Tag: internet service providers

Stop using NSA-influenced code in our products, RSA tells customers

Firm “strongly recommends” customers stop using RNG reported to contain NSA backdoor.

by Dan Goodin – Sept 19 2013, 7:43pm EDT
Officials from RSA Security are advising customers of the company’s BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency.
An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual EC_DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, the New York Times reported last week. RSA’s advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudo random number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG,” the RSA advisory stated. “Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation” on RSA’s websites.
The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle though possible keys until the correct one is guessed.
McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it. The product uses the newer SHA1 PRNG random number generator in all other settings.
The NIST certification page lists dozens of other products that also use the weak RNG. Most of those appear to be one-off products. More significant is the embrace of BSAFE as the default RNG, because the tool has the ability to spawn a large number of derivative crypto systems that are highly susceptible to being broken.
< – >
http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/

UK and US spies have cracked BlackBerry's BES encryption

UK and US spies have cracked BlackBerry’s BES encryption

By Peter Sayer
Techworld
09 September 2013
The U.S. National Security Agency is able to read messages sent via a
corporate BlackBerry Enterprise Server (BES), according to a report by
German news magazine Der Spiegel. The purpose of this spying is economic
or political, and not to counter terrorism, the magazine hints.
The report, published in English on Monday, cites internal documents
leaked by former NSA contractor Edward Snowden.
Governments have long demanded that BlackBerry provide access to encrypted
messages carried by its email and BlackBerry Messenger (BBM) services, to
allow them to monitor for terrorist activity.
BlackBerry has complied in the case of its consumer-grade BlackBerry
Internet Service (BIS), notably providing the Indian government with
access to consumer messages. Indeed, Der Spiegel cited NSA documents
claiming that since 2009, analysts have been able to see and read
[…]
http://news.techworld.com/security/3467695/report-uk-and-us-spies-have-cracked-blackberrys-bes-encryption/

Security and Pervasive Monitoring

Security and Pervasive Monitoring
The Internet community and the IETF care deeply about how much we can trust commonly used Internet services and the protocols that these services use.  So the reports about large-scale monitoring of Internet traffic and users disturbs us greatly.  We knew of interception of targeted individuals and other monitoring activities, but the scale of recently reported monitoring is surprising. Such scale was not envisaged during the design of many Internet protocols, but we are considering the consequence of these kinds of attacks.
Of course, it is hard to know for sure from current reports what attack techniques may be in use.  As such, it is not so easy to comment on the specifics from an IETF perspective.  Still, the IETF has some long standing general principles that we can talk about, and we can also talk about some of the actions we are taking.
In 1996, RFC 1984 articulated the view that encryption is an important tool to protect privacy of communications, and that as such it should be encouraged and available to all.  In 2002, we decided that IETF standard protocols must include appropriate strong security mechanisms, and established this doctrine as a best current practice, documented in RFC 3365. Earlier, in 2000 the IETF decided not to consider requirements for wiretapping when creating and maintaining IETF standards, for reasons stated in RFC 2804. Note that IETF participants exist with positions at all points of the privacy/surveillance continuum, as seen in the discussions that lead to RFC 2804.
As privacy has become increasingly important, the Internet Architecture Board (IAB) developed guidance for handling privacy considerations in protocol specifications, and documented that in RFC 6973. And there are ongoing developments in security and privacy happening within the IETF all the time, for example work has just started on version 1.3 of the Transport Layer Security (TLS, RFC 5246) protocol which aims to provide better confidentiality during the early phases of the cryptographic handshake that underlies much secure Internet traffic.
Recent days have also seen an extended and welcome discussion triggered by calls for the IETF to build better protections against wide-spread monitoring.
As that discussion makes clear, IETF participants want to build secure and deployable systems for all Internet users.  Indeed, addressing security and new vulnerabilities has been a topic in the IETF for as long as the organisation has existed.  Technology alone is, however, not the only factor. Operational practices, laws, and other similar factors also matter. First of all, existing IETF security technologies, if used more widely, can definitely help.  But technical issues outside the IETF’s control, for example endpoint security, or the properties of specific products or implementations also affect the end result in major ways. So at the end of the day, no amount of communication security helps you if you do not trust the party you are communicating with or the devices you are using. Nonetheless, we’re confident the IETF can and will do more to make our protocols work more securely and offer better privacy features that can be used by implementations of all kinds.
So with the understanding of limitations of technology-only solutions, the IETF is continuing its mission to improve security in the Internet.  The recent revelations provide additional motivation for doing this, as well as highlighting the need to consider new threat models.
We should seize this opportunity to take a hard look at what we can do better.  Again, it is important to understand the limitations of technology alone. But here are some examples of things that are already ongoing:

  • We’re having a discussion as part of the development of HTTP/2.0 as to how to make more and better use of TLS, for example to perhaps enable clients to require the use of security and not just have to react to the HTTP or HTTPS URLs chosen by servers.
  • We’re having discussions as to how to handle the potentially new threat model demonstrated by the recent revelations so that future protocol designs can take into account potential pervasive monitoring as a known threat model.
  • We’re considering ways in which better use can be made of existing protocol features, for example, better guidance as to how to deploy TLS with Perfect Forward Secrecy, which makes applications running over TLS more robust if server private keys later leak out.
  • We’re constantly updating specifications to deprecate older, weaker cryptographic algorithms and allocate code points for currently strong algorithm choices so those can be used with Internet protocols.

And we are confident that discussions on this topic will motivate IETF participants to do more work on these and further related topics.
But don’t think about all this just in terms of the recent revelations.  The security and privacy of the Internet in general is still a challenge even ignoring pervasive monitoring, and if there are improvements from the above, those will be generally useful for many reasons and for many years to come.  Perhaps this year’s discussions is a way to motivate the world to move from “by default insecure” communications to “by default secure”.  Publicity and motivation are important, too. There is plenty to do for all of us, from users enabling additional security tools to implementors ensuring that their products are secure.
In the Vancouver IETF meeting, there will be time dedicated to discuss this, and we ask that those interested in working on this topic contribute to the analysis and develop proposals in this area.  Those contributions are very welcome and can start now and continue in Vancouver and beyond.
Relevant mailing lists (from most specific to most general) include:

Jari Arkko, Chair of the IETF and Stephen Farrell, IETF Security Area
Director