Tuesday, Feb 25 2013 - Today, RSA opened their annual security conference and Restore the Fourth SF was there to protest. RSA’s history of bad actions is beyond the pale and could not go unanswered.
- In 2004, RSA selected an elliptic curve random number generator called DUAL_EC_DRBG as the default in their products.
- In 2007, two Microsoft researchers discovered that DUAL_EC_DRBG has predictable output known only to the designer of the algorithm. This would permit the NSA to discover secret cryptographic keys generated by this random number generator.
- In September 2013, the revelations about mass NSA surveillance made the situation with DUAL_EC_DRBG untenable and RSA changed their guidance to customers.
- In December 2013, Reuters obtained the original contract between RSA and the NSA that specified the selection of DUAL_EC_DRBG and a payment of $10 million.
These questions are a matter of public record. The fundamental question: was RSA ignorant of the state of the art in cryptography research and thus grossly negligent, or were they co-conspirators with the NSA?
- Was RSA aware of patent US2007189527 that discloses the backdoor in DUAL_EC_DRBG?
- Was RSA aware of the publication of the backdoor by Dan Shumow and Niels Ferguson from Microsoft?