NSA able to compromise Cisco, Juniper, Huawei switches
mysidia at gmail.com
Wed Jan 1 19:06:59 UTC 2014
On Wed, Jan 1, 2014 at 3:55 AM, Saku Ytti <saku at ytti.fi> wrote:
> Is this legal? Can the NSA walk into a US-based company and legally coerce it to
> install such a backdoor? If not, what is the incentive for a private company to

As evidenced by "Lavabit", apparently one thing that they CAN do
is issue an order to the US-based company to release their secret
cryptography keys, such as RSA secret keys, to the government, including the
secret keys that correspond to the public keys on their X509 certificates;
possibly including certificates used for code signing and code
distribution to users.

AND maintain confidentiality that they were required to release keys.

Recall, Lavabit was deemed in violation of the order, due to halting
their service after being forced to release the cryptography keys.

The RSA secret keys can then be used to forge the company's signature on a
payload containing a malicious copy of the firmware or operating system.

And perform man-in-the-middle attacks against web sites and other
software update infrastructure --- in order to distribute tampered-with
software with forged code signatures.