
RSA Response to Media Claims Regarding NSA Relationship - comex
https://blogs.rsa.com/news-media-2/rsa-response/
======
pdknsk
If you read carefully, they don't deny what Reuters reported: taking $10M to
make the RNG default.

Reuters: "Undisclosed until now was that RSA received $10 million in a deal
that set the NSA formula as the preferred, or default, method for number
generation in the BSafe software, according to two sources familiar with the
contract."

And now the response.

RSA: "Recent press coverage has asserted that RSA entered into a “secret
contract” with the NSA to incorporate a known flawed random number generator
into its BSAFE encryption libraries. We categorically deny this allegation."

---> Only one part of the first sentence needs to be untrue for the
allegation to be deniable. RSA did not incorporate a "known flawed" RNG,
because it wasn't at that time. And that's not what the alleged contract was
even about, but to make it the default.

RSA: "We have worked with the NSA, both as a vendor and an active member of
the security community. We have never kept this relationship a secret and in
fact have openly publicized it."

---> Focus on the relationship not being secret, but contracts may be.

RSA: "RSA, as a security company, never divulges details of customer
engagements, but we also categorically state that we have never entered into
any contract or engaged in any project with the intention of weakening RSA’s
products, or introducing potential ‘backdoors’ into our products for anyone’s
use."

---> They had not positively known the RNG was flawed.

~~~
btian
It did. First paragraph, in fact:

> Recent press coverage has asserted that RSA entered into a “secret contract”
> with the NSA to incorporate a known flawed random number generator into its
> BSAFE encryption libraries. We categorically deny this allegation.

~~~
spikels
Wrong. RSA is denying incorporating "a known flawed random number generator"
into BSAFE in 2004. Elsewhere in the same press release RSA states that they
did not consider Dual EC DRBG to be flawed until September 2013,
despite being aware of concerns dating back to 2007. Therefore in 2004, when
RSA added Dual EC DRBG into BSAFE, it was not "a known flawed random number
generator".

They also admit to a business relationship with the NSA but refuse to discuss
it.

~~~
Aloha
'Concerns' and 'known flawed' are not the same thing.

~~~
bmelton
It was 'known flawed' in 2007. What was not known was whether or not anyone
possessed private keys that would have made that known flaw a known exploit.
The knowledge that the NSA did indeed have a backdoor didn't come along until
Snowden.
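A toy model of the flaw bmelton is describing, added here as an illustration (it is not code from the thread, from RSA, or from NIST): Dual EC DRBG run on a constructed 28-point curve over GF(23) with a constructed base point P, trapdoor D = 5 (so Q = D*P) and seed 8. The holder of E = D^-1, for whom P = E*Q, recovers the generator's state from two outputs and predicts everything after; without E the outputs look like any other x-coordinates.

```python
# Toy Dual EC DRBG on a constructed curve y^2 = x^3 + x + 1 over GF(23) (28 points);
# constructed parameters, not the NIST P-256 points BSAFE actually shipped.
PRIME, A, ORDER, MASK = 23, 1, 28, 0xF   # MASK drops the top bit (real Dual EC: 16 bits)
def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):  # a curve point with this x, or None (PRIME % 4 == 3, so sqrt is c^((p+1)/4))
    c = (x ** 3 + A * x + 1) % PRIME
    y = pow(c, (PRIME + 1) // 4, PRIME)
    return (x, y) if x < PRIME and y * y % PRIME == c else None

def dual_ec(seed, P, Q, n):  # s <- x(s*P); emit x(s*Q) with the top bits dropped
    s, outs = seed, []
    for _ in range(n):
        s = ec_mul(s, P)[0]            # toy caveat: state 0 (infinity) is not handled
        outs.append(ec_mul(s, Q)[0] & MASK)
    return outs

def predict(out0, out1, P, Q, e, n):  # trapdoor holder knows e with P == e*Q
    for hi in range(0, PRIME, MASK + 1):           # brute-force the dropped bits
        R = lift_x(hi | out0)                      # candidate for s*Q
        if R is None:
            continue
        s = ec_mul(e, R)[0]                        # e*(s*Q) = s*P, i.e. the next state
        if s and (ec_mul(s, Q)[0] & MASK) == out1: # confirm against the 2nd output
            return dual_ec(s, P, Q, n)             # everything after is predictable
    return None

P, D = (0, 1), 5                         # constructed base point (order 28) and trapdoor D
Q, E = ec_mul(D, P), pow(D, -1, ORDER)   # public Q = D*P; P = E*Q is the secret relation
if __name__ == "__main__":
    outs = dual_ec(8, P, Q, 5)                             # constructed seed 8
    print(outs, predict(outs[0], outs[1], P, Q, E, 3))     # [3, 7, 13, 0, 2] [13, 0, 2]
```

The defensive point is that the output stream itself never reveals whether such an E exists; only the provenance of Q does, which is why a Q of unexplained origin cannot be trusted as a default.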

------
Zigurd
This appears to be a strong denial, which they support by claiming that NSA
was successfully promoting Dual EC DRBG as a better RNG to NIST and the tech
industry. That is, they were being misled as much as anyone else who believed
the NSA regarding Dual EC DRBG.

That sounds good. But they don't even go near the heart of the matter, which,
from the Reuters report, is:

_Undisclosed until now was that RSA received $10 million in a deal that set
the NSA formula as the preferred, or default, method for number generation in
the BSafe software, according to two sources familiar with the contract.
Although that sum might seem paltry, it represented more than a third of the
revenue that the relevant division at RSA had taken in during the entire
previous year, securities filings show._

RSA does not deny that they took $10M to use Dual EC DRBG as the default in
BSafe. Nor do they say why they did, if there is a reason other than that the
NSA paid to make it so. They do not say why they took a sum which boosted
their revenue by over 30% in return for no deliverables other than a change in
default configuration - a couple minutes of work.

~~~
mrobot
Yes, why pay $10M for something that could be accomplished with "Hey, this is
better, you guys should switch. Here's why"?

~~~
nullc
Because it's really hard to argue in favor of that particular RNG. It's
kludgy, it's slow, and the quality of the numbers out of it— by basic RNG tests—
is not very good.

They could have tried to suggest all other options were weak for secret
reasons but that seems like a pretty big risk.

~~~
mrobot
I thought the whole point here was that Dual EC DRBG was clearly better at the
time.

_We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in
2004, in the context of an industry-wide effort to develop newer, stronger
methods of encryption. At that time, the NSA had a trusted role in the
community-wide effort to strengthen, not weaken, encryption._

~~~
mrobot
Clarification: The argument was not that it was clearly better, but that RSA
believed the NSA could be trusted to have good intentions. This makes changing
a bit more suspicious, but I guess the argument is that it wasn't suspicious
enough to... reject $10M?

------
rdtsc
Well they are either stupid and shouldn't be trusted with security matters or
they are lying sacks of shit.

Yes, technically NSA probably didn't tell them at the time what the weakness was,
but getting $10M under the table to change a default and not asking questions
is either incredible stupidity for why that might be, or they are just
lying: they figured out why that might be and did it anyway. (Yes, they probably
never put it in writing in any of the internal memos or emails.)

Either way they lost credibility and shouldn't be trusted with security
matters. Hope that $10M was worth it.

~~~
amagumori
The thing is, I'm pretty sure the weakness in DUAL_EC_DRBG has been public
knowledge for a while. This paper detailing the vulnerability came out in
2007, and shows how fundamental the weakness really is:

[http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)

------
pvnick
Crap, now we're going to go through the whole word parsing game again. This is
not a fun place to be.

~~~
summerdown2
See Bruce Schneier's latest post:

[https://www.schneier.com/blog/archives/2013/12/nsa_spying_who.html](https://www.schneier.com/blog/archives/2013/12/nsa_spying_who.html)

> We no longer know whom to trust. This is the greatest damage the NSA has
> done to the Internet, and will be the hardest to fix.

------
belluchan
They're just saying this because it's classified and will never see the light
of day that they were actually adding a backdoor. Or maybe they're just
playing word games. The only thing to go by are the facts. The facts are that
RSA added an NSA backdoored feature as default into their products and were
paid for it.

~~~
saintx
Of course they were playing word games. Could the mixture of lawyers and
cryptography possibly yield anything else?

~~~
saraid216
Don't forget journalists.

------
hondje
Could they, legally, do anything but deny? Shareholders could sue, customers
could sue, I could probably sue... seems like a strongly worded, legally
airtight denial is their only practical option. Plus it might be illegal to
divulge classified info.

~~~
jjoonathan
They can deny everything that they didn't do and hope customers don't notice
or care.

~~~
saintx
Second step is total media silence for a few news cycles.

------
a3n
I hope this is true, and not merely plausible deniability, because I was
saddened by the initial reports.

The first bullet starts out very strong. In fact it has the feel of taking NSA
by the neck and helping them along to the underside of the bus (and bravo for
that): "At that time, the NSA had a trusted role in the community-wide effort
to strengthen, not weaken, encryption."

At that time. _Had_ a trusted role.

The second bullet ("one of many choices ...") was ... eh.

The third and fourth bullets were basically RSA explaining that their actions
are determined by others. First they relied upon NIST to stay with it, then at
the last minute they followed NIST's belated lead and recommended against it.
I would have thought they had enough smart and responsible people within RSA
to determine whether Dual EC DRBG was safe and effective or not.

Still, loud applause for turning the NSA's head toward the underside of the
bus.

------
wreegab
Question to RSA:

Are you going to sue Reuters for libel?

~~~
moocowduckquack
That would be hard. Reuters have not reported that RSA took $10 million; they
have reported that documents leaked by Snowden claim that RSA took $10
million.

~~~
atmosx
They could sue Snowden. But I imagine it will not pay back as a strategy.

~~~
mnordhoff
Maybe they should sue the NSA for writing misleading classified slides and
then letting them get leaked. :-)

------
zonkerton
> we also categorically state that we have never entered into any contract or
> engaged in any project with the intention of weakening RSA’s products, or
> introducing potential ‘backdoors’ into our products for anyone’s use.

Why say "for anyone's use"?

~~~
pyre
"We have not added backdoors requested by any entity for the sole use of that
entity to compromise our products," is how I read that.

Not necessarily a backdoor that is "open to anyone," so much as a backdoor
that is intended to be used by any specific person/group/organization.

------
wfunction
> We have worked with the NSA, both as a vendor and an active member of the
> security community. We have never kept this relationship a secret and in
> fact have openly publicized it.

Liars. They publicized the $10 million deal?!

~~~
icegreentea
No, you're misinterpreting. They're claiming that:

a) They have always had a relationship with the NSA as a vendor, and as a
member of the security committee

b) They have never attempted to hide a)

c) As part of a) they have never signed a "secret contract" (for the mentioned
10 million)

That's their claim. Maybe they're lying about c), but you're barking up the
wrong tree.

(edited for formatting)

~~~
rpedroso
From the web page:

"Recent press coverage has asserted that RSA entered into a 'secret contract'
with the NSA to incorporate a _known flawed_ random number generator into its
BSAFE encryption libraries. We categorically deny this allegation."

The emphasis is mine. This quote allows for the possibility that they entered
into a contract with the NSA to incorporate a random number generator that was
not yet known to be flawed.

~~~
sigzero
Um, if it wasn't known to be flawed, why wouldn't they do it?

~~~
wfunction
Why the hell would the NSA offer MONEY for you to adopt their encryption
proposal if it was actually legitimately good?

It doesn't matter if you have any other information on the security of the
algorithm; the fact that they're offering you money should speak for itself.

~~~
eli
Well, the NSA has a track record of making public encryption algorithms
_stronger_. They proposed changes to DES which puzzled researchers at the
time, but years later were shown to significantly harden the algorithm against
some attacks.

~~~
thematt
I don't have the citation on hand right now, but if I recall correctly their
recommendations strengthened DES against mathematical attacks, but weakened it
against brute-force attacks.

~~~
gizmo686
I don't know what it means to weaken DES against brute-force attacks, but, if
I recall correctly, their changes did weaken it against linear cryptanalysis.
Their change was to replace the random constants of DES's S-boxes
with their own constants. They have since then published the criteria that
they used to generate these constants. Based on the fact that everything I
have read on the subject, and talking with several cryptographers, says that
the change was to strengthen DES against differential cryptanalysis, I think
it is reasonable to believe that this is supported by looking at how they
generated the constants.

~~~
mnordhoff
NSA suggested decreasing DES's key size. IBM ultimately agreed to use
effectively 56-bit* keys. This by definition makes brute force attacks easier.
It was apparently criticized at the time, but it's worth noting that there's
nothing secretive about it -- it's a basic and obvious element of the
algorithm.

The public cryptographic community started brute-forcing DES keys for fun in
the '90s; with the NSA's budget, they could have been doing it from the
beginning.

* DES keys are 64 bits, but 8 bits are for parity, so the meaningful key length is 56 bits.

------
blazespin
The doublespeak is desperate and only undermines their credibility. Obviously
they are in a proverbial 'between a rock and a hard place'.

Anyone who bothers to read this carefully and knows the backstory about the
general understanding that the DRBG was weak realizes that there is no way RSA
could have not known it was compromised and they have pretty much completely
confirmed the reports.

In truth, I'm not sure what is worse: that they did or didn't know what they
were doing.

------
tssva
Also remember that RSA was initially deceptive to their customers regarding
the extent of the SecurID compromise a couple of years ago. Their conduct
during that compromise makes it difficult to trust statements they make now.

------
eyeareque
That was a very carefully worded PR statement. They've basically affirmed the
Reuters statement, to me anyway.

------
pupdogg
_cough_ bullshit!

------
sbierwagen
Nah.

