[Cryptography] RSA recommends against use of its own products.

Jerry Leichter leichter at lrw.com
Tue Sep 24 12:01:58 EDT 2013

On Sep 23, 2013, at 4:20 AM, ianG <iang at iang.org> wrote:
>>> RSA today declared its own BSAFE toolkit and all versions of its
>>> Data Protection Manager insecure...
> Etc.  Yes, we expect the company to declare itself near white, and the press to declare it blacker than the ace of spades.
> Meanwhile, this list is about those who know how to analyse this sort of stuff, independently.  So...

>> ...  But they made Dual EC DRBG the default ...
> I don't see a lot of distance between choosing Dual_EC as default, and the conclusion that BSAFE & user-systems are insecure.
The conclusion it leads to is that *if used in the default mode*, it's (well, it *may be*) unsafe.  We know no more today about the quality of the implementation than we did yesterday.  (In fact, while I consider it a weak argument ... if NSA had managed to sneak something into the code making it insecure, they wouldn't have needed to make a *visible* change - changing the default.  So perhaps we have better reason to believe the rest of the code is OK today than we did yesterday.)

> The question that remains is, was it an innocent mistake, or were they influenced by NSA?
a)  How would knowing this change the actions you take today?
b)  You've posed two alternatives as if they were the only ones.  At the time this default was chosen (2005 or thereabouts), it was *not* a "mistake".  Dual EC DRBG was in a just-published NIST standard.  ECC was "hot" as the best of the new stuff - with endorsements not just from NSA but from academic researchers.  Dual EC DRBG came with a self-test suite, so could guard itself against a variety of attacks and other problems.  Really, the only mark against it *at the time* was that it was slower than the other methods - but we've learned that trading speed for security is not a good way to go, so that was not dispositive.

Since we know (or at least very strongly suspect) that the addition of Dual EC DRBG to the NIST standards was influenced by NSA, the question of whether RSA was also influenced is meaningless:  If NSA had not gotten it into the standard, RSA would probably not have implemented it.  If you're asking whether NSA directly influenced RSA to make it the default - I doubt it.  They had plenty of indirect ways to accomplish the same ends (by influencing the terms of government purchases to make that a requirement or a strong suggestion) without leaving a trail behind.

> We don't have much solid evidence on that.  But we can draw the dots, and a reasonable judgement can fill the missing pieces in.
And?  It's cool for discussion, but has absolutely nothing to do with whether (a) BSAFE is, indeed, safe if you use the current default (we assume not, at least against NSA); (b) BSAFE is safe if you *change* the default (most will likely assume so); (c) users of BSAFE or BSAFE-based products should make sure the default is not used in products they build or use (if they're worried about NSA, sure); (d) implementors and users of other crypto libraries should change what they are doing (avoid Dual EC DRBG - but we already knew that).

                                                        -- Jerry
