After Reuters broke a story that the U.S. National Security Agency (NSA) arranged a secret $10 million contract with RSA, the security division of EMC went on the offense -- and fast.
“Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a ‘back door’ in encryption products, the New York Times reported in September,” Reuters said.
“Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
A Strong Denial
RSA isn’t taking the allegations lying down. “Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSafe encryption libraries,” RSA said in a statement. “We categorically deny this allegation.”
RSA went on to say that the company has worked with the NSA, both as a vendor and an active member of the security community. The firm emphasized that it has never kept this relationship a secret and in fact has openly publicized it. The EMC subsidiary said its explicit goal has always been to strengthen commercial and government security. Then, the firm offered some key points about its use of Dual EC DRBG in BSafe.
RSA said it made the decision to use Dual EC DRBG as the default in BSafe toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the firm said, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
RSA Defends Itself
“This algorithm is only one of multiple choices available within BSafe toolkits, and users have always been free to choose whichever one best suits their needs,” RSA said. “We continued using the algorithm as an option within BSafe toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.”
When the NIST (National Institute of Standards and Technology) issued new guidance recommending no further use of this algorithm in September 2013, RSA said it adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
The firm concluded, “RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”