A group of professors and researchers from several universities in the US and the Netherlands have tested the exploitability of various implementations of the infamous Dual_EC_DRBG cryptographic algorithm which is though to have been backdoored by the US NSA, and have discovered that the RSA BSAFE products contain another tool used by NSA that could make a Dual EC attack considerably faster and easier.
“We analyzed the use of Dual EC in four recent TLS/SSL library implementations: RSA BSAFE Share for C/C++, RSA BSAFE Share for Java, Microsoft SChannel, and OpenSSL.”
They discovered that OpenSSL had a bug that prevented the library from running when Dual EC is enabled, but that patching it can result in a pretty resilient library.
On the other hand, they discovered that SChannel does not implement the current Dual EC standard – it omits one step of the Dual EC algorithm – but that this makes attacks slightly faster.
Finally, the RSA BSAFE implementations of TLS as well as the Java version of BSAFE can be easily exploited, the latter especially because of the additional implementation of a TLS extension called “Extended Random.”
“This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS,” the researchers explained.
“While the code implementing Extended Random was not compiled into our build of Share for C/C++, it was available (though deactivated) in the build of Share for Java that we analyzed. In the latter case, we were able to re-enable it and verify the functionality. ”
The also shared that it took them only several seconds to decrypt TLS connections made by RSA Share for C/C++, and less than a minute on an old laptop.
“Other libraries, such as Share for Java, Microsoft SChannel, and OpenSSL (with the bug repaired) also proved feasible to attack, but were in some cases significantly more costly,” they noted.
According to a Reuters report, RSA did not dispute this research, and commented that Extended Random was removed from its software half a year ago because it proved unpopular. The NSA declined to comment on the findings.