TrustyCon vs. RSA and NSA: New conference pushes trustworthy agenda

Who do you trust? That's a question asked increasingly by a security industry with a growing sense that the National Security Agency (NSA) has sought to weaken encryption or get backdoors into computers, based on documents leaked by Edward Snowden to the media. Now, trust is also the theme of a new conference called TrustyCon that will vie for attention on Feb. 27 in San Francisco while the big RSA Conference for security pros is also taking place in that city.

TrustyCon, organized by iSec Partners, the Electronic Frontier Foundation (EFF) and Defcon, pretty much sold out in a few days after it was announced last week. Microsoft and Cloudflare are sponsoring the event, with others expected to join them, and proceeds go to the EFF. The rise of TrustyCon has been fueled by industry backlash against the NSA, which the security industry widely believes weakened the crypto algorithm called Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) to be a backdoor for the agency.

A document on the National Institute of Standards and Technology (NIST) website suggests computer scientists there, who opened up a review of the NSA-influenced Dual EC DRBG last year, suspect it is a backdoor too, and will recommend removing Dual EC DRBG as a NIST standard.


TrustyCon is also a backlash against security company RSA, which organizes the huge annual RSA Conference. A recent Reuters report said RSA accepted $10 million from the NSA to make Dual EC DRBG the default in its BSAFE toolkit. RSA in late December awkwardly responded to this investigative news story by saying there was no "'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation." Since the BSAFE topic arose, RSA has emphasized it would not knowingly do anything to hurt its customers.

But RSA didn't -- and still won't -- clearly refute the article's main point that RSA had a contract with the NSA related to Dual EC DRBG in the BSAFE toolkit. RSA's response to the world on Dec. 22 says the company has worked with the NSA "both as a vendor and an active member of the security community. We have never kept this relationship secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security." RSA goes on to say it added Dual EC DRBG into BSAFE in 2004. "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

Sources at RSA say this topic of the NSA and trust will be taken up at its conference next month. RSA Executive Chairman Art Coviello typically uses his time in front of thousands of conference attendees to announce new products or strategies, but this year the pressure is on to explain the assertions whirling around BSAFE, Dual EC DRBG and the NSA.

Some in the security industry are so upset with RSA, or at least its lack of clear explanations about the BSAFE toolkit, NSA and Dual EC DRBG, that they are dropping out as speakers at the RSA Conference in protest. These include Mikko Hypponen of F-Secure, Chris Soghoian of the American Civil Liberties Union, Adam Langley and Chris Palmer of Google, Marcia Hofmann of the EFF, Alex Fowler of Mozilla, and Roel Schouwenberg of Kaspersky Lab.

Thus TrustyCon has sprung up. Organizer Alex Stamos, CTO at NCC Group's Artemis Internet, says he has mixed emotions about the idea of boycotts, and the TrustyCon conference certainly isn't meant to be anti-RSA. But Stamos does say the theme of what can be trusted is going to be discussed, and he predicts TrustyCon, which will include some RSA Conference protesters, will be held for years to come. When asked whether the NSA can be trusted, Stamos says the agency's dual role makes it hard to know which NSA you're talking to at any given time.

"In its information assurance role, it sets standards for business and keeps the U.S. safe from adversaries," says Stamos. But in a more military role, the NSA is engaging in many practices to gain access to information and collect data that aren't necessarily in the interest of business. Many high-tech companies offering all manner of online services feel rather "betrayed" by the Snowden revelations that the NSA has worked so hard to undermine their security to get to information it wants, he pointed out.

Most security experts today do believe Dual EC DRBG is an NSA backdoor, says Stamos. "The bigger problem to companies is: Can you trust NIST?" They can't, he points out, if NIST -- which works closely with the NSA -- is also countenancing NSA backdoors in standards.

The Dual EC DRBG algorithm, standardized by NIST in 2006, has made its way into many network products, including via the BSAFE toolkit sold by RSA, the security division of EMC. After outrage last fall over news that Dual EC DRBG is likely an NSA backdoor, NIST re-opened the controversial crypto standard for new comments.

Materials in PowerPoint format posted publicly on NIST's website under the name of NIST computer scientist John Kelsey suggest that the institute does believe Dual EC DRBG could well be an NSA backdoor and that NIST plans to remove it as a standard. Neither Kelsey, who was involved in the original approval process for Dual EC DRBG, nor NIST public affairs was immediately available for comment, perhaps because it's a snow day in the Washington, D.C. area.

The NIST PowerPoint document, titled "800-90 and Dual EC DRBG, John Kelsey, NIST," states simply enough where an NSA trap door may lie.

In a technical description of Dual EC DRBG's "parameters, P & Q," which came "ultimately from designers of Dual EC DRBG at NSA," the basic question is: "What if you don't trust the people who generated P and Q?"

The NIST document then states, "P and Q can be generated to insert a backdoor," noting this issue was raised years ago. The NIST document says news stories suggesting that Dual EC had a trap door inserted by the NSA "put the discussions in an entirely different light." NIST issued a "bulletin telling everyone to stop using Dual EC DRBG until further notice" back in the fall of last year.
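To make concrete what "P and Q can be generated to insert a backdoor" means, here is an added toy illustration (not from the article, NIST's slides or RSA's BSAFE): a miniature Dual EC DRBG on a constructed curve y^2 = x^3 + x over F_10007, where the "designer" created P as a secret multiple E of Q (equivalently, Q as a known multiple of P). The curve, points, seed and E are all constructed assumptions; whoever holds E turns one output into the following one, which is why the provenance of the parameters, not just the algorithm, decides whether the generator can be trusted.

```python
# Added toy example, not the article's, NIST's or RSA's code. Curve, points,
# the trapdoor scalar E and the seed are constructed for illustration only.
P_MOD = 10007                    # prime with p = 3 (mod 4): square roots are easy
N = P_MOD + 1                    # group order of y^2 = x^3 + x over F_p (= 10008)
O = None                         # point at infinity
_inv = lambda n: pow(n % P_MOD, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + x (mod P_MOD)."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    lam = (3*x1*x1 + 1) * _inv(2*y1) if p1 == p2 else (y2 - y1) * _inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = O
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def point_from_x(x):
    """Lift an x-coordinate to a curve point; None if x is not on the curve."""
    rhs = (x*x*x + x) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y*y % P_MOD == rhs else None

# Q: first point of full order N (checked against N's prime factors 2, 3, 139).
# P is produced by the "designer" as E*Q; nobody else is told E.
Q = next(pt for pt in map(point_from_x, range(2, P_MOD))
         if pt and all(mul(N // f, pt) is not O for f in (2, 3, 139)))
E = 1234567                      # constructed trapdoor scalar
P = mul(E, Q)

def dual_ec_step(s):
    """One toy round (no output truncation): returns (next_state, output)."""
    s_next = max(1, mul(s, P)[0])         # x(s*P); the degenerate state 0 maps to 1
    return s_next, mul(s_next, Q)[0]      # output is x(s_next*Q)

def predict_next_output(r):
    """Holder of E: from one output r, recover the output that follows it."""
    R = point_from_x(r)                   # R = s_next*Q (sign of y is irrelevant)
    s_after = max(1, mul(E, R)[0])        # E*R = s_next*P, so x(E*R) is the next state
    return mul(s_after, Q)[0]
```

With parameters generated verifiably at random (or with Dual EC DRBG removed, as NIST planned), no party holds a relation like E, and this prediction step is unavailable.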

"Our current plan is to remove Dual EC DRBG," the NIST document states. "Its performance is pretty slow; many vendors have already scrambled to remove or disable it in their products." The document says there may be a "phase-out period."

The topic of the NSA and trust keeps grinding along in countless media reports. Today, for instance, at the World Economic Forum Annual Meeting in Davos, Switzerland, Yahoo CEO Marissa Mayer is quoted as saying during a panel discussion that she wants the Obama administration to provide greater transparency on data collected by the NSA. "We need to be able to rebuild trust with our users, not only in the U.S. but internationally," she said.

However, in his speech about the NSA last week, President Obama did not take up the prickly topic of NSA backdoors or weakening encryption, leaving no indication he will.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
