December 23, 2013
RSA Denies Accusations That It Created Secret Backdoor For NSA Spying
Peter Suciu for redOrbit.com - Your Universe Online
Security firm RSA, a division of EMC, denied on Sunday that it had deliberately provided the NSA with a backdoor into some of its popular encryption libraries. This followed Friday’s revelation that the NSA had paid the computer security firm $10 million in order for it to create an alleged secret backdoor into RSA’s encryption software.
According to a Reuters story published late last week, documents leaked by former NSA contractor turned whistleblower Edward Snowden suggested that the NSA and RSA arranged a secret agreement. Through this agreement the agency “created and promulgated a flawed formula for generating random numbers” called Dual Elliptic Curve, which allowed it to crack encryption codes and gain entry to a number of computer products.
The random number generator is – at least in theory – used to strengthen encryption, but the flaw in the software could make those seemingly random numbers much easier to predict, which allowed the NSA and other agencies to break into networks and conduct surveillance.
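To show why such a flaw makes the output predictable, here is an added toy model of the Dual_EC_DRBG structure; it is not code from the article or from RSA. The curve, the points P and Q, the trapdoor value d and the seed are constructed for illustration (the real generator uses NIST P-256 and truncates its outputs, which this omits): if P = d*Q and someone holds d, a single output value is enough to recover the next internal state and predict every output that follows.

```python
# Toy model of the Dual_EC_DRBG weakness (constructed parameters, not the
# real NIST constants). Needs Python 3.8+ for pow(x, -1, p).
# Curve y^2 = x^3 + 2x + 2 over GF(17); its point group has prime order 19.
P_MOD, A, B = 17, 2, 2

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

Q = (5, 1)                   # published output point (constructed)
TRAPDOOR_D = 3               # secret relation known only to whoever chose the constants
P = ec_mul(TRAPDOOR_D, Q)    # published state point, P = d*Q -> (10, 6)

def dual_ec_outputs(seed, n):
    """Dual EC core loop: state s -> x(s*P), output r = x(s*Q)."""
    out, s = [], seed
    for _ in range(n):
        out.append(ec_mul(s, Q)[0])
        s = ec_mul(s, P)[0]
    return out

def predict_next(r):
    """With d, one output r gives the next output: lift r to a point R = s*Q
    (either sign works), then x(d*R) = x(s*P) is the next state."""
    rhs = (r ** 3 + A * r + B) % P_MOD
    y = next(y for y in range(P_MOD) if y * y % P_MOD == rhs)
    next_state = ec_mul(TRAPDOOR_D, (r, y))[0]
    return ec_mul(next_state, Q)[0]

if __name__ == "__main__":
    stream = dual_ec_outputs(5, 4)
    print(stream, [predict_next(r) for r in stream[:-1]] == stream[1:])
```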
On Monday the firm fired back, categorically denying the allegations while at the same time admitting that it had “worked with the NSA, both as a vendor and active member of the security community.”
“We have never kept this relationship a secret and in fact have openly publicized it,” the company posted on its website on Sunday. “Our explicit goal has always been to strengthen commercial and government security.”
“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the company reaffirmed.
The company further clarified its decision to use the Dual_EC_DRBG random number generator, which is what allegedly provided the NSA with the backdoor.
While the US National Institute of Standards and Technology (NIST) gave this generator a green light, the technology blog Gigaom noted on Monday that “few security companies actually went with Dual_EC_DRBG because it was slow, but RSA did in 2004, making it the default random number generator in its widely-used BSAFE encryption libraries. After the Snowden revelations, NIST suddenly advised against the generator’s use, and RSA followed suit.”
For its part, RSA claimed that it had used the Dual_EC_DRBG as a default in BSAFE toolkits back in 2004, but only in the context of an industry-wide effort to develop newer and, more importantly, stronger methods of encryption. The firm noted then that the NSA had a trusted role in industry efforts to strengthen, not weaken, encryption.
Furthermore, RSA responded that “we continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.”
When NIST issued new guidance in September of this year recommending against the use of Dual_EC_DRBG, RSA said it adhered to that guidance and communicated the decision to its customers.