RSA has been essential to corporate security for years - developers of trusted cryptography techniques that serve as the lynchpin to corporate data security. Now the company - presently owned by enterprise data company EMC Corp. - is under fire following allegations it was paid by the National Security Agency (NSA) to promote the use of flawed encryption technology.
Last week Reuters reported that RSA entered into a secret $10 million contract with the NSA. RSA has since responded to the report, categorically denying that a secret contract was agreed to.
The revelations come from analysis of documents leaked by NSA whistleblower Edward Snowden, the contractor who fled U.S. jurisdiction and is presently living in Russia. Snowden's explosive claims have revealed that the US has engaged in spying against its allies like German chancellor Angela Merkel, and have led to more scrutiny over a program to collect telephone "metadata" from all US citizens in order to assemble profiles against terrorists.
The NSA developed an algorithm called Dual Elliptic Curve Random Bit Generator (Dual EC DRBG) which RSA adopted and promulgated even prior to its approval by the National Institutes of Standards and Technology (NIST), a federal technology agency whose approval is required for many products sold to the federal government. Dual EC DRBG was also the default in RSA's Bsafe software.
But within a year, by 2007, cryptography experts were openly questioning Dual EC DRBG's efficacy; some openly declared the shortcomings were part of a back door. That allegation was supported when NSA documents were leaked last year by Snowden. In September, NIST issued a statement telling organizations to stop using the algorithm.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," the post concluded.
So the RSA doesn't deny it took money from the NSA - it just says it's not culpable for any of EC DRBG's shortcomings.
For his part, Joseph Menn, the reporter who wrote the original article, stood by the report's veracity in a tweet.
Dual EC DRBG's shortcomings have been known about for at least the last six years - that it's a lousy way of encrypting data is no secret. What's new here is the implication that RSA, whose public key encryption technology is proven and broadly used on just about every computing platform - accepted money to distribute and promulgate it. If that's true, it could cast a pall on RSA for years to come. Expect to see EMC and RSA go into overdrive to repair their corporate image - assuming there aren't more allegations to come.
Phenomenal iOS 16 concept has all of the features you've been dreaming of
With Apple keeping its iOS 16 plans close to its chest, we already know that we'll be very happy indeed if it turns out to be anything like this new concept.
Review: SANDMARC's Macro Lens easily beats the native iPhone macro mode
While the iPhone 13 Pro is capable of Macro mode photography, it is far from perfect. With SANDMARC's 25mm Macro Lens, you can get even better macro photos with your iPhone 13 Pro, or even with older iPhones.
Woman's lost Apple Watch costs her $40K in fraudulent Apple Pay charges
A woman who says she dropped and lost her Apple Watch at the EPCOT Center has now filed a police report saying that she is on the hook for $40,000 in fraudulent credit card charges as a result.
New iPad (2020)? Pick up a case and protect it from the start!
Looking for the best iPad 2020 case? We've rounded up some of the best cases for Apple's 8th generation iPad here.