Security chiefs and researchers say the best way to send a message to RSA is to stop using its products
Allegations that security firm RSA is colluding with the National Security Agency (NSA) have led several security professionals to cancel their talks at February’s RSA Conference in San Francisco. Now, some are calling for a complete boycott of the EMC-owned company’s technology.
Jeffrey Carr, author and founder of security firm Taia Global, was outraged by a Reuters article in December that alleged RSA had accepted $10 million from the NSA to include a deliberately-weakened encryption scheme, based on Dual Elliptic Curve Deterministic Random Bit Generation (Dual-EC-DRBG) in its products.
RSA said it would never “design or enable any back doors” in its products, but has not explained why it accepted $10 million from the intelligence agency. The firm said it continued to use Dual-EC-DRBG in its BSafe line of products even after concerns were raised about it in 2007 as the US National Institute of Standards and Technology (NIST) had not recommended any changes to the algorithms.
After leaks from Edward Snowden revealed the NSA had placed a backdoor in Dual-EC-DRBG, the security firm removed the standard from its product line.
RSA ‘cannot escape responsibility’
But Carr, who had already pulled out of the RSA Conference alongside F-Secure’s Mikko Hypponen and Josh Thomas from Atredis Partners, said changes needed to be forced at the EMC division, which was responsible for some of the most widely-used, effective encryption standards in the world.
“RSA cannot escape responsibility for offering a compromised BSafe product for the last 9 years by saying ‘we just followed NIST’ and ‘our customers had a choice’,” Carr said in a blog post.
“This is a gross violation of its own mission statement not to mention its own illustrious history of defending the integrity of encryption against government attempts to weaken it.
“There needs to be an industry-wide boycott of RSA products. It’s not enough to just talk about how bad this is.”
Professor Ross Anderson, head of cryptography at Cambridge University, told TechWeekEurope a boycott of RSA technology was “absolutely fair”. “If you find your wife has been selling sex on the side, then your next call may be to a divorce lawyer,” he said.
“There is abundant precedent. At the end of the Iran-Iraq war, it emerged that the NSA secretly owned Crypto AG, a Swiss firm that sold cipher machines to non-aligned governments. The Iranians worked this out after they noticed that the Iraqis were reading all their traffic (Rumsfeld was a good friend of Saddam in those days). As a result, some governments changed suppliers.”
Anderson pointed to the claim of security researcher and activist Jake Appelbaum that NSA Trojans have been spotted using ciphers from RSA, RC6, to encrypt the data they steal. RC6 is still owned by RSA and is not open source. Anyone who uses it may have to pay a fee.
Peter Sommer, a digital forensics expert, told TechWeek “it is only right that security researchers demand answers from RSA – I’d put Cisco in the same category.”
Boycotting RSA Conference pointless?
Security evangelist at Akamai Martin McKeay, speaking on his personal blog not expressing the views of his employer, said anyone who wanted to send RSA a message should “quit buying their products and tell them why” adding: “That’s a message they’ll hear loud and clear.”
Yet he said the RSA Conference is actually a different company from RSA, so boycotting the event will do little.
“It has its own management structure, its own bottom line, its own profit and loss reporting. And it’s only a small fraction of the overall revenue stream of the corporation,” McKeay wrote. “As such, any impact that boycotting the conference might have is going to be highly diluted when it reaches the management of the central corporation.
“It would take a huge number of attendees failing to show up in order to make an impact.”
RSA had no comment on the calls to boycott its technology and conference.
Are you a security expert? Try our quiz!