22 December 2013
NSA Kills RSA
Date: Sun, 22 Dec 2013 10:17:31 +0300
From: ianG <iang[at]iang.org>
To: Phillip Hallam-Baker <hallam[at]gmail.com>
Cc: John Kelsey <crypto.jmk[at]gmail.com>,
Subject: [Cryptography] RSA is dead.
On 21/12/13 20:59 PM, Phillip Hallam-Baker wrote:
On Sat, Dec 21, 2013 at 1:37 AM, ianG <iang[at]iang.org
We know more than that. They stated they were the sole editor. They
claim the mission to subvert, as laid out very clearly in their goals (snippet
above). They have the capability, beyond ours. There is sufficient
information to show that there was a programme of convincing suppliers to
prioritise in that direction.
Just on that last point, new data came out yesterday.
"Undisclosed until now was that RSA received $10 million in a deal that set
the NSA formula as the preferred, or default, method for number generation
in the BSafe software, according to two sources familiar with the contract."
"RSA adopted the algorithm even before NIST approved it. The NSA then cited
the early use of Dual Elliptic Curve inside the government to argue successfully
for NIST approval, according to an official familiar with the proceedings.
RSA's contract made Dual Elliptic Curve the default option for producing
random numbers in the RSA toolkit. ..."
In fairness to Art et al, I very much doubt the NSA came along and said,
'here is $10 to drop a back door into BSafe'.
I doubt that too, although there are reports that this sort of thing happened
What is clear is that the team did their research and figured out who would
be open to such things. RSA was vulnerable, we know the channel and
motives: money, business decisions, weakened core crypto team.
Phillip Hallam-Baker wrote:
The deal was reported at the time, I heard it as 'NSA pays RSA $10
million to make ECC available in BSafe'. Which was not at all surprising
given that we know RSA2048 (maybe RSA4096) is the end of the line for
I heard it as "and we especially want the DUAL_EC to be the default RNG".
That is, it was an actual request, and it was part of the contract discussions.
Now, the thing to realise is that this is benign from RSA's pov, but only
seemingly benign from NSA's pov. This is how it is done -- an unauditable,
unverifiable, benign, totally reasonable shift.
Phillip Hallam-Baker wrote:
But the point I want to make here is we need to avoid accusing people of
being in league with the devil when all they actually did was not ask the
right questions or enough questions.
Absolutely, we need to separate the people from the problem. Old Dutch
expression: go soft on the people, go hard on the problem.
Nobody needs to accuse the RSA folk of being evil. Nor should we accuse
the NSA of being stupid, and to say they wouldn't do such things is simple
The NSA are very smart. They know how to figure out the openings, what
is possible. They know how to convince someone who wants to be
convinced. $10m makes someone want to be convinced.
As I seem to be saying a lot, *it is their job* ! The NSA are spies,
after all, and they're very good at it. If this doesn't make any sense,
read more spy novels -- there is a common thread, *the asset always loses*.
So what about RSA? One could say that RSA were naive, or innocent,
or tricked. It can happen to all of us.
But, RSA didn't make one small mistake, they made two huge mistakes.
What was RSA's job? Their job was to serve their customers with secure
crypto. They didn't, instead, they allowed an interested party to get
between them and the customers, which was an abrogation of their self-claimed
"Unlike alternatives such as open source, our technology is backed by highly
regarded cryptographic experts."
This mistake is not like (say) an airline being tricked into revealing their
customer list or a phone company being tricked into letting someone tap their
fibres. An airline flies people in planes, a phone company delivers
calls, they aren't in the privacy business.
This is like an airline dropping maintenance, and putting planes into
mountains. RSA was in the crypto business -- it shipped dodgy crypto.
They made the one mistake that is impossible to argue away: Negligence
in the core business.
It's still just one mistake. Where RSA made their second mistake ,
and crossed into gross negligence was when all the warnings came out (2007,
*RSA did nothing* .
It's all over. For the sake of the entire crypto business, RSA must
be blacklisted. Every provider must be taught that breaking trust in
core business with customers is unacceptable.
And, don't blame me for this rationale. The NSA must be taught that
if they wish to pervert a supplier, the responsibility for its failure must
come back to the NSA. The NSA brought RSA down.
Phillip Hallam-Baker wrote:
NSA recruitment is already down by a third. I suspect their technical
recruitment is down to zero. Pre Snowden a spell at the NSA was a good
thing to have on your resume. After Snowden it is like haveing a
conviction for hacking.
Yup. And no doubt RSA sales are down a long way. On this dire
thread, this is a termination event; if I was boss at EMC I'd be looking
at breaking up the division, selling it. At a minimum, re-branding
it and cleaning out the staff.
All this at NSA's door. Who think it is fine to destroy their own country's
industry to get a leg-up on a bunch of net cowboys and towelheads.
And they still aren't taking it seriously, still saying they are doing god's
work, protecting Americans from idiots with firecrackers, to paraphrase that
Strange bunch of people.
Date: Sun, 22 Dec 2013 08:52:18 -0500
From: Phillip Hallam-Baker <hallam[at]gmail.com>
Subject: Re: [Cryptography] RSA is dead.
On Sun, Dec 22, 2013 at 2:17 AM, ianG <iang[at]iang.org> wrote:
[Snip message above]
The job of the NSA was to make America safe. They have not been doing that
job at all.
Over the past twenty years the industrialized world has become dependent
on the net as a critical infrastructure. Without power and water it is not
possible to live in the urban population densities we live in today. Without
the net there is no food on the shelves of the supermarkets.
Instead of eliminating the vulnerabilities in the critical infrastructure,
the NSA has worked to make them bigger and create new ones.
The civil industry can't work with the agency that is meant to be working
on the same problems. The NSA has completely destroyed the trust that was
I find it very hard to see who is going to be joining the NSA now. It used
to be that they were the only game in town if you wanted to do crypto. Then
they became a place where you would get paid rather less than in industry
but get to work with the best people and emerge with a stellar resume. Now
they are a place where you will be paid less than in the commercial crypto
world, you will be considered a pariah in your local community and your resume
will be toxic afterwards.
The NSA has become the crypto world equivalent of Fox 'News': once you work
there you can't work anywhere else in the industry.
And, don't blame me for this rationale. The NSA must be taught that if they
wish to pervert a supplier, the responsibility for its failure must come
back to the NSA. The NSA brought RSA down.
No the lesson is that nobody works with the NSA.
If the US government wants to do anything to protect the country against
cyber attack they are going to have to set up a civil run, civil led organization
to do the work
The cryptography mailing list