Skip Links

Report on NSA 'secret' payments to RSA fuels encryption controversy

RSA denies report; key issue is whether RSA overlooked crypto algorirthm's weaknesses to generate revenue from government contracts

By , IDG News Service
December 22, 2013 03:20 PM ET

IDG News Service - The U.S. National Security Agency (NSA) paid US$10 million to vendor RSA in a "secret" deal to incorporate a deliberately flawed encryption algorithm into widely used security software, according to a Reuters report that is reigniting controversy about the government's involvement in setting security standards.

The contract was part of an NSA campaign to weaken encryption standards in order to aid the agency's surveillance programs, Reuters reported on Friday.

The report, based on two sources that Reuters said were familiar with the contract, has sparked a series of headlines that are stoking the ongoing debate about NSA surveillance tactics. The NSA declined immediate comment.

RSA, which initially declined to comment, late Sunday denied that it had entered into a secret contract with the NSA.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security," RSA said in a statement.

"We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the RSA said.

In September, articles in ProPublica, The Guardian and The New York Times disclosed that the NSA had been working for years to weaken security standards to help the U.S. government's massive surveillance programs. The articles were based on documents leaked by former government contractor Edward Snowden.

The articles indicated that a crypto random-bit generator known called "Dual Elliptic Curve Deterministic Random Bit Generator," was deliberately subverted by NSA cryptographers working to develop and promulgate standards that would allow the creation of "back doors" in security products.

The RSA took money "secretly" from the NSA to embed the Dual EC DRBG technology into its widely used BSafe toolkit, according to the Reuters report Friday.

At least some commercial dealings between the NSA and RSA are a matter of public record, however. In March 2006, RSA announced that the NSA had selected BSafe encryption software for use in "a classified communications project." The value of the deal was not revealed.

The central question raised by the Reuters report and earlier articles, however, is: Did RSA use what it knew was deliberately weakened crypto software in BSafe, or at best did it look the other way in the face of expert criticism of Dual EC, in order to make money from U.S. government deals?

In its statement Sunday, RSA said, "We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

RSA also acknowledged it used Dual EC also because of its "value in FIPS compliance." FIPS, or Federal Information Processing Standards, are computer standards required in government systems.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News