RSA Heatedly Denies Secret $10 Million NSA Deal

Written by DH Kass 1
December 24, 2013

In a scenario straight out of a spy novel, RSA, the security division of storage powerhouse EMC (EMC), heatedly denied a Dec. 20 Reuters report that it accepted a clandestine $10 million deal in 2006 with the U.S. National Security Agency to embed known faulty security code into its encrypted products.

In a scenario straight out of a spy novel, RSA, the security division of storage powerhouse EMC (EMC), heatedly denied a Dec. 20 Reuters report that it accepted a clandestine $10 million deal in 2006 with the U.S. National Security Agency (NSA) to embed known faulty security code into its encrypted products.

Reuters reported that RSA, as part of a back-room deal with the NSA, incorporated the agency's Dual Elliptical Curve algorithm, a defective random number generator, into its widely used BSafe security toolkit, potentially leaving personal computers and other gear vulnerable to snooping. The BSafe software is embedded in thousands of commercial products.

The report, which cited two sources familiar with the contract, also referenced “dozens” of current and former RSA staffers who said the company was at fault for agreeing to the deal but also asserted NSA officials had mischaracterized the agency’s intentions.

In a blog posted on Dec. 22, RSA acknowledged it has worked with the NSA, but “categorically” denied that it had built back doors into its products.

Here are some excerpts from RSA’s response:

“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation. …”

“… We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security. …”

“… We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption. This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs. …”

“… RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use. …”

Some aspects of this latest skirmish aren’t new. In September, The New York Times reported that documents exposed by former NSA contractor Edward Snowden revealed the agency’s plan to create a backdoor in encrypted products. RSA, citing a National Institute of Standards and Technology (NIST) bulletin, subsequently issued a memorandum cautioning users against using the algorithm option in its BSafe toolkit.

What’s new here, however, is the charge that RSA accepted money from the NSA to leave open an end-around into products used by its customers. To say the least, for a company with a long, vocal history of leading the privacy and security charge in technology, that wouldn’t be good.