RSA Denies Snowden's Claims That It Accepted $10 Million From The NSA For Promoting Agency's Flawed Encryption Software

   on December 23 2013 2:07 AM
An RSA SecurID dongle used for internet VPN tunnelling is seen in Toronto on Dec. 18, 2013. Reuters

RSA, the cybersecurity arm of EMC Corporation (NYSE:EMC), categorically denied claims that it had entered into a $10 million secret partnership with the U.S. National Security Agency, which allowed the NSA to incorporate a bug into the firm's encryption software so that the agency could spy on the company's customers.

According to media reports in September, based on documents leaked by former defense contractor and whistleblower Edward Snowden, the NSA created a flawed encryption formula that could be used to create a “back door” to security products built using that formula.

According to a Reuters report, RSA promoted the flawed formula by including it in its BSAFE product, which is widely used by developers to enhance the security of computer networks and systems. On Friday, a Reuters report, citing persons familiar with the contract, said that RSA, considered one of the most influential firms in the computer security industry, received $10 million for promoting the NSA’s formula as the preferred, or default, method for generating random numbers in encryption software used in millions of computer systems.

“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the company said, in a strongly worded response to Snowden’s allegations.

In September, after a weakness in the encryption algorithm standard used in BSAFE -- known as Dual EC DRBG -- was revealed following Snowden's disclosures about the extent of the NSA’s penetration of encryption systems, RSA sent an email to its customers alerting them to the flaw.

A random number generator underpins the strength of encryption, and the flawed generator in BSAFE produces random numbers that can be predicted, rendering the encryption vulnerable to compromise. This vulnerability allegedly provides a back door for the NSA and other agencies to break into networks and conduct surveillance.

On Sunday, RSA rejected claims that it accepted a payment for promoting the flawed software, stating that it has worked with the “NSA, both as a vendor and an active member of the security community,” but that it never hid its relationship with the agency.

The company gave the following four reasons for choosing and promoting the flawed Dual EC DRBG:

"We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.

"This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.

"We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.

"When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media."
