RSA Responds to Claim that it Gave NSA Back Door Access in Exchange for $10M
December 23, 2013 11:43 AM
comment(s) - last by
RSA responded saying that it had no idea the NSA algorithm was flawed
Former U.S. National Security Agency (NSA) contractor
has brought many NSA secrets to light this year, the most recent being a "secret" contract between the agency and security industry leader RSA.
According to more documents leaked by Snowden, the NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software (which is widely used in personal computers and other products) to obtain "back door" access to data.
The RSA software that contained the flawed formula was called Bsafe, which was meant to increase security in computers. The formula was an algorithm called Dual Elliptic Curve, and it was created within the NSA. RSA started using it in 2004 even before the National Institutes of Standards and Technology (NIST) approved it.
According to the RSA, it had no idea that the algorithm was flawed, or that it gave the NSA back door access to countless computers and devices. The NSA reportedly sold the algorithm as an enhancement to security without letting the RSA in on its real intentions.
In fact, RSA responded to media reports about its contract with the NSA, saying it was never secret at all. It said the fact that RSA worked with NSA was always made public, but that RSA had no idea the government agency was actually sabotaging its encryption product.
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation," said RSA in a
"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security."
Many in the security community were surprised at RSA's entanglement with the NSA, but the latest news of a $10 million contract as well has really shocked the industry.
RSA is known as a pioneer in the realm of computer security, and has notoriously fought off the NSA in previous attempts at breaking encryption.
Back in the 1990s, RSA -- which was started by MIT professors in the 1970s and is now a subsidiary of EMC Corp. -- rallied against the Clinton administration's "Clipper Chip," which was supposed to be a required component in computers and phones that would allow government officials to bypass encryption with a warrant.
RSA created a public campaign against the Clipper Chip, and it was eventually tossed out. However, it resorted to export controls to stop enhanced cryptography from crossing U.S. borders, and RSA fought further. RSA then established an Australian division that could ship the products it wanted.
RSA told customers to stop using the NSA formula in Bsafe when NIST issued new guidance in September 2013.
This article is over a month old, voting and posting comments is disabled
12/23/2013 5:16:27 PM
The NSA had a history (at the time) for being a very positive source of security practices and standards/software. Dual Elliptical at the time was considered pretty solid, although some researchers were studying it and raising questions. Obviously the NSA knew more. It will be very interesting to see if more information comes out indicating at what point and under who's authority the NSA went 'bad'.
12/24/2013 6:11:56 AM
This. Back in the 1970s, the cryptography community made DES the standard encryption scheme for a multitude of government and private applications. The NSA was involved in its development and at one point they said "don't use keys within this range of numbers." They didn't explain why, they just said not to use those keys.
That led to some speculation that NSA knew how to crack DES except for keys in that range. But 15 years later the public cryptographic community discovered differential crytanalysis. And lo and behold, the keys within that range were vulnerable to attack by differential crytanalysis.
So what had happened was that NSA had discovered differential crytanalysis long before the public. And when DES was being standardized, they made sure the keys which were weak to it were excluded from the possible key base of DES. They
DES, not weakened it.
That earned them a lot of street cred with the cryptography community, and until recently there was very little evidence to counter that good karma NSA had built up. While some people questioned dual elliptical curves, you have to remember that there are always people who question anything. Without evidence to the contrary, you have to go with what history says. And history said NSA was trying to strengthen crytographic standards, not weaken them.
It will indeed be interesting to see who was responsible for this within NSA. This isn't something you can keep secret forever. Eventually public research would have figured it out, probably within a decade or two. And at that point your credibility is shot, perhaps forever. That's an awfully big price to pay for something of time-limited value.
"I'd be pissed too, but you didn't have to go all Minority Report on his ass!" -- Jon Stewart on police raiding Gizmodo editor Jason Chen's home
Is Microsoft Trojan Horsing Itself? CEO Candiate Elop Reportedly Wants to Break up Company
November 8, 2013, 12:30 PM
FCC Orders Advertisers to Cut Out That Racket, Turn Down Commercials
August 29, 2014, 12:49 PM
Dropbox Bows to Competitive Pressure, Provides 1TB of Storage for $10/Month
August 27, 2014, 11:17 AM
Amazon Acquires Twitch for $970 Million
August 25, 2014, 4:37 PM
Facebook Adds Satire Tags to Its Auto-Generated "Related News" Posts
August 18, 2014, 10:43 AM
Comcast, TWC Pull Dinner Gift for FCC Commissioner... Sort Of
August 15, 2014, 1:10 PM
Comcast Accused of Wooing FCC Commissioner w/ $110K Dinner
August 13, 2014, 8:20 PM
Most Popular Articles
Microsoft's Surface 2 Tablet Family Gets a $100 Price Cut
August 25, 2014, 1:16 AM
Owner of "Decepticon" Maserati Ordered to Appear in Court This Thursday
August 25, 2014, 7:55 AM
LG Posts Teaser Video of Its “Round Face” G Watch R Smartwatch, Set for IFA Lauch
August 24, 2014, 2:49 PM
Windows 9: "Upgrade Now" Button Coming for Enterprise Updates, ARM Preview in H1 2015
August 26, 2014, 8:00 PM
Second ZMapp-Treated Patient Dies of Ebola, Supplies Run Out
August 25, 2014, 7:03 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information