Someone at RSA should grow a pair since the jig is up & no one is fooled anymore.
Can they not find the leadership on hand who understood at some point that something was going on with Dual EC DRBG (the secret sauce behind the RSA BSAFE standard)?
Someone at RSA repeatedly chose to pretend they didn’t notice the signs that the standard was clearly compromised, to avoid angering the NSA. The people in charge of the decision to allow faulty & fake standards to pass as protection frankly feel we are all fools. They are the same sort of people who, if placed at the helm of the Titanic, would see an iceberg on the horizon and steer straight towards it.
- A long time ago: NSA issues changes to DES without much explanation. It is eventually shown by others that they improved it, not backdoored it.
- September 2001: the start of a fundamental change in what the NSA feels its mission and scope are, and everyone outside can see it happening over the next several years.
- June 2004: ANS X9.82, Part 3 draft published with Dual EC DRBG. (This is the earliest reference I can find to starting the standardization process. More documentation here.)
- ~2004: NSA allegedly approaches RSA with an offer for ten million dollars to make Dual EC its default random number generator in the BSAFE library despite it being relatively new, a bit strange, and very slow. We do not know what reasons they gave or what terms may have been agreed to.
- January 2005: first interior-to-standards-group concerns that Dual EC could be backdoored, according to Matthew Green.
- March 2006: Acknowledgements published that an adversary with special knowledge could subvert the proof of Dual EC’s security.
- June 2006: first edition of NIST SP 800-90A, containing Dual EC. It is now claimed by a Reuters source (perhaps someone can give me a cite of at-the-time discussion) that RSA already having deployed it was used as a reason to put it in this standard.
- August 2007: Claims published by Microsoft that Dual EC could contain a backdoor. Everyone eyes it warily and nobody, it seems, deliberately chooses to use it after this point. After all, it is broken in OpenSSL for years and nobody notices. It quietly remains the default in BSAFE.
- September 2013: Luvatfirstbyte covers revelations derived from the Snowden leak that show* Dual EC is definitely deliberately backdoored by the NSA. Absent from the mix, US media fails to cover the story. LAFB reports how RSA acts really surprised. RSA offers some weak excuse that elliptic curves were totally hip (literally in vogue) at the time. RSA does not mention anything about taking anyone’s money. Allegations are posted that an unspecified company accepted ten million dollars to make it their default. Everyone paying attention is pretty sure it’s RSA. (*Smart people disagree with the smoking-gunness of Dual EC being called out specifically by the leak. It’s complicated.)
- December 2013: Reuters points to RSA specifically regarding the ten million dollars. RSA issues a non-denial of such magnitude that I’m driven to rage blog.
It is abundantly clear that, yes, RSA crowned Dual EC as the default before the first published concerns that it could be a backdoor & well before it officially became a NIST standard.
From 2007 to 2013, RSA was in a state of negligence regarding their use of Dual EC as the default. I believe they had all the information necessary to deduce something was wrong and, for whatever reason, did not act, endangering all of their customers & their customers’ customers.
As news broke about the never functionally secure nature of Dual EC just a few months ago, a lot of people in the community said, “Well, nobody used it anyway because everybody knew something was wrong with it.” This attitude strengthens the position that nearly no one actually realized Dual EC was the default in BSAFE and, critically, that RSA cannot really claim they never even suspected a thing at any point.
The reasons RSA did nothing are probably contractual & political, while current PR efforts do no favors for their integrity. At all. Can’t we fast-forward to the future where the crooked have been made straight?