
Sorry, RSA, I'm just not buying it

539 points | dmix | 12 years ago | gist.github.com

127 comments

[+] ChuckMcM|12 years ago|reply
True/sad story. So at Sun when I was building crypto tools for Java I wanted to be able to use the RSA public key algorithm in the class loader (part of a capabilities based security system). We negotiated with RSA for a right to use their patent in Java, which proceeded right up until the final contract came back (which our lawyer signed but I did not get a chance to review) where the wording was changed to be a license to BSAFE rather than the patent. Clearly I wasn't going to put BSAFE into the JVM, I already had an implementation of their algorithm in Java. There was never a good explanation for how the lawyer got so "confused" at the last minute and "forgot" to have these changes reviewed by the engineer leading the project.

Given the sort of shenanigans we've been reading about I would not be surprised to hear that someone who was neither a Sun nor an RSADSI employee said "spike this deal".

[edit: clarity]

[+] pydave|12 years ago|reply
I don't understand your "spike this deal" idiom. I can't make sense of an analogy to a spiked drink (roofie) or spiked football (scoring a point). The closest I can find is "spike somebody's guns" meaning "to spoil someone's plans". Do you mean someone wanted to prevent you from using RSA's patent in the JVM?

(I initially assumed you meant "force this deal".)

[+] alan_cx|12 years ago|reply
Shame your anecdote is lost due to people getting hung up on "spike this deal"....
[+] ghshephard|12 years ago|reply
So - what was the outcome? Did the RSA public key algorithm make its way in? Either through the BSAFE license, or did you just wait for the patent to expire?
[+] morsch|12 years ago|reply
Not sure if this tidbit made Hacker News -- the OpenSSL project added Dual_EC_DRBG support at the request of a paying customer: http://openssl.6102.n7.nabble.com/Consequences-to-draw-from-...

They're under NDA and cannot reveal the customer's name. The thread doesn't say how much the customer paid, does anybody know? A friend told me 600k USD last night, but I cannot find any sources that back this up.

[+] amatix|12 years ago|reply
Some important context from the OpenSSL list last week (http://marc.info/?l=openssl-announce&m=138747119822324&w=2 ):

  Why did we implement Dual EC DRBG in the first place?
  - ----------------------------------------------------
  
  It was requested by a sponsor as one of several deliverables. The
  reasoning at the time (my reasoning and call as the project manager)
  was that we would implement any algorithm based on official published
  standards. SP800-90A is a more or less mandatory part of FIPS 140-2,
  for any module of non-trivial complexity. FIPS 140-2 validations are
  expensive and difficult, taking on average a year to complete and we
  have to wait years between validations. So, there is an incentive to
  pack as much as possible into each validation and our sponsors (dozens
  of them) had a long list of requirements they were willing to fund.
  
  We knew at the time (this was the pre-Snowden era) that Dual EC DRBG
  had a dubious reputation, but it was part of an official standard (one
  of the four DRBGs in SP800-90A) and OpenSSL is after all a comprehensive
  cryptographic library and toolkit. As such it implements many algorithms
  of varying strength and utility, from worthless to robust. We of course
  did not enable Dual EC DRBG by default, and the discovery of this bug
  demonstrates that no one has even attempted to use it.
  
  Where did our implementation come from?
  - --------------------------------------
  
  The client requirement was simply "Implement all of SP800-90A". Our code
  was implemented solely from that standard.

Seems fair enough if a client says "implement all the standard" that they implemented it... it's a bit different than "just add this one algorithm"
[+] ajross|12 years ago|reply
It's worth pointing out that at the scale mentioned, there's no reason that the "paying customer" had to be The United States National Security Agency. It was a published algorithm, and OpenSSL is used in countless commercial projects. It would have been entirely reasonable for one of these to have come to OpenSSL requesting implementation (albeit as part of an NSA-funded internal project with a 400% markup), and the request would have seemed entirely reasonable.

I don't think you can tar the OpenSSL folks with this without much better evidence.

[+] a3vioces|12 years ago|reply
Yes, it was 600k.
[+] salient|12 years ago|reply
NSA didn't need to backdoor DES when they just forced everyone to use weak keys:

> 1979 - Present, DES: The Data Encryption Standard was altered by the NSA to make it harder to mathematically attack but easier to attack via Brute Force methods. The original version of DES, called Lucifer, used a block and key length of 128-bits and was vulnerable to differential cryptanalysis. NSA requested that the already small DES key size of 64-bits be shrunk even more to 48-bits, IBM resisted and they compromised on 56-bits. This key size allowed the NSA to break communications secured by DES.

http://ethanheilman.tumblr.com/post/70646748808/a-brief-hist...

This is why any known NSA employee from security standards groups (including IETF and Trusted Computing Group [1]) must be forbidden to participate in the making of that standard. Their role there can only be seen as to facilitate weakening of the standards, either by weakening the algorithms themselves, or if that's too hard and/or obvious, to convince everyone else to use a weaker version of it (which NIST kind of tried to do with SHA-3 recently, too).

As long as there's any chance of NSA being involved even remotely in a security standard, I'm going to lose faith in that whole standard and the group.

[1] - http://www.securitycurrent.com/en/writers/richard-stiennon/i...

[+] abadidea|12 years ago|reply
I did consider trying to work in the part where they shortened the keys and eventually DES became useless because of it, but it was a bit of a diversion from the salient (heh) reason I put this on the timeline, that they improved the s-boxes without explanation and that colors any subsequent requests they made to do similar.
[+] jusben1369|12 years ago|reply
I think there are two types of commentators on this issue. Those who've been involved in negotiating agreements like this and those who haven't. Those who have can see how something like this happens. Those who haven't cannot believe how something like this could happen. It's important to remember/realize that no one, outside a handful of folks, understood what the NSA was up to until the last 12 months. Heck, at one point not too far back it was probably prestigious to mention you worked closely with the NSA on developing your technology. Help you impress a few corporate execs and close some deals.
[+] Lagged2Death|12 years ago|reply
> It's important to remember/realize that no one, outside a handful of folks, understood what the NSA was up to until the last 12 months.

There were loads of people - members of the general public, security researchers, government watchdog types, privacy advocates, crazy conspiracy nuts, etc. - who very strongly suspected, for good reason, exactly what turned out to be going on.

ECHELON started in the 1960s. Rumors about it were everywhere by the early 1990s. It became so famous it was featured in pop-culture movies, TV shows, and video games.

There was at least one good book (note 2005 publication) that showed how it was possible to piece together some pretty good guesses about what was happening from unclassified information:

http://www.amazon.com/Chatter-Dispatches-Secret-Global-Eaves...

In short, that book argues the NSA was expanding its eavesdropping capabilities so enormously, so quickly, that the only reasonable target for it was "everything." There simply weren't enough top-secret, diplomatic, or encrypted messages to justify the infrastructure devoted to the task; the NSA had to be developing the ability to listen to absolutely anything it wanted to.

[+] reirob|12 years ago|reply
Thanks for this comment - it is one of the rare ones that says "we did not know before". As opposed to a big part of commentators (mostly outside of HN) that say Snowden did not reveal anything new.
[+] ska|12 years ago|reply
Are EMC/RSA denying that they took money from the NSA? That alone seems damning, since I can't think of any way that the existence of such a contract for any stated purpose doesn't undermine the credibility of the company fatally.
[+] JoachimSchipper|12 years ago|reply
Really, "implement this, it'll help us get our pet standard through the process" isn't that unlikely a request to get - standard processes are rife with shenanigans at the best of times, and more companies/agencies than you'd hope take part in those.

Also, note that "the NSA is backdooring American crypto" has not always been considered a likely proposition.

(Of course, all of the above is bad/wrong; it's just not that much worse than you'd expect. "That much worse than you'd expect" is http://en.wikipedia.org/wiki/RSA_Security#Security_breach.)

[+] a3n|12 years ago|reply
What this shows, in the most charitable if feeble light possible, is that RSA will implement something important to one paying customer that affects all paying customers, and will not disclose that without rocks having been turned over.
[+] diminoten|12 years ago|reply
I don't think the "We trusted the NSA" explanation makes them look stupid or negligent. This article does reference the fact that people are now retroactively claiming understanding of some of these revelations, but I think the writer forgets that this might apply to him as well.

NOW it makes perfect sense to see how terrible this is, but we haven't always just blatantly assumed the NSA was out to get us. They used to not have the worst reputation in the world in the security community, right? I'm not the best authority for this, but from what I could gather they played a kind of spooky-but-helpful role prior to the Snowden leaks in the intelligence community - that is, you could generally trust they were thought to have the community's best interest at heart, even if they couldn't say why.

[+] pja|12 years ago|reply
Papers were published by reputable cryptographers in 2007 making it clear that a Dual EC DRBG could be backdoored by the entity that chose the points.

The whole point is that this didn't come out of nowhere. This algorithm was already regarded as being suspect, and RSA knew that they had been paid to make it the default in their cryptography library.

This isn't like the DES situation, where there was never any real evidence that the changes made by the NSA had made DES weaker (and as we later found out, they'd actually made the algorithm stronger whilst at the same time ensuring that the key-space was small enough that they could crack it).

RSA have seriously let down their customers & not for the first time. If I was an RSA customer I'd be taking a good hard look at dropping them as soon as I possibly could.

[+] rz2k|12 years ago|reply
"It's not true. It's not true. It's not true.

"...

"It's old news."

I'm loosely quoting a source I can't remember, but I think it was ridiculing a repeated tactic of some candidate. It's a dynamic that seems to play out a lot if you know to look for it in issues that involve a lot of public relations games.

I think you are right to emphasize how little we remember when we learned what. That's why the above tactic works so well. It lets politicians dance around their tactical mistakes and change positions without undermining their own base. It is also how disingenuous people are now able to talk about "welcoming debate" and have a large portion of the population perceive this as advocating some reasonable middle ground.

[+] chilldream|12 years ago|reply
It seems to me that she addressed those exact concerns:

> So, yes, it is possible that, in 2004, nobody at RSA had any articulable suspicions about Dual EC. They may have taken it on faith that this was another DES situation where the NSA knew it was better but couldn't disclose why. Okay. Is that fair? I think that's fair.

> If that were the end of the story, I would be standing here saying “poor RSA! How cruelly the NSA mistreated them!” But, guess what, it isn't. In 2007 the possibility of a backdoor was made very public, and after that “everyone knew” not to use it. None of us knew for sure it was backdoored (even if some people retroactively pretend they did) but that was kind of a crazy risk to take when there were other RNGs to pick from with no known risks and were faster to boot.

[+] MichaelGG|12 years ago|reply
"We trusted the NSA" might have been a good excuse without the payment. It seems really strange that the NSA would need to pay RSA to "improve" their RNGs.

And it doesn't change the rest of the post's point - after Dual EC was determined to be backdoorable, RSA didn't say anything.

[+] Zigurd|12 years ago|reply
"We trusted the NSA" or "The NSA paid us $10M to 'trust' them"

Pick one.

[+] VLM|12 years ago|reply
"As a bonus, all the other algorithms are apparently faster and that’s generally a desirable property."

I apologize for discussing a technical topic in what's likely to be a political crypto-rage flamewar, but I've been digesting some thoughts about this and the figure of merit of processing required per bit of randomness is probably interesting, in that for a given set of professional grade RNGs (not algorithms implemented by idiots) the more processing required to generate a bit of randomness, the more likely it is someone's sticking a nasty backdoor in.

Or rephrased the more time you spend sticking magic "nothing up my sleeves" constants into a bit, the more likely something unpleasant is getting stuck in there.

(edited to add I'm talking about "real" RNGs not implying the world's simplest shortest LFSR is magically better than a real RNG just because it's really fast... I'm talking about more "in class" performance comparisons than joke vs real.)

[+] mrobot|12 years ago|reply
Here's a question: Do we think Snowden is intentionally misleading us to attack RSA and EMC, or that he's actually releasing as little information as he can to get us on the right track toward fixing things? Why would this particular piece of information be selected if it was not a real problem?
[+] mikevm|12 years ago|reply
I'm tired of having to correct people on this, but here goes: Snowden is not leaking anything anymore. He leaked most of the documents he had to some selected journalists a long time ago and it is now up to them to analyze them and responsibly report whatever interesting information there is to be learned from them.
[+] Grue3|12 years ago|reply
Snowden says whatever keeps Putin happy, so that he doesn't sell his ass back to Americans.
[+] PaulHoule|12 years ago|reply
Note up until this transition around 2001 the NSA was focused on controlling the key length of cryptography available.

They gave up on that and chose to focus instead on stealing the keys

[+] davidgerard|12 years ago|reply
tl;dr point by point on why RSA's press statement makes them lying liars who lie, and that they were wilfully negligent from 2007-2013 at the very least.
[+] macspoofing|12 years ago|reply
I really needed someone to summarize the article in one sentence (who has time to read more than one) and at the same time editorialize. Now I don't have to read the article or reason. Super convenient. Thanks!
[+] chris_wot|12 years ago|reply
What did you expect? RSA got purchased by EMC in 2006. That's the kiss of death in terms of any semblance of ethics. Someone in EMC would have known about this and swayed decision making.
[+] crystaln|12 years ago|reply
"we continued to rely upon NIST as the arbiter of that discussion"

This seems like a reasonable position to me, but I'm not in the field. Can someone tell me why it's not reasonable, in the face of all sorts of theories and suspicions being thrown about, to rely on the leading standards body as to whether the algorithm is flawed?

[+] nullc|12 years ago|reply
> assume it was publicly documented at the time that BSAFE defaulted to Dual EC

Was it? Before it was revealed to be the BSAFE default I was going around saying that no one would have chosen to use it anyways, so it was probably a pretty ineffectual backdoor except if it ever was an option for a downgrading attack.

[+] atmosx|12 years ago|reply
That's a dead corp imho. Do we have any famous customer's list floating around?
[+] wavefunction|12 years ago|reply
We use RSA tokens at the financial institution I work for. I'll be checking in with our CTO tomorrow (was out sick today) to see about removing them from our systems.
[+] ozten|12 years ago|reply
With a quarterly income of $587 million in Q2 of 2012, isn't 10 million dollars "chump change" for EMC? Perhaps it's more of a lubricant for the larger picture of deals and pressures.
[+] drig|12 years ago|reply
I worked for RSA back in the 1990s. Back then at least, the sales staff's pay was based heavily on commission. It has a sliding structure that meant that people who sold more got a higher percentage. $10m might not have been a lot to EMC, but to the sales guy it probably meant over $50k, maybe over $100k. That one sale alone would have blasted him/her past the quota and bumped up the commission percentage.
[+] blazespin|12 years ago|reply
Yes, likely the 10M was just a token amount. Being friends with the NSA no doubt led them into other deals.
[+] aaronchriscohen|12 years ago|reply
NSA deserves an award for accomplishing this for just $10 million.
[+] thearn4|12 years ago|reply
Kind of odd: this seems like something better suited to a blog post than a Gist.
[+] abadidea|12 years ago|reply
My blog has been accruing more personal things and whiny rants lately. I decided to separate this from my doubtlessly profound philosophical ramblings about the meaning of life and Skyrim. All in all, a list of markdown gists is just about as functional as tumblr...
[+] ihsw|12 years ago|reply
This seems like a business opportunity for Github.
[+] onedev|12 years ago|reply
What if we literally didn't buy it?