The RSA Conference Boycott is Nonsense

The outrage is more about media hype, hypocrisy and grandstanding than firm principles.

By Ira Winkler
Tue, January 14, 2014

Computerworld — Some people are boycotting the RSA Conference. What is that all about?

Ostensibly, it is about the revelations made in a December story from Reuters that claimed that RSA was paid $10 million by the National Security Agency to use a flawed encryption algorithm in its BSafe product, giving the NSA a back door.

But the boycott effort is really about many other things. Things like erroneous assumptions, misguided outrage, hypocrisy, grandstanding and media hype.

It's the media hype that bothers me most really, but I'll get to that later. First, let me fill in some of the details.

Erroneous assumptions

The Reuters story sprang from a September report in The New York Times that said that documents leaked by former NSA contractor Edward Snowden showed that the NSA was able to implement a back door in encryption products by creating a flawed algorithm for generating random numbers. What was new in the Reuters report was the claim that in 2006, the NSA paid RSA $10 million to make that flawed algorithm the default option in its BSafe encryption product.

This alleged complicity in a spying program sparked outrage in certain quarters of the information security community. But the conspiracy theory has several holes.

First, BSafe users were free to choose other random-number generators included with the product. True, most people will never opt out of the default algorithm, but you would think the NSA would get something more for its money than just the possibility that people will deploy the algorithm with the back door.

More seriously, though, how can it be assumed that RSA adopted the flawed algorithm with full knowledge that it was flawed? The algorithm was approved by the National Institute of Standards and Technology (NIST) up until September 2013, when the flaw was discovered. Is it likely that the NSA would have volunteered the information that the algorithm provided a back door? That doesn't sound like the NSA we're familiar with.

Moreover, RSA claims that it made the algorithm in question the default random-number generator for BSafe in 2004, two years before it supposedly entered into a diabolical conspiracy with the NSA. I have not seen anyone refute RSA's claim, which shouldn't be hard to do if RSA is lying.

And to get back to the NIST, it made the algorithm in question a standard, qualifying the BSafe product for FIPS compliance. That means BSafe was deemed safe to use within critical U.S. government operations. My guess is that the U.S. government and its contractors are probably the largest segment of BSafe's customer base. Now, the NIST first had warnings about potential flaws in the algorithm in 2007, but it did not believe there was a significant concern until 2013. That means that U.S. government operations were vulnerable to attack for several years, all because of a deliberately flawed algorithm the NSA is alleged to have introduced into the market.

Continue Reading

Originally published on www.computerworld.com. Click here to read the original story.
Our Commenting Policies