Some in the security industry are so upset with RSA, or at least with its lack of clear explanations about the BSAFE toolkit, the NSA and Dual EC DRBG, that they are dropping out as speakers at the RSA Conference in protest. These include Mikko Hypponen of F-Secure, Chris Soghoian of the American Civil Liberties Union, Adam Langley and Chris Palmer of Google, Marcia Hofmann of the EFF, Alex Fowler of Mozilla, and Roel Schouwenberg of Kaspersky Lab.
Thus TrustyCon has sprung up. Organizer Alex Stamos, CTO at NCC Group's Artemis Internet, says he has mixed emotions about the idea of boycotts, and the TrustyCon conference certainly isn't meant to be anti-RSA. But Stamos does say the theme of what can be trusted is going to be discussed, and he predicts that TrustyCon, which will include some of the RSA Conference protesters, will be held for years to come. When asked whether the NSA can be trusted, Stamos says the agency's dual role makes it hard to know which NSA you're talking to at any given time.
"In its information assurance role, it sets standards for business and keeps the U.S. safe from adversaries," says Stamos. But in a more military role, the NSA is engaging in many practices to gain access to information and collect data that aren't necessarily in the interest of business. Many high-tech companies offering all manner of online services feel rather "betrayed" by the Snowden revelations that the NSA has worked so hard to undermine their security to get to information it wants, he pointed out.
Most security experts today do believe Dual EC DRBG is an NSA backdoor, says Stamos. "The bigger problem to companies is: Can you trust NIST?" They can't, he points out, if NIST -- which works closely with the NSA -- is also countenancing NSA backdoors in standards.
The Dual EC DRBG algorithm, standardized by NIST in 2006 in Special Publication 800-90, has made its way into many network products, including by way of the BSAFE toolkit sold by RSA, the security division of EMC. After the outrage last fall over news that Dual EC DRBG is likely an NSA backdoor, NIST re-opened the controversial crypto standard for new comments.
Materials in PowerPoint format posted publicly on NIST's website under the name of NIST computer scientist John Kelsey suggest that the institute does consider it likely that Dual EC DRBG is an NSA backdoor, and that NIST plans to remove it from the standard. Neither Kelsey, who was involved in the original approval process for Dual EC DRBG, nor NIST public affairs was immediately available for comment, perhaps because it is a snow day in the Washington, D.C. area.
The NIST PowerPoint document, titled "800-90 and Dual EC DRBG, John Kelsey, NIST," puts it simply enough about where an NSA trap door may lie.
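To make the trap door concrete, the following is an added toy example; it is not code from the article, from NIST, or from RSA's BSAFE, and it uses a constructed curve rather than the P-256 parameters in SP 800-90. Dual EC updates its state as s <- x(s*P) and emits r = x(s*Q) with the top bits of r dropped. The observation published by Shumow and Ferguson in 2007 is that anyone who knows a scalar d with P = d*Q can take one truncated output, brute-force the dropped bits, lift the x-coordinate back to a point R = s*Q, and compute d*R = s*P, whose x-coordinate is the next internal state. From there every future output is predictable. The curve constants, the secret d, the seed and the 16-of-20-bit truncation below are all illustrative assumptions; the real standard drops 16 of 256 bits, so the real search is 2^16 candidates per output, which is exactly as cheap as it sounds.

```python
# Toy Dual EC DRBG with the trapdoor relation P = d*Q. All parameters are
# constructed for illustration; this is not NIST P-256 and not BSAFE code.
P_MOD = 1_000_003   # field prime (3 mod 4, so a modular sqrt is one exponentiation)
A = 2
Q_PT = (7, 11)      # choose Q first, then solve for B so that Q lies on the curve
B = (Q_PT[1] ** 2 - Q_PT[0] ** 3 - A * Q_PT[0]) % P_MOD
INF = None          # point at infinity

OUT_BITS = 16       # low bits of x(s*Q) that are output; P_MOD < 2^20, so
DROP_BITS = 4       # 4 bits are dropped here versus 16 of 256 in the real DRBG

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_coord(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity")
    return pt[0]

# The trap door: whoever fixed the constants knows d with P = d*Q (assumed secret).
D_SECRET = 123457
P_PT = ec_mul(D_SECRET, Q_PT)

def truncate(r):
    return r & ((1 << OUT_BITS) - 1)

def dual_ec_outputs(seed, n):
    """Victim side: n truncated outputs, stepping s <- x(s*P), r <- x(s*Q) as Dual EC does."""
    s, outs = seed, []
    for _ in range(n):
        s = x_coord(ec_mul(s, P_PT))
        outs.append(truncate(x_coord(ec_mul(s, Q_PT))))
    return outs

def lift_x(x):
    """A point with x-coordinate x, or None if x^3 + A*x + B is a non-residue."""
    c = (x ** 3 + A * x + B) % P_MOD
    y = pow(c, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == c else None

def recover_states(outs, d):
    """Attacker side: from outs[0] and outs[1], return every internal state
    consistent with both, i.e. candidates for the state that produced outs[1]."""
    cands = []
    for hi in range(1 << DROP_BITS):        # brute-force the dropped bits
        x = (hi << OUT_BITS) | outs[0]
        if x >= P_MOD:
            continue
        r_pt = lift_x(x)                    # +-(s_1*Q); the sign does not change x(d*R)
        if r_pt is None:
            continue
        s_next_pt = ec_mul(d, r_pt)         # d*(s_1*Q) = s_1*P, whose x is s_2
        if s_next_pt is INF:
            continue
        s_next = x_coord(s_next_pt)
        r2_pt = ec_mul(s_next, Q_PT)
        if r2_pt is not INF and truncate(x_coord(r2_pt)) == outs[1]:
            cands.append(s_next)
    return cands

def predict_from_state(s, n):
    """Run the generator forward from a recovered state s; first value is the
    output s itself produces, followed by the next n-1 outputs."""
    outs = []
    for _ in range(n):
        outs.append(truncate(x_coord(ec_mul(s, Q_PT))))
        s = x_coord(ec_mul(s, P_PT))
    return outs

def demo(seed=424242, n=6):
    """Returns (actual outputs after the first two, attacker's prediction of them)."""
    outs = dual_ec_outputs(seed, n)
    for s in recover_states(outs, D_SECRET):
        try:
            predicted = predict_from_state(s, n - 1)
        except ValueError:                  # a false-positive candidate that dead-ends
            continue
        if predicted == outs[1:]:
            return outs[2:], predicted[1:]
    return outs[2:], None

if __name__ == "__main__":
    actual, predicted = demo()
    print("actual   :", actual)
    print("predicted:", predicted)
```

The generator only ever reveals x(s*Q); the attack works because d converts that public point into s*P, the very value the generator uses as its next state. Without d, recovering s*P from s*Q is an elliptic-curve discrete-log problem, which is why the standard looked fine to anyone who did not know how P and Q were chosen, and why the NIST document's concern is the provenance of those two constants rather than a flaw in the curve arithmetic.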