The NSA arranged a secret $10 million deal with security firm RSA that ultimately resulted in the company incorporating a flawed algorithm for generating random numbers into its products, creating a backdoor into encrypted communications.
That’s the claim being made in an exclusive Reuters report likely to make some question whether the security industry colluded with the authorities to assist in the surveillance of the public.
Earlier this year, documents released by NSA whistleblower Edward Snowden showed that the NSA was promoting deliberately weakened or vulnerable cryptography, and influencing standards.
In the spotlight was a flawed algorithm known as Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. (Read Martijn Grooten’s post “How the NSA cheated cryptography” for more information about it.)
The deliberately crippled Dual_EC_DRBG algorithm was being used as the default pseudo-random number generator – a crucial component – in RSA’s BSAFE toolkit.
In September, as the revelations about the NSA meddling with encryption standards became public, RSA issued an advisory to its BSAFE customers telling them to ditch the use of Dual_EC_DRBG inside its BSAFE toolkit, and use an alternative pseudo-random number generator instead.
In addition, RSA’s advisory said:
“RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”
What wasn’t known until Reuters reported it was that RSA had been paid by the NSA to set the backdoored algorithm as the default method of random number generation.
RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
Some in the security industry view the payment as little more than a bribe.
For instance, in its report, CNET quotes cryptography veteran Bruce Schneier, who is clearly unimpressed:
“Now we know that RSA was bribed,” said security expert Bruce Schneier, who has been involved in the Snowden document analysis. “I sure as hell wouldn’t trust them. And then they made the statement that they put customer security first,” he said.