NSA's $10M RSA Contract: Origins
"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."
"We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.'s interests that it's driving them into a frenzy."
- James Bidzos (President, RSA Data Security in an interview with Steven Levy of the New York Times, June 1994)Compare the above remarks by former RSA President James Bidzos in 1994 with RSA's formal statement about its relationship with the NSA (December 2013):
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.What happened to a company that in the 90's knew exactly where it stood vis a vis the NSA and this latest NSA-friendly incarnation? According to Reuters, it was a change in business direction away from pure cryptology in favor of joining the government for the war on hackers.
"When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on." By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers."Steven Levy's article "Battle of the Clipper Chip" which is where I found the top quote from James Bidzos is a must-read because although it was written 19 1/2 years ago, it provides keen insight into the issues that frame today's crisis of trust with RSA. Back then, the NSA and the Clinton Administration thought that a Key Escrow plan like Clipper Chip was the way to go. When the market place rejected using Clipper, the NSA eventually switched tactics to develop and promote its own encryption algorithm; first to RSA with a $10 million sweetener and then to NIST with the incentive that RSA had already adopted it. Today we all know that the NSA succeeded. What isn't known is why RSA agreed to it.
RSA's public statement on the issue is both misleading and lacking details which pertain to the facts uncovered by Joseph Menn for Reuters. Here are the four key points made in their statement and the problems with each:
“We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”This fails to disclose the terms of RSA's agreement with the NSA to use Dual EC DRBG. It also paints RSA as naive as to the NSA's motives which is ludicrous once you know what happened 10 years earlier with Clipper Chip.
“This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.”With this statement RSA is trying to pass off the responsibility for using a back-doored Random Number Generator to the user!
“We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.”It became a NIST standard because RSA took the NSA's money in the first place. Concerns about the algorithm were raised in 2006 and were included in NIST SP 800-90A as being unresolved. By 2007, RSA should have been sufficiently alarmed to investigate on its own. To say that they relied upon NIST as the arbiter is merely an attempt to shift responsibility away from itself as the producer and onto NIST.
“When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.”So once the New York Times' article was published and NIST took steps, then RSA did the right thing? And they expect credit for that?
RSA cannot escape responsibility for offering a compromised BSAFE product for the last 9 years by saying "we just followed NIST" and "our customers had a choice". This is a gross violation of its own mission statement not to mention its own illustrious history of defending the integrity of encryption against government attempts to weaken it.
I announced last Friday that I joined Mikko Hyponnen and Josh Thomas in pulling my talk from RSAC, but there needs to be an industry-wide boycott of RSA products. It's not enough to just talk about how bad this is. RSA's parent EMC, like every other corporation, has a Board of Directors that is answerable to its shareholders for maximizing revenue. If RSA's customers begin canceling their contracts and/or refuse to buy RSA products, the company's earnings will drop and that's the type of message that forces Boards to make changes.
RelatedJoining Mikko in Protest, I've Cancelled My Talk at RSA
BlackBerry Ltd, the NSA, and The Encryption Algorithm that NIST Warned You Not To Use