RSA has been essential to corporate security for years as a developer of trusted cryptographic techniques that serve as the linchpin of corporate data security. Now the company, presently owned by enterprise data company EMC Corp., is under fire following allegations that it was paid by the National Security Agency (NSA) to promote the use of flawed cryptographic technology.
Last week Reuters reported that RSA entered into a secret $10 million contract with the NSA. RSA has since responded to the report, categorically denying that any such secret contract was agreed to.
The revelations come from analysis of documents leaked by NSA whistleblower Edward Snowden, the contractor who fled U.S. jurisdiction and is presently living in Russia. Snowden's explosive disclosures have revealed that the US spied on allies, including German Chancellor Angela Merkel, and have led to greater scrutiny of a program that collects telephone "metadata" on US citizens in bulk in order to build profiles of suspected terrorists.
The NSA developed an algorithm called the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), which RSA adopted and promoted even before its approval by the National Institute of Standards and Technology (NIST), the federal agency whose approval is required for cryptography in many products sold to the federal government. Dual EC DRBG was also the default random number generator in RSA's BSAFE toolkit.
But within a year of that approval, by 2007, cryptography experts were openly questioning Dual EC DRBG's soundness; some declared outright that its shortcomings amounted to a back door. That allegation was supported by the NSA documents leaked by Snowden. In September, NIST issued a statement telling organizations to stop using the algorithm.
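What "back door" means here is concrete. Dual EC DRBG updates its state by multiplying a curve point P and derives its output from a second point Q; whoever chose Q so that a secret number e satisfies e*Q = P can turn one truncated output back into the generator's internal state and predict everything it emits afterwards. The following is an added toy model written for this page, not code from RSA, NIST or the NSA. It is an assumption-laden miniature: the curve y^2 = x^3 + 2 over F_1019, the trapdoor value 7, the seed 777 and the decision to drop 2 of 10 coordinate bits are all constructed for illustration, whereas the real generator works on NIST's 256-bit-and-larger curves and drops 16 bits of each coordinate.

```python
# Added toy model of the Dual EC DRBG back door. All numbers are constructed for
# illustration; they are NOT the NIST curve parameters used by the real generator.
P_MOD = 1019          # field prime, chosen so that p = 2 mod 3 and p = 3 mod 4
A, B = 0, 2           # curve y^2 = x^3 + 2; 2 is a non-residue, so no point has x = 0
ORDER = P_MOD + 1     # 1020 points: with p = 2 mod 3 cubing is a bijection on F_p
INF = None            # point at infinity
X_BITS, DROP_BITS = 10, 2             # x < 1024 fits 10 bits; drop 2 (real spec drops 16)
OUT_BITS = X_BITS - DROP_BITS
OUT_MASK = (1 << OUT_BITS) - 1

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over F_P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:      # p1 == -p2 (also doubling a point with y = 0)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a point (x, y) on the curve, or None if x^3 + B is a non-residue."""
    z = (x ** 3 + A * x + B) % P_MOD
    y = pow(z, (P_MOD + 1) // 4, P_MOD)       # square root, valid because p = 3 mod 4
    return (x, y) if y * y % P_MOD == z else None

def find_generator():
    """First point of full order 1020 = 2^2*3*5*17 (this group is cyclic)."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt and all(mul(ORDER // q, pt) is not INF for q in (2, 3, 5, 17)):
            return pt

def next_block(s, P, Q):
    """One Dual EC block: s = x(s*P) updates the state, r = x(s*Q) feeds the output."""
    s = mul(s, P)[0]
    r = mul(s, Q)[0]
    return s, r & OUT_MASK

def dual_ec_generate(seed, P, Q, n):
    """Honest user: emit n truncated outputs from a secret seed in [1, P_MOD - 1]."""
    s, outs = seed, []
    for _ in range(n):
        s, out = next_block(s, P, Q)
        outs.append(out)
    return outs

def outputs_from_updated_state(s, P, Q, n):
    """Outputs for n blocks given a state that has already been multiplied by P."""
    outs = []
    for _ in range(n):
        outs.append(mul(s, Q)[0] & OUT_MASK)
        s = mul(s, P)[0]
    return outs

def break_dual_ec(observed, e, P, Q, n_predict):
    """Attacker who knows e with e*Q == P: recover the state from the observed outputs
    (two or more) and predict the next n_predict outputs; None if nothing fits."""
    first, rest = observed[0], observed[1:]
    for k in range(1 << DROP_BITS):             # brute-force the dropped top bits
        r = first | (k << OUT_BITS)
        if r >= P_MOD:
            break
        R = lift_x(r)                           # R = +/-(s*Q); the sign does not matter
        if R is None:
            continue
        s = mul(e, R)[0]                        # e*R = s*(e*Q) = s*P: the next state
        cand = outputs_from_updated_state(s, P, Q, len(rest) + n_predict)
        if cand[:len(rest)] == rest:            # remaining observed outputs disambiguate
            return cand[len(rest):]
    return None

# Hypothetical trapdoor setup: whoever publishes Q = d*P with d = e^-1 keeps e secret.
P_GEN = find_generator()
TRAPDOOR_E = 7                                  # assumed secret; must be coprime to ORDER
Q_PT = mul(pow(TRAPDOOR_E, -1, ORDER), P_GEN)   # so that e*Q == P

if __name__ == "__main__":
    outs = dual_ec_generate(777, P_GEN, Q_PT, 8)     # 777 is a constructed seed
    print("victim outputs :", outs)
    print("attacker guess :", break_dual_ec(outs[:4], TRAPDOOR_E, P_GEN, Q_PT, 4))
```

The point of the model is that nothing in the output stream looks wrong to a user: the bits pass statistical tests, and only the holder of e can run `break_dual_ec`. That is also why the fix NIST eventually recommended was to stop using the generator rather than to patch it: with the published Q there is no way for a user to tell whether such an e exists.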
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," RSA's statement concluded.
So RSA does not deny that it took money from the NSA; it just says it is not culpable for any of Dual EC DRBG's shortcomings.
For his part, Joseph Menn, the reporter who wrote the original article, stood by the report's veracity in a tweet.
Dual EC DRBG's shortcomings have been known for at least the last six years; that it is a poor way to generate the random numbers on which encryption keys depend is no secret. What is new here is the implication that RSA, whose public key encryption technology is proven and broadly used on just about every computing platform, accepted money to distribute and promote it. If that is true, it could cast a pall over RSA for years to come. Expect EMC and RSA to go into overdrive to repair their corporate image, assuming there are not more allegations to come.