RSA Denies Trading Security For NSA Payout

EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access.

RSA was put on the defensive on Friday, after a report surfaced suggesting that the EMC-owned security firm accepted a $10 million payment from the National Security Agency (NSA) to select a weak random number generator as the default for its BSAFE encryption libraries.

That allegation was first reported by Reuters, which said it based its report on interviews with a dozen current and former employees of RSA. The alleged "secret" $10 million contract, signed in 2006, would have represented more than one third of the annual revenue of RSA's labs division the year prior to the contract being signed.

On Sunday, RSA issued a statement denying that it had "entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries."

The company added that at no point had it built backdoors into its products. "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products," it said. "Decisions about the features and functionality of RSA products are our own."

[Google's biannual report points to an increase in government efforts to erase content that's critical of it. Read Google Says Governments Fight Transparency.]

But according to the Reuters report, the NSA has enjoyed backdoor access to any of those BSAFE-using products for which administrators employed RSA's recommended -- or default -- security settings. How many products would have been vulnerable? According to RSA's website, "BSAFE software is embedded and tested in thousands of commercial applications and is available in C/C++ and Java," including products made by BMC, Datamaxx, and EMC.

The allegations contained in the Reuters report follow the Guardian and The New York Times, among other publications, which detailed in September documents leaked by former agency contractor Edward Snowden concerning Project Bullrun. The NSA project appeared to be designed to give the intelligence agency's analysts the ability to do an end-run around the crypto that's supposed to secure HTTPS, VoIP, and Secure Sockets Layer, among other protocols.

"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies," read a leaked NSA document.

But the documents also documented how the NSA worked with some vendors of commercial encryption products "to make them exploitable," as well as required other U.S. vendors -- in what were described as "commercial relationships with industry partners" -- to add backdoor access to their software and hardware.

According to the Friday report in Reuters, in 2006, RSA's new CEO, Art Coviello, accepted a pitch from the NSA that the security company adopt its Dual Elliptic Curve algorithm (a.k.a. Dual EC DRBG), which is supposed to generate random numbers.

But according to RSA, the choice to select the algorithm dated from 2004. "We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption," said the company's statement. "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

It added that customers have always been free to select from multiple algorithms. "This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs," RSA said.

Earlier this year, in the wake of ongoing disclosures by Snowden, both NIST and RSA began recommending that organizations discontinue using the Dual Elliptic Curve algorithm. But concern over the Dual Elliptic Curve algorithm began in 2006, and was followed by a 2007 Crypto conference revealing what Bruce Schneier, chief security technology officer of BT, described at the time as "a weakness that can only be described as a backdoor."

"This is scary stuff," he said at the time, and recommended that no one use Dual EC DRBG "under any circumstances."

But until September 2013, RSA continued to offer the algorithm as its BSFAFE toolkit library's default option. "We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS [Federal Information Processing Standards] compliance," read RSA's Sunday statement. "When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion."

Documents leaked earlier this year by Snowden have suggested that NIST worked with NSA to actively weaken the encryption protocols used in commercial products.

"We no longer know whom to trust," Schneier said in a Monday blog post. "This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix."

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)