The "Extended Random" Feature in the BSAFE Crypto Library

Matthew Green wrote a fascinating blog post about the NSA's efforts to increase the amount of random data exposed in the TLS protocol, and how it interacts with the NSA's backdoor into the DUAL_EC_PRNG random number generator to weaken TLS.

Posted on December 28, 2017 at 6:30 AM • 12 Comments

Comments

Petre Peter • December 28, 2017 9:29 AM

@ Clive Robinson 10q

It seems that if the system is not vulnerable to DoS it's vulnerable to Eve; if it's not vulnerable to Eve it's vulnerable to DoS.

Sancho_P • December 28, 2017 5:27 PM

“… — after all, why would the government spy on itself?” (M. Green)

Clearly it hurts.
Clearly it hurts NOBUS + USG.

There is only one entity that wants to hurt NOBUS + USG.
Occam’s razor:
The Russians did it.
As they were meddling in the 2016 election. Not to forget the DNC, Mirai, …
OMG! But wait:

Occam + 1:
The USG wanted it (but never used it), hoping the NO-NOBUS (e.g. the Chinese copymasters) think it was an improvement and use it?

hmm • December 28, 2017 6:31 PM

Meh. This isn't an R or D issue, this isn't US vs Russia or China, Trump vs the factual world.

The I.C. has been given the bailiwick to collect ALL communications that it feasibly can.
It is decided that the security risk for you, end user, is less than their benefit.

Rutkowska is right, blind trust is a failed model.

Whisper not her name... • December 29, 2017 8:47 AM

@Prince Humperdink:

The lesson--which should not be a new lesson--is that Johanna is once again way ahead of the curve.

Way ahead of which curve?

Nick P would have a lot more to say on just how far behind she really is. He has called her out many times. Others would point out she has not said anything she could not have learned from this (and one or two other) security blogs. She is not the "One eyed man in the kingdom of the blind", but a self-promoting salesperson with expired "best before" goods.

Gweihir • December 29, 2017 8:40 PM

Caught red-handed. Again. It seems the NSA has gotten pretty incompetent of late. One factor surely is bureaucracy, but I do hope that many of the really competent people they had took a cold hard look at what they were actually doing and who benefited and left.

curiouscat • December 31, 2017 4:10 AM

Does anyone else notice and wonder why, with mass data collection so widely and well known for a long while now, almost all network traffic has been and still is encrypted with AES? How much traffic was and is encrypted with any of the other amazing and beautiful ciphers? Take a look at consumer encryption, i.e. certificates: they are now almost exclusively AES.

Garrett • January 2, 2018 4:37 PM

Out of curiosity, would this have been a real vulnerability if the actual implementation fed the extra bits from a separate CSPRNG?

hmm • January 3, 2018 2:40 AM

What if it generates a predictable rainbow-tablesque artifact that is easily guessed "first" in purpose-built cracking algorithms operated by different divisions of the same folks?

I mean duh right.
