A group of cryptographic researchers found an alleged NSA backdoor in the RSAâ€™s BSAFE library, according to the Reuters news agency. The backdoor was located into the â€œExtended Numberâ€ extension for TLS cryptographic protocol.
A first NSA backdoor was found last year in the RSAâ€™s BSAFE cryptographic library, more precisely in the pseudorandom number generator dubbed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). Now the “Extended Random” secure websites extension can be used to very quickly crack RSAâ€™s Dual Elliptic Curve version, the researchers found.
â€œEvidence of an implementation of a non-standard TLS extension called â€œExtended Randomâ€ was discovered in the RSA BSAFE products,â€ the researchers said. Â â€œThis extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000.â€
The Dual Elliptic Curve encryption was easy to break in a short amount of time with only $1,000 worth of on-the-shelf hardware, they said.
The researchers also discovered using ZMap that only 720 from 28.1 million servers were using the BSafe Java version with the Dual EC DRBG enabled. Only a third of the 720 servers were using Apache Coyote/1.1.
It seems that the â€œExtended Numberâ€ extension was just something the researchers â€œencountered along the way,” as Stephen Checkoway, co-author of the study said for The Register. “It wasn’t the focus and it doesn’t impact our major findings in any way.”
Â â€œFor both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way,â€ said a draft copy of the study sent to The Register.
Even though it is alleged that the â€œExtended Numberâ€ extension is a second NSA backdoor in the BSafe cryptographic library, there is no evidence BSafe was ever shipped with this particular extension.