[Cryptography] RSA is dead.

ianG iang at iang.org
Sun Dec 22 02:17:31 EST 2013


On 21/12/13 20:59 PM, Phillip Hallam-Baker wrote:
>
> On Sat, Dec 21, 2013 at 1:37 AM, ianG <iang at iang.org

>         We know more than that.  They stated they were the sole editor.
>         They claim the mission to subvert, as laid out very clearly in
>         their goals (snippet above).  They have the capability, beyond
>         ours.  There is sufficient information to show that there was a
>         programme of convincing suppliers to prioritise in that direction.
>
>
>
>     Just on that last point, new data came out yesterday.
>
>     http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>
>     Two snippets:
>
>         "Undisclosed until now was that RSA received $10 million in a
>     deal that set the NSA formula as the preferred, or default, method
>     for number generation in the BSafe software, according to two
>     sources familiar with the contract."
>
>     ...
>
>         "RSA adopted the algorithm even before NIST approved it. The NSA
>     then cited the early use of Dual Elliptic Curve inside the
>     government to argue successfully for NIST approval, according to an
>     official familiar with the proceedings.
>
>         RSA's contract made Dual Elliptic Curve the default option for
>     producing random numbers in the RSA toolkit.  ..."
>
>
> In fairness to Art et al, I very much doubt the NSA came along and said,
> 'here is $10 to drop a back door into BSafe'.


I doubt that too, although there are reports that this sort of thing 
happened elsewhere.

What is clear is that the team did their research and figured out who 
would be open to such things.  RSA was vulnerable, we know the channel 
and motives:  money, business decisions, weakened core crypto team.


> The deal was reported at the time, I heard it as 'NSA pays RSA $10
> million to make ECC available in BSafe'. Which was not at all surprising
> given that we know RSA2048 (maybe RSA4096) is the end of the line for
> practical RSA.


I heard it as "and we especially want the DUAL_EC to be the default 
RNG".  That is, it was an actual request, and it was part of the 
contract discussions.

Now, the thing to realise is that this is benign from RSA's pov, but 
only seemingly benign from NSA's pov.  This is how it is done -- an 
unauditable, unverifiable, benign, totally reasonable shift.


...
> But the point I want to make here is we need to avoid accusing people of
> being in league with the devil when all they actually did was not ask
> the right questions or enough questions.


Absolutely, we need to separate the people from the problem.  Old Dutch 
expression:  go soft on the people, go hard on the problem.

Nobody needs to accuse the RSA folk of being evil.  Nor should we accuse 
the NSA of being stupid, and to say they wouldn't do such things is 
simple ignorance.

The NSA are very smart.  They know how to figure out the openings, what 
is possible.  They know how to convince someone who wants to be 
convinced.  $10m makes someone want to be convinced.

As I seem to be saying a lot, *it is their job* !  The NSA are spies, 
after all, and they're very good at it.  If this doesn't make any sense, 
read more spy novels -- there is a common thread, *the asset always loses*.



So what about RSA?  One could say that RSA were naive, or innocent, or 
tricked.  It can happen to all of us.

But, RSA didn't make one small mistake, they made two huge mistakes.

What was RSA's job?  Their job was to serve their customers with secure 
crypto.  They didn't, instead, they allowed an interested party to get 
between them and the customers, which was an abrogation of their 
self-claimed standard:

   "Unlike alternatives such as open source, our technology is backed by 
highly regarded cryptographic experts."

This mistake is not like (say) an airline being tricked into revealing 
their customer list or a phone company being tricked into letting 
someone tap their fibres.  An airline flies people in planes, a phone 
company delivers calls, they aren't in the privacy business.

This is like an airline dropping maintenance, and putting planes into 
mountains.  RSA was in the crypto business -- it shipped dodgy crypto. 
They made the one mistake that is impossible to argue away:  Negligence 
in the core business.



It's still just one mistake.  Where RSA made their second mistake [0], 
and crossed into gross negligence was when all the warnings came out 
(2007, Microsoft), and

       *RSA did nothing*.

It's all over.  For the sake of the entire crypto business, RSA must be 
blacklisted.  Every provider must be taught that breaking trust in core 
business with customers is unacceptable.

And, don't blame me for this rationale.  The NSA must be taught that if 
they wish to pervert a supplier, the responsibility for its failure must 
come back to the NSA.  The NSA brought RSA down.


> NSA recruitment is already down by a third. I suspect their technical
> recruitment is down to zero. Pre Snowden a spell at the NSA was a good
> thing to have on your resume. After Snowden it is like having a
> conviction for hacking.


Yup.  And no doubt RSA sales are down a long way.  On this dire thread, 
this is a termination event;  if I was boss at EMC I'd be looking at 
breaking up the division, selling it.  At a minimum, re-branding it and 
cleaning out the staff.

All this at NSA's door.  Who think it is fine to destroy their own 
country's industry to get a leg-up on a bunch of net cowboys and 
towelheads.  And they still aren't taking it seriously, still saying 
they are doing god's work, protecting Americans from idiots with 
firecrackers, to paraphrase that Wall Streeter.

Strange bunch of people.



iang

[0] http://financialcryptography.com/mt/archives/001447.html

