On Sep 23, 2013, at 4:20 AM, ianG <[email protected]> wrote:
>>> RSA today declared its own BSAFE toolkit and all versions of its
>>> Data Protection Manager insecure...
>
> Etc. Yes, we expect the company to declare itself near white, and the press
> to declare it blacker than the ace of spades.
>
> Meanwhile, this list is about those who know how to analyse this sort of
> stuff, independently. So...
Indeed.
>> ... But they made Dual EC DRBG the default ...
>
> I don't see a lot of distance between choosing Dual_EC as default, and the
> conclusion that BSAFE & user-systems are insecure.
The conclusion it leads to is that *if used in the default mode*, it's (well,
it *may be*) unsafe. We know no more today about the quality of the
implementation than we did yesterday. (In fact, while I consider it a weak
argument ... if NSA had managed to sneak something into the code making it
insecure, they wouldn't have needed to make a *visible* change - changing the
default. So perhaps we have better reason to believe the rest of the code is
OK today than we did yesterday.)
> The question that remains is, was it an innocent mistake, or were they
> influenced by NSA?
a) How would knowing this change the actions you take today?
b) You've posed two alternatives as if they were the only ones. At the time
this default was chosen (2005 or thereabouts), it was *not* a "mistake". Dual
EC DRBG was in a just-published NIST standard. ECC was "hot" as the best of
the new stuff - with endorsements not just from NSA but from academic
researchers. Dual EC DRBG came with a self-test suite, so it could guard itself
against a variety of attacks and other problems. Really, the only mark against
it *at the time* was that it was slower than the other methods - but we've
learned that trading speed for security is not a good way to go, so that was
not dispositive.
Since we know (or at least very strongly suspect) that the addition of Dual EC
DRBG to the NIST standards was influenced by NSA, the question of whether RSA
was also influenced is meaningless: If NSA had not gotten it into the
standard, RSA would probably not have implemented it. If you're asking whether
NSA directly influenced RSA to make it the default - I doubt it. They had
plenty of indirect ways to accomplish the same ends (by influencing the terms
of government purchases to make that a requirement or a strong suggestion)
without leaving a trail behind.
> We don't have much solid evidence on that. But we can draw the dots, and a
> reasonable judgement can fill the missing pieces in.
And? It's cool for discussion, but has absolutely nothing to do with whether
(a) BSAFE is, indeed, safe if you use the current default (we assume not, at
least against NSA);
(b) BSAFE is safe if you *change* the default (most will likely assume so);
(c) users of BSAFE or BSAFE-based products should make sure the default is not
used in products they build or use (if they're worried about NSA, sure); or
(d) implementors and users of other crypto libraries should change what they
are doing (avoid Dual EC DRBG - but we already knew that).
-- Jerry
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography