The NSA strikes again. Steve Gibson, in his Security Now podcast, yesterday revealed that RSA’s respected and popular BSAFE encryption library contains a serious weakness. Its default random number generator (RNG) isn’t especially random and was tweaked years ago by the NSA to provide them with a back door. RSA is the leading security software firm. Its products are used by most of the major software publishers — Microsoft, Apple, Google, et al. Programmers who use BSAFE may choose to use other (stronger) RNGs, but BSAFE’s default RNG is definitely weak, thanks to NSA’s tinkering.
Secure encryption requires that a unique large random number be used for each encryption. If the number is predictable, the encrypted data can be cracked. Providing truly random large numbers isn’t easy, since computers are if nothing else, deterministic machines. They produce pseudo-random numbers. Typically they seed the RNG with a small random number such as the interval between mouse clicks.
Arstechnica explains: Stop using NSA-influenced code in our products, RSA tells customers
Observers fear that NSA’s actions such as this harm US software suppliers’ credibility. When a backdoor exists, not only is it available to its creator, but uninvited visitors may hammer on it, as well.
Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695