[HN Gopher] RSA chief believed cryptographers' warnings on Dual ...
___________________________________________________________________
RSA chief believed cryptographers' warnings on Dual EC DRBG lacked
merit (2014)
Author : jalcazar
Score  : 164 points
Date   : 2021-09-03 13:03 UTC (9 hours ago)
(HTM) web link (jeffreycarr.blogspot.com)
(TXT) w3m dump (jeffreycarr.blogspot.com)

| trasz wrote:
| RSA, being an American company, cannot refuse NSA's backdoors.
| Discovery of the backdoor hurt RSA's business, so it's
| understandable RSA has beef with them.
  | er4hn wrote:
  | This wasn't added via a secret order however. RSA had a
  | business agreement with the NSA to add the backdoor. RSA was
  | paid $10 Million for this.
  | rdtsc wrote:
  | > RSA, being an American company, cannot refuse NSA's backdoors.
  |
  | The key is selling to the American government, and any entity
  | related to it. But no, they can't mandate RSA build anything.
  | Of course, if they refuse, they'll find another company which
  | would, pay them lots of money, and then issue a certification
  | requirement that only this particular backdoor algorithm is
  | "approved" and then wait for RSA to go out of business.
  | elmo2you wrote:
  | Since when can they not refuse an NSA backdoor? Where does the
  | mandate come from, with which the NSA supposedly can instruct
  | commercial/private entities to integrate technological back
  | doors? Does it even have such a legal mandate? I'm sure the NSA
  | will argue that they do, but that doesn't mean they actually
  | have it.
    | bdamm wrote:
    | Government buyers that are less important (e.g. state level
    | tollways) would be mandated to buy the backdoored algorithm
    | by having the federal government cook it into a specification
    | of how to buy tollway equipment, for example. Once the
    | backdoored algorithm is in the product suite, it can be put
    | to work on a more tactical level.
    | trasz wrote:
    | Some of the ways are already known: your company can be
    | denied lucrative government contracts if you deny. Or you
    | might learn you can't export your products due to export
    | restrictions. Other ways are known to exist, but details are
    | not available yet - go read about National Security Letters,
    | or kangaroo "secret courts".
      | HappySweeney wrote:
      | Not that I don't agree, but how do you know the secret
      | courts are kangaroo?
        | Spooky23 wrote:
        | Courts that aren't adversarial are just interpreting law.
        | Secrecy makes it worse by eliminating accountability by
        | the petitioner and judge.
        |
        | For a non-secret example, look at the Social Security
        | "fair hearings", where an administrative law judge
        | basically listens to a petition and makes a decision. The
        | standards vary significantly by locale.
        | kook_throwaway wrote:
        | The fact that it's secret.
        |
        | Also that you aren't even allowed to show up to defend
        | _yourself_. [1]
        |
        | Also that they denied 11 out of 34,000 requests over a 35
        | year period.
        |
        | Also that the judges are appointed by _one person_ and
        | don't even need congressional approval.
        |
        | How could it possibly _not_ be a kangaroo court?
        |
        | [1] https://en.m.wikipedia.org/wiki/Ex_parte
| bdamm wrote:
| We keep having this come up with some of the EC curves like NIST
| P-256 for example. There's no evidence that it is actually
| backdoored, but the consensus seems to be that the construction
| is suspicious, unlike the construction for SHA-2.
|
| What do we do with it? Not many in a product development team
| that is interacting with other companies or organizations can
| meaningfully defend not using a NIST curve because it looks
| suspicious.
| fmajid wrote:
| It is difficult to get a man to understand something when his
| salary depends upon his not understanding it.
|
| -- Upton Sinclair
| johnklos wrote:
| From the wonderful fortune(6) database:
|
|     Anyone who is capable of getting themselves made President
|     should on no account be allowed to do the job.
|     -- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
|
| I think the RSA chief can be trusted to do what's in the best
| financial interest of the RSA, even when that is in contradiction
| of the correct thing, so long as there's plausible deniability.
|
| I'm glad this is being brought up and not forgotten.
| [deleted]
| CamperBob2 wrote:
| nullc's flagged comment may not have been the best way to get the
| point across, but it's an important point nevertheless.
| Conversations about the US intelligence community's repeated
| attempts to suppress and subvert modern encryption standards
| never seem to mention Crypto AG, perhaps the most egregious
| example we know about. A great article just came out that
| highlights some of the shenanigans:
|
| https://spectrum.ieee.org/the-scandalous-history-of-the-last...
|
|     ... In 1966, the relationship among CAG, the NSA, and the
|     CIA went to the next level. That year, the NSA delivered
|     to its Swiss partner an electronic enciphering system
|     that became the basis of a CAG machine called
|     the H-460. Introduced in 1970, the machine was a
|     failure. However, there were bigger changes afoot at CAG:
|     That same year, the CIA and the German Federal
|     Intelligence Service secretly acquired CAG for
|     US $5.75 million.
|
| I'm surprised no one has submitted this one, actually.
| DaftDank wrote:
| Reading about this saga in Ben Buchanan's book "The Hacker and
| the State" made me realize how every government agency (NIST in
| this case) seems to be always second fiddle to the "needs" of the
| NSA/national security apparatus. It seems clear from the book
| that there was a point in time when they essentially just left it
| in the NSA's hands to develop, knowing it was probably not
| secure.
| Not exactly some huge revelation that the national
| security apparatus can exert power and leverage over other
| government groups, or even private companies, but the extent to
| which it happens was surprising.
  | nullc wrote:
  | Budiansky's Code Warriors emphasized the point that the NSA and
  | its precursors have actively withheld information from the
  | civilian government, including the president. Unfortunately,
  | the very secrecy of it prevents us from knowing the full extent;
  | we only know of the specific cases where it's been documented.
  | er4hn wrote:
  | Another problem is how NIST should come up with standards. NIST
  | is in charge of standards, but that means that they need to
  | turn to subject matter experts for each separate field. They
  | need to define the standards for everything from measuring
  | weights, to chemicals in wastewater, to cryptography.
  |
  | So then for each standard you end up with the government
  | equivalent of an open process where there are requests for
  | comments, maybe a meeting or two to discuss, and trusted folks
  | end up defining the bulk of the document with oversight from
  | editors.
  |
  | Where this breaks down is when you have the subject matter
  | expert on crypto in government, the NSA, be interested in
  | undermining the standards for their own specialty to serve
  | their internal agenda.
| tptacek wrote:
| Two things real quick:
|
| Art Coviello is a salesman who headed the company that _bought_
| RSA and took the name. It would be a little weird to expect him
| to meaningfully know what a cryptographer even is. The idea that
| Coviello would himself be weighing NIST against crypto eprints is
| pretty silly.
|
| And, more importantly, the only important cite here is Shumow and
| Ferguson. Schneier didn't analyze Dual EC (he never did work in
| elliptic curves at all, and claimed not to trust their math);
| here, he's simply reporting on Shumow and Ferguson's paper, and
| he doesn't even say Dual EC was backdoored.
| Nor, for that matter,
| do the cites before Shumow and Ferguson.
|
| (Before anyone jumps on my back about this: I basically shared
| Schneier's take on this, that Dual EC was too conspicuous to
| really be a backdoor, and that the right response was to ignore
| and never use it. I was wildly wrong about how prevalent Dual EC
| was --- I couldn't imagine any sane engineer adopting it, because
| it's slow and gross. If I'd known before the BULLRUN revelations
| that, for instance, every Juniper VPN box was using Dual EC, I'd
| have been a lot more alarmed and a lot less charitable about it.
| Oh well, live and learn.)
  | jldugger wrote:
  | > Art Coviello is a salesman who headed the company that bought
  | RSA and took the name. It would be a little weird to expect him
  | to meaningfully know what a cryptographer even is.
  |
  | I don't expect any random person to know, but why would anyone
  | spend that much money to buy that company without doing enough
  | due diligence to what a cryptographer does? I don't imagine
  | they'd be any expert in cryptanalysis, but you'd likely listen
  | to your own cryptographers on RSA staff, right?
  | S_A_P wrote:
  | Not disagreeing with your take, but I think it's important to
  | note that I just don't see it being possible that Art came up
  | with his take without any input from folks in the company. I
  | would imagine there were meetings where these talking points
  | were constructed. Right?
    | tptacek wrote:
    | I think it seems crazy now, but that's because we know a lot
    | more about the practical applications of malicious RNGs; they
    | aren't an abstract concern now. But they kind of were when
    | the big debate was alleged to have happened at RSA.
    |
    | Also: I'm naturally going to sound like I'm defending RSA
    | here, and I am not.
    | I feel like --- I'll probably be proven
    | wrong by this in time because we live in a fallen world ---
    | no major company in the world would in 2021 swap out a
    | crucial cryptographic component for one DOD was demanding
    | while cryptographers were making noise about how janky it is.
    | That should have been the standard in 2007 or whatever, too.
      | wahern wrote:
      | > I think it seems crazy now, but that's because we know a
      | lot more about the practical applications of malicious
      | RNGs;
      |
      | RNGs were understood to be the lynchpin of secure systems
      | for decades, including long before 2007; and it was also
      | widely assumed both now and then that they were one of the
      | most common vectors for attack by the NSA.
      |
      | Why RSA added Dual_EC_DRBG is easy to explain in dollars &
      | cents: 1) RSA was literally paid to add it, and 2) most of
      | RSA's revenue comes, directly or indirectly, through
      | government contracts (e.g. FIPS compliance, etc).
      |
      | As for why RSA insiders didn't speak up: there are
      | mountains of scholarship explaining why people just keep
      | their heads down. Even if you were absolutely convinced
      | beyond a shadow of a doubt that Dual_EC_DRBG was a
      | backdoor, intelligent people are very good at rationalizing
      | things. Anybody who has worked at a large company,
      | including RSA, understands that your day-to-day work and
      | the company's business is as a practical matter <10%
      | technical and >90% everything else (sales, profit seeking,
      | integration, etc, etc). More importantly, if you're a
      | company doing business in a space dominated by U.S.
      | government requirements and processes, or even just
      | patriotic, the NSA having a backdoor is hardly the worst
      | thing in the world. There are amazing cryptographers in
      | China. Even the ones who fancy themselves world citizens
      | and above the fray of nationalism, how many do you think
      | would stick their head out were they in a position to
      | identify possible formal government attempts to manipulate
      | technology?
      |
      | Moreover, a backdoor doesn't necessarily mean insecure;
      | it's not a categorical truth that any backdoor means broken
      | security, that's just a rule of engineering thumb built on
      | the experience that securely maintaining the keys to
      | backdoors is supremely difficult, often more difficult than
      | any other aspect. Nobody has yet come close to _breaking_
      | Dual_EC_DRBG, AFAIU. From a purely technical perspective,
      | Dual_EC_DRBG is still secure. The keys haven't leaked, and
      | the algorithm remains as impenetrable as ever. At the end
      | of the day, that's all the rationalization most people
      | would ever need to keep their head down. The "security" of
      | Dual_EC_DRBG is a socio-political debate, not a technical
      | one.
        | tptacek wrote:
        | I disagree with basically all of this.
        |
        | I disagree that cryptography engineers understood
        | viscerally how good a target RNGs were or how viable a
        | PKRNG would be (further evidence for that would be the
        | contortions attackers have to go through to extract
        | enough wire state from Dual EC to mount the most
        | straightforward attacks). I think you can formulate an
        | argument that any major cryptographic primitive is the
        | "lynchpin", and indeed you see people doing that, for
        | instance with the SIMON/SPECK block cipher designs ---
        | block ciphers, after all, are the lynchpin of secure
        | systems.
        |
        | I agree, obviously, that RSA added Dual EC because DOD
        | demanded it. But most of RSA's revenue didn't come from
        | BSAFE, or even things that relied on BSAFE. They were a
        | crappy token company that bought RSA, then built a bunch
        | of multi-factor authentication stuff that had more to do
        | with IP reputation than with cryptography.
        |
        | I don't really buy that anybody working inside RSA was
        | absolutely convinced that Dual EC was a backdoor. I sort
        | of don't buy that anyone was really even seriously paying
        | attention.
        | I think people think of RSA as a cryptography
        | company, but that is not at all what RSA was at the time
        | this happened.
        |
        | None of this matters, really. We arrive at the same place
        | about RSA's culpability. But if you came to HN hoping to
        | find someone to stick up for RSA's decision here, you
        | haven't been paying attention to the tenor of this place.
        | All you're going to get here is hair splitting; that's
        | the interesting conversation we can actually have.
        | There's no viable debate about whether adopting Dual EC
        | was defensible. Even when I was saying I doubted Dual EC
        | was a backdoor, I still didn't think _using it_ was
        | defensible.
          | wahern wrote:
          | > for instance with the SIMON/SPECK block cipher designs
          | --- block ciphers, after all, are the lynchpin of secure
          | systems.
          |
          | The lynchpin to ciphers is the keys. That's the very
          | definition--proof of security reduces to the question of
          | whether you know the key or not.
          |
          | Unless you exchange a database of one-time pads, you
          | invariably need an RNG to generate keys for your ciphers.
          | _That's_ your lynchpin right there. The _key_ is the
          | lynchpin, and RNGs generate your keys. You don't need to
          | feel it; it's cryptography 101. Granted, it's such a
          | basic and fundamental aspect to secure systems that it
          | usually gets lost in all the bike shedding.
          | healsjnr1 wrote:
          | I've got some direct personal experience in this one. A
          | few key points from how I saw it play out inside:
          |
          | - there was a lot of noise made about this by the bsafe
          | crypto team when it was first implemented (anecdotal, but
          | I trust the people that were there and the context below
          | helps reinforce this). From what I heard there was clear
          | communication that adding EC drbg to the toolkits the way
          | nsa wanted was insecure.
          |
          | - that happened before my time, but by the time I got
          | there it was kind of an inside joke that EC drbg was an
          | NSA backdoor (I think this was around 2010)
          |
          | - the above was tempered by the fact that it was so
          | horrendously slow, no one could imagine it being used
          |
          | - even though RSA demanded it was the default RNG for the
          | toolkit, the first part of documentation strongly
          | suggested changing this default
          |
          | - my memory is that this work on EC drbg funded
          | development of bsafe SSL toolkits. So while the money may
          | have been relatively small, it opened up a new product
          | for BSAFE
          |
          | The smoking gun and the bit that made it really obvious
          | that something was off about this came in its use as part
          | of the TLS toolkits.
          |
          | There was an explicit, but unexplained, requirement that
          | the _first 20 bytes_ of random generated during the
          | handshake were sent unencrypted as part of the handshake.
          |
          | EAY led that crypto team, they knew their stuff and they
          | knew that this was off and there was no legitimate reason
          | for doing this.
          |
          | My take: this team knew what was happening and they made
          | it clear to management. As a really the people who made
          | the decision to take NSA money knew what it was and the
          | implication and went ahead anyway.
          |
          | As a footnote, when we did the cleanup on this we found
          | that in some of the toolkits the way that the 20 bytes was
          | sent was flawed and would have meant that an attempted
          | backdoor using this would have failed. Whether this was
          | intentional or not _shrug_.
            | tptacek wrote:
            | This is great.
            |
            | Just to be clear: the TLS integration and 20 bytes of
            | random stuff was definitely a smoking gun; nobody thinks
            | anything but that Dual EC is a backdoor after learning
            | about it.
            |
            | EAY is Eric A. Young? I didn't realize he'd worked on
            | BSafe.
        | AlexCoventry wrote:
        | > From a purely technical perspective, Dual_EC_DRBG is
        | still secure.
        |
        | I think that depends on the techniques you're thinking
        | of.
        | The usual way of proving such a system is secure is
        | to reduce a break to a solution of a bedrock problem like
        | discrete log, and according to the second reference in
        | the OP, "Cryptanalysis of the Dual Elliptic Curve
        | Pseudorandom Generator", no such proof was provided in
        | this case. I would say that without such a proof, it's
        | not "technically" secure.
      | skinkestek wrote:
      | Just a quick thought:
      |
      | I think it wasn't that long before that NSA had warned
      | against some other crypto that was widely thought to be
      | safe and everyone later realized that it had been a good
      | thing.
      |
      | Can it be that some people thought NSA were doing them a
      | favour again?
        | tptacek wrote:
        | You're probably thinking of DES, which happened long
        | before Dual EC (and long before many of the people
        | working at RSA started their careers). But you can see
        | that effect even today, for instance with NSA's
        | "deprecation" of Suite B cryptography and the shade that
        | cast over conventional elliptic curve cryptosystems.
        |
        | I don't think one can reasonably defend adoption of Dual
        | EC as somehow hedging a bet that NSA had found
        | vulnerabilities in trivial block-based CSPRNGs, though. I
        | think that decision was essentially indefensible, even at
        | the time it was made; it's just more clearly batshit now
        | than it was then.
          | skinkestek wrote:
          | Ok, thanks. I appreciate your opinion on it and guess you
          | are right.
| adyavanapalli wrote:
| The link to the keynote wasn't resolving in the article, so
| here's the YouTube link: https://youtu.be/aB2gG-cRj10
| sneak wrote:
| It's important to remember that RSA received cash payments from
| the USG to backdoor this. It wasn't just an "oops, we were
| insufficiently vigilant". They actively participated.
  | elmo2you wrote:
  | > They actively participated.
  |
  | And that, in my opinion, makes them a criminal enterprise.
  |
  | Maybe not within a US context, for arguably the US government
  | gave them a mandate for this deception.
  | But within an
  | international context they should probably be held accountable
  | and barred from doing business abroad (as they are essentially
  | an agent/extension of a US intel agency).
  |
  | Never going to happen, of course. Not with how that whole
  | industry operates. But that only shows how little the whole lot
  | of them and their industry should be trusted in the first
  | place.
  | some_furry wrote:
  | I feel like this detail isn't emphasized enough in the coverage
  | of RSA's participation with Dual EC. Wasn't it like $10
  | million?
    | sneak wrote:
    | This is important to remember when you see industry
    | professionals paying money to RSA to attend their events, or,
    | worse yet, speaking at them.
    |
    | Supporting those who make us less safe is a clear signal
    | about where your priorities lie.
| nullc wrote:
| WHAT DID YOU SAY? I CAN'T HEAR YOU OVER THE SOUND OF THE $10
| MILLION DOLLARS THAT JUST SPONTANEOUSLY LANDED IN MY LAP.
|
| CONCERNS? YES I AM CONCERNED THAT IF I AM NOT HELPFUL THE CIA
| WILL NOT COLLUDE WITH THE GERMANS TO PURCHASE MY COMPANY OUTRIGHT
| AND USE IT FOR DECADES TO SHIP BACKDOORED CRYPTOGRAPHIC PRODUCTS
| LIKE THEY DID WITH CRYPTO AG. WHAT WAS THAT YOU WERE SAYING ABOUT
| COWS AND FREE MILK?
___________________________________________________________________
(page generated 2021-09-03 23:02 UTC)