The NSA paid RSA, the security subsidiary of tech giant EMC, roughly $10 million to include an agency-generated formula in its software that created a backdoor into RSA encryption products, according to an exclusive Reuters report.
“Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software,” said the newswire, citing two unnamed sources “familiar with the contract.”
In a statement, RSA denied the allegations: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products.” Any decisions about features and functionality, it added, “are our own.”
But this isn’t the first time allegations have surfaced about vulnerabilities in the algorithms supported by some RSA products. In September, The New York Times published a report suggesting that the NSA had used a combination of supercomputers and coding know-how to subvert the encryption underlying many of the Web’s major tools, including the algorithms that safeguard the world’s banking and e-commerce platforms. The newspaper based those claims on documents provided by government whistleblower Edward Snowden, which suggested the NSA had spent billions of dollars to stealthily install algorithmic backdoors in various encryption platforms.
Around that time, RSA began telling its developers to switch from the SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generator (also known as Dual EC DRBG) algorithm to another supported random-number-generating algorithm, warning that the former could contain an NSA backdoor. All versions of RSA’s BSAFE Toolkits, along with RSA Data Protection Manager (DPM) server and clients, were apparently subject to the advisory.
There’s quite a bit of difference between a company becoming a victim of a government agency’s secretive attempt to subvert its systems, and a company entering into an agreement with an agency to include a flawed formula in its key platforms. But several sources apparently suggested to Reuters that the NSA never told RSA of its true intentions for the formula. “They did not show their true hand,” one said.
If proven, of course, these allegations could severely damage RSA’s reputation as an IT security powerhouse.
Snowden’s exposures about the extent of NSA spying have ignited a firestorm of controversy over the past few months. In response, President Barack Obama announced earlier in December that he plans on reining in the NSA’s surveillance programs, but those plans won’t be revealed until early next year.