RSA issues non-denying denial of NSA deal to favor flawed crypto code

Nothing in response denies RSA got $10 million to make Dual EC_DRBG default.

by - Dec 23 2013, 9:58am USMST

Jeremy Brooks

RSA has issued a statement denying allegations stemming from Friday's bombshell report that the encryption software provider received $10 million from the National Security Agency (NSA) in exchange for making a weak algorithm the preferred one in its BSAFE toolkit.

The press release went live on Sunday, two days after Reuters said the secret contract was part of an NSA campaign to embed encryption software that the agency could break into widely used computer products. RSA's statement was worded in a way that didn't clearly contradict any of the article's most damaging accusations. For instance:

Recent press coverage has asserted that RSA entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Later in the release, RSA officials wrote: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Taken on its face, the statements seem to assert only that the contract wasn't secret and that the goal of the contract was to improve, not weaken, the cryptographic capabilities of BSAFE. Nothing in the release contradicts the findings of the Reuters article—that RSA accepted $10 million from the NSA in exchange for making the Dual EC_DRBG BSAFE's default pseudo random number generator (PRNG). RSA's defense seems to be that officials didn't know the NSA-influenced deterministic random bit generator had weaknesses that could be exploited to crack adversaries' cryptographic keys.

If so, that's not much of a defense. Yes, it may be true that RSA engineers didn't know Dual EC_DRBG was dangerously weak in 2004, when they made it the BSAFE default. But by 2007—when researchers from Microsoft devised an attack that allowed adversaries to guess any key created with the PRNG with relatively little work—the weakness was abundantly clear. Whether RSA didn't notice the glaring insecurity or was contractually prevented from demoting or speaking out against Dual EC_DRBG is unknown. In either case, RSA allowed BSAFE to favor an algorithm known to be unsafe for more than five years, and thanks to a contract that was never publicly disclosed, RSA profited from that action. That hardly endorses RSA or its products.

And in any event, Reuters never claimed RSA knew Dual EC_DRBG was crippled at the time the contract was executed.

The full text of the RSA release:

December 22, 2013

Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Key points about our use of Dual EC DRBG in BSAFE are as follows:

  • We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
  • This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
  • We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
  • When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

RSA, The Security Division of EMC

Reuters journalist Joseph Menn is standing by his reporting.

Story updated to add detail about Reuters not reporting Dual EC_DRBG weakness was known to RSA.

© 2013 Condé Nast. All rights reserved

http://arstechnica.com/security/2013/12/rsa-issues-non-denying-denial-of-nsa-deal-to-favor-flawed-crypto-code/