On Sep 20, 2013, at 2:08 PM, Ray Dillinger wrote:
> More fuel for the fire...
>
> http://rt.com/usa/nsa-weak-cryptography-rsa-110/
>
> RSA today declared its own BSAFE toolkit and all versions of its
> Data Protection Manager insecure, recommending that all customers
> immediately discontinue use of these products....
Wow. You took as holy writ on a technical matter a pronouncement of the
general press. And not just of the general press, but of RT, a Russian
publication with a clear pro-Russian anti-American bias. (Not that they don't
deliver useful information - I've read them in the past, along with Al Jazeera
and, on the flip side, The Debka Files. They are all valid and useful members
of the press, but their points of view, AKA biases, are hardly a secret.)
The original article in Wired is still a bit sensationalistic, but at least it
gets the facts right.
BSAFE is a group of related libraries of crypto primitives that RSA has sold
for many years. They generally implement everything in the relevant standards,
and sometimes go beyond that and include stuff that seems to be widely accepted
and used. Naturally, they also use the same libraries in some packaged
products they sell.
As far as I know, the BSAFE implementations have been reasonably well thought
of over the years. In my experience, they are conservatively written - they
won't be the fastest possible implementations, but they'll hold their own, and
they probably are relatively bug-free. A big sales advantage is that they come
with FIPS certifications. For whatever you think those are actually worth,
they are required for all kinds of purposes, especially if you sell products to
the government.
I remember looking at BSAFE for use in a product I worked on many years ago.
We ended up deciding it was too expensive and used a combination of open source
code and some stuff we wrote ourselves. The company was eventually acquired by
EMC (which also owns RSA), and I suspect our code was eventually replaced with
BSAFE code.
Since Dual EC DRBG was in the NIST standards, BSAFE provided an implementation
- along with five other random number generators. But they made Dual EC DRBG
the default, for reasons they haven't really explained beyond "in 2004 [when
these implementations were first done] elliptic curve algorithms were becoming
the rage and were considered to have advantages over other algorithms...."
I'd guess that no one remembers now, six or more years later, exactly how Dual
EC DRBG came to be the default. We now suspect that a certain government
agency probably worked to tip the scales. Whether it was directly through some
contacts at RSA, or indirectly - big government client says they want to buy
the product but it must be "safe by default", and "Dual EC DRBG is what our
security guys say is safe" - who knows; but the effect is the same. (If there
are any other default choices in BSAFE, they would be worth a close look.
Influencing choices at this level would have huge leverage for a non-existent
agency....)
Anyway, RSA has *not* recommended that people stop using BSAFE. They've
recommended that they stop using *Dual DC DRBG*, and instead select one of the
other algorithms. For their own embedded products, RSA will have to do the
work. Existing customers most likely will have to change their source code and
ship a new release - few are likely to make the RNG externally controllable.
Presumably RSA will also issue new versions of the BSAFE products in which the
default is different. But it'll take years to clean all this stuff up.
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
