of the sensitive nature of the topic. He says his agency is considering establishing a process that would quarantine new technology in a test bed to vet it for any security anomalies.
RSA's reputation has been sullied by its relationship with NSA, whether deservingly or not. "Regaining that trust will be a long haul requiring a degree of openness regarding what has happened and a focus on ensuring that it cannot happen again, a very tall order," Durbin says. "It'll take communication, collaboration, sharing and a lengthy period of time with no similar incidents before we can get close to that trust that has been so dramatically destroyed under the guise of national security."