One thing that was puzzling in the Dec. 20 Reuters report claiming that the National Security Agency paid RSA $10 million dollars, "in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software," was the timing. As noted in RSA's blog entry denying Reuters' claims, RSA adopted the Dual EC random-number-generation standard as a default in 2004, whereas it entered into a contract with the NSA only in 2006.
I don't think there was ever a moment where the NSA said: 'Accept this relatively paltry money and join us in doing all the evil!'
That's a pretty solid reason to think that RSA is (pun intended) in the clear, right? And nobody seems to have taken exception to RSA's claim, a point which commentator Ira Winkler picked up yesterday in a lengthy dismissal of speakers who have opted to boycott the event:
Moreover, RSA claims that it made the algorithm in question the default random-number generator for BSafe in 2004, two years before it supposedly entered into a diabolical conspiracy with the NSA. I have not seen anyone refute RSA's claim, which shouldn't be hard to do if RSA is lying.
Thing is, Winkler's timeline is oversimplified, and lurking in an only slightly more detailed accounting is a fairly plausible explanation for why the NSA would be paying off RSA only in 2006, after the random-number generator was already established as the default. Jeffrey Carr, one of the boycotting speakers, offered a review of the timeline in a comment posted beneath the Winkler commentary:
The NSA approached RSA in 2004 to make Dual EC DRBG the default. Then they went to NIST who approved it with the NSA's help in a draft SP 800-90 in December 2005, which solicited comments. NIST received negative comments about the algorithm (at least three) which were never addressed and which appeared in the final SP in June 2006. More critical research appeared in 2006 and 2007 and still RSA did nothing until the [New York Times] broke the story last September and NIST issued its warning.
So, here's a plausible way to look at the 2004 vs. 2006 discrepancy. RSA may or may not have known that there was a backdoor problem for certain variations of the Dual EC DRBG. Mathematicians knew it would run significantly slower than other algorithms that accomplished the same thing, but the NSA hires more crypto mathematicians than any other organization in the world, and pretty darned good ones too, so it may have convinced RSA that there were perfectly valid reasons to favor this algorithm as the default.
The process of approving the suite that included Dual EC as a NIST standard took time; it was not finalized until 2007. A year earlier, however, research emerged that made it fairly clear that the Dual EC DRBG had significant weaknesses (and then in 2007 the theoretical existence of the specific backdoor was presented publicly). It's because those weaknesses had been out there in full public view that Bruce Schneier blogged, after the standard was approved, that "both NIST and the NSA have some explaining to do."
Isn't it entirely reasonable that RSA, having already been using the Dual EC option as the default in a product for two years, would have asked the NSA for explanations? RSA wouldn't have asked before, back in 2004, because there would have been no reason to. Or perhaps RSA knew in 2004 but would also have known that no one else (besides the NSA) knew.
When 2006 rolled around, they may have been surprised by the emerging reports of problems and started asking the NSA some tough questions. Or RSA may have realized that the general public might be in on the secret and that RSA would be perceived as a co-conspirator with the NSA, the very scenario playing out now.
At that point, it's possible that the NSA said, "Hey, we've got great cryptographers, we're confident about this thing not being 'backdoored,' don't sweat it, and how about if we cement our great working relationship by buying $10 million bucks worth of those cute keyfobs you make?" This seems, at least hypothetically, a lot more consistent with how this kind of "You don't need to look too hard at this, right?" sort of arrangement works. I don't think there was ever a moment where the NSA said, "Accept this relatively paltry money and join us in doing all the evil!"
Obviously I don't know what did or didn't happen (though, like many Americans, I feel like I have a right to know, since that $10 million -- and no one is denying that the money did change hands -- came from our tax dollars), but arguing that RSA couldn't have sold out BSafe to the NSA simply because it made its initial decision in 2004 isn't sufficient proof that RSA didn't collude or have knowledge of the backdoor. There's a reasonably plausible explanation for why the payoff would have come later.
And as a final mental exercise in contemplating what's plausible, have another look at RSA's denial with the above 2006 hypothetical scenario in mind:
We also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use.
Was RSA a victim, a perpetrator or both? We may never know, but the "we'd already picked our default" argument doesn't necessarily settle the debate.
This was first published in January 2014