On 19/09/13 00:23 AM, Lucky Green wrote:

According to published reports that I saw, NSA/DoD pays $250M (per
year?) to backdoor cryptographic implementations. I have knowledge of
only one such effort. That effort involved DoD/NSA paying $10M to a
leading cryptographic library provider to both implement and set as
the default the obviously backdoored Dual_EC_DRBG as the default RNG.


So, boom. Once the finger is pointed so directly, this came tumbling down within a day or two.

http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html?

One mystery is left for me. Why so much? It clearly doesn't cost that much money to implement the DRBG, or if it did, I would have done it for $5m, honest injun! Nor would it cost that to test it nor to deploy it en masse. Documentation, etc.

What are we to conclude was the reason for such a high cost? Conscience sedative? Internal payoffs?


This was $10M wasted. While this vendor may have had a dominating
position in the market place before certain patents expired, by the
time DoD/NSA paid the $10M, few customers used that vendor's
cryptographic libraries.


Another theory - take a fool's money?

And, what happens to RSA now? If this is business-as-usual, does this mean that when the Feds show up to my door with 'a proposal' that I should see the mutual interest in sharing my customers' data with them by means ecliptic & exotic? Take the 30 pieces of silver (adj. for 2000 years of inflation), and be happy they're also keeping my struggling business in the black? Or grey?

Or, is it the new Crypto AG? Is RSA the new byword for sellout? Does RSA go out of business? An Arthur Andersen event?

In which case I have no choice. I have a reason to preserve the privacy of my customers, and tell the NSA I'm not interested in their cyanide pill patriotism.



iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
