Author Topic: NSA might be behind weakening of Android Random Number Generator problem  (Read 4464 times)
Its About Sharing (OP)
Legendary
Activity: 1442
Merit: 1000
Antifragile
September 06, 2013, 08:50:59 AM
#1

This is something we (now) have to consider, if you already hadn't. In the interview a few weeks or a month back on Let's Talk Bitcoin with the computer scientist who discovered the low entropy of the Android-based random number generator that was generating 9 bits (and not 256, if I remember correctly) of entropy, he stated he found 2 points of weakness, and it was VERY suspicious to him.

Snowden released some more information and what I'm seeing is that SHA256 is indeed secure but the weakness would be in implementation and such. The NSA is becoming a Saboteur of implementation it seems.

The latest article regarding this (Sept 5) is here:
Latest Snowden revelation: NSA sabotaged electronic locks
http://www.latimes.com/opinion/opinion-la/la-ol-nsa-introduced-vulnerabilities-into-encryption-snowden-reveals-20130905,0,2218463.story

Snippet:
Quote
The latest Edward Snowden-powered exposé published by the New York Times, ProPublica and the Guardian is, to me, the most frightening. It reveals that the National Security Agency has moved beyond its historic role as a code-breaker to become a saboteur of the encryption systems. Its work has allegedly weakened the scrambling not just of terrorists' emails but also bank transactions, medical records and communications among coworkers.

Here's the money graf:

"The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."

I'd be disappointed if the NSA hadn't figured out how to do that hacking trick. But adding vulnerabilities to standard encryption techniques? That's just making the job easier for hackers to make sense of the scrambled data they steal.

I wish I could add my help but I'm not a programmer. Hopefully bringing things like this to the attention of those capable of discovering these "flaws" will allow for their correction.

It's About Sharing

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Nigeria Prince
Newbie
Activity: 28
Merit: 0
September 06, 2013, 09:20:23 AM
#2

Yes, I agree. NSA and dictator Obama are behind this.
Its About Sharing (OP)
Legendary
Activity: 1442
Merit: 1000
Antifragile
September 06, 2013, 09:24:07 AM
#3

Quote from: Nigeria Prince on September 06, 2013, 09:20:23 AM
Yes, I agree. NSA and dictator Obama are behind this.

My real point, if it is not clear, is that EXTREME EFFORT should be spent in looking at these interfaces between our cryptographic security (e.g. SHA256) and its technical implementation.
The "back doors" or "weak points" will be in plain sight and easily overlooked, e.g. the Android random number generator.
We patch these weak points or sabotaged areas, and we will be good.

IAS

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
b!z
Legendary
Activity: 1582
Merit: 1010
September 06, 2013, 09:30:47 AM
#4

Quote from: Its About Sharing on September 06, 2013, 09:24:07 AM
Quote from: Nigeria Prince on September 06, 2013, 09:20:23 AM
Yes, I agree. NSA and dictator Obama are behind this.

My real point, if it is not clear, is that EXTREME EFFORT should be spent in looking at these interfaces between our cryptographic security (e.g. SHA256) and its technical implementation.
The "back doors" or "weak points" will be in plain sight and easily overlooked, e.g. the Android random number generator.
We patch these weak points or sabotaged areas, and we will be good.

IAS


The problem is that these backdoors could be hidden in plain sight, and we may never find them.
Mike Hearn
Legendary
expert
Activity: 1526
Merit: 1129
September 06, 2013, 09:38:58 AM
#5

I suspected this might come up.

So, I realise that you can see me as a part of the wider conspiracy, but I have more knowledge of exactly what went wrong with the Android RNG than is currently public (full details will be released at some academic conference in the coming months, I believe). The failure modes involved are quite straightforward and the kind of mistake that's very easy to make, given Android's architecture. No cleverness or NSA conspiracy is required - it's the kind of bug anyone could introduce accidentally without realising they'd done anything wrong.

Let's look at it another way. The NSA targets RNGs because it's possible for them to break in subtle ways without anyone noticing for a long time. Evidence: the Debian OpenSSL fiasco that was obvious to anyone who simply reviewed the patches applied to their fork. No way was that an NSA covert op because it was so freaking obvious; it escaped detection for a long time simply because nobody bothered to check that Debian wasn't doing something stupid.

Anyway. Once the full details are made public you can review them and decide for yourself. Occam's Razor and all that. BTW hiding RNG faults in an open source OS is a really bad idea. The worst faults were in Jellybean, released end of 2012. Less than a year later the Bitcoin community discovered the issue. If that's the NSA's plan to undermine public crypto, they suck at it.
Its About Sharing (OP)
Legendary
Activity: 1442
Merit: 1000
Antifragile
September 06, 2013, 09:45:27 AM
#6

Thanks for the information Mike.

Again, my point is just to lock down the weak points. Whether or not the NSA did anything is not so much the point (though it is a possibility and an attention grabber / worst case scenario that we should be open to.)

Were you the guy in the interview? Why say "I realise that you can see me as a part of the wider conspiracy"? The man in the interview was clear that it looked suspicious (2 weak points and not 1).

Point taken though,
Thanks again,
IAS

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Mike Hearn
Legendary
expert
Activity: 1526
Merit: 1129
September 06, 2013, 09:51:20 AM
#7

No it wasn't me in the interview.

The first set of RNG problems (pre-Jellybean) weren't even made by Google. They were inherited from Apache Harmony.
frankenmint
Legendary
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
September 06, 2013, 09:52:18 AM
#8

Quote from: Its About Sharing on September 06, 2013, 09:45:27 AM
Thanks for the information Mike.

Again, my point is just to lock down the weak points. Whether or not the NSA did anything is not so much the point (though it is a possibility and an attention grabber / worst case scenario that we should be open to.)

Were you the guy in the interview? Why say "I realise that you can see me as a part of the wider conspiracy"? The man in the interview was clear that it looked suspicious (2 weak points and not 1).

Point taken though,
Thanks again,
IAS

What Mike says... believe me... if the time comes that BTC becomes a threat to the USA, the NSA will come up with something to destroy all blockchains with a type of virus or worm... but I don't see that happening... we would all just move to anc or zerocoin backed... but then "that" coin is just a matter of time to be targeted... perhaps an alt that is perceived to be anonymous will be the coin that has the conspiracy backdoors we rave of.

piotr_n
Legendary
Activity: 2053
Merit: 1354
aka tonikt
September 06, 2013, 10:09:57 AM
Last edit: September 06, 2013, 10:20:43 AM by piotr_n
#9

Quote from: Mike Hearn on September 06, 2013, 09:38:58 AM
BTW hiding RNG faults in an open source OS is a really bad idea.
Bad idea that obviously worked - all the Android systems had been exposed to crypto attacks for years.
And they would probably still have been exposed, if not for the bitcoin users alerting the whole world.

Let me remind you that this weakness was publicly reported at least a few months before Google fixed it.
And they fixed it only after some people lost their money, so Google was facing lawsuits.

Are we supposed to believe that Google just did not know about the RNG problem, before bitcoin users reported it?
Yeah, right.. Smiley
Well, I don't believe it.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
b!z
Legendary
Activity: 1582
Merit: 1010
September 06, 2013, 10:17:47 AM
#10

Quote from: piotr_n on September 06, 2013, 10:09:57 AM
Quote from: Mike Hearn on September 06, 2013, 09:38:58 AM
BTW hiding RNG faults in an open source OS is a really bad idea.
Bad idea that obviously worked - all the Android systems had been exposed to crypto attacks for years.
And they would probably still have been exposed, if not for the bitcoin users alerting the whole world.

Let me remind you that this weakness was publicly reported at least a few months before Google fixed it.
And they fixed it only after some people lost their money, so Google was facing lawsuits.

Are we supposed to believe that Google just did not know about the RNG problem, before bitcoin users reported it?
Yeah, right.. Smiley
Well, I don't believe it.

Perhaps they don't want to take action unless there is a risk of them losing users/money.
piotr_n
Legendary
Activity: 2053
Merit: 1354
aka tonikt
September 06, 2013, 10:22:28 AM
#11

Quote from: b!z on September 06, 2013, 10:17:47 AM
Perhaps they don't want to take action unless there is a risk of them losing users/money.
Obviously.
The question is: why don't they want to take action?
I mean, they cannot be so stupid as to not understand that not taking action is basically leaving an open backdoor in their encryption libraries.
So why do they willingly keep the backdoor open?

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Its About Sharing (OP)
Legendary
Activity: 1442
Merit: 1000
Antifragile
September 06, 2013, 10:31:03 AM
#12

Quote from: piotr_n on September 06, 2013, 10:22:28 AM
Quote from: b!z on September 06, 2013, 10:17:47 AM
Perhaps they don't want to take action unless there is a risk of them losing users/money.
Obviously.
The question is: why don't they want to take action?
I mean, they cannot be so stupid as to not understand that not taking action is basically leaving an open backdoor in their encryption libraries.
So why do they willingly keep the backdoor open?

Maybe because Google was initially funded by people with clear ties to the NSA?

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Mike Hearn
Legendary
expert
Activity: 1526
Merit: 1129
September 06, 2013, 01:31:23 PM
#13

Sigh. The fault described in the RSA paper was in the pre-Jellybean version of the RNG. It was "fixed", unfortunately the fix involved replacement of the bad RNG with one that had a different and even worse set of bugs, which were not publicly reported until the Bitcoin event.
piotr_n
Legendary
Activity: 2053
Merit: 1354
aka tonikt
September 06, 2013, 01:40:40 PM
Last edit: September 06, 2013, 02:24:49 PM by piotr_n
#14

I think we all understand your explanation, but some of us just don't quite believe that the alleged broken fix has not been an NSA approved "solution".

I don't know how you guys work there in Google, but all the companies I have worked in, when they fix a bug, they also create test cases, to make sure that the problem has actually been fixed.
And you are saying that they fixed such a critical security issue, basically a backdoor, though without realizing that they didn't actually fix it...

Well, it would mean that either Google is lamer than a drunk teenage girl, or somebody is just trying to sell us some fairy tales.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
gmaxwell
Moderator
Legendary
expert
Activity: 4158
Merit: 8382
September 06, 2013, 02:11:58 PM
#15

Quote from: piotr_n on September 06, 2013, 01:40:40 PM
I think we all understand your explanation, but some of us just don't quite believe that the alleged broken fix has not been an NSA approved "solution".

I don't know how you guys work there in Google, but all the companies I have worked in, when they fix a bug, they also create test cases, to make sure that the problem has actually been fixed.
And you are saying that they fixed such a critical security issue, though without realizing that they didn't actually fix it...
Well, it would mean that either Google is lamer than a drunk teenage girl, or somebody is just trying to sell us some fairy tales.

Piotr_n, show some civility!

Mike isn't an android developer, he's not Google CEO, this isn't his mistake.  The new bug, which has not yet been disclosed by Google, is apparently an entirely different bug than the old one.  I have no doubt that they tested the fix for the old bug and were confident that it was fixed... but a test for an old bad behavior doesn't always show the new one.

In any case, I'm not subject to any Google confidentiality agreements and have no privileged access to the bug information in this case, and I think other people know about this class of weakness already... so I suppose I can tell you what my guess of the bug is: I think android was seeding the OpenSSL RNG at start and then forking more processes and, in the course of doing so, copying the RNG's state. OpenSSL has automatic seeding of its internal state from the OS, but it only fires once. If you aren't careful with the use of fork you can end up with processes that have duplicate copies of the RNG state. I don't know that this was the case on android, but it's a bug other people have had before, which the workaround proposed for android would have fixed. But it is entirely unlike the harmony bad RNG problems, and while you can always fault someone for making a critical security mistake, this isn't one that would have resulted from a straight up sloppy QA practice.
piotr_n
Legendary
Activity: 2053
Merit: 1354
aka tonikt
September 06, 2013, 02:16:29 PM
#16

But I am not accusing Mike of anything.
I am accusing Google of collaboration with NSA.

Considering today's headlines, shouting about NSA being able to break all kinds of ciphers, thanks to exploits planted in all kinds of software - why would we not assume that Android is on their list?
Just think about all the circumstances around this specific problem and its alleged fix that introduced an "even worse set of bugs"...

Is Mike's explanation plausible - yes, it is.
But is it more plausible than an NSA designed backdoor theory - IMO, no!

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
jgarzik
Legendary
qt
Activity: 1596
Merit: 1091
September 06, 2013, 02:17:08 PM
#17

Yes, this subject was covered here:

     http://www.reddit.com/r/Bitcoin/comments/1lt8tt/speculation_are_bitcoin_thieves_revealing_nsa/

Did the NSA plant the flaw?  Seems unlikely.

Were they aware of the flaw, and could have included it in their suite of tools?  Absolutely.  NSA most certainly reviews software -- open and closed source -- to find bugs they may exploit at a later date.

And ironically, bitcoin thieves are working to help secure us from NSA software backdoors.  Smiley


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
MatthewLM
Legendary
Activity: 1190
Merit: 1004
September 06, 2013, 02:17:59 PM
#18

I would be more concerned with proprietary software than open-source software. Mike is right in that the NSA would find it easier to hide back-doors in proprietary software. This is a good reason to switch to open-source. Indeed, problems with open-source software will remain there until somebody discovers them, but the point is it's still easier to hide in proprietary software. Though I don't deny that the NSA might have been behind this, and it's absolutely disgusting that they have and do get away with things like this.
gmaxwell
Moderator
Legendary
expert
Activity: 4158
Merit: 8382
September 06, 2013, 02:24:10 PM
#19

Don't be so sure that you can't plant backdoors in open source software.  Some of the mistakes I make on non-released code would be really awesome ultra-subtle backdoors.

... but it really doesn't matter.  We need to be vigilant in auditing the tools we use, and we need to use open tools which can be audited.  This will catch both intentional back doors as well as honest mistakes.

At the end of the day if we want secure systems this is what we must do... because no matter how trustworthy a vendor is, everyone can make mistakes.

Short of more leaked NSA documents, I suspect we'll never know if most possible backdoors were intentional or accidental. If google is gaining backdoors like that I'd put a bigger bet on it being via planted employees than on it being company policy: the former is a lot easier to keep secret than the latter.  ... and that same kind of weakness could exist anywhere— in google things, in community developed things, anywhere.

The only answer is extensive review and building robust systems which are not as vulnerable to single points of failure.  (On this regard, I'm kind of sad that none of the first wave of hardware wallets will target doing multisignature…)

Mike Hearn
Legendary
expert
Activity: 1526
Merit: 1129
September 06, 2013, 03:02:32 PM
#20

The good news about the NSA is they do have fear. Apparently when Phil Zimmerman announced Silent Circle they circulated an email titled "This can't be good". It does seem that done properly strong crypto still works, modulo this super mysterious 2010 "breakthrough" they made.

Whilst Silent Circle is proprietary, RedPhone and TextSecure are not anymore thanks to Twitter. I installed them both a few days ago. I didn't get RedPhone working yet unfortunately, but both apps get good reviews and are slickly implemented. More importantly they're doing end to end crypto. I think we'll see more of that kind of thing in future - people are starting to recognise now that end to end crypto is important, it's not just for tinfoil hatters, and also that building something secure that has poor usability is a waste of time.

The next stages of this game will be very interesting indeed. I anticipate much more aggressive moves from both attackers (NSA/GCHQ) and defenders (the wider software/internet engineering community).