I had the pleasure and privilege of attending the RSA security conference in San Francisco last week. With 25,000 attendees it was the biggest RSA conference ever. There were so many exhibitors that they opened up a second building for the booths.
When I asked around why it was so busy this year I got two answers:
- The economy must be improving because it costs a lot to exhibit at these shows
People didn’t come to the conference to debate if Snowden was right or wrong but rather to address the fallout of his revelations. Art Coviello, Executive Chairman of RSA, kicked off the conference addressing one of those revelations in his keynote. He defended RSA’s co-operation with the NSA and the inclusion of an iffy NSA promoted random number generator as the default for their BSafe tool kits (WinMagic doesn’t use the RSA toolkit or the random number generator in question). The NSA has two sides of the house; one to fulfil the mandate of signals intelligence (i.e. spying) and the other is information assurance via the IAD (Information Assurance Directorate). It is the IAD that does a lot of good work that industry can leverage. The selection of Rijndael for the AES (Advanced Encryption Standard) is an example of that good work, and I did not hear one person question the integrity of the AES algorithm at the conference. However, Art said, “When or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits its position of trust within the security community, then that’s a problem. If we can’t be sure which part of the NSA we’re actually working with, and what their motivations are, then we should not work with the NSA at all.” He went on to say he supports splitting off of IAD from the NSA to address the dual mandate problem.
The great thing about the conference is that the sessions allow you to delve deeper into technical detail on the issues at hand. I attended one session on the Cryptography Track titled “The PRNG Debate”. The abstract reads “Several high profile failures of Pseudo-Random Number Generators have recently been reported. In this panel four top experts in the area separate the facts from the hype and discuss promising solutions.” One panelist, Dan Shumow from Microsoft who originally noted the theoretical possibility of a trap door in the NSA random number generator said there was no real scientific proof that it actually has a backdoor. On the other hand Adi Shamir, professor of Computer Science, Weizmann Institute of Science, and the “S” in the famous RSA algorithm said that if it looked and smelt like a trap door then it was probably a trap door. Even Dan Shumow recommended not using it despite the lack of scientific proof that it is rigged.
So as I first wrote in a blog, “The End Of Trust” after the Trusted Computing Conference I don’t know how to gauge how real these concerns are but “trust” has definitely been weakened. Spending on IT security will increase 10 fold as stakeholders work to re-establish trust with new algorithms, infrastructure, products etc. I think next year’s RSA conference is going to be even busier.