RSA Tells Developers To Ditch Contentious Encryption Algorithm


RSA, the security division of EMC, is warning software developers that one of its toolkits to implement encryption is set by default to configure a controversial algorithm that may contain a back door that could be used to decrypt protected data and view sensitive files.

In an email to developers, RSA said its BSafe toolkit supports a random number generator cryptography experts are concerned contains a modification enabling it to be used in U.S. government surveillance activities. An RSA spokesperson told CRN Friday that RSA has changed the default in the toolkit and in its key management system.

The company has not indicated why RSA set its toolkit by default to an algorithm known for containing a weakness and being slow to generate random numbers.

[Related: 10 Ways NSA Surveillance Revelations Could Impact The Channel]

The toolkits are widely distributed. In 2009, RSA offered free downloads of its BSafe Share encryption technology to software developers under a program called the RSA Share Project. RSA, Bedford, Mass., said the message it sent to developers Thursday provided details about changing the default to another random number generator supported by the company. All versions of its BSafe toolkits are impacted by the changes.

Revelations stemming from the leaked National Security Agency documents provided by Edward Snowden have prompted a discussion among cryptographers over a known weakness in the algorithm called Dual EC DRBG. The NSA pushed to get the algorithm added as a standard issued by the National Institute of Standards and Technology (NIST) despite it being slower and containing a known weakness. Documents obtained by Snowden have shown that the NSA spent $250 million to influence product designs to enable back-door access in commercial encryption toolkits and other software. Earlier this month NIST strongly recommended against using the algorithm.

Security experts told CRN the NSA revelations should be an eye-opener to businesses and solution providers and will lead to more questions about data control and retention, and security measures of cloud-based services.

"Anything that leaves our network we have to assume that it is being looked at," said Michael Sutton, vice president of security research at Zscaler, a San Jose, Calif.-based cloud security vendor. "I think you will see a move toward companies requiring and implementing encryption to a greater degree and you'll see more websites move to SSL only."

Other experts said that when put into context, businesses should be assessing their systems and applying security best practices to address more nefarious threats.

The NSA revelations have prompted a policy discussion about how much reach citizens want their government authorities to have for national defense, said Chris Petersen, chief technology officer and co-founder of LogRhythm, a Boulder, Colo.-based security information event management appliance maker.

"The fact that the NSA can decrypt encrypted data if they want to is irrelevant because they shouldn’t be decrypting it on the average citizen in the first place," Petersen told CRN

PUBLISHED SEPT. 20, 2013