RSA`s "Extended Number" Extension a Second NSA Backdoor?

A group of cryptographic researchers found an alleged NSA backdoor in the RSA`s BSAFE library, according to the Reuters news agency. The backdoor was located into the “Extended Number” extension for TLS cryptographic protocol.

A first NSA backdoor was found last year in the RSA`s BSAFE cryptographic library, more precisely in the pseudorandom number generator dubbed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). Now the “Extended Random” secure websites extension can be used to very quickly crack RSA`s Dual Elliptic Curve version, the researchers found.

“Evidence of an implementation of a non-standard TLS extension called “Extended Random” was discovered in the RSA BSAFE products,” the researchers said. “This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000.”

The Dual Elliptic Curve encryption was easy to break in a short amount of time with only $1,000 worth of on-the-shelf hardware, they said.

The researchers also discovered using ZMap that only 720 from 28.1 million servers were using the BSafe Java version with the Dual EC DRBG enabled. Only a third of the 720 servers were using Apache Coyote/1.1.

It seems that the “Extended Number” extension was just something the researchers “encountered along the way,” as Stephen Checkoway, co-author of the study said for The Register. “It wasn’t the focus and it doesn’t impact our major findings in any way.”

“For both the Java and C versions of BSAFE, we have no evidence that versions of the libraries supporting extended random ever shipped and our major findings do not rely on extended random in any way,” said a draft copy of the study sent to The Register.

Even though it is alleged that the “Extended Number” extension is a second NSA backdoor in the BSafe cryptographic library, there is no evidence BSafe was ever shipped with this particular extension.