
We don’t enable backdoors in our crypto products, RSA tells customers

Statement comes after firm said its products used RNG reported to contain NSA backdoor.

Dan Goodin

RSA, the security firm that confirmed two of its products by default use a crucial cryptography component reportedly weakened by the National Security Agency, said such design choices are made independently.

"RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products," the security division of EMC said in a brief statement published Friday. "Decisions about the features and functionality of RSA products are our own."

The post came a day after RSA advised customers of the BSAFE toolkit and the Data Protection Manager to stop using something called Dual_EC_DRBG, which is the default random number generator (RNG) for creating cryptographic keys for both applications. The New York Times recently reported that the technology contained backdoor weaknesses inserted by the NSA before the National Institute of Standards and Technology formally adopted it as a standard in 2006.

Also on Friday, a person familiar with the matter told Ars that the weak RNG "is contained nowhere in RSA SecurID or the RSA Authentication Manager software; it uses a different FIPS-compliant RNG." The clarification is important, since millions of people use the SecurID token to log into sensitive networks operated by the US government and US government contractors.

RNGs, more accurately known as pseudo RNGs, are one of the most crucial parts of an encryption system, because they produce the random sequence of numbers that forms the raw material of the cryptographic keys securing e-mails, Web sessions, and other sensitive communications. If adversaries can predict the numbers produced by an RNG, they can crack the keys in a tiny fraction of the time it would otherwise take.

RSA's confirmation that the Data Protection Manager and particularly BSAFE used Dual_EC_DRBG as the default RNG has angered some cryptographers, who said it never should have been chosen on its technical merits. These critics cited its slowness (it is hundreds of times slower than typical RNGs) and the well-founded doubts about its security voiced as early as 2007.

In a statement issued to Ars on Thursday, RSA Chief Technology Officer Sam Curry defended the decision-making process. He said:

Plenty of other crypto functions (PBKDF2, bcrypt, scrypt) will iterate a hash 1000 times specifically to make it slower. At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard. SP800-90 (which defines Dual EC DRBG) requires new features like continuous testing of the output, mandatory re-seeding, optional prediction resistance and the ability to configure for different strengths.

The technical accuracy of the statement has been widely criticized by some cryptographers, including Johns Hopkins University professor Matt Green and University of Pennsylvania professor Matt Blaze.

Curry later told Wired that RSA chose Dual_EC_DRBG in 2004, "when elliptic curve algorithms were becoming the rage and were considered to have advantages over other algorithms."

RSA's statement on Friday appears intended to respond to speculation, echoed on Twitter, in Ars comments, and elsewhere, that the RNG was chosen for non-technical reasons.

"Following NIST’s decision to strongly recommend against the use of the community developed encryption algorithm standard (known as Dual EC DRBG), RSA determined it appropriate to issue an advisory to all our RSA BSAFE and RSA Data Protection Manager customers recommending they choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit," the statement said. "We are now working with customers to ensure they are using the strongest and safest cryptographic methods possible."


Dan Goodin is Senior Security Editor at Ars Technica.