LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   NSA deeper into RSA than stated before (https://www.linuxquestions.org/questions/linux-security-4/nsa-deeper-into-rsa-then-stated-before-4175500104/)

lleb 03-31-2014 06:09 PM

NSA deeper into RSA than stated before
 
http://m.slashdot.org/story/200129

In short, they now have a means to decrypt RSA keys tens of thousands of times faster.

What to replace RSA with for ssh keys and more?

metaschima 03-31-2014 07:30 PM

First of all, RSA encryption does NOT equal RSA the company. We're talking about the company here.

Second, the Reuters article mentions only the Elliptic curve PRNG, NOT the Elliptic curve encryption. Basically, the backdoor that was inserted was really just making RSA co. use the Elliptic curve PRNG, which is known to be extremely weak:
http://blog.0xbadc0de.be/archives/155
It was actually discovered in 2012:
http://cyberwarzone.com/did-nsa-put-...ption-standard

As for Extended Random, see:
http://dualec.org/
Quote:

We also discovered evidence of the implementation in the RSA BSAFE products of a non-standard TLS extension called “Extended Random.” This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS. While the code implementing Extended Random was not compiled into our build of Share for C/C++, it was available (though deactivated) in the build of Share for Java that we analyzed. In the latter case, we were able to re-enable it and verify the functionality. Note that the attack times reported below do not take advantage of extended random.
Also see:
http://www.linuxquestions.org/questi...sa-4175488778/

unSpawn 03-31-2014 07:56 PM

Quote:

Originally Posted by lleb (Post 5144389)
In short, they now have a means to decrypt RSA keys tens of thousands of times faster.

Unless I read things wrong, I think that's too sensationalist a summary of things. First of all you need a "product" that includes the Dual Elliptic Curve Deterministic Random Bit Generator (some versions of Windows IIRC), and then the Extended Random protocol would have been a proposed addition to that.


Quote:

Originally Posted by lleb (Post 5144389)
What to replace RSA with for ssh keys and more?

First of all, there's a difference between RSA Inc the company (BSAFE SW, HW token) and RSA as in the algorithm. Secondly, as you moved from OpenSSH-1 to OpenSSH-2 you should already have moved from RSA to DSA keys (http://www.snailbook.com/faq/ssh-1-vs-2.auto.html) and only use RSA when talking to systems that can't do DSA.

lleb 04-02-2014 06:49 AM

Quote:

Originally Posted by unSpawn (Post 5144427)
Unless I read things wrong, I think that's too sensationalist a summary of things. First of all you need a "product" that includes the Dual Elliptic Curve Deterministic Random Bit Generator (some versions of Windows IIRC), and then the Extended Random protocol would have been a proposed addition to that.

Good to know here.


Quote:

First of all, there's a difference between RSA Inc the company (BSAFE SW, HW token) and RSA as in the algorithm. Secondly, as you moved from OpenSSH-1 to OpenSSH-2 you should already have moved from RSA to DSA keys (http://www.snailbook.com/faq/ssh-1-vs-2.auto.html) and only use RSA when talking to systems that can't do DSA.
I thought DSA keys were considerably easier to crack than RSA? Thankfully I am running OpenSSH-2 on all of my systems.
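Before deciding which SSH key types to keep, it helps to know what is actually deployed. The following Python script is an added example, written for this thread and not posted by any participant: it parses OpenSSH public-key lines (the format used in `authorized_keys` and `id_*.pub` files), decodes the base64 blob per RFC 4253 and reports the key type and size for each entry. The sample lines are constructed in the script from placeholder numbers, so they are not real keys; the `min_bits` threshold of 2048 for RSA/DSA is an assumption you can change. One fact worth knowing when reading the output: OpenSSH's `ssh-dss` keys are always 1024 bits, which is why they show up at that size.

```python
import base64
import struct

# ---- RFC 4251 wire-format helpers; also used below to build the constructed sample input ----

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 when the high bit is set)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)

def _make_line(key_type: str, fields: list, comment: str) -> str:
    """Assemble one pubkey/authorized_keys line from already-encoded wire fields."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample keys (NOT real keys: the integers are placeholders of the right bit size).
SAMPLE_LINES = [
    _make_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 2047) | 1)], "alice@host"),
    _make_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1)], "legacy@host"),
    _make_line("ssh-dss", [_ssh_mpint((1 << 1023) | 1), _ssh_mpint((1 << 159) | 1),
                           _ssh_mpint(2), _ssh_mpint(3)], "bob@host"),
    # authorized_keys entries may carry an options field in front of the key type
    'from="10.0.0.0/8" ' + _make_line("ecdsa-sha2-nistp256",
        [_ssh_string(b"nistp256"), _ssh_string(b"\x04" + bytes(64))], "carol@host"),
    _make_line("ssh-ed25519", [_ssh_string(bytes(32))], "dave@host"),
]

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field, returning (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length

def _mpint_bits(raw: bytes) -> int:
    return int.from_bytes(raw, "big").bit_length()

def describe_key(line: str) -> dict:
    """Return {'type', 'bits', 'comment'} for one public-key line.
    Simplification (assumption): the options field is split on whitespace, so quoted
    options containing spaces would need a proper tokenizer."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type/blob found")
    key_type = tokens[idx]
    blob = base64.b64decode(tokens[idx + 1])
    comment = " ".join(tokens[idx + 2:])
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != key_type:
        raise ValueError("key type field does not match blob")
    if key_type == "ssh-rsa":            # fields: e, n  -> size is the modulus n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = _mpint_bits(n)
    elif key_type == "ssh-dss":          # fields: p, q, g, y -> size is the prime p
        p, _ = _read_string(blob, off)
        bits = _mpint_bits(p)
    elif key_type.startswith("ecdsa-sha2-"):  # fields: curve name, point
        curve, _ = _read_string(blob, off)
        bits = int(curve.decode().replace("nistp", ""))
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        bits = 0
    return {"type": key_type, "bits": bits, "comment": comment}

def audit(lines, min_bits: int = 2048):
    """Inventory every key; RSA/DSA entries below min_bits are marked 'below-threshold'.
    Curve keys are judged by their curve, so the RSA/DSA threshold is not applied to them."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = describe_key(line)
        if info["type"] in ("ssh-rsa", "ssh-dss"):
            verdict = "ok" if info["bits"] >= min_bits else "below-threshold"
        else:
            verdict = "ok"
        report.append((info["type"], info["bits"], info["comment"], verdict))
    return report

if __name__ == "__main__":
    for key_type, bits, comment, verdict in audit(SAMPLE_LINES):
        print(f"{key_type:22} {bits:5} {verdict:16} {comment}")
```

To run it against a real file, replace `SAMPLE_LINES` with `open("~/.ssh/authorized_keys").read().splitlines()` (path expanded as appropriate); the parser only reads the public blob, so it never touches private key material.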

