Who uses RSA's BSAFE library? Does anyone know what products use it, or have any statistics on how many end users use something that is built on BSAFE?

Background: BSAFE is one of the oldest cryptography libraries, and among commercially available cryptographic libraries, it is well-respected. However, recent news suggests that BSAFE uses Dual_EC_DRBG as its default pseudorandom number generator. Dual_EC_DRBG, of course, is the algorithm that is suspected to contain an NSA backdoor. Previously, cryptographers had suggested that probably no one uses Dual_EC_DRBG, so the suspected backdoor probably doesn't have much practical impact; however, this news about the BSAFE library suggests we might want to re-examine that conclusion. In particular, it is possible that any backdoor in Dual_EC_DRBG might affect any products which use the RSA BSAFE library, so to assess the impact of this suspected backdoor, it would be helpful to better understand which products use BSAFE, and how many products and how many people rely upon BSAFE for their cryptography.

My question: Who uses RSA BSAFE? Which products are built on top of RSA BSAFE? How do I tell who might be affected by this issue? There's a big difference between an issue that affects a few internal enterprise tools vs. something that affects products used by millions of end users every day -- I'm trying to get a better sense of the degree of the impact of this issue, and to be in a better position to explain to others whether BSAFE's use of Dual_EC_DRBG is a big deal or not.

D.W.

1 Answer

A lot of companies use BSAFE: for a long time, BSAFE was the most successful supported cryptographic toolkit: it predates the success of open source software, it predates the availability of crypto APIs in operating systems, and it predates the expiration of patents on RSA and public-key cryptography in general. And it's always been a reliable, well-tested, well-documented, portable library from a company that ported it everywhere there was a customer and provided support. So, it garnered a lot of customers. The number of developers using BSAFE has presumably declined as the patents expired, export restrictions relaxed (allowing OS crypto APIs), and open source ate the market, but I'm sure there's still a very large number of products that incorporate BSAFE.

Tim Dierks