On Sep 20, 2013, at 2:08 PM, Ray Dillinger wrote:
> More fuel for the fire...
> http://rt.com/usa/nsa-weak-cryptography-rsa-110/
> RSA today declared its own BSAFE toolkit and all versions of its
> Data Protection Manager insecure, recommending that all customers
> immediately discontinue use of these products....
Wow.  You took as holy writ on a technical matter a pronouncement of the 
general press.  And not just of the general press, but of RT, a Russian 
publication with a clear pro-Russian anti-American bias.  (Not that they don't 
deliver useful information - I've read them in the past, along with Al Jazeera 
and, on the flip side, The Debka Files.  They are all valid and useful members 
of the press, but their points of view, AKA biases, are hardly a secret.)

The original article in Wired is still a bit sensationalistic, but at least it 
gets the facts right.

BSAFE is a group of related libraries of crypto primitives that RSA has sold 
for many years.  They generally implement everything in the relevant standards, 
and sometimes go beyond that and include stuff that seems to be widely accepted 
and used.  Naturally, they also use the same libraries in some packaged 
products they sell.  

As far as I know, the BSAFE implementations have been reasonably well thought 
of over the years.  In my experience, they are conservatively written - they 
won't be the fastest possible implementations, but they'll hold their own, and 
they probably are relatively bug-free.  A big sales advantage is that they come 
with FIPS certifications.  For whatever you think those are actually worth, 
they are required for all kinds of purposes, especially if you sell products to 
the government.

I remember looking at BSAFE for use in a product I worked on many years ago.  
We ended up deciding it was too expensive and used a combination of open source 
code and some stuff we wrote ourselves.  The company was eventually acquired by 
EMC (which also owns RSA), and I suspect our code was eventually replaced with 
BSAFE code.

Since Dual EC DRBG was in the NIST standards, BSAFE provided an implementation 
- along with five other random number generators.  But they made Dual EC DRBG 
the default, for reasons they haven't really explained beyond "in 2004 [when 
these implementations were first done] elliptic curve algorithms were becoming 
the rage and were considered to have advantages over other algorithms...."

I'd guess that no one remembers now, six or more years later, exactly how Dual 
EC DRBG came to be the default.  We now suspect that a certain government 
agency probably worked to tip the scales.  Whether it was directly through some 
contacts at RSA, or indirectly - big government client says they want to buy 
the product but it must be "safe by default", and "Dual EC DRBG is what our 
security guys say is safe" - who knows; but the effect is the same.  (If there 
are any other default choices in BSAFE, they would be worth a close look.  
Influencing choices at this level would have huge leverage for a non-existent 

Anyway, RSA has *not* recommended that people stop using BSAFE.  They've 
recommended that they stop using *Dual DC DRBG*, and instead select one of the 
other algorithms.  For their own embedded products, RSA will have to do the 
work.  Existing customers most likely will have to change their source code and 
ship a new release - few are likely to make the RNG externally controllable.  
Presumably RSA will also issue new versions of the BSAFE products in which the 
default is different.  But it'll take years to clean all this stuff up.
                                                        -- Jerry

The cryptography mailing list

Reply via email to