Who do you trust? That's a question asked increasingly by a security industry with a growing sense that the National Security Agency (NSA) has sought to weaken encryption or get backdoors into computers, based on documents leaked by Edward Snowden to the media. Now, trust is also the theme of a new conference called TrustyCon that will vie for attention on Feb. 27 in San Francisco while the big RSA Conference for security pros is also taking place in that city.
TrustyCon, organized by iSec Partners, the Electronic Frontier Foundation (EFF) and Defcon, pretty much sold out in a few days after it was announced last week. Microsoft and Cloudflare are sponsoring the event, with others expected to join them, and proceeds go to the EFF. The rise of TrustyCon has been fueled by industry backlash against the NSA, which the security industry widely believes weakened the crypto algorithm called Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) to be a backdoor for the agency.
A document on the National Institute of Standards and Technology (NIST) website suggests computer scientists there, who opened up a review of the NSA-influenced Dual EC DRBG last year, suspect it is a backdoor too, and will recommend removing Dual EC DRBG as a NIST standard.
TrustyCon is also a backlash against security company RSA, which organizes the huge annual RSA Conference. A recent Reuters report said RSA accepted $10 million from the NSA to make Dual EC DRBG the default in its BSAFE toolkit. RSA in late December awkwardly responded to this investigative news story by saying there was no "'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation." Since the BSAFE topic arose, RSA has emphasized it would not knowingly do anything to hurt its customers.
But RSA didn't -- and still won't -- clearly refute the article's main point that RSA had a contract with the NSA related to Dual EC DRBG in the BSAFE toolkit. RSA's response to the world on Dec. 22 says the company has worked with the NSA "both as a vendor and an active member of the security community. We have never kept this relationship secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security." RSA goes on to say it added Dual EC DRBG into BSAFE in 2004. "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
Sources at RSA say this topic of the NSA and trust will be taken up at its conference next month. RSA Executive Chairman Art Coviello typically uses his time in front of thousands of conference attendees to announce new products or strategies, but this year the pressure is on to explain the assertions whirling around BSAFE, Dual EC DRBG and the NSA.