RSA Denies Taking $10m NSA Bribe To Install Crypto Backdoor

RSA has responded angrily to allegations that it was paid by the US National Security Agency (NSA) to include deliberately weakened encryption in the security vendor’s products.

The company warned in September that two of its products relied by default on a random-number generator designed by the NSA that had been deliberately weakened, effectively creating a backdoor that would make it easier to access private communications.

According to a Reuters report on Friday, what it didn’t tell customers was that those weaknesses were put there knowingly, in return for a $10 million payment as part of a “secret contract” with the NSA.

Categorical RSA denial

“We categorically deny this allegation,” said an RSA statement. The company acknowledged that it does paid work for the NSA on government security, but said it made its own decision to use the technology.

Back in September, documents leaked by Edward Snowden indicated that the NSA had deliberately weakened a mathematical tool used to generate random numbers, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual-EC-DRBG), making it possible to predict the numbers it produces and thereby weakening any encryption that depends on them.

RSA used Dual-EC-DRBG by default in its BSafe toolkit for developers, and Reuters claims RSA sources have told it that the NSA paid $10 million to have the algorithm made the default – a figure that represents about a third of the annual revenue from that part of RSA.

In its defence, RSA points out that it adopted the algorithm back in 2004, when the NSA was still widely trusted. Although Dual-EC-DRBG was the default option within BSafe, the product has always offered several random-number generators, and RSA implies that it kept the default only because the algorithm was required by government contracts that demanded FIPS compliance.

The weakness in the algorithm is not the fresh revelation that some reports have implied. In 2007, researchers Dan Shumow and Niels Ferguson showed that it effectively contained a backdoor: anyone who knows the secret relationship between the two fixed curve points the generator uses can recover its internal state from a single block of output and predict every number it produces afterwards (reported in Wired by security expert Bruce Schneier). Since then, security practitioners who follow the field have used it only when required to do so by government contracts.
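To make the Shumow and Ferguson observation concrete, here is a toy Dual-EC-DRBG on a small curve together with the state-recovery attack. This is an added illustration, not code from RSA, from BSafe or from the article: the curve y^2 = x^3 + 2x + 3 over F_10007, the secret d, the seed 4242 and the two dropped bits per block are arbitrary demo choices (the real generator runs on NIST P-256 and drops 16 of 256 bits per block), and every function name below is ours.

```python
# Constructed toy of Dual EC DRBG and its trapdoor (Shumow/Ferguson, 2007).
# Not RSA's BSAFE code. Curve, secret d, seed and dropped-bit count are demo choices.
import math

P_MOD = 10007                      # field prime; 10007 % 4 == 3 makes sqrt a single pow()
A, B = 2, 3                        # curve coefficients (demo choice, non-singular)
TRUNC_BITS = 2                     # top bits dropped from each x-coordinate before output
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS   # 12-bit output blocks on this toy curve

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                            # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_order(pt):                  # brute force; fine for a 14-bit curve
    k, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        k += 1
    return k

def lift_x(x):
    """Return a point (x, y) on the curve, or None if x is not a valid x-coordinate."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)     # square root for p = 3 mod 4
    return (x, y) if y * y % P_MOD == rhs else None

def truncate(x):
    """The generator publishes x(s*Q) with its top TRUNC_BITS bits removed."""
    return x & ((1 << OUT_BITS) - 1)

def make_backdoored_params():
    """Whoever picks Q = d*P for a secret d keeps the trapdoor e = d^-1 mod n, so e*Q = P."""
    P = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt and ec_order(pt) >= 1000)
    n = ec_order(P)
    d = 1234 % n                               # the standard author's secret (demo value)
    while math.gcd(d, n) != 1:
        d += 1
    return P, ec_mul(d, P), pow(d, -1, n)      # (P, Q, e)

class DualEC:
    """Per block: s = x(s*P); output = truncate(x(s*Q)), as in SP 800-90A's Dual_EC_DRBG."""
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def output_for_state(self):
        sq = ec_mul(self.s, self.Q)
        if sq is None:
            raise ValueError("state hit the point at infinity (toy-size artefact)")
        return truncate(sq[0])

    def next_block(self):
        sp = ec_mul(self.s, self.P)
        if sp is None:
            raise ValueError("state hit the point at infinity (toy-size artefact)")
        self.s = sp[0]
        return self.output_for_state()

def recover_and_predict(block, following, P, Q, e, n_predict):
    """Attacker: from one output block (and a few later blocks used only to confirm the
    guess of the dropped bits) recover the next state and predict n_predict more blocks."""
    for hi in range(1 << TRUNC_BITS):          # brute-force the dropped top bits
        x = (hi << OUT_BITS) | block
        if x >= P_MOD:
            continue
        R = lift_x(x)                          # R = +-(s*Q); the sign is irrelevant below
        if R is None:
            continue
        sP = ec_mul(e, R)                      # e*(s*Q) = s*P, whose x is the next state
        if sP is None:
            continue
        clone = DualEC(sP[0], P, Q)
        preds = [clone.output_for_state()]
        preds += [clone.next_block() for _ in range(len(following) - 1 + n_predict)]
        if preds[:len(following)] == following:
            return sP[0], preds[len(following):]
    return None, []

def demo():
    P, Q, e = make_backdoored_params()
    victim = DualEC(4242, P, Q)                # seed is a demo value
    blocks = [victim.next_block() for _ in range(6)]
    state, predicted = recover_and_predict(blocks[0], blocks[1:3], P, Q, e, 3)
    return blocks, state, predicted            # predicted equals blocks[3:]

if __name__ == "__main__":
    blocks, state, predicted = demo()
    print("victim blocks:", blocks, "| recovered state:", state, "| predicted 4-6:", predicted)
```

The attacker sees only the first block (plus two more to rule out wrong guesses of the dropped bits) and then reproduces everything the victim will output. Nothing in the published outputs reveals that Q = d·P; the trapdoor lives entirely in d, which is why the question of who chose the NIST points, and why, is the whole story.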

According to RSA, what prompted its advice in September was not any revelation by Snowden, but new guidance from the US standards body NIST recommending against the algorithm: “When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media,” the RSA statement says.


Strangely, the algorithm has not been fully

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
