I disagree that cryptography engineers understood viscerally how good a target RNGs were or how viable a PKRNG would be (further evidence for that would be the contortions attackers have to go through to extract enough wire state from Dual EC to mount the most straightforward attacks). I think you can formulate an argument that any major cryptographic primitive is the "lynchpin", and indeed you see people doing that, for instance with the SIMON/SPECK block cipher designs --- block ciphers, after all, are the lynchpin of secure systems.
I agree, obviously, that RSA added Dual EC because DOD demanded it. But most of RSA's revenue didn't come from BSAFE, or even things that relied on BSAFE. They were a crappy token company that bought RSA, then built a bunch of multi-factor authentication stuff that had more to do with IP reputation than with cryptography.
I don't really buy that anybody working inside RSA was absolutely convinced that Dual EC was a backdoor. I sort of don't buy that anyone was really even seriously paying attention. I think people think of RSA as a cryptography company, but that is not at all what RSA was at the time this happened.
None of this matters, really. We arrive at the same place about RSA's culpability. But if you came to HN hoping to find someone to stick up for RSA's decision here, you haven't been paying attention to the tenor of this place. All you're going to get here is hair splitting; that's the interesting conversation we can actually have. There's no viable debate about whether adopting Dual EC was defensible. Even when I was saying I doubted Dual EC was a backdoor, I still didn't think using it was defensible.
I've got some direct personal experience in this one. A few key points from how I saw it play out inside:
- there was a lot of noise made about this by the BSAFE crypto team when it was first implemented (anecdotal, but I trust the people that were there, and the context below helps reinforce this). From what I heard there was clear communication that adding EC DRBG to the toolkits the way NSA wanted was insecure.
- that happened before my time, but by the time I got there it was kind of an inside joke that EC DRBG was an NSA backdoor (I think this was around 2010)
- the above was tempered by the fact that it was so horrendously slow, no one could imagine it being used
- even though RSA demanded it was the default RNG for the toolkit, the first part of documentation strongly suggested changing this default
- my memory is that this work on EC DRBG funded development of the BSAFE SSL toolkits. So while the money may have been relatively small, it opened up a new product for BSAFE
The smoking gun and the bit that made it really obvious that something was off about this came in its use as part of the TLS toolkits.
There was an explicit, but unexplained, requirement that the _first 20 bytes_ of random generated during the handshake were sent unencrypted as part of the handshake.
EAY led that crypto team; they knew their stuff, and they knew that this was off and that there was no legitimate reason for doing this.
My take: this team knew what was happening and they made it clear to management. As a result, the people who made the decision to take NSA money knew what it was and the implication and went ahead anyway.
As a footnote, when we did the cleanup on this we found that in some of the toolkits the way that the 20 bytes were sent was flawed and would have meant that an attempted backdoor using this would have failed. Whether this was intentional or not _shrug_.
Just to be clear: the TLS integration and 20 bytes of random stuff was definitely a smoking gun; nobody thinks anything but that Dual EC is a backdoor after learning about it.
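The reason the "first 20 bytes of random sent in the clear" detail reads as a smoking gun is the structure of Dual EC itself: the DRBG's raw output is the x-coordinate of a point s*Q, and anyone holding a value d with P = d*Q can turn that one leaked output into the next internal state and every output that follows. The toy below is an added illustration for this thread, not code from BSAFE or from any commenter. It assumes a constructed curve y^2 = x^3 + 2x + 2 over F_17 (19 points, so every nonzero scalar is safe), a constructed trapdoor d = 3, and no truncation of the output (real Dual EC drops the top 16 bits, which only adds a bounded brute-force step for whoever holds d).

```python
"""Toy Dual EC DRBG: why leaking one raw output is fatal if the point
relationship P = d*Q is known to someone.  Constructed example for
illustration; the curve and trapdoor are tiny and made up."""

# Constructed curve y^2 = x^3 + 2x + 2 over F_17; the group has prime order 19.
P_MOD, A, B = 17, 2, 2
ORDER = 19


def inv(v):
    """Modular inverse in F_17 via Fermat (pow handles negative v)."""
    return pow(v, P_MOD - 2, P_MOD)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    k %= ORDER
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def x_of(pt):
    return pt[0]


# Dual EC's two public points.  Q is a generator; P is derived from Q with a
# secret scalar D.  Whoever chose the points this way can keep D (constructed
# trapdoor value for this toy; nobody outside knows the real-world analogue).
Q = (5, 1)
D = 3
P = mul(D, Q)                            # (10, 6)


def dual_ec_step(state):
    """One DRBG step: new state s' = x(s*P), output r = x(s'*Q)."""
    new_state = x_of(mul(state, P))
    output = x_of(mul(new_state, Q))
    return new_state, output


def generate(seed, count):
    """Run the DRBG from a seed and return `count` raw outputs."""
    outputs, s = [], seed
    for _ in range(count):
        s, r = dual_ec_step(s)
        outputs.append(r)
    return outputs


def points_with_x(x):
    """Both curve points sharing an x-coordinate (R and -R)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]


def recover_next_state(leaked_output, d):
    """From one raw output r = x(s*Q) and the trapdoor d (P = d*Q), compute
    x(d * (s*Q)) = x(s*P), which is the DRBG's next internal state.
    R and -R give the same x-coordinate, so the result is unambiguous."""
    candidates = {x_of(mul(d, R)) for R in points_with_x(leaked_output)}
    assert len(candidates) == 1
    return candidates.pop()


def predict_from_leak(leaked_output, d, count):
    """Predict the next `count` outputs after seeing a single raw output."""
    s = recover_next_state(leaked_output, d)
    preds = [x_of(mul(s, Q))]            # output that follows the recovered state
    preds += generate(s, count - 1)
    return preds


if __name__ == "__main__":
    real = generate(2, 5)                # what the DRBG actually emits
    print("DRBG outputs:      ", real)
    leaked = real[0]                     # the one value sent in the clear
    print("predicted from leak:", predict_from_leak(leaked, D, 4))
```

The defensive reading is the one the thread arrives at: a DRBG whose outputs are group elements derived from fixed, unexplained points is only as trustworthy as the process that chose those points, and exposing any raw output (as the handshake did) removes the last thing standing between "suspicious design" and "working key recovery". A hash- or block-cipher-based DRBG has no such scalar relationship to exploit, and not sending raw generator output on the wire keeps even a bad generator from being trivially observable.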
EAY is Eric A. Young? I didn't realize he'd worked on BSafe.
> I don't really buy that anybody working inside RSA was absolutely convinced that Dual EC was a backdoor. I sort of don't buy that anyone was really even seriously paying attention.
I guess the second part is a fair point, but for anyone who was paying attention - who read the spec and knew enough about cryptography to understand it - there was no question; Dual EC was clearly, obviously a backdoor[0].
0: With perhaps the remote possibility of being "not a backdoor" (AKA, a backdoor that NSA (provably?) didn't have keys to) so they could later say "see, you thought Dual EC was a backdoor but it wasn't; clearly people shouldn't believe you when you say we put a backdoor in $LESS_OBVIOUSLY_BACKDOORED_THING".
> for instance with the SIMON/SPECK block cipher designs --- block ciphers, after all, are the lynchpin of secure systems.
The lynchpin of ciphers is the keys. That's the very definition: proof of security reduces to the question of whether you know the key or not.
Unless you exchange a database of one-time pads, you invariably need an RNG to generate keys for your ciphers. That's your lynchpin right there. The key is the lynchpin, and RNGs generate your keys. You don't need to feel it; it's cryptography 101. Granted, it's such a basic and fundamental aspect to secure systems that it usually gets lost in all the bike shedding.
You don't think that the NSA offering $10 million to make it a default should have been a smoking gun to the staff at RSA that were aware of the payment?
No, I imagine everyone was aware of the payment. I just think doing stupid shit to close GSA and DOD deals is the norm throughout enterprise software development; what I'm more curious about is whether anyone really gave a shit about this particular stupid thing.
I feel like a hurdle that people arguing the other side of this need to clear, and aren't, is that prior to BULLRUN really not many people were making that much noise† about Dual EC. It was not a secret that it was in BSAFE; it was, according to the post upthread, not just in the documentation, but in the documentation with a warning to disable it!
The tenor of the conversation changed sharply after BULLRUN and people connecting the dots on the TLS random data exposure. But the argument I keep seeing, and the one implicit in this post we're commenting on, is that nobody should have needed BULLRUN to start freaking the fuck out. I disagree with that argument, in a sense (obviously: everyone should have been freaking out.)
† Yes, people were making noise, but they made noise (and still do) about _NSAKEY too. There's a difference between then and now, and it's obviously not just because I finally agree with them now.