NSA compromised commercial encryption standards

Following the leaks from former U.S. National Security Agency (NSA) contractor Edward Snowden, it had previously been revealed that the NSA had attempted to subvert commercially used cryptography standards; new research now adds dramatically to that story.


Reuters had earlier revealed, in December 2013, that the NSA paid RSA to develop the now discredited 'Dual Elliptic Curve' random number generating system, which was then incorporated in many commercial encryption implementations. In exchange for $10M, RSA compromised 'Dual Elliptic Curve' to provide a backdoor that permitted the NSA to decrypt information encrypted with commercial software using the compromised number generation system.

What has now become apparent is that the extent to which the system was compromised was very much more severe than previously imagined.

A group of professors from multiple universities, including the University of Wisconsin, the University of Illinois, and Johns Hopkins, has discovered and revealed that the NSA was using additional software that exploited further weaknesses in an additional protocol known as 'Extended Random'. 'Extended Random' was put forward in a Pentagon paper in 2006 as a way of increasing the randomness of the 'Dual Elliptic Curve' cryptographic keys. This additional protocol was added to RSA encryption to further 'secure it', but as the researchers have discovered, this was very far from the truth.

As an example, the university researchers demonstrated how it was possible to crack BSafe for Java encryption (which uses RSA encryption) in about an hour by employing the backdoor. It gets worse, though. Using additional techniques that employed the 'Extended Random' vulnerability, it was possible to reduce the decryption time by a factor of 65,000, meaning they could decrypt data 'protected' by this encryption in less than three seconds.

Reuters reports further on this story here.
