Cisco, McAfee, Other Firms Addressing NSA-Linked Encryption Algorithm
3:33 PM EST Fri. Sep. 27, 2013
Security firms and networking appliance makers are working to identify the products that support a contentious encryption algorithm believed by some cryptographers to be a potential back door used for surveillance activities conducted by the National Security Agency.
None of the technology vendors reached by CRN have the encryption algorithm set by default, but some firms indicated that the algorithm was supported as an option.
Security vendor Mocana, which provides security for mobile devices and embedded systems, is considering a formal warning to customers that a tool it provides for embedded device encryption could have been used to implement the contentious encryption algorithm. The firm told CRN that its NanoCrypto government-certified cryptographic engine had the questionable encryption algorithm as one of three options made available to developers.
The tool is used to provide encryption for a variety of devices, from medical pumps and pacemakers to industrial manufacturing automation systems used by large defense contractors, said Kurt Stammberger, vice president of market development at Mocana.
"The algorithms in there are not turned on by default, but we will probably be issuing an advisory to our customers to not use the algorithm, and in a future patch turn it off or delete it from the toolkit entirely," Stammberger said.
Stammberger, an early member of RSA -- the security division of EMC -- and founder of the RSA Conference, said the weak encryption algorithm has a significant impact on the entire industry. Patching systems could be costly to technology firms, he said. The loss in confidence from the public and businesses can also have an impact, he said.
"It can have a real economic detriment to American business," Stammberger said.
The encryption algorithm in question is called Dual_EC_DRBG. The pseudo-random number generator had been promoted by the National Institute of Standards and Technology (NIST) as one of four recommended random number generators for use in cryptography. Earlier this month, NIST warned against using Dual_EC_DRBG while cryptographers determine the extent of the algorithm's weaknesses. Leaked documents about the NSA surveillance program outline a multipronged approach to cracking encryption, including spending millions on getting back doors into encryption products.
RSA was the first security firm to issue an advisory over the matter. The firm issued a message to developers Sept. 19, stating that its BSafe toolkit, used to implement encryption in thousands of applications, was set up to support the faulty encryption algorithm by default. Cryptographers believe NSA pushed to get the algorithm added as a standard issued by NIST despite it being slower and containing a known weakness. Vendors provided support for the algorithm so businesses could meet the Federal Information Processing Standard (FIPS) certification, which recommended the algorithm as one of the standards required to do business with the U.S. government.
The issue impacts many businesses, said Robert David Graham, a noted cryptography expert and CEO of security consultancy Errata Security. Firms have to check whether the algorithm was implemented and is in use. Meanwhile, any product updates will have to be applied, Graham said.
"It's not just RSA's products; anybody using Microsoft's crypto libraries or the OpenSSL library has to do the same," Graham said.
Following the RSA recommendations, security firms told CRN that they are addressing customer concerns and determining whether there is a need to issue an advisory about the matter.
Stanley Mesceda, a program manager at SafeNet, an enterprise data protection vendor, said the company uses a mix of hardware-based and other randomizers in its products, making the issue of whether the firm uses the encryption algorithm a moot point. SafeNet was validated by NIST to use the OpenSSL library that supports the questionable encryption algorithm.
"In SafeNet products, we don't use OpenSSL for our randomizer; we have other mechanisms to do the randomization," Mesceda said.
A Cisco Systems spokesperson said the company is completing an internal audit of the products that leverage the standard. The company said the questionable algorithm is not the default random bit generator in Cisco's standard crypto library, but it was implemented as part of compliance efforts in mid-2012.
"AES-CTR is the default selection for the standard crypto library that is deployed across more than 120 Cisco product lines," the company said in a statement issued to CRN. "This default cannot be changed by the user."
Juniper said it also is conducting an audit and "so far has not found any Juniper products that invoke the Dual_EC_DRBG algorithm."
McAfee told CRN that its Firewall Enterprise Control Center supported the Dual_EC_DRBG, but only when it is deployed in federal government or government contractor customer environments, where the FIPS certification has recommended it. "In non-FIPS140-2, non-U.S. government implementations, the product uses the newer SHA1 PRNG random number generator in all other settings," the firm said in a statement.
Symantec refused to comment about the extent of algorithm use in its products. The company is on a NIST validation list for its data loss prevention crypto engine.
Security vendor Thales, which sells hardware security modules that perform encryption for many banks and other financial institutions, told CRN that the "algorithm is supported in a single variant of network encryption appliances in a closed, stand-alone system." The algorithm has not been implemented in any of the company's HSM products, said Richard Moulds, vice president of Thales e-Security.
"We have been aware of the potential flaws in the Dual_EC_DRBG algorithm for a number of years, and as a result we have not implemented this algorithm in any of our HSMs," Moulds said in an email message.
Potential changes in the field of encryption research make crypto systems susceptible to being invalidated at any time, said Tom Cross, director of security research at network security vendor Lancope. Dual_EC_DRBG is supported in Lancope products but not enabled by default.
"It is critical that encryption systems be implemented in such a way that they can be reconfigured in light of changing circumstances," Cross said. "For those customers who have taken the extra step of enabling Dual_EC_DRBG, Lancope has provided guidance regarding how to enable alternatives."