Thales Blog

The Fall-Out From RSA And NSA Collaboration

December 23, 2013

Andy Kicklighter | Director of Product Marketing

I don’t know if you’ve been following the story Reuters broke last week about RSA and the NSA, based on leaks by Edward Snowden. For those of us in the security community, it's riveting stuff. The substance of the story is that RSA was paid to make an algorithm the NSA had deliberately compromised (Dual EC DRBG) the default random number generator in BSAFE, a widely used cryptographic toolkit for developers. The toolkit is used to create secure web sessions (with TLS), and is also embedded in commercial applications, primarily for securing communications.

In RSA’s defense, it's possible the organization was unaware the standard had been subverted. In fact, in a recent blog post on the topic, RSA categorically denied that it had entered into any kind of "secret contract" with the NSA. It's true that the contract was not secret — investigators found it in public filings — but the deal certainly looks suspicious. A government entity tasked with espionage offers to pay $10 million (1/3 of the revenue for that division for the year) simply for the "convenience" of making this particular standard the default? You don't have to be overly curious to wonder why the NSA was putting that kind of money behind it…

Now, it might seem that this is only the most recent chapter in the ongoing “Snowden and the NSA” story, but I predict that this situation will have far-reaching consequences for a large number of US software and cloud providers (in fact, it has already started to do so). When the initial story broke in September 2013 about the source of the compromise in Dual EC DRBG, it was "old news" to the global security community. (Way back in 2009 the algorithm was identified as "suspect" by researchers, and the security community almost immediately started using other algorithms.) That said, the news did light a fire under many international customers, forcing them to look at the business risk of possible NSA surveillance when they used US software or cloud provider services.

Now, with hard evidence in hand that the NSA is actively compromising cloud providers, as well as US security software and security standards (with this RSA and NSA incident), there is going to be good reason for even friendly governments to pass legislation requiring local control and locally developed software solutions. It seems inevitable that some form of this will happen during 2014. I expect our friends in the EU to be leaders here – especially in Germany, where the NSA tapped the German Chancellor’s phone. And this is just the government side of the story. On the business side, international customers MUST consider that US software, hardware and Cloud offerings have an extremely high potential of being compromised. Yes, I firmly believe that international customers will think long and hard before making business investments in US software and cloud service providers.

It's ironic that US vendors and security analysts have for years whispered, "Don't buy from the Chinese because their products have backdoors," yet here we are, facing exactly the same issue. No two ways about it: the NSA/RSA news is going to have a chilling effect on the top and bottom lines of US companies in some of the fastest-growing segments of high tech. It is already hitting associated areas – Boeing last week lost a $4.5 billion deal to Saab for fighter jets primarily because of “revelations of spying by the U.S. National Security Agency in Brazil.” You can bet that this is only the beginning. And that's a shame.

So what about Vormetric? I'm happy to say that Vormetric does not use the backdoored standard. We use the CTR_DRBG method described in NIST SP 800-90, which is widely believed to be safe. From our perspective, this backdoor-in-a-standard fiasco really highlights the advantages of open standards. There are a lot of brilliant cryptographers out there trying to break encryption standards. On the other side, we have the government — with some of the sharpest minds in cryptography behind closed doors — trying to insert a backdoor into standards. Strong, secure encryption based on open standards is what's needed to keep sensitive data safe – from hackers, insider threats, auditors, and yes, even governments.
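To make concrete what the CTR_DRBG construction named above actually does, here is an added example in Go; it is not Vormetric's or RSA's code and has not been validated against NIST test vectors. It follows the SP 800-90A CTR_DRBG with AES-256, no derivation function and no prediction resistance: a fixed-size block of entropy seeds a (Key, V) pair, output is AES keystream under that key, and the state is re-keyed after every request. Every value it is run with is constructed; the 48-byte entropy input a caller supplies is assumed to come from an approved entropy source, which this example does not provide. The contrast with Dual EC DRBG is that nothing here depends on a fixed constant whose hidden structure could let a third party recover the internal state from output; the only secret is the key derived from the caller's entropy.

```go
package main

import (
	"crypto/aes"
	"errors"
)

// Illustrative CTR_DRBG (NIST SP 800-90A, section 10.2.1): AES-256, no derivation
// function, no prediction resistance. Added teaching example, not Vormetric's code
// and not a validated implementation.
const (
	blockLen       = 16                // AES block size in bytes
	keyLen         = 32                // AES-256 key size in bytes
	seedLen        = blockLen + keyLen // seedlen = 384 bits for AES-256
	reseedInterval = 1 << 48           // generate calls allowed between reseeds
)

type ctrDRBG struct {
	key           [keyLen]byte
	v             [blockLen]byte
	reseedCounter uint64
}

// incrementV computes V = (V + 1) mod 2^128 with V as a big-endian integer.
func incrementV(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// update is CTR_DRBG_Update: encrypt successive V values under Key to get seedLen
// bytes, XOR in the provided data, and split the result into the new Key and V.
func (d *ctrDRBG) update(provided []byte) {
	block, _ := aes.NewCipher(d.key[:]) // key is always 32 bytes, so no error
	temp := make([]byte, 0, seedLen)
	var out [blockLen]byte
	for len(temp) < seedLen {
		incrementV(&d.v)
		block.Encrypt(out[:], d.v[:])
		temp = append(temp, out[:]...)
	}
	for i := range temp {
		temp[i] ^= provided[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:])
}

// Reseed is CTR_DRBG_Reseed: entropy XOR zero-padded additional input goes through
// one update; with no derivation function the entropy must be exactly seedLen bytes.
func (d *ctrDRBG) Reseed(entropyInput, additional []byte) error {
	if len(entropyInput) != seedLen || len(additional) > seedLen {
		return errors.New("entropy must be seedlen bytes; additional input at most seedlen")
	}
	seed := make([]byte, seedLen)
	copy(seed, additional)
	for i := range seed {
		seed[i] ^= entropyInput[i]
	}
	d.update(seed)
	d.reseedCounter = 1
	return nil
}

// newCTRDRBG is CTR_DRBG_Instantiate: the Reseed step applied to the all-zero
// (Key, V), with the personalization string as the optional input.
func newCTRDRBG(entropyInput, personalization []byte) (*ctrDRBG, error) {
	d := &ctrDRBG{}
	if err := d.Reseed(entropyInput, personalization); err != nil {
		return nil, err
	}
	return d, nil
}

// Generate is CTR_DRBG_Generate: output is AES keystream under the current Key;
// the state is then updated so that earlier output cannot be recomputed.
func (d *ctrDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, errors.New("reseed required")
	}
	if len(additional) > seedLen {
		return nil, errors.New("additional input exceeds seedlen")
	}
	add := make([]byte, seedLen) // zero-padded additional input (all zeros if absent)
	copy(add, additional)
	if len(additional) > 0 {
		d.update(add)
	}
	block, _ := aes.NewCipher(d.key[:])
	out := make([]byte, 0, n+blockLen)
	var blk [blockLen]byte
	for len(out) < n {
		incrementV(&d.v)
		block.Encrypt(blk[:], d.v[:])
		out = append(out, blk[:]...)
	}
	d.update(add) // backtracking resistance: the Key that produced out is discarded
	d.reseedCounter++
	return out[:n], nil
}
```

The re-key in `update` after every `Generate` call is what gives the construction its backtracking resistance: once the call returns, the key that produced those bytes no longer exists anywhere in the state. The reseed counter is the other operational check a deployment needs; an implementation that never reseeds from fresh entropy is relying on a single 48-byte seed for its entire lifetime.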