[148602] in cryptography@c2.net mail archive


[Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding NSA

daemon@ATHENA.MIT.EDU (Kent Borg)
Sun Dec 22 22:55:23 2013

X-Original-To: cryptography@metzdowd.com
Date: Sun, 22 Dec 2013 21:55:51 -0500
From: Kent Borg <kentborg@borg.org>
To: Cryptography List <cryptography@metzdowd.com>
In-Reply-To: <CAKx4trgAXf+-i+_vR-8o5_bahdp58X+XWRvheHyQyWEnVingrA@mail.gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

From Dave Farber's IP list.  Stunning.  Just stunning.

-kb


-------- Original Message --------
Subject: 	[IP] RSA Response to Media Claims Regarding NSA Relationship
Date: 	Sun, 22 Dec 2013 20:18:28 -0500
From: 	Dave Farber <dave@farber.net>
Reply-To: 	dave@farber.net
To: 	ip <ip@listbox.com>





---------- Forwarded message ----------
From: *Richard Forno*
Date: Sunday, December 22, 2013
Subject: RSA Response to Media Claims Regarding NSA Relationship
To: Infowarrior List <infowarrior@attrition.org>
Cc: Dave Farber <dave@farber.net>


(c/o Jericho)

RSA Response to Media Claims Regarding NSA Relationship
https://blogs.rsa.com/news-media-2/rsa-response/

December 22, 2013

Recent press coverage has asserted that RSA entered into a “secret 
contract” with the NSA to incorporate a known flawed random number 
generator into its BSAFE encryption libraries.  We categorically deny 
this allegation.

We have worked with the NSA, both as a vendor and an active member of 
the security community. We have never kept this relationship a secret 
and in fact have openly publicized it. Our explicit goal has always been 
to strengthen commercial and government security.

Key points about our use of Dual EC DRBG in BSAFE are as follows:

• We made the decision to use Dual EC DRBG as the default in
BSAFE toolkits in 2004, in the context of an industry-wide effort to
develop newer, stronger methods of encryption. At that time, the NSA had
a trusted role in the community-wide effort to strengthen, not weaken,
encryption.

• This algorithm is only one of multiple choices available
within BSAFE toolkits, and users have always been free to choose
whichever one best suits their needs.

• We continued using the algorithm as an option within BSAFE
toolkits as it gained acceptance as a NIST standard and because of its
value in FIPS compliance. When concern surfaced around the algorithm in
2007, we continued to rely upon NIST as the arbiter of that discussion.

• When NIST issued new guidance recommending no further use of
this algorithm in September 2013, we adhered to that guidance,
communicated that recommendation to customers and discussed the change
openly in the media.

RSA, as a security company, never divulges details of customer 
engagements, but we also categorically state that we have never entered 
into any contract or engaged in any project with the intention of 
weakening RSA’s products, or introducing potential ‘backdoors’ into our 
products for anyone’s use.


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.

