NSA headquarters

Security firm RSA took $10 million from the NSA to make a flawed cipher the default in one of its security products, which is used by companies all over the world, according to a report by Reuters. The cipher turned out to contain a flaw that made it easier for the NSA to access encrypted information — unbeknownst to RSA, the firm says.

RSA says it did not knowingly introduce a backdoor into its products. “We have worked with the NSA, both as a vendor and an active member of the security community,” the company says in a blog post. “We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”

At issue is RSA’s BSafe developer toolkit, which up until recently used an algorithm known as Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) by default to help developers secure software they created. In September, the New York Times revealed that the NSA inserted a backdoor into the algorithm which would make it easier for the agency to decrypt whatever information it wanted from companies using Dual EC DRBG.

What the Times didn’t reveal then is that the spy agency handed RSA the $10 million sum for its work. According to sources interviewed by Reuters, the NSA wasn’t up front with RSA about the security hole in the algorithm at the time of the contract, and said that the algorithm featured technological advances, which may have contributed to the company’s willingness to accept it.

It seems that may have been a key component of helping the flawed cipher spread. The NSA used RSA’s adoption of Dual EC DRBG as an argument for why the National Institute of Standards and Technology (NIST) would adopt it as a possible encryption standard.

Since the Times’s report in September, RSA has advised its clients not to use Dual EC DRBG, but did not disclose the payment.

The news comes as a panel convened by the White House said this week that the NSA should cease efforts to undermine cryptography. It’s unclear yet whether President Obama will agree to implement any of the panel’s recommendations.

UPDATE: EMC spokesperson Dave Farmer provided the following statement to GeekWire in an email: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

UPDATE (Dec. 22, 7:11 PM): RSA has published the following statement about its relationship with the NSA:

Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Key points about our use of Dual EC DRBG in BSAFE are as follows:

  • We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
  • This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
  • We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
  • When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

[Updated Dec. 30 to clarify RSA’s position on the Reuters report.]



  • http://www.techmansworld.com/ Michael Hazell

    This doesn’t surprise me at all. I can’t believe a company would really put its “legit” customers under a bus just for $10 million to make your own product weaker.

  • brian myers

    Interesting. If the allegations are the truth, then RSA and the NSA would be in violation of the Washington Trade Secret Act if the NSA used this backdoor to obtain any corporate information that would fall inside the definition of being a trade secret (i.e. any fact that is non-public and has commercial value). Any affected company might have a case for double damages plus attorneys’ fees. What a class action that would make.

    Plus perhaps RICO criminal claims: a pre-planned, premeditated, long-term con job of an entire industry by a group of coordinated conspirators with the goal of stealing company secrets. A prosecutor could make a career…or be hounded by the NSA for life.

    • Guest

      Reasons corporations won’t get a dime:
      1) Corporations are horrible about proper disposal and security measures to prevent theft of employee data, especially social security numbers. (HR laptops being stolen with unencrypted data holding thousands of employee records.)
      2) Too many top brass at corporations are involved in insider trading, the top brass won’t stick their neck out to save a company while looking at prison and fines.
      3) There will be far too much available to expose the corporations’ misuse of customer data for their financial benefit.
      4) ARPANET, it’s the backbone to what you’re using right now…guess who created and controls that….ding ding ding!

  • panacheart

    I smell a huge lawsuit coming. The RSA surely knew what was in that algorithm. They have some of the best cryptologists in the world. This constitutes a huge breach of fiduciary duty towards their customers.

    Certainly there’s no way to ever trust RSA security again.
