Security firm RSA took $10 million from the NSA to make a flawed random number generator the default in one of its security products, which is used by companies all over the world, according to a report by Reuters. The generator turned out to contain a weakness that made it easier for the NSA to predict the random values it produced, and with them the keys built from those values, giving the agency a path to encrypted information. RSA says this was unbeknownst to the firm.
RSA says it did not knowingly introduce a backdoor into its products. “We have worked with the NSA, both as a vendor and an active member of the security community,” the company says in a blog post. “We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
At issue is RSA’s BSAFE developer toolkit, which up until recently used an algorithm known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) by default to produce the random numbers that keys and other secrets in software built with the toolkit depend on. In September, the New York Times revealed that the NSA inserted a backdoor into the algorithm. Dual EC DRBG is defined by two fixed elliptic-curve points; whoever knows the secret relationship between those two points can recover the generator’s internal state from a small amount of its output and then predict everything it produces afterwards, which would make it easier for the agency to decrypt whatever information it wanted from companies using Dual EC DRBG.
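The following toy model shows concretely how the backdoor described above works. It is an added example written for this page, not code from RSA’s BSAFE or from the NIST specification: the curve (y² = x³ + 7x − 13 over the Mersenne prime 2³¹ − 1), the point Q, the secret scalar D, the seed, and the number of truncated bits are all made-up toy parameters chosen so the attack runs in well under a second, and the function names are this example’s own. The structure of the generator (state ← x(state·P), output ← truncated x(state·Q)) and of the attack (guess the dropped bits, lift x to a curve point R, compute D·R to get the next state) follow the real Dual EC DRBG and the 2007 Shumow–Ferguson observation; only the sizes are shrunk.

```python
# Toy model of Dual EC DRBG and the trapdoor that lets the holder of a secret
# scalar D (with P = D*Q) recover the generator's internal state from output.
# Example code, not from BSAFE or NIST SP 800-90A; all parameters below are
# made-up toy values, not a standard curve.

P_MOD = (1 << 31) - 1          # toy field prime 2^31-1; it is 3 mod 4, so sqrt is one pow()
A, B = 7, (-13) % P_MOD        # toy curve y^2 = x^3 + 7x - 13 over F_p (assumed)
Q = (2, 3)                     # public point on the curve: 8 + 14 - 13 = 9 = 3^2
D = 0x1337                     # the trapdoor: whoever chose P = D*Q can recover the state
TRUNC_BITS = 8                 # bits dropped from the top of each x-coordinate (real spec: 16 of 256)
OUT_BITS = 31 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition on the toy curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    if pt is None:
        raise ValueError("hit the point at infinity (does not happen for the toy parameters)")
    return pt[0]


P = ec_mul(D, Q)  # the second public constant; its hidden relation to Q is the backdoor


def dual_ec_generate(state, nblocks):
    """One output block per iteration, as in the real generator:
    state <- x(state*P); block <- truncate(x(state*Q)).
    Returns (blocks, final_state)."""
    blocks = []
    for _ in range(nblocks):
        state = xcoord(ec_mul(state, P))
        blocks.append(xcoord(ec_mul(state, Q)) & OUT_MASK)
    return blocks, state


def recover_state(observed):
    """Given two or more consecutive output blocks, return the internal state
    reached after the last of them, using the public constants plus the trapdoor D."""
    if len(observed) < 2:
        raise ValueError("need at least two consecutive output blocks")
    first, rest = observed[0], observed[1:]
    for hi in range(1 << TRUNC_BITS):             # guess the truncated high bits of x(s*Q)
        x = (hi << OUT_BITS) | first
        if x >= P_MOD:
            break
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)      # candidate square root (p is 3 mod 4)
        if y * y % P_MOD != rhs:
            continue                               # this x is not on the curve
        # R = s*Q (or -s*Q; the sign does not change the x-coordinate of D*R).
        # D*R = s*(D*Q) = s*P, and x(s*P) is exactly the generator's next state.
        nxt = ec_mul(D, (x, y))
        if nxt is None:
            continue
        state = nxt[0]
        if xcoord(ec_mul(state, Q)) & OUT_MASK != rest[0]:
            continue                               # wrong guess for the dropped bits
        predicted, final_state = dual_ec_generate(state, len(rest) - 1)
        if predicted == rest[1:]:
            return final_state                     # state after the last observed block
    return None
```

With the toy sizes the attacker tries at most 256 lifts of the first block; in the real generator the 16 dropped bits mean about 65,536 candidates per 30-byte block, which is why the attack was practical from the day the constants were published. Without D, the same search stops at R: turning s·Q into s·P is an elliptic-curve discrete-logarithm problem.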
What the Times didn’t reveal then is that the spy agency handed RSA the $10 million sum for its work. According to sources interviewed by Reuters, the NSA wasn’t up front with RSA about the security hole in the algorithm at the time of the contract, and said that the algorithm featured technological advances, which may have contributed to the company’s willingness to accept it.
It seems that may have been a key component of helping the flawed generator spread. The NSA used RSA’s adoption of Dual EC DRBG as an argument for why the National Institute of Standards and Technology (NIST) should adopt it into its standard for random number generation (NIST Special Publication 800-90), which is what made it an approved option for FIPS-validated products.
Since the Times’s report in September, RSA has advised its clients not to use Dual EC DRBG, but did not disclose the payment.
The news comes as a panel convened by the White House said this week that the NSA should cease efforts to undermine cryptography. It’s unclear yet whether President Obama will agree to implement any of the panel’s recommendations.
UPDATE: EMC spokesperson Dave Farmer provided the following statement to GeekWire in an email: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”
UPDATE (Dec. 22, 7:11 PM): RSA has published the following statement about its relationship with the NSA:
Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.
Key points about our use of Dual EC DRBG in BSAFE are as follows:
- We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
- This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
- We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
- When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
[Updated Dec. 30 to clarify RSA's position on the Reuters report.]