科技回声

A tech news platform built on Next.js, carrying global tech news and discussion.

RSA chief believed cryptographers’ warnings on Dual EC DRBG lacked merit (2014)

185 points by jalcazar over 3 years ago

10 comments

tptacek over 3 years ago

Two things real quick:

Art Coviello is a salesman who headed the company that *bought* RSA and took the name. It would be a little weird to expect him to meaningfully know what a cryptographer even is. The idea that Coviello would himself be weighing NIST against crypto eprints is pretty silly.

And, more importantly, the only important cite here is Shumow and Ferguson. Schneier didn't analyze Dual EC (he never did work in elliptic curves at all, and claimed not to trust their math); here, he's simply reporting on Shumow and Ferguson's paper, and he doesn't even say Dual EC was backdoored. Nor, for that matter, do the cites before Shumow and Ferguson.

(Before anyone jumps on my back about this: I basically shared Schneier's take on this, that Dual EC was too conspicuous to really be a backdoor, and that the right response was to ignore and never use it. I was wildly wrong about how prevalent Dual EC was --- I couldn't imagine any sane engineer adopting it, because it's slow and gross. If I'd known before the BULLRUN revelations that, for instance, every Juniper VPN box was using Dual EC, I'd have been a lot more alarmed and a lot less charitable about it. Oh well, live and learn.)
DaftDank over 3 years ago

Reading about this saga in Ben Buchanan's book "The Hacker and the State" made me realize how every government agency (NIST in this case) seems to be always second fiddle to the "needs" of the NSA/national security apparatus. It seems clear from the book that there was a point in time when they essentially just left it in the NSA's hands to develop, knowing it was probably not secure. Not exactly some huge revelation that the national security apparatus can exert power and leverage over other government groups, or even private companies, but the extent to which it happens was surprising.
fmajid over 3 years ago

It is difficult to get a man to understand something when his salary depends upon his not understanding it.

— Upton Sinclair
CamperBob2 over 3 years ago

nullc's flagged comment may not have been the best way to get the point across, but it's an important point nevertheless. Conversations about the US intelligence community's repeated attempts to suppress and subvert modern encryption standards never seem to mention Crypto AG, perhaps the most egregious example we know about. A great article just came out that highlights some of the shenanigans:

https://spectrum.ieee.org/the-scandalous-history-of-the-last-rotor-cipher-machine

    ... In 1966, the relationship among CAG, the NSA, and the CIA went to the next level. That year, the NSA delivered to its Swiss partner an electronic enciphering system that became the basis of a CAG machine called the H-460. Introduced in 1970, the machine was a failure. However, there were bigger changes afoot at CAG: That same year, the CIA and the German Federal Intelligence Service secretly acquired CAG for US $5.75 million.

I'm surprised no one has submitted this one, actually.
johnklos over 3 years ago

From the wonderful fortune(6) database:

    Anyone who is capable of getting themselves made President should on no account be allowed to do the job. -- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

I think the RSA chief can be trusted to do what's in the best financial interest of the RSA, even when that is in contradiction of the correct thing, so long as there's plausible deniability.

I'm glad this is being brought up and not forgotten.
sneak over 3 years ago

It's important to remember that RSA received cash payments from the USG to backdoor this. It wasn't just an "oops, we were insufficiently vigilant". They actively participated.
bdamm over 3 years ago

We keep having this come up with some of the EC curves like NIST P-256 for example. There's no evidence that it is actually backdoored, but the consensus seems to be that the construction is suspicious, unlike the construction for SHA-2.

What do we do with it? Not many in a product development team that is interacting with other companies or organizations can meaningfully defend not using a NIST curve because it looks suspicious.
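As an added illustration of the contrast bdamm draws (example code written for this page, not from the thread, NIST or any project): SHA-2's constants are "nothing up my sleeve" values with a published recipe in FIPS 180-4, so anyone can regenerate them exactly and confirm that the recipe alone fully determines the standard, which is what an auditor cannot do for the unexplained seed behind P-256. The block derives SHA-256's initial state and round constants from the first primes with exact integer arithmetic, then runs a compact SHA-256 on those derived values against hashlib.

```python
import hashlib
import struct
from math import isqrt
MASK32 = 0xFFFFFFFF

def first_primes(n):  # trial division is plenty for n = 64
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes

def icbrt(n):
    """Exact integer cube root (floor) by binary search; no float rounding error."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180-4 recipe: first 32 fractional bits of sqrt(p) resp. cbrt(p), computed exactly.
def frac_sqrt_bits(p): return isqrt(p << 64) & MASK32
def frac_cbrt_bits(p): return icbrt(p << 96) & MASK32

H0 = [frac_sqrt_bits(p) for p in first_primes(8)]   # initial hash state
K = [frac_cbrt_bits(p) for p in first_primes(64)]   # 64 round constants
def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK32

def sha256(msg: bytes) -> bytes:
    """Compact SHA-256 that uses only the constants derived above."""
    h = list(H0)
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bitlen)
    for i in range(0, len(msg), 64):
        w = list(struct.unpack(">16L", msg[i:i + 64]))
        for t in range(16, 64):  # message schedule
            s0 = rotr(w[t-15], 7) ^ rotr(w[t-15], 18) ^ (w[t-15] >> 3)
            s1 = rotr(w[t-2], 17) ^ rotr(w[t-2], 19) ^ (w[t-2] >> 10)
            w.append((w[t-16] + s0 + w[t-7] + s1) & MASK32)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):      # compression rounds
            t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK32
            t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK32
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8L", *h)

def matches_stdlib(msg: bytes) -> bool:
    return sha256(msg) == hashlib.sha256(msg).digest()
```

If the from-recipe digest agrees with hashlib on multi-block input, every one of the 72 constants was reproduced bit-for-bit from the stated rule, with no room for a hidden choice.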
adyavanapalli over 3 years ago

The link to the keynote wasn't resolving in the article, so here's the YouTube link: https://youtu.be/aB2gG-cRj10
baby over 3 years ago

My explanation of the backdoor: https://youtu.be/OkiVN6z60lg
trasz over 3 years ago

RSA, being an American company, cannot refuse NSA's backdoors. Discovery of the backdoor hurt RSA's business, so it's understandable RSA has beef with them.