[Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding NSA Relationship

Kent Borg kentborg at borg.org
Sun Dec 22 21:55:51 EST 2013


 From Dave Farber's IP list.  Stunning.  Just stunning.

-kb


-------- Original Message --------
Subject: 	[IP] RSA Response to Media Claims Regarding NSA Relationship
Date: 	Sun, 22 Dec 2013 20:18:28 -0500
From: 	Dave Farber <dave at farber.net>
Reply-To: 	dave at farber.net
To: 	ip <ip at listbox.com>





---------- Forwarded message ----------
From: *Richard Forno*
Date: Sunday, December 22, 2013
Subject: RSA Response to Media Claims Regarding NSA Relationship
To: Infowarrior List <infowarrior at attrition.org 
<mailto:infowarrior at attrition.org>>
Cc: Dave Farber <dave at farber.net <mailto:dave at farber.net>>


(c/o Jericho)

RSA Response to Media Claims Regarding NSA Relationship
https://blogs.rsa.com/news-media-2/rsa-response/

December 22, 2013

Recent press coverage has asserted that RSA entered into a “secret 
contract” with the NSA to incorporate a known flawed random number 
generator into its BSAFE encryption libraries.  We categorically deny 
this allegation.

We have worked with the NSA, both as a vendor and an active member of 
the security community. We have never kept this relationship a secret 
and in fact have openly publicized it. Our explicit goal has always been 
to strengthen commercial and government security.

Key points about our use of Dual EC DRBG in BSAFE are as follows:

         • We made the decision to use Dual EC DRBG as the default in 
BSAFE toolkits in 2004, in the context of an industry-wide effort to 
develop newer, stronger methods of encryption. At that time, the NSA had 
a trusted role in the community-wide effort to strengthen, not weaken, 
encryption.

         • This algorithm is only one of multiple choices available 
within BSAFE toolkits, and users have always been free to choose 
whichever one best suits their needs.

         • We continued using the algorithm as an option within BSAFE 
toolkits as it gained acceptance as a NIST standard and because of its 
value in FIPS compliance. When concern surfaced around the algorithm in 
2007, we continued to rely upon NIST as the arbiter of that discussion.

         • When NIST issued new guidance recommending no further use of 
this algorithm in September 2013, we adhered to that guidance, 
communicated that recommendation to customers and discussed the change 
openly in the media.

RSA, as a security company, never divulges details of customer 
engagements, but we also categorically state that we have never entered 
into any contract or engaged in any project with the intention of 
weakening RSA’s products, or introducing potential ‘backdoors’ into our 
products for anyone’s use.


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.


Archives <https://www.listbox.com/member/archive/247/=now> 
<https://www.listbox.com/member/archive/rss/247/125678-f3167250> | 
Modify 
<https://www.listbox.com/member/?member_id=125678&id_secret=125678-586023a8> 
Your Subscription | Unsubscribe Now 
<https://www.listbox.com/unsubscribe/?member_id=125678&id_secret=125678-9f2875ca&post_id=20131222201900:324A04FA-6B70-11E3-BE49-F5515A2DC128> 
	[Powered by Listbox] <http://www.listbox.com>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131222/5eebf9ca/attachment-0001.html>


More information about the cryptography mailing list