[Cryptography] RSA recommends against use of its own products.

Jerry Leichter leichter at lrw.com
Sun Sep 22 09:43:21 EDT 2013 

On Sep 20, 2013, at 2:08 PM, Ray Dillinger wrote:
> More fuel for the fire...
> 
> http://rt.com/usa/nsa-weak-cryptography-rsa-110/
> 
> RSA today declared its own BSAFE toolkit and all versions of its
> Data Protection Manager insecure, recommending that all customers
> immediately discontinue use of these products....
Wow.  You took as holy writ on a technical matter a pronouncement of the general press.  And not just of the general press, but of RT, a Russian publication with a clear pro-Russian anti-American bias.  (Not that they don't deliver useful information - I've read them in the past, along with Al Jazeera and, on the flip side, The Debka Files.  They are all valid and useful members of the press, but their points of view, AKA biases, are hardly a secret.)

The original article in Wired is still a bit sensationalistic, but at least it gets the facts right.

BSAFE is a group of related libraries of crypto primitives that RSA has sold for many years.  They generally implement everything in the relevant standards, and sometimes go beyond that and include stuff that seems to be widely accepted and used.  Naturally, they also use the same libraries in some packaged products they sell.  

As far as I know, the BSAFE implementations have been reasonably well thought of over the years.  In my experience, they are conservatively written - they won't be the fastest possible implementations, but they'll hold their own, and they probably are relatively bug-free.  A big sales advantage is that they come with FIPS certifications.  For whatever you think those are actually worth, they are required for all kinds of purposes, especially if you sell products to the government.

I remember looking at BSAFE for use in a product I worked on many years ago.  We ended up deciding it was too expensive and used a combination of open source code and some stuff we wrote ourselves.  The company was eventually acquired by EMC (which also owns RSA), and I suspect our code was eventually replaced with BSAFE code.

Since Dual EC DRBG was in the NIST standards, BSAFE provided an implementation - along with five other random number generators.  But they made Dual EC DRBG the default, for reasons they haven't really explained beyond "in 2004 [when these implementations were first done] elliptic curve algorithms were becoming the rage and were considered to have advantages over other algorithms...."

I'd guess that no one remembers now, six or more years later, exactly how Dual EC DRBG came to be the default.  We now suspect that a certain government agency probably worked to tip the scales.  Whether it was directly through some contacts at RSA, or indirectly - big government client says they want to buy the product but it must be "safe by default", and "Dual EC DRBG is what our security guys say is safe" - who knows; but the effect is the same.  (If there are any other default choices in BSAFE, they would be worth a close look.  Influencing choices at this level would have huge leverage for a non-existent agency....)

Anyway, RSA has *not* recommended that people stop using BSAFE.  They've recommended that they stop using *Dual DC DRBG*, and instead select one of the other algorithms.  For their own embedded products, RSA will have to do the work.  Existing customers most likely will have to change their source code and ship a new release - few are likely to make the RNG externally controllable.  Presumably RSA will also issue new versions of the BSAFE products in which the default is different.  But it'll take years to clean all this stuff up.
                                                        -- Jerry

More information about the cryptography mailing list