> We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it.
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation."
The emphasis is mine. This quote allows for the possibility that they entered into a contract with the NSA to incorporate a random number generator that was not yet known to be flawed.
Why the hell would the NSA offer MONEY for you to adopt their encryption proposal if it was actually legitimately good?
It doesn't matter if you have any other information on the security of the algorithm; the fact that they're offering you money should speak for itself.
Well, the NSA has a track record of making public encryption algorithms stronger. They proposed changes to DES which puzzled researchers at the time, but years later were shown to significantly harden the algorithm against some attacks.
I don't have the citation on hand right now, but if I recall correctly their recommendations strengthened DES against mathematical attacks, but weakened it against brute-force attacks.
I don't know what it means to weaken DES against brute-force attacks, but, if I recall correctly, their changes did weaken it against linear crypto analysis. Their change was to replace the random constants of DES's s-boxes with their own constants. They have since then published the criteria that they used to generated these constants. Based on the fact that everything I have read on the subject, and talking with several cryptographers, says that the change was to strengthen DES against differential crypto-analysis, I think it is reasonable to believe that this is supported by looking at how they generated the constants.
NSA suggested decreasing DES's key size. IBM ultimately agreed to use effectively 56-bit* keys. This by definition makes brute force attacks easier. It was apparently criticized at the time, but it's worth noting that there's nothing secretive about it -- it's a basic and obvious element of the algorithm.
The public cryptographic community started brute-forcing DES keys for fun in the '90s; with the NSA's budget, they could have been doing it from the beginning.
* DES keys are 64 bits, but 8 bits are for parity, so the meaningful key length is 56 bits.
The NSA is really bizarre because they have two missions: 1) to break encryption and spy, and 2) to make better encryption so the enemy can't spy on the U.S.
It makes sense if you think about it: Both goals are useful to Uncle Sam and both require the same skill set. The trouble is it obviously creates quite the conflict of interest.
It doesn't make sense. It's set up that way for historical reasons, and because the folk in charge have always really prioritised 1) over 2), and hence have had no motivation to suggest a better alternative.
While a separate organisation might be best, even a division within NSA etc. explicitly tasked with protection rather than intelligence gathering would be preferable to the status quo, so long as its head could be publically known. In the end it comes down to there being no individual with that responsibility. You need someone who is visible in that role, whose mission is purely to protect, overseeing a staff whose mission is purely to protect.
Because while the NSA would love to backdoor your application, they also want to be the only ones who backdoor your application. The NSA would still want to promote security to prevent other malicious attackers from being able to exploit a domestic corporation bad security.
It's in the best interests of national security for the NSA to promote both good and/or backdoored algorithms for all allied nations and their corporations.
Well, they're clearly claiming that the "secret contract" as reported did not exist.
If you're going to call them out on being liars about that (go for it!), might want to make it less ambiguous.
For all its worth, I think RSA probably did help out the NSA with Dual EC DRBG, but:
a) Until I see some source documents from Snowden's stash, it's going to be all very annoying because until you see the terms of the contract (and no, you can't just go by some journalist's summary), you have no idea what RSA/NSA are dancing around
b) Whatever deal there was was probably set up in some fun way to make it all nicely deniable and even plausible sounding.
> Well, they're clearly claiming that the "secret contract" as reported did not exist.
Crap. They're only denying a carefully-worded strawman. They leave open:
1.) Adding support for a known-flawed PRNG for free and then entering into a secret contract with the NSA to make the already-supported PRNG the default.
2.) Entering into a secret contract with someone else (FBI?) to "incorporate" a known-flawed PRNG.
3.) Entering into a secret contract with the NSA to use a PRNG that they didn't yet know to be flawed because they didn't look at it.
Edit: You're right, they did deny it 'as reported', with "Recent press coverage has asserted ...". This could involve a creative reading of "[r]ecent press coverage", or a lie.
Edit: Also, "Crap." wasn't directed at you. I'm sorry. It was directed at RSA; these stories always get me in a lather.
The other thing that gets me is what while they sort of hint that there was no such secret contract, they simultaneously (and rather clearly) state that they cannot divulge customer contracts. So, whether or not it's a "secret" contract is moot; they aren't going to release information about any and all contracts. I guess that effectively makes them all secret, but it seems to me that debating whether or not these contracts are or are not secret is a pointless endeavor. We cannot find out the details of them through RSA (they are contractually obligated not to provide this information), so we must instead rely on the leaked documents Snowden has been providing, assuming it's true. And it probably is.
I think the real kicker here isn't that RSA was intentionally including maliciously modified algorithms as much as the NSA simply bribed^Woffered them $10 million to, err, "prioritize" its inclusion. This is probably more a lesson on distrusting government offers for lucrative contracts in exchange for nifty tools more than anything, IMO.
They also said "... we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products ...". You know, I'm having trouble finding a hole in that one. The full sentence is:
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
Maybe it hinges on misleading commas and the odd "for anyone’s use" part. With some gymnastics, I might be able to interpret that as meaning "we have entered into a contract and engaged in a project with the intention of weakening RSA’s products for some people's use".
They only say that they've never entered into a contract with the intention of weakening their products, not that they've never entered into a contract that did weaken their products without realising it at the time.
Liars. They publicized the $10 million deal?!