back to article RSA comes out swinging at claims it took NSA's $10m to backdoor crypto

RSA has hit back at allegations stemming from Edward Snowden's latest whistleblowing – specifically, the claim that it secretly took US$10m from the NSA in exchange for using the deliberately knackered Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in its encryption products. The EMC-owned security …


This topic is closed for new posts.
  1. Pete Spicer

    "At that time, the NSA had a trusted role in the community-wide effort to strength, not weaken, encryption"

    Wait, am I reading that right? Why would it ever be in the NSA's interest to make encryption stronger for the masses?

    I mean, it wasn't until that long ago that encryption tools required a munitions licence to distribute because they were weapons of a sort. Seems to me that keeping an eye on the industry and maybe slipping the odd slight hurdle into it, on the sly, would absolutely be SOP for them. But maybe I'm just too cynical.

    1. Destroy All Monsters Silver badge

      Because their job is (was?) ALSO to make sure US companies had the tools to net get slurped by evil commie or french or persian spies. Hence the stadardization effort for DES and later AES, accompanied by efforts to persuade people to make the key maybe not too long.

      1. Anonymous Coward
        Anonymous Coward

        Where do you get the idea the NSA's job is to make sure US companies have tools to "not get slurped by evil commie or french or persian spies"?

        Is that stated anywhere else on the internet, except in your comment in this thread?

        I don't believe that's ever been the NSA's job.

        1. Destroy All Monsters Silver badge
          Big Brother

          Where do you get the idea the NSA's job is to make sure US companies have tools to "not get slurped by evil commie or french or persian spies"?

          Is that stated anywhere else on the internet, except in your comment in this thread?

          I don't believe that's ever been the NSA's job.

          Maybe. But if you want to make your comms somewhat secure (in the 80s or the 90s, say), who you gonna call? That's right, the friendly government bureau who knows about those things.

          You want Internet wisdom? I call on ... JIMBO:

          The Mission

          Role in scientific research and development

      2. Yet Another Anonymous coward Silver badge

        But following on from more than a decade of fighting strong encryption products like PGP, weakening existing standards and secretly reducing the key length in commercial products exported.

        You would have to be very niave and very out of touch not to be suspicious.

        Although it is possible that all the world class security experts at RSA never use the internet, or read the newspapers or watch TV or follow the news in anyway.

    2. solo

      Why trust NSA?


      Additionally, NSA is made of full load of high quality geniuses. They come from all sorts academic mines and in academics, trust in a theory is only allowed till you have studied it.

      So, might be RSA hired non-academics. Sorry for the innocence of industrialization.

    3. Anonymous Coward
      Anonymous Coward

      They definitely took the money.. They didn't deny it in case it comes out on the next round of leaks, and when it does they will sack someone as a sacrifice (who incidentally will get a Hugh pay off) and say they had no idea they had been involved.

    4. Pet Peeve

      NSA *HAS* strengthened encryption

      I certainly get the skepticism here, but there has been at least one notable case where the NSA has meddled with a standard to improve it.

      When DES was being developed, a part of the algorithm involved some lookup tables that were used to transform input to output as part of the encryption process. Shortly before the final version of the standard, NSA published a new set of tables and requested them to be adopted for the standard.

      Years later, crypto researchers analyzed what the NSA did, and found that the original tables had some serious weaknesses that badly hurt DES. The new tables fixed the problem.

      Now, I think this is a totally different situation. The problem with dual EC is not that it's weak as such (though it was actually the slowest performing of any of the randomizers in the standard by an ORDER OF MAGNITUDE), but that it is possible to create a relationship between the parameters of the curve that in effect creates a "master key" shortcut to decrypting the data, and there's no way to tell if that relationship exists. Guess who picked the curve for dual EC?

      RSA had no good reason, short of money, to use this algorithm by default. It's quite possible they didn't know about the weakness (it took 3 years for mere mortals to figure out). But the fact remains, Dual EC was the worst choice of the three in the standard, by far, so why make it the default?

      I've heard that some versions of Internet Explorer use it by default too, but I don't know if that's true. Dirty business.

    5. Anonymous Coward
      Anonymous Coward

      @Peter Spicer

      To be fair the NSA suggested changes to DES which -as I recall - included a shorter key. Years later it was discovered that their suggestions strengthened DES, so there is a precedent. Odd course, you could argue that they thought they were weakening DES, and what happened was unexpected.

      1. Michael Wojcik Silver badge

        NSA and Lucifer / DES

        To be fair the NSA suggested changes to DES which -as I recall - included a shorter key. Years later it was discovered that their suggestions strengthened DES, so there is a precedent. Odd course, you could argue that they thought they were weakening DES, and what happened was unexpected.

        Argh (and argh also to Pet Peeve, who posted a better but still agonizingly vague summary of the story).

        Really, in the time it takes to write a post like this, you could, y'know, look it up. The whole thing is in Applied Cryptography and no doubt many online sources.

        1973-1975: NBS, the precursor to NIST, sends out a call for a cipher to establish as a standard. IBM creates Lucifer, as part of its research into block ciphers. (Many notables in the crypto industry were involved: Feistel, Coppersmith, etc.) IBM submits Lucifer to NBS, agreeing to license it without charge.

        1975: NBS asks NSA to evaluate the algorithm and suggest changes. NSA makes various changes, in particular shortening the key (effectively to 56 bits) and changing the S-boxes. This is the NSA acting in its official "help US business" role, as DAM said. And many people were suspicious, in their public responses to NBS - contradicting RSA's ridiculous claim "hey, we all used to trust the NSA without reservation" (I paraphrase).

        1976-1977: NBS holds public workshops to evaluate the revised Lucifer. There is much debate, but NBS standardizes it as DES anyway.

        Schneier notes: "Off the record, NSA has characterized DES as one of their biggest mistakes". Why? Because the standard described it as a hardware cryptosystem, but provided enough information to implement it in software. Apparently someone high up at NSA thought DES would only ever appear in hardware, which would be much easier to keep under export control.

        In the '80s, various other groups (ANSI, some ISO working groups) adopted DES as a general standard, or as part of other standards. It became entrenched (later in 3DES form to fix the short key).

        1977-1981: Various researchers show just how vulnerable DES's short key is. Specifically, they come up with informed estimates for DES brute-force cracking machines (between $5m and $50m) and estimate how long such a machine would take to crack a ciphertext (on the order of a few days; remember this is for circa 1980). There's widespread suspicion that NSA shortened the key so well-funded adversaries (i.e., the NSA) could decrypt communications they felt were particularly interesting.

        There was also a lot of worry that DES was a group, possibly a pure or even closed group; that would make multiple-encryption pointless (3DES would be no stronger than DES), and if closed would cut the effective key length in half, to 28 bits (via a meet-in-the-middle attack). The associated concern was that the NSA knew DES was a group, and possibly had made it a group by mucking with the S-boxes. In 1992 this was publicly disproven (DES is not a group), and Coppersmith says IBM always knew it wasn't a group, but kept the details secret (because, hey, they're IBM).

        What about those S-boxes? They're the non-linear part of DES, and the only real security. Each S-box is a substitution table with a 6-bit input and a 4-bit output. IBM submitted Lucifer with one set of S-boxes; the NSA sent it back with a different set. IBM couldn't find anything wrong with the NSA's set. Some found this worrying.

        Did the NSA use subtly-weak S-boxes (i.e., ones with hidden algebraic structure) so they could break DES? Did they change the S-boxes because they were worried IBM might have put a similar backdoor in their original set? Did they know something that wasn't in the published literature?

        In 1990, we got a strong indication that the answer to the last question was "yes", when Biham and Shamir published their work on differential cryptanalysis. DES is "vulnerable" to DC, in the sense that there are better-than-brute-force attacks against DES with DC. But the S-boxes in DES turn out to be optimized against DC. What a coincidence! Coppersmith has said that IBM and NSA knew about DC back when DES was created.

        In 1993, Matsui published on linear cryptanalysis. It turns out the DES S-boxes are not optimized against LC. You can crack stock DES with around 243 known plaintexts using LC.

        So: Did the NSA not know about LC in 1976? Did they know about it, and keep it as their own backdoor? Did they know about it, but also know about something worse that made it impossible to optimize the S-boxes against both DC and LC and mystery-analysis? Only their tobaccanist knows for sure.

        tl;dr: The NSA both strengthened and weakened DES, almost certainly deliberately. Their involvement was always controversial.

    6. The Man Who Fell To Earth Silver badge

      None of this would be a problem if it was done right the first time

      TOR suffers from the same fundamental flaw that SSL does, namely the fact that it's a single-path system. While multi-path isn't fool proof, it certainly makes the interception and tracking a lot harder. For a lot of purposes, the added latency is quite acceptable, and with a little thought, protocols can be envisioned that prioritize information so the less important goes the lower-latency pathways to increase the apparent responsiveness while the "important stuff" goes the tougher to intercept multi-pathways.

      In a similar way, cloud services can be made more secure by having clients utilize liner functions. (i.e. Instead of encapsulating a complex function with a simple to call wrapper function, you "line" a complex storage functionality by lining it to make it appear simple.) For example, a locally encrypted virtual drive has its container file hosted on cloud(s) drives. If the cloud vendor proves untrustworthy by backdooring their services to others, the "other" gets the container file, and still has to compromise that to get its contents. (e.g. Something like Truthcrypt with the container file RAID 2 stripped, with part of the container file striped on Dropbox and part striped on Google Drive, yet looking like one Truecrypt drive to the user.) Tougher to get the "whole enchilada" container file, and then even if you did get it, you still have the fact that it's encrypted, and you have to deal with that.

  2. Paul J Turner


    "...we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use..."

    Well, you would have to be pretty dumb to put your sneaky business on record with a contract or setting up a project to do so, wouldn't you?

  3. Big-nosed Pengie

    They would say that

    wouldn't they.

    1. g e

      Re: They would say that

      Oh I dunno. They could always fess up and shut the business the same afternoon

    2. Anonymous Coward

      Re: They would say that

      "You may very well think that but I couldn't possibly comment"

  4. Charles Osborne

    And all the color printer manufacturers just decided one day to print identifying information on every single print issuing from their machines. Coincidence? Would have to be otherwise it would be a violation of some anti-trust law. (The yellow ink cartel?)

    Remember, when folks accuse you of being a conspiracy buff, politely answer in the affirmative and ask them, "Are you a coincidence buff?" (HT to Daniel Sheehan)

    1. Michael Wojcik Silver badge

      Are you a coincidence buff?

      Actually, yes. If events A and B have no causal connection, then you have maximum information entropy. More for your money!

  5. Don Jefe

    It's True

    It isn't a backdoor if it's put there intentionally for use by a select group. It's more of a service entrance really.

  6. oldtaku Silver badge

    You'll notice they don't deny taking the $10M.

    Dual_EC_DRBG was known to be weak and slow and suspect even before it was adopted as a standard.

    RSA made it the default in mid 2006 in spite of the known concerns.

    By 2007, both Schneider, Microsoft, and others had shown it was fatally weak and flawed.

    RSA kept using it as the default till late 2013.

    They were either in the NSA's pocket or stunningly incompetent at security, which is supposedly the one thing in the world they were the best at.

    1. Brad Ackerman

      Regarding RSA's competence or lack thereof, I'll just leave this link here.

      1. Michael Wojcik Silver badge

        Indeed. Rivest, Shamir, and Adleman are certainly very competent. The corporation that bears their initials, on the other hand, has something of a mixed record.

        That said, it's hard to believe that making Dual EC DRBG the default for BSAFE was an honest mistake. When it was first published people began to question its utility, since it's slow and has no obvious advantages over competitors.

        And, of course, the standard has an appendix that says, in effect, "hey, here's how you can generate your own points on the curve, rather than using the ones we gave you, which you have no reason to trust". Using your own points doesn't affect FIPS certification or any of the other patently bogus justifications RSA Corp is now spouting.

        So either incompetence (i.e., some PHB decided to make stock Dual EC DRBG the default, and none of the techies called him on it), or malice. Take your pick.

  7. Anonymous Coward
    Anonymous Coward

    "Why would it ever be in the NSA's interest to make encryption stronger for the masses?"

    They are presumably in the business of providing security to national interests against outside attacks, so it would arguably be in their best interest to provide the national infrastructure with secure encryption to protect them from being monitored by outside groups. Of course, such outsiders themselves would undoubtedly obtain those tools as well, so it makes sense that they'd support a method that included a weakness only they knew about. For that matter though, any number of other algorithms could have weaknesses known only to their creators and select groups they share the details with, or perhaps flaws not known to their creators, but discovered by others. RSA might not have fully trusted the algorithm, but then again, no such algorithm should be completely trusted.

    1. lambda_beta

      You've got to be kidding. The NSA does what it does, and dosen't give a sh*t about outside, inside or in between. It is in the business of gathering information even if they don't have a use for it. It's in the busines of spying and to accomplish its mission through clandestine means. It's budget is not made public. Even the number of NSA employees is classified. It's more than big brother, it's big sister, mother father and is not accountable to anyone, even the President and Congress.

      1. Michael Wojcik Silver badge

        It is in the business of gathering information even if they don't have a use for it.

        It's also in the business of making the same activity harder for its competitors in other nations, nitwit.

    2. codeusirae
      Big Brother

      NSA are in the business of providing security?

      "They are presumably in the business of providing security to national interests"

      Going on recent revelations, its the NSA that are the threat to national interests. What with live fire military excercises being carried out in US cities, all it's take is for some right-wing demagogue to declare martial law. And the likes of NSA are on stream to provide total information awareness.

      "it would arguably be in their best interest to provide the national infrastructure with secure encryption to protect them from being monitored by outside groups"

      The NSAs function is to spy on people, not protect them from being spied on by 'outside groups'. As for 'secure encryption', see above, you can't have 'secure encryption' that isn't really secure. That's why DES was crap in the first place ...

  8. Mr. Peterson
    Paris Hilton

    we're not in it just for the money



  9. Sanctimonious Prick

    or introducing potential ‘backdoors’ into our products for anyone’s use.

    They didn't really say that... they did... OK. Wow!

    The NSA says they have to say that. To say anything else would be in breach of their contract with the NSA. The consequences of violating that contract are, AFAIK, unknown. Eddy?

  10. Don Jefe


    Anyone who's ever told a whopper of a lie, has kids, or remembers their childhood, knows you never dish out more than a single helping of bullshit per seating. You've got to keep it simple.

    Not only is crossing the streams of your bullshit the worst way to lie, it's also the best indicator of when you're being lied to. Telling the truth is always a straightforward thing and doesn't need 'proofs'. Speak the truth and if people don't believe you then that's their problem. It's easier that way and ethically sound as if they can't handle the truth, there's fuck all you can do about it.

    Truths are delivered in nice, neat little packages, that are attractive and easy to open. Bullshit on the other hand is delivered in big, bulky crates that you've got to disassemble with a hammer then wade through 350lbs of packing peanuts the get at the useful contents and you're still on the hook for disposing of the crate and the waste from opening the package.

    1. dan1980

      Re: Truism

      @Don Jefe

      I'd agree, broadly, but of course politics shows us time-and-again that the "nice, neat little packages" are often the lies as an accurate understanding sometimes requires more information than can fit in a soundbite.

      I like the point-form format of RSA's response but an accurate representation of the facts requires additional points:

      • The Dual EC DRBG is only one of four PRNGs in the NIST standards document.
      • The Dual EC DRGB was known to be created with input from the NSA* (this is mentioned in the NIST document).
      • The Dual EC DRGB is significantly slower than the other three RNGs in the NIST standard.
      • The NIST document contains no proof (nor does one exist) of Dual EC DRGB's strength (which would serve to offset the extreme computational expense).
      • Very shortly after the publication of the NIST standard, two independent teams discovered that the Dual EC DRBG contains a noticeable bias which could be exploited, given access to other information.
      • Potential for such a bias is well known in cryptography and avoiding it is trivial.
      • A year later, another pair of researchers found that that operation of the standard (specifically, the fixed choice of ellipse points) enables the bias flaw to be exploited by anyone with access to information about how the points were chosen.
      • While it is possible no one has this information, the only people who could have it are the NSA and NIST.
      • Even if no one has that information now, the fixed nature of these points means that if they were ever determined at any time, every implementation of the cryptography would be forever broken and all messages rendered trivial to decrypt.

      The lack of proof should have caused RSA to examine the standard more closely before making it the default PRNG. Failing that, the findings of bias in 2006 should have been enough to warrant caution and a review by RSA. Failing that, the presentation by Ferguson & Shumow a year later should have raised such flags as to prompt RSA to immediately alter their default PRNG and inform their customers of the potential vulnerability.

      Simply saying they "[relied] upon NIST" is utterly inadequate, given that NIST provided no proof of the security of the PRNG**, while independent researchers had proven that there are real, exploitable flaws in it. What justification did the RSA have to rely on a body that provided no proofs?

      The short version of the whole affair is that RSA is one (or more) of the following:

      • Complicit (in NSA weakening of cryptography)
      • Ignorant (of cryptographic research)
      • Lazy
      • Stupid

      In denying the first (as they are), RSA is effectively admitting to one of the others. None are good for a company in the business of protecting users' privacy.

      * - We now know that they were the sole author but we must assume RSA did not know this at the time.

      ** - There can be none.

      1. Destroy All Monsters Silver badge

        Re: Truism

        Simply saying they "[relied] upon NIST" is utterly inadequate, given that NIST provided no proof of the security...

        Actually, RSA was using it even before NIST was done with approval, maybe even before the approval process was even started.

        From the reuters article:

        RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

        1. dan1980

          Re: Truism


          Yup. Two years earlier, in fact. You'd reckon that would imply that they had examined it and approved it independetly of NIST. You know, being a leading provider of cryptographic solutions and all . . .

          I like the part where RSA talk about "newer, stronger methods of encryption". ECC is definitely designed to address issues with older cryptographic methods - specifically the need for ever-longer keys. In other words, the idea is to make it more efficient. Except, you know, this particular implementation of ECC is orders of magnitude LESS efficient. And has gaping holes, just for laughs.

          It's like deciding on a diesel engine over petrol only to choose a car that drives at 1kmph and has wheels attached with cable ties.

          1. Don Jefe

            Re: Truism

            A major problem with any government is that it's required, by default, the be the final authority on everything inside its boundaries. The ultimate decision on any matter must be someone's responsibility and we've chosen the government to be that someone.

            One of the ways that causes problems is that if the government decrees (x) to be a certain way, then you have no liability in choosing to accept their decree. That decree is retroactive and allows citizens/company's to offset what would otherwise be their own responsibilities and it's an unavoidable fact of having a government. It obviously has both up and downsides.

            In this case RSA can't be held liable, at all, for using an NIST approved algorithm, the ultimate authority had already ruled. But at the same time, the government being that final authority is what allows the common person (that's us :) to seek redress when we have been wronged and provide protections to (in theory) minimize the chances of being wronged to begin with.

            The downsides are an enormous problem. You can't put ultimate authority in the hands of private entities, but putting in the hands of government, any government, guarantees that ultimate authority is completely vulnerable to politics and the inefficiencies and bureaucracy that are inherent it governance of any sort. Short of making me Supreme Chancellor of Earth I don't know how to solve the problem.

            The core issue is one of enormous philosophical depth: Where does, and where should, the ultimate authority in a society rest? It is not a matter of technologies or politics and the trouble is most people, and all governments, really suck at the contemplation, analysis and answers to those kinds of issues. It used to be the Church, and I think what we've got now is somewhat of an improvement. At least governments change and can be changed. Trying to dispute a supernatural being who only communicates with Humans via an old white man is nearly impossible.

            1. Yet Another Anonymous coward Silver badge

              Re: Truism

              No RSA can't be held liable for being ordered by a secret court to do as it was told - just like Huawei can't be held liable in China for doing the same thing.

              But all RSA's foreign customers can now decide that it is about as trustworthy as Huawei and be about as likely to use if to for important stuff. Its US customers will ask themselves if secured by RSA now means - "copied to the IRS" and every other government agency.

              1. Don Jefe

                Re: Truism

                Agreed. This is actually a situation in which 'voting' with your wallet could actually be effective. It could be the IT Security sectors horror story example for the 21st century. It could appear in university ethics textbooks and organizational management training seminars for decades. It should be he horror story.

                But I don't think it will. If there are more than a handful of defections I wold be truly surprised. I would be shocked if a top tier customer abandoned RSA over this. A lot of people will pay lip service to the idea of changing providers, but I doubt a single one of those people will be decision makers. It's a sad state of affairs, but I've found that most people value a discount on future purchases over most anything else.

                1. Scoular

                  Re: Truism

                  If those decision makers share a belief set with NSA and friends then they would not have a serious objection to NSA being able to read their documents, so they would see no need to change suppliers.

                  Those who see themselves as outside the 'group' might well decide to consider alternatives.

                  1. Don Jefe

                    Re: Truism

                    They can consider all they want, but unless they actually have the capacity to affect change it's all just tough guy talk and nothing will happen. Those outside the group have no effective influence, leverage or ability to make decisions large enough to cause RSA any damage.

            2. dan1980

              Re: Truism

              "Trying to dispute a supernatural being who only communicates with Humans via an old white man is nearly impossible."

              Actually, that does sound a bit like the government. At least the one we have in Australia and certainly the previous POTUS.

              I get the bent of your argument but I think it's a little flawed in applying it to this specific case.

              Working from the standpoint that RSA was not helping the NSA to weaken cryptographic standards (benefit of the doubt), we need to look at what they were trying to achieve.

              The first thing to note is that there is no requirement to use any of the PRNGs in the standard when making a cryptographic product.

              Even when aiming to comply with FIPS 140-2 there is certainly no requirement for any particular algorithm to be used, just so long as there is support for at least one of the DRBGs specified in NIST Special Publication 800-90A.

              You don't have to implement all of them as there is at least one certified product that ONLY uses the Dual EC DRBG. Even if you use all of them, there is no requirement to have one or another as the default.

              The RSA might not be "liable" for using a NIST approved algorithm, but they are certainly answerable to their customers for using an algorithm that is known to be flawed. NIST did not provide rigorous (let alone formal) proofs. RSA evidently did not conduct these on their own. Other people did and found serious issues. At that point, RSA could have both maintained their FIPS compliance and increased the security of their toolkit - all it would have taken was to remove the Dual EC DRBG generator or, at the least, stop making it the default. At least until they had independently (of NIST/NSA) verified the security of the algorithm.

              Remember, RSA were at the vangaurd of challenging the NSA in its restriction of cryptographic software exports and it's development of the 'Clipper' chip. It's worth noting that the Clipper chip came from the MOU between the NSA and NIST and it is this same MOU that, as summarised in the link, states that:

              "NIST responsibilities include . . . recognising NSA certified ratings of evaluated trusted systems without requiring additional evaluation . . ."

              This explains why the Dual EC DRBG was included in the NIST standard - it was 'vouched for' by the NSA. This also explains why there is no proof. What it doesn't explain, is why RSA - a company with a history of challenging the NSA on cryptography and security - decided to simply take the word of NIST, who in turn took the word of the NSA.

              And it definitely doesn't explain why they continued to do so, even in the face of evidence that the algorithm was flawed.

    2. Destroy All Monsters Silver badge

      Re: Truism

      The Album of the soundtrack of the trailer...

      Interviewer: An excerpt from Carl French's latest film. Carl, we're all a little mystified by your claim that your new film stars Marilyn Monroe.

      Carl French: It does, yes.

      Interviewer: Who died over ten years ago?

      Carl French: Uh, that's correct.

      Interviewer: Are you lying?

      Carl French: No, no, it's just that she'e very much in the public eye at the moment.

      Interviewer: Does she have a big part?

      Carl French: She is the star of the film.

      Interviewer: And dead.

      Carl French: Well, we dug her up and gave her a screen test, a mere formality in her case, and...

      Interviewer: Can she still act?

      Carl French: Well... well, she-she's still has this-this enormous, ah-ah, kinda indefinable,

  11. Sanctimonious Prick

    Remember When...

    Hacking was something computer hardware/software enthusiasts did to maximise the use of their equipment. Then suddenly, in seemingly an instant, MS was on a lot of desktops. As hackers played with this equipment, they found that there were many backdoors, even from the early DOS days, before Windows. MS did next to little about these backdoors that hackers were finding for very long periods of time. Why?

    1. Anonymous Coward
      Anonymous Coward

      Re: Remember When...

      As hackers played with this equipment, they found that there were many backdoors, even from the early DOS days, before Windows. MS did next to little about these backdoors that hackers were finding for very long periods of time. Why?

      That may not always have been with evil intent - I personally suspect that came much later. Early days computing was more about keeping the damn things running against all odds :). I recall the TSR fights: trying to push as much as possible into high memory to keep enough of that that precious 640k free so you could actually get some work done whilst keeping the box on the network.

      To illustrate the point, the early generation Linux (think Slackware on 14 floppies) was not exactly solid in terms of security either. The Net was in those days more about communicating and less about commerce - even USENET was still of some use then.

      MS had (and has) a very simple, binary focus: does the effort contribute to income? If not, don't do it. There's nothing more to it. As long as CLIENTS do not make alternative choices because of whatever deficiency, MS couldn't care less. Security is at best a sales statement for them, not a goal per se.

      1. dan1980

        Re: Remember When...


        Points for reminding me of endless hours fiddling with LH/DH - most memorably in trying to get spech synthesis working in Dune II.

        I remember having several custom AUTOEXEC.BAT/CONFIG.SYS pairs that I would swap in for various programs/games before restarting the PC. Kids these days have it too easy etc . . .

        It has, however, spilled over into a pathological need to trim Windows down as lean as it will go.

        1. My Alter Ego

          Re: Remember When...

          Those v were the days - when you had boot floppy (if others used the PC) which had ended up having a menu for each game. If I recall, it was also possible to group config.sys settings for specific games too.

          Now I just curse surgeon simulator for not having shadows on Linux - you have no idea how difficult it is to do a brain transplant in an ambulance going over speed bumps when you have no sense of depth!

  12. Anonymous Coward
    Anonymous Coward

    They are all lying

    There is money involved.

  13. Anonymous Coward
    Anonymous Coward

    Follow the money?

    Couldn't some investigative journalism into the company's published accounts provide independent supporting or disconfirming evidence for this?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Follow the money?

      Sure - we've already shown that $10m would have been 30% of Bsafe's annual revenue at the time (Register passim), so we're on it.


    2. Tom 7

      Re: Follow the money?

      Follow the money? In the US or the UK you could easily implement laws that allow money to be followed. But the elected governments seem to know this means their money could be followed too so it never happens.

      If the $10million was paid you can guarantee that the encryption used to shift it around would not be leaky. We need someone on a tropical island with a pocket line-printer.

      1. Yet Another Anonymous coward Silver badge

        Re: Follow the money?

        If there was a $10M invoice to NSA for "services rendered" - then yes

        If there was a $10M higher bid that was accepted somewhere in EMC's $15Bn of sales to the government - probably not

      2. Don Jefe

        Re: Follow the money?

        Following money isn't easy to do. No matter how many resources you have to devote to finding it. You can completely disappear quite a bit of money and never leave a trail a reporter or law enforcement officer can follow.

        Just because a company is publicly traded doesn't mean you get to look at their detailed books. Those are confidential, even for major shareholders. Besides, detailed books are so complex that you can devote entire teams of financial forensics experts to an audit that takes months or even over a year and still not figure out how it all works.

        The actual financial information companies are required to disclose is so high level that it's fairly useless beyond how much money was made vs lost. That's why analysts and brokers are so consistently wrong. On top of that, it's a lot easier to hide money when the people who are giving it to you are the people who make the rules about telling them about it.

        1. dan1980

          Re: Follow the money?

          Hell - earnings reports don't even have to break down sales/revenue by territory.

          Without some verifiable internal documentation, this is going to remain in the accusation-denial stage.

          As I said above, I don't know what's worse - a security company helping the NSA to weaken encryption or a security company being so utterly inept as to disregard the research of their fellow security professionals.

          I always got the impression that the security world was a fairly small group, with all the big names well known to each other and, even when they disagree, showing mutual respect. How did they answer the claims from their fellow security researchers?

          "That's very interesting and you are smart lads, but we think we'll trust these people over here. Yes, the ones who won't provide any proofs. Thanks anyway . . . "

          1. Don Jefe
            Thumb Up

            Re: Follow the money?

            You're spot on about the security world, I hadn't even considered the intra-peer group implications. I would think it really would dent ones reputation to be implicated in this, I know an abuse of client trust like this in my industry would be a real career speed bump.

            I can't believe every computer security professional is an ethically deficient pseudo-spy though. I would assume only a small group knew the facts, the rest were guilty only of doing their jobs and trusting others. I realize being effective in any sort professional security role requires a healthy level of distrust by default, but effective security also requires higher than average levels of trust between security operatives and their clients. There can be no security, of any sort, without trust, which is why it's so extra screwed up when those near the top of the chain abuse that trust. The repercussions end up getting on everybody's shoes.

            1. dan1980

              Re: Follow the money?

              Exactly - as the client, you trust them to be paranoid and distrustful on your behalf! (Though that shouldn't be cause to blindly trust them.)

  14. Mikel

    Had to be a rough day for these guys

    In the annals of PR flackery for security firms, the day coming out with the declaration "we were had" was the least bad choice must be quite memorable.

  15. Destroy All Monsters Silver badge

    Snowden? Maybe not. Probably not.

    Note that contrary to the article, Reuters did not say or imply that the bribery info came from Snowden:

    Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

    It is "sources familiar with the contract", which is someone else.

    Check it out again

    We also read:

    RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.


  16. ysth

    The end of the article seems very flawed (and the title very carefully worded). Nothing RSA says contradicts the allegations; of course they deny actual knowledge of a backdoor or weakened encryption. If anything you can take the RSA blog post as a confirmation that they did take the NSA money to put in the NSA-selected algorithm.

    1. ysth

      It appears the title and end of the story have been corrected; thanks.

  17. Anonymous Coward
    Anonymous Coward

    Read the denial carefully

    They're denying the contract was secret, not denying the contract:

    "Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation. We have worked with the NSA, both as a vendor and an active member of the security community. We have NEVER KEPT THIS RELATIONSHIP A SECRET and in fact have openly publicized it."

    Even the paragraph lower down simply denies they knew it was weak or backdoored:

    "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."

    If the algorithm was chosen for good reasons, why did the NSA pay them? You don't seek compensation if the NSA was giving you a free improvement.

    If you're using EMC Raids, or cloud storage, better to read the denial not the headlines. You business data is worth the extra time, apply a bit of logic and then consider your options.

    1. Anonymous Coward
      Anonymous Coward

      Re: Read the denial carefully

      You business data is worth the extra time, apply a bit of logic and then consider your options.

      Phah. I'm busy creating a security business, and I have an investor who is more interested in doing things cheap than doing it right, despite that fact that one mistake can basically nuke this business through reputational risk (i.e. cheap is expensive when seen long term). You may know your options, but that doesn't mean you're allowed to do the right thing.

  18. Anonymous Coward
    Anonymous Coward

    "The EMC-owned security outfit said it started using Dual EC DRBG by default in 2004, sometime before the generator was standardised. By 2007 the algorithm was found to effectively have a backdoor in it that weakened the strength of any encryption that relied on it, making life easier for snoops. In September 2013, RSA told its customers to stop using the algorithm."

    So it only took them six years before they accepted facts from 2007?

    "This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs."

    Then the default should be to ask the administrator which one they want when setting the product up. RSA could give suggestions on what to use.

    "We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion."

    To be FIPS complaint I can see why it would need to be used but it shouldn't be the default by default. RSA is also a vendor and they should be on the side of their customers and if something is suspect and there are alternatives then RSA has the obligation to inform the customer and to make changes to what they recommend. Passing the buck the way they are shows nothing more than they are just puppets. We know who is pulling the strings too.

    1. dan1980

      FIPS compliance


      Unless I am mistaken, there is no requirement to implement ALL the DRBGs specified to become FIPS compliant.

      Thus, to become FIPS compliant, RSA could have completely ignored the Dual EC algorithm.

      I would argue that it is the duty of a company like RSA to be paranoid and assume everything is compromised until tested and proven safe, rather than just saying "we relied on those guys". Apparently not.

    2. Adam 1

      @AC, it all stems back to who you think their customer is.

      I remember the Trustwave CA signing the root certificate for surveillance controversy from a few years back. The only use of a CA is to tell you whether the server you are talking to matches who they claim to be. If that is not what they are doing, then they are failing their job to prevent man in the middle attack.

      The difference here is obvious but the reasoning for the outrage is the same. For what purpose does RSA exist if not to provide secure communication between devices? If it knowingly allows this to be compromised, then it is of no value to me.

      I have no problem with it offering Dual EC DRBG as an option, but it should have been actively advising against using this since 2007 when the backdoor was found.

  19. Anonymous Coward
    Anonymous Coward

    Come on people


    Who cares?

    If you were seriously concerned about security you'd do what I did and write your own encryption routine using static from an off-tuned radio sampled through line-in as a random number generator.

    Trust a commercial product? Never. Even if the government didn't knobble it, I don't trust the fsckers who work there not to have knobbled it for their own purposes!

    I know of a certain photo backup project where the DBAs loved to browse all the photos backed up just to get their daily kicks, despite the photos being "encrypted during the backup process".

    1. herman

      Re: Come on people

      Sure dude - and you decrypt it on the other side using some more static from another radio I suppose...

    2. Pet Peeve

      Re: Come on people

      @AC, post your ENT results or shut the hell up, dumbass.

      Even IF your radio-based randomizer has decent entropy (hint: it very likely doesn't, or has bouts of non-randomness when someone with a cellphone walks past your house), it still only solves one of the problems that RNGs are used for, picking session keys/nonces. For other applications, it would be worse than useless.

    3. Don Jefe

      Re: Come on people

      The number of individuals who can write and implement their own effective encryption is absurdly small. There have been more people on the moon than can do functional encryption all by themselves.

      I'm a mechanical engineer, not an IT security professional, but the level complexity I work at is no less advanced than encryption. I believe I am more than capable of overcoming any engineering challenge I am presented with using nothing but my own capabilities. But I would never, ever do that. It's Engineering 101 that if you're working on a critical 'go/no-go' part of a system or on a project where people are guaranteed to be hurt/killed if something goes wrong that you never, under any circumstances be the one to validate your own work. It is lunacy of the highest order to trust yourself completely in dealing with truly complex issues. Hell, authors don't even edit their own books and books are extremely benign.

      There's a lot of science behind it. The summary is that the Human brain creates 'shortcuts', similar to the index of a relational database, to reduce the amount of 'processing' required for dealing with recurring information. You don't have control of how, when or even why your brain does that, it just does.

      The result is that your brain doesn't actually reprocess the problem again, it simply reuses the 'variable' it created earlier. Your brain automatically breaks data integrity rules by storing what is effectively a calculated result instead of recalculating every time*. That's a wonderful thing if you're dealing with a jungle cat that wants to eat you, but extremely dangerous if you're spending weeks and months solving a problem. You don't even know what portions of the problem your brain has created a stored variable for, it's background level processing that doesn't need, or receive, input from you.

      There is a small portion of the population whose brain does not create or store variables and there is a small portion of the population who have direct control of when, what and where to create those variables. The first group are called 'special needs', or 'retarded' people. The second group are those ultra rare people like Stephen Hawking who have unique access to their brain, but nearly every single one of those people have severe physical disabilities. Nobody knows why, but it's nearly always the case.

      I'll end my little article with this. It's possible you're in one of those two groups. I highly doubt it, but it's possible. Assuming you're not, you are doing yourself a great disservice by going at highly complex things alone. Your brain is absolutely guaranteed to fuck you by trying to help you and you're making yourself extremely vulnerable to catastrophic failure and you'll have no one to blame but yourself. You're attempting to overcome millennia of evolution and you are waving your dick at the fang filled mouth of failure probabilities.

      There's a reason I've spent a decade hiring world class engineers and there's a reason RSA has more than one employee, all those other people sure aren't there just to answer phones and make coffee. They are there to do quality control on the variables created by the brains of their colleagues.

      1. dan1980

        Re: Come on people

        @Don Jefe

        Which is why my posts often contain stupid errors, despite me checking them multiple times.

        And presumably why you missed your footnote : )

        1. Don Jefe

          Re: Come on people

          Ha! I'm my own example! I didn't even notice.

  20. Wang N Staines

    Hello hole

    What, you want me to stop digging?

  21. Trollslayer


    The journalist stands by a claim being made but but does he stand by the claim being true?

    Two separate things.

    RSA's statements can be verified.

  22. herman

    Not knowing that the algorithm was flawed is even worse. It really does not give me much faith in the RSA mathematicians.

    The problem is really that when a company is approached by the NSA/CSE/GCHQ/FSB to subvert a product, it is game over for the company. The best thing they can do, is take the money and then close up shop as soon as it is convenient.

  23. Anonymous Coward
    Anonymous Coward

    A bit of perspective

    The NSA look more and more like a Soviet-era Russian research institute: brilliant mathematicians, highly competent engineers with a genius for practical design, and brutally incompetent managers serving goals that are both sinister and self-defeating.

    All that brilliance, in the service of dismal stupidity.

    Meanwhile, the scariest part of the RSA revelations isn't that messages could be decrypted before we all started applying patches around the known weaknesses; nor is it the possibility that our data is still insecure, if the NSA and their private-sector partners still know more than we do.

    The scary thing is that they were (and still are) recording everything, or as close to it as makes no difference in terms of blackmail and commercial losses, and it's trivial to call up records and decrypt them. Or rather, call up the results of the mass decryption and linkage analysis, keyword indexes and crude semantic-searches.

    What could anyone do with your private emails, browsing history and credit-card purchases, if ever you said something inconvenient or embarrassing about defence contractors, your elected representatives, or anyone related to the thousands of NSA and GCHQ staff and subcontractors with full access to the data?

    There are more of them than the total payroll - including informers - of the Stasi and the Securitatae; and they have far, far better tools to mine the data.

    Some of those contractors are the nice young men who all turn up as volunteers in your elections, when they're not filling in their quota of of down-voting and sock-puppetry online. Just like Edward Snowden, some of them will break the rules to act for their principles and their political beliefs; unlike Mr. Snowden, they can do so with impunity.

    How do you fancy your chances in a local election after all the juicy bits are printed up on leaflets and posted into every letterbox within a mile of where you live? Or your school governors? Or the parents of all your teenage childrens' online gaming community and fan club buddies?

    Me, I'd use the Scientologists as a kind of early warning system: they've got history for infiltrating members into sensitive positions and stealing personal data for blackmail campaigns against their enemies. Let's see what starts turning up in their creepy campaigns against critics and ex-cultists, alongside the obvious fabrications and dumpster-dives for unshredded correspondence and medical packaging. Scientologists are too fanatical and arrogant to be subtle about using stolen data, so we'll probably see NSA decrypts turning up in their work before the next elections. An optimist might entertain the hope that popular revulsion against these 'early adopters' will result in effective measures against more subtle misuses of the data by politically-motivated not-so-nice young men; a pessimist might worry more about the authorised official uses of the data.

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: A bit of perspective

      A hard-working Reinhard Heydrich with a terminal to the NSA cloud in his office.

      Yes, not nice.

      This is also what most people don't get at all. From here to the end-of-fiesta the stepsize is only ε - it is not confortably large as the pundits and "business as usual" types of the MSM assert.

      1. Destroy All Monsters Silver badge

        A nice reading complement

        A psychological history of the NSA

        During these wartime years, the NSA grew from 33,000 to 72,000 employees, and was fast developing into the massive bureaucratic spy organization it is today. Organized much like the American corporations of the era, the agency employed a top-down structure that emphasized company loyalty and blind compliance with superiors. The more it grew, the more resilient this structure became.

        Peter Ludlow, a philosopher at Northwestern University, pointed to the sociologist Robert Jackall’s 1988 book, Moral Mazes, for a description of the rules that govern such bureaucracies: “(1) You never go around your boss. (2) You tell your boss what he wants to hear, even when your boss claims that he wants dissenting views. (3) If your boss wants something dropped, you drop it. (4) You are sensitive to your boss’s wishes so that you anticipate what he wants; you don’t force him, in other words, to act as a boss. (5) Your job is not to report something that your boss does not want reported, but rather to cover it up. You do your job and you keep your mouth shut.”

        “The NSA is nothing if not a 1950s-style bureaucracy,” Ludlow told me. “The consequence of that is you’re almost guaranteed to do evil.”

        1. Ken Hagan Gold badge

          Re: A nice reading complement

          If the NSA is a bureaucracy, that's rather re-assuring. It probably has dozens of groups working at cross purposes and totally ignorant of each other's existence. They may *want* to be evil, but they'll never actually get their collective shit together for long enough to achieve it.

          1. dan1980

            Re: A nice reading complement

            @Ken Hagan

            Obligatory xkcd?

          2. Michael Wojcik Silver badge

            Re: A nice reading complement

            They may *want* to be evil, but they'll never actually get their collective shit together for long enough to achieve it.

            Overly optimistic, I think. History is full of examples of inefficient and inconsistent organizations which fail to achieve their goals but still manage to do evil. Domination requires inflicting harm, but the reverse is not true.

  24. Cipher

    This says it all...

    "The carefully worded post, which avoids discussing whether or not the company actually took the NSA's $10m"

    If they didn't take it, they would say so.

    They took the cash.

  25. Anonymous Coward
    Anonymous Coward

    A song for NSA and RSA

    To be sung to the tune of "Let It Snow" (Sammy Cahn and Jule Styne, 1945):

    So the N-S-A came a-calling,

    To get the encrypt-tion a-falling,

    And RSA said "ho ho",

    "Let it go, let it go, let it go".

    So we can finally say "Good night",

    To all of our privacy rights,

    And the NSA says "ho ho",

    "We don't care where you go, where you go, where you go".

  26. G.Y.


    "we took the money, and we got shafted, but we're not whores".

  27. All names Taken

    Dear RSA

    Please deny all claims that this Agency paid RSA a sum of money.

    The claim is that NSA paid RSA 10 million USD and we both know it was far more considerable than that.

    This will give your denials a plausability that strengthens and empowers RSA anticipated denials.

    We at NSA never ever underestimate the power of plausible deniability and look forward to plausible denial as a matter of urgency.

    Yours sincerely


  28. FordPrefect

    I notice they haven't threatened to sue. That to me speaks volumes.

  29. Avatar of They

    Smells a little to me.

    Like the slight hint of PR desperation.

    ....or sh1t shovelling, whichever you prefer.

  30. Anonymous Coward
    Anonymous Coward

    Doesn't much matter now..

    ...what RSA say, only a moron would believe them in future.

    I daresay they'll still get USA business but any non-USA business or individual is fair game to the NSA and RSA have demonstrated that the NSA has them in their back pocket.

    Bye bye RSA, you won't be missed.

    1. Michael Wojcik Silver badge

      Re: Doesn't much matter now..

      They'll continue to get business because for many organizations, data security is just a checkbox on a list of product features. "We need encryption!" "I bought us some encryption!" "Done!"

      I've seen this plenty of times with SSL/TLS support in products. Customers say they need "secure communications". We tell them how to enable SSL/TLS and give them a primer on certificates and PKI. They complain it's too much work, and stick plaintext passphrases in configuration files. They use weak cipher suites. Their applications trust the client without verifying it; often they disable certificate checks or use ADH and trust the server without verification, too.

      RSA could be caught putting backdoors into BSAFE and selling the keys to the highest bidder, and after apologies and a bit of cooling off, they could put BSAFE right back on the market. Most customers simply don't care. Hell, most of them don't know. They read the name "RSA" in a Wall Street Journal piece once, and that's good enough.

  31. raydpratt

    Standard court-room principles of determining veracity scream "you're lying!"

    Edward Snowden has established his veracity and good intentions several times over, but now the RSA is calling him or his documents lies. The RSA has offered nothing more to refute Edward Snowden's established veracity and good intentions beyond a flat denial. The denial does not even have as much credibility as "I am not a crook" (Richard Nixon), "I did not have sex with that woman" (Bill Clinton), or "American boots will not touch the ground in Syria" (nobody went for that one).

    The hand writing on the wall says that the RSA is already out of business.

  32. JCitizen

    NSA and RSA never had any credibility with me anyway...

    Remember how the Clinton administration whined that they couldn't crack the encryption on the new cell phones back when? The news made me believe they forced a piggyback chip to snoop on folks way back in the day. I don't know how far the US government got with that; but I decided I'd never trust anything not open source every again. Snowden's charges are just not surprising to me at all.

    1. dan1980

      Re: NSA and RSA never had any credibility with me anyway...


      Re: the 'piggyback chip' - it was called 'Clipper'. Do you want to know the funny part? RSA led the fight to dump it.

  33. Drs. Security

    why change the default?

    by standard definition, users and as specially administrators are lazy.

    Yes and that means me myself and I as well :)

    So why change the default security random generator if a security company has that as default?

    They know best, right?

    And why did it take our security community 6 (six) years to shy away from this algorithm only after the NIST told us so in September of this year?

    Do we all have a big stock of butter on our heads?

    Did RSA take the money? Probably. Everything to please the stock markets.

    Did they know the reasons why they were paid to do what they did? Possibly not (at least the people deciding in the top layers did not).

    Were they hacked themselves earlier this year too? Wonder if the attackers used this same backdoor.

    Oh how ironic if true *grin*

This topic is closed for new posts.

Other stories you might like