On Friday, a very big story broke on Reuters, saying that the NSA had paid RSA $10 million
in order to promote Dual EC DRBG encryption as the default in its BSAFE product. It had been suspected for a few years, and more or less confirmed earlier this year, that the NSA had effectively taken over
the standards process for this standard, allowing it to hide a weakness, making it significantly easier for the NSA to crack any encrypted content using it.
As plenty of people noted, the news that RSA took $10 million to promote a compromised crypto standard pretty much destroys RSA's credibility. The company, now owned by EMC, has now put out a statement in response to all of this
, which some claim is the RSA denying
the story. In fact, RSA itself states: "we categorically deny this allegation." But, as you read the details, that doesn't appear to be the case at all. They more or less say that they don't reveal details of contracts, so won't confirm or deny any particular contract, and that while they did promote Dual EC DRBG, and knew that the NSA was involved, they never knew
that it was compromised.
In short: yes, RSA did exactly what the Reuters article claimed, but its best defense is that it didn't know
that Dual EC DRBG was compromised, so they didn't take money to weaken crypto... on purpose. Even if that's what happened.
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
Right, but that raises questions of why RSA trusted NSA to be a good player here, rather than trying to insert compromises or backdoors into key standards.
This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
Yes, but it was the default. And, as everyone knows, a very large percentage of folks just use the default.
We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
Again, this doesn't make RSA look good. As has now become clear, the NSA had basically sneakily taken over the whole standardization process. RSA more or less trusting NIST without looking into the matter themselves raises questions. Especially if there was a $10 million contract that incentivized them not to dig too deeply. RSA promoted this standard as the default in BSAFE. You would hope that a company with the stature in the space like RSA would be more careful than just to rely on someone else's say so that a particular standard is secure.
RSA claiming it didn't know the standard the NSA paid them $10 million to make default was suspect is hardly convincing. Why else would the NSA suddenly pay them $10 million to promote that standard? Furthermore, it appears that news of this $10 million contract was known a bit more widely. Chris Soghoian points
to an email from cypherpunk Lucky Green, from back in September, to a cryptography mailing list in which he more or less reveals the same info
that Reuters reported on Friday, though without naming the company.
According to published reports that I saw, NSA/DoD pays $250M (per
year?) to backdoor cryptographic implementations. I have knowledge of
only one such effort. That effort involved DoD/NSA paying $10M to a
leading cryptographic library provider to both implement and set as
the default the obviously backdoored Dual_EC_DRBG as the default RNG.
This was $10M wasted. While this vendor may have had a dominating
position in the market place before certain patents expired, by the
time DoD/NSA paid the $10M, few customers used that vendor's
While this describes the right amount, if the NSA is really spending $250 million, it's certainly possible that it has quite a few other $10 million contracts out there to promote or avoid certain other encryption standards depending on what it desires. Hopefully, some reporters are currently reaching out to all the companies on this list
to see if they've got any contracts with the NSA concerning Dual EC DRBG.
Companies taking money from NSA, but claiming that they didn't realize the encryption the contract pushed them to promote was compromised, aren't going to find a very sympathetic audience outside of the NSA. The RSA's "categorical denial" here misses the point. It certainly doesn't suggest that the Reuters story was wrong -- just that the RSA was so blinded by a mere $10 million that it didn't bother to make sure the standard wasn't compromised.