[Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding NSA Relationship

Jerry Leichter leichter at lrw.com
Mon Dec 23 07:40:55 EST 2013 

On Dec 23, 2013, at 12:08 AM, Bill Cox wrote:

> Does this mean RSA denies accepting $10M for making the NSA RNG the default in BSAFE?  You did not say so in your post.  So now RSA "categorically denies" entering into a secret contract with the NSA.  If it wasn't secret, why didn't I hear about it?  I'm pretty sure it would have made the geek news, and I may not be a crypto expert, but I follow geek news (slashdot would have burned RSA alive).
Oh, for God's sake, let it go.

We're talking about 2004.  Were you following the news about RSA in 2004?  In enough detail to have spotted one press blurb out of many?  Would you remember one blurb from 10 years ago?

I'm not sure about the exact timing, but EMC - RSA's parent - acquired the company I was working at in 2004 (SMARTS).  I would have had a particular interest in EMC-related stories - and, given a long-standing interest in crypto, in EMC and RSA related stories.  I have no memory of PR around any such contract.  Doesn't mean it didn't happen, but the fact that neither of us remember it means precisely nothing.

In any case, we have one story from one source asserting, in very general terms, that some kind of contract existed.  No one else has confirmed it.

I'm actually willing to believe that the NSA would have done this, but I doubt it would have been done in the way you seem to think.  All it would take is for any government agency to come to RSA and say "Hey, we have $10M in our budget to buy security stuff this year.  Our security experts tell use your stuff is the best."  And then later:  "Our security guys say we really need to have that Dual EC RNG thingie.  It's going to be in the new NIST standard, you know.  Oh, you guys already implemented it?  Great!"  [NSA seems to have tipped RSA off that Dual EC DRNG was coming; RSA would have been all too happy to get out ahead of the curve, no pun intended.  No big deal, it wasn't really a secret, and NSA may well have given the same "heads up" to the few other commercial crypto vendors as well.]  And then finally, when RSA can just *feel* that money filling a big hole in a sales target:  "Oh, our security guys tell use the new RNG needs to be the default.  Safer that way."  And the trivial change is made.

Of course, the government agency's "security guys" either are the NSA, or are being advised by the NSA.  That's one of NSA's roles:  They advise the rest of the government on cryptography.  No one would anyone question them doing their job.

Requirements for specific approved algorithms, and specific default configurations, are standard practice in government contracts; if you want to sell to the USG, you sell on their terms.

The indirect approach would have been easy for NSA to pull off, would have come out of someone else's budget (sure, it's only $10M, but any bureaucrat who can find a way to get *someone else* to spend it so that he can keep it for his own projects will be delighted) and would leave no NSA fingerprints. Even the NSA guys advising the other parts of the government probably wouldn't know *why* Dual EC DRNG was now on the "recommended" list - someone else would maintain the list.  No one outside of NSA would have to know anything about NSA interests, goals, and methods - something NSA would find much more desirable than letting their interest be known and then have to buy silence.

I'll believe NSA pulled RSA into a conspiracy when I see *much* stronger evidence than we've seen so far.

But there will be plenty of people of the "where there's smoke there's fire" persuasion, who will now avoid RSA.  NSA has managed to badly damage the reputation of RSA.  (Well, considering their fiasco with RSA access tokens not so long ago, maybe their reputation was already tarnished.)  I'm guessing we'll see more stories and rumors in the future - now that "everyone knows" RSA was infiltrated by NSA, should we trust any EMC product?  After all, RSA is EMC's "security division" - they advise the rest of the company. 

This is the collateral damage that flows from the kinds of games NSA has been playing.  There will be more.

(BTW, I've been out of EMC for many years now.  Only ended up there through an acquisition; never liked the place, would have no reason to defend them.)

                                                        -- Jerry

PS   The stuff about RSA advising the rest of EMC about security is true.  The SMARTS stuff had its own crypto - I and guys working for me developed it.  We initially looked at available crypto code - BSAFE was one thing we looked at - but it was either too expensive, or came with open source licensing terms we couldn't live with.  After the acquisition we kept hearing complaints from RSA security guys that we should be using the approved corporate stuff.  As long as I stayed in charge of that software, I resisted - we had better things to do than to re-architect our security code - but I hear that, long after I left, all the stuff we developed was ripped out and replaced.  I won't make any strong claims about our stuff - it could have been attacked, though you'd have to know what you were doing - but for various reasons we didn't represent a particularly high value target.  It was probably good enough for the role it played, and I remain proud of the way we managed to slip a fairly good level of security in a backwards-compatible into an existing product, selling to customers who, for the most part, didn't think security was important and didn't want it "getting in their way".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131223/4095f650/attachment.html>

More information about the cryptography mailing list