On Sep 23, 2013, at 4:20 AM, ianG <i...@iang.org> wrote:
>>> RSA today declared its own BSAFE toolkit and all versions of its
>>> Data Protection Manager insecure...
> 
> Etc.  Yes, we expect the company to declare itself near white, and the press 
> to declare it blacker than the ace of spades.
> 
> Meanwhile, this list is about those who know how to analyse this sort of 
> stuff, independently.  So...
Indeed.

>> ...  But they made Dual EC DRBG the default ...
> 
> I don't see a lot of distance between choosing Dual_EC as default, and the 
> conclusion that BSAFE & user-systems are insecure.
The conclusion it leads to is that *if used in the default mode*, it's (well, 
it *may be*) unsafe.  We know no more today about the quality of the 
implementation than we did yesterday.  (In fact, while I consider it a weak 
argument ... if NSA had managed to sneak something into the code making it 
insecure, they wouldn't have needed to make a *visible* change - changing the 
default.  So perhaps we have better reason to believe the rest of the code is 
OK today than we did yesterday.)

> The question that remains is, was it an innocent mistake, or were they 
> influenced by NSA?
a)  How would knowing this change the actions you take today?
b)  You've posed two alternatives as if they were the only ones.  At the time 
this default was chosen (2005 or thereabouts), it was *not* a "mistake".  Dual 
EC DRBG was in a just-published NIST standard.  ECC was "hot" as the best of 
the new stuff - with endorsements not just from NSA but from academic 
researchers.  Dual EC DRBG came with a self-test suite, so could guard itself 
against a variety of attacks and other problems.  Really, the only mark against 
it *at the time* was that it was slower than the other methods - but we've 
learned that trading speed for security is not a good way to go, so that was 
not dispositive.

Since we know (or at least very strongly suspect) that the addition of Dual EC 
DRBG to the NIST standards was influenced by NSA, the question of whether RSA 
was also influenced is meaningless:  If NSA had not gotten it into the 
standard, RSA would probably not have implemented it.  If you're asking whether 
NSA directly influenced RSA to make it the default - I doubt it.  They had 
plenty of indirect ways to accomplish the same ends (by influencing the terms 
of government purchases to make that a requirement or a strong suggestion) 
without leaving a trail behind.

> We don't have much solid evidence on that.  But we can draw the dots, and a 
> reasonable judgement can fill the missing pieces in.
And?  It's cool for discussion, but has absolutely nothing to do with whether 
(a) BSAFE is, indeed, safe if you use the current default (we assume not, at 
least against NSA); (b) BSAFE is safe if you *change* the default (most will 
likely assume so); (c) users of BSAFE or BSAFE-based products should make sure 
the default is not used in products they build or use (if they're worried about 
NSA, sure); (d) implementors and users of other crypto libraries should change 
what they are doing (avoid Dual EC DRBG - but we already knew that).

                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
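The reason "if used in the default mode, it may be unsafe" is a concrete risk rather than a reputational one lies in the structure of Dual_EC_DRBG itself: whoever chose the constant Q relative to P can turn a single output block into the generator's next internal state, and from there predict every later output. The following is an added example written for this page; it is not code from the thread, from RSA BSAFE, or from NIST. It assumes NIST P-256 (the FIPS 186-4 constants, checked on the curve at import), uses the NIST base point as P, generates a trapdoor Q = e^-1 * P for a known scalar e, and emits the full x-coordinate as output. The standardized generator discards the top 16 bits of each output block, which costs the attacker a 2^16 search per block but changes nothing else about the attack. Requires Python 3.8+ for pow(x, -1, m).

```python
"""Dual_EC_DRBG trapdoor demonstration on NIST P-256 (pure Python, affine coordinates).

Added example for illustration only: not BSAFE code, not constant time, not for production.
"""
import secrets

# NIST P-256 domain parameters (FIPS 186-4). on_curve(G) verifies them below.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A x + B (mod P)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (leaks timing; fine for a demo)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Decompress an x-coordinate to a point. P = 3 (mod 4), so sqrt(a) = a^((P+1)/4).
    Returns None when x is not on the curve (true for roughly half of all x)."""
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    return (x, y) if (y * y) % P == rhs else None


def dual_ec_step(s, p_pt, q_pt):
    """One Dual_EC_DRBG block: new state s' = x(s*P), output r = x(s'*Q).
    Simplification: the real generator drops the top 16 bits of r."""
    s_new = ec_mul(s, p_pt)[0]
    r = ec_mul(s_new, q_pt)[0]
    return s_new, r


def make_trapdoor_q(e, p_pt=G):
    """Choose Q so that e*Q = P, i.e. Q = e^{-1} * P (inverse taken mod the group order N)."""
    return ec_mul(pow(e, -1, N), p_pt)


def predict_next_output(r, e, p_pt, q_pt):
    """Attacker who knows e: from output r = x(s'*Q) lift the point s'*Q (the sign of y
    does not matter, both choices give the same x after multiplying), multiply by e to
    obtain s'*P, whose x-coordinate is the generator's next state, then compute the
    next output x(s''*Q) exactly as the generator would."""
    R = lift_x(r)
    if R is None:
        raise ValueError("output is not an x-coordinate of a curve point")
    next_state = ec_mul(e, R)[0]
    return ec_mul(next_state, q_pt)[0]


def demo(seed=None, e=None):
    """Run two generator blocks and predict the second from the first.
    Returns (prediction_with_e_correct, prediction_with_wrong_e_correct)."""
    e = e or secrets.randbelow(N - 1) + 1          # trapdoor scalar known only to Q's designer
    seed = seed or secrets.randbelow(N - 1) + 1    # generator seed the attacker never sees
    q_pt = make_trapdoor_q(e)
    s1, r1 = dual_ec_step(seed, G, q_pt)
    _, r2 = dual_ec_step(s1, G, q_pt)
    wrong_e = e + 1 if e + 1 < N else e - 1
    return (predict_next_output(r1, e, G, q_pt) == r2,
            predict_next_output(r1, wrong_e, G, q_pt) == r2)


if __name__ == "__main__":
    assert on_curve(G)
    print("prediction with trapdoor scalar, with a wrong scalar:", demo())
```

The generator here is seeded with a value the attacker never sees; only the first output block and the scalar e are used to predict the second block, and a wrong scalar fails. Nothing in the output of an honest run distinguishes a trapdoored Q from a random one, which is why changing the BSAFE default (or avoiding Dual EC DRBG entirely, as Jerry's point (d) says) is the only check available to a user: you cannot test your way out of it.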