The One Big Question About RSA and Its Relationship With the NSA
Last week, the Internet security world was jolted by a Reuters report detailing a secret $10 million payment to the security company RSA from the National Security Agency. The source of the information, Reuters said, came from new documents from former NSA contractor Edward Snowden.
The point of the payment, according to the report, was to help the NSA boost the adoption of a formula it had created for generating random numbers, which was then inserted as the default option on RSA security products. The result would essentially amount to the creation of a “back door,” giving the NSA the ability to decrypt Internet traffic that had been encrypted using a product known as BSafe.
On Sunday, RSA, a division of storage and IT giant EMC best known for its widely used security tokens, denied the report in a corporate blog post. It said that it has worked with the NSA for years and has never kept the relationship a secret, doing so with the intent of strengthening security products used in both the government and private sectors.
But its explanation is incomplete — RSA’s statement has been attacked by many — and leaves many questions. Among them is one big one that hangs above all the others: What did RSA know about the algorithm that was ultimately found to contain the “back door,” and, perhaps more importantly, if it did have some idea, why did it say nothing about it for six years?
The problematic formula is known as Dual EC DRBG, which stands for Dual Elliptic Curve Deterministic Random Bit Generator. Generating a random number is a crucial function in encrypting communications on the Internet.
RSA included the software libraries for using it in BSafe products beginning in 2004. At the time, the method was on its way to being approved by the U.S. National Institute of Standards and
Time Technology for use by the federal government. NIST’s stamp of approval on encryption technology is generally considered important for the private sector, as well. NIST approved it in 2006, and including it was required in any product that was to be approved for use under FIPS 140-2, the Federal Information Processing Standard regarding cyber security.
By mid-2007, the NSA’s back door had been discovered. According to an entry on the Open Sourced Vulnerability Database, researchers at Microsoft had found that Dual EC DRBG “contains a flaw that may allow a specific organization to decrypt any current or future traffic utilizing this cryptography.” The entry also contains a warning: “The United States National Security Agency (NSA) maintains a private key that will decrypt output.”
Even after these concerns arose, according to RSA, it continued to defer to NIST as to whether Dual EC DRBG was still reliable. As long as NIST maintained its approval, which it did even after the findings of the Microsoft researchers became public, RSA continued to stand behind Dual EC DRBG, considered products using the algorithm to be secure, and represented that to its customers.
It wasn’t until this year — after documents released by Snowden revealed that the NSA had managed to compromise much of the encryption technology used around the world — that attention turned back to those questions raised by the Microsoft researchers in 2007.
After those disclosures, in September, NIST walked back its approval of Dual EC DRBG. One thing we don’t know: Why did it take NIST so long to act?
But the bigger question lies at RSA’s door. Once NIST acted, RSA quickly followed suit. As it says in its statement: “When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.”
What that implies is that for six years it either conducted no research of its own to either duplicate or challenge the findings of the original Microsoft researchers. Or, if it did any such research, it did not disclose the results to the public or its customers. After the vulnerability was found, Dual EC DRBG still continued to be the default option on its BSafe products, and remained so until recently.
I asked RSA about this, and was told that the company won’t be commenting on the matter beyond what it already said in Sunday’s blog post. But the concern goes straight to the heart of the questions from computer security pros, who for years have trusted RSA to give them sound advice on securing their systems.
Indeed, there’s now talk of boycotting RSA’s annual conference, easily one of the biggest security-oriented events of the year. And at least one high-profile speaker has already announced his intention to cancel a scheduled talk.
Expect the pressure to intensify on RSA in the coming weeks as security pros clamor for a fuller explanation.