NSA Infiltrated RSA Deeper Than Imagined
Rambo Tribble (1273454) writes "Reuters is reporting that the U.S. National Security Agency managed to have security firm RSA adopt not just one, but two security tools, further facilitating NSA eavesdropping on Internet communications. The newly discovered software is dubbed 'Extended Random', and is intended to facilitate the use of the already known 'Dual Elliptic Curve' encryption software's back door. Researchers from several U.S. universities discovered Extended Random and assert it could help crack Dual Elliptic Curve encrypted communications 'tens of thousands of times faster'."
Thank goodness for open-source alternatives (Score:4, Informative)
So those that know how, can test and verify open-source alternatives are cryptographically secure, not back-doored, and safe for people to use.
Re:FIPS 140-2 4.9.2. The Other Back Door. (Score:4, Informative)
>But making a practical attack based on that seems unlikely to me.
Q: If you have a 128 bit 'full entropy' key K[127:0], how much is the entropy reduced if K[(n*16)+15:(n*16)] K[((n+1)*16)+15:((n+1)*16)] for n in {0..7}?
A: A lot.
I.e., it reduces the brute force search space by a lot.
Re:Sales plummeted (Score:2, Informative)
>So your solution is what? Build your own crypto software?
Use open source implementations of the established standard algorithms, with many eyes on them.
>Should every company and person wanting to have encrypted communications do this too?
Yes. Proprietary software should have zero market share in this area. It's too important.
>Do you trust your compiler? Or your hardware?
Yes, I do, but you don't have to.
If you're very very paranoid, use the "countering trusting trust" techniques.