RSA denies the NSA paid it to ship a deliberately weakened encryption tool to customers
The company warned in September that two of its products had been deliberately weakened by technology created by the NSA, which effectively created a backdoor that would make it easier to access private communications.
According to a Reuters report on Friday, what it didn’t tell customers was that those weaknesses were put there knowingly, in return for a $10 million payment as part of a “secret contract” with the NSA.
Categorical RSA denial
“We categorically deny this allegation,” said an RSA statement. RSA acknowledges that it does paid work for the NSA on government security, but says the decision to use the algorithm was its own.
Back in September, leaks from Edward Snowden claimed that the NSA had deliberately weakened a random number generator called the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). The generator derives its output from two fixed points on an elliptic curve; whoever chose those points can hold a secret relationship between them that lets them recover the generator’s internal state from a short run of its output and predict every number it produces afterwards, which in turn exposes any keys or nonces derived from those numbers.
RSA made Dual_EC_DRBG the default generator in its BSAFE toolkit for developers, and Reuters claims RSA sources have told it that the NSA paid $10 million for that choice, a figure which represents about a third of the annual revenue of the RSA division concerned.
In its defence, RSA points out that it adopted the algorithm back in 2004, when the NSA was still widely trusted. Although it is the default option within BSAFE, the product has always offered other generators, and, RSA implies, it only kept using this one because government contracts required a NIST-approved, FIPS-validated generator, and Dual_EC_DRBG was one of the approved options.
The algorithm’s weakness is not the fresh news some reports have made it out to be. Back in 2007, Microsoft researchers Dan Shumow and Niels Ferguson showed that whoever chose the generator’s two curve points could hold a secret value that recovers its internal state from roughly 32 bytes of output, effectively a backdoor allowing its output to be predicted; Bruce Schneier wrote the finding up in Wired at the time. Since then, security people who keep up have used it only when required to do so in government contracts.
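To make the Shumow–Ferguson trapdoor concrete, here is an added example that is not code from RSA, NIST or the Reuters report. It scales the construction down to a constructed 97-element curve so the whole attack runs instantly; the prime, curve constants, seed and two-bit truncation are made-up stand-ins for P-256 and the real 16-bit truncation, but the algebra is the same: the party that published Q as e·P keeps d = e⁻¹ mod N, and d·(s·Q) = s·P is exactly the generator’s next state.

```python
"""Toy Dual EC DRBG with a trapdoored Q (constructed example, not RSA or NIST code).

The curve, prime and truncation below are tiny stand-ins for P-256 so the
whole attack runs in milliseconds; the algebra is the same as the real one.
"""
import secrets
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P_MOD). B = 5 is a
# quadratic non-residue mod 97, so no affine point has x == 0; x == 0 is
# reserved for the point at infinity (see x_of / lift_x).
P_MOD = 97
A, B = 2, 5
INF = None                                              # point at infinity
TRUNC_BITS = 2                                          # top bits dropped per output (real Dual EC: 16 of 256)
OUT_MASK = (1 << (P_MOD.bit_length() - TRUNC_BITS)) - 1  # keep the low 5 bits


def ec_add(p1, p2):
    """Group law on the short-Weierstrass curve in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    """x-coordinate as an integer; 0 stands for the point at infinity."""
    return 0 if pt is INF else pt[0]


def lift_x(x):
    """All curve points with x-coordinate x (both y signs; INF for x == 0)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    pts = [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]
    return pts + ([INF] if x == 0 else [])


def point_order(pt):
    k, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        k += 1
    return k


# Public generator point P: the first x >= 1 that lifts to the curve.
P_GEN = next(lift_x(x)[0] for x in range(1, P_MOD) if lift_x(x))
N_ORDER = point_order(P_GEN)


def choose_trapdoor():
    """Secret exponent e with gcd(e, N) == 1, as the party choosing Q would pick."""
    while True:
        e = 2 + secrets.randbelow(N_ORDER - 2)
        if gcd(e, N_ORDER) == 1:
            return e


def make_backdoored_q(e):
    """Publish Q = e*P; keep d = e^-1 mod N so that d*Q == P."""
    return ec_mul(e, P_GEN), pow(e, -1, N_ORDER)


def dual_ec_step(s, Q):
    """One Dual EC iteration: s <- x(s*P); output x(s*Q) with the top bits dropped."""
    s = x_of(ec_mul(s, P_GEN))
    return s, x_of(ec_mul(s, Q)) & OUT_MASK


def dual_ec_outputs(seed, Q, count):
    """What an honest user sees: `count` truncated outputs from a secret seed."""
    s, outs = seed, []
    for _ in range(count):
        s, r = dual_ec_step(s, Q)
        outs.append(r)
    return outs


def predict_future(observed, Q, d, count):
    """Attacker with d: guess the dropped bits of observed[0], lift each guess
    to a point R = s*Q, compute d*R = s*P to get the next state, keep the
    candidates that reproduce observed[1:], and return the next `count`
    outputs (None if surviving candidates disagree about the future)."""
    hi = OUT_MASK + 1
    futures = set()
    for j in range(1 << TRUNC_BITS):                    # 2^16 guesses in the real attack
        x = observed[0] + j * hi
        if x >= P_MOD:
            continue
        for R in lift_x(x):                             # both signs give the same state
            s = x_of(ec_mul(d, R))
            stream = []
            for _ in range(len(observed) - 1 + count):
                s, r = dual_ec_step(s, Q)
                stream.append(r)
            if stream[:len(observed) - 1] == observed[1:]:
                futures.add(tuple(stream[len(observed) - 1:]))
    return list(next(iter(futures))) if len(futures) == 1 else None


def run_demo(seed=0x2A, observed_count=4, predict_count=6):
    """Return (actual future outputs, attacker's prediction of them)."""
    Q, d = make_backdoored_q(choose_trapdoor())
    stream = dual_ec_outputs(seed, Q, observed_count + predict_count)
    return stream[observed_count:], predict_future(stream[:observed_count], Q, d, predict_count)


if __name__ == "__main__":
    actual, predicted = run_demo()
    print("actual future :", actual)
    print("predicted     :", predicted)
```

The point to take from the demo is that nothing about Q looks wrong to a user: it is just another point on the curve, and an implementation that lets the caller supply its own Q (or that uses a different generator altogether) is immune. The real generator drops only 16 of 256 bits, so the attacker's guessing loop is 2^16 wide instead of 4, which is why about 32 bytes of output are enough to recover the state.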
According to RSA, what prompted its advice in September was not any revelations by Snowden, but a change in the US government’s FIPS compliance standard: “When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media,” the RSA statement says.
Strangely, the algorithm has not been fully