What do Snowden’s NSA crypto revelations mean to us?
RSA comes out of the cold.
Cryptographic software uses pseudo random number generators in things like key generation, one time pads and for arbitrary numbers used only once in a crypto conversation (these are called ‘nonces’, which doesn’t translate especially well into British English!).
The revelations about the National Security Agency’s ‘improvements’ to one of these algorithms in particular (the snappily named DUAL_EC_DRBG) has been the subject of ubergeek debate since 2007 when Microsoft engineers presented flaws in the algorithm, which it transpires were inserted by the NSA so they could spy on us (surprise!).
The algorithm in question has long been derided by people with extraordinarily large brains as being a bit slow and possibly unreliable so it seems unusual that it is the default algorithm for EMC owned RSA’s default algorithm in their BSafe crypto library, which incidentally has FIPS 140-2 validation, ahem.
It has been reported this week that RSA has strongly recommended that customers pick another pseudo random number generator and we recommend that users of the BSafe library do just that.
As for the backdoors encouraged by the security people in other products including Outlook.com / Gmail etc., we are looking forward to further revelations in the World’s press from Russia, with love.
ITC would love the opportunity to talk to you about these and all information security issues. Contact us on [email protected] or call us on 020 7517 3900.