RSA has been essential to corporate security for years, as the developer of trusted cryptography techniques that serve as the linchpin of corporate data security. Now the company - presently owned by enterprise data company EMC Corp. - is under fire following allegations it was paid by the National Security Agency (NSA) to promote the use of flawed encryption technology.
Last week Reuters reported that RSA entered into a secret $10 million contract with the NSA. RSA has since responded to the report, categorically denying that a secret contract was agreed to.
The revelations come from analysis of documents leaked by NSA whistleblower Edward Snowden, the contractor who fled U.S. jurisdiction and is presently living in Russia. Snowden's explosive claims have revealed that the US has engaged in spying against its allies like German chancellor Angela Merkel, and have led to more scrutiny over a program to collect telephone "metadata" from all US citizens in order to assemble profiles against terrorists.
The NSA developed an algorithm called Dual Elliptic Curve Random Bit Generator (Dual EC DRBG), which RSA adopted and promulgated even prior to its approval by the National Institute of Standards and Technology (NIST), a federal technology agency whose approval is required for many products sold to the federal government. Dual EC DRBG was also the default in RSA's Bsafe software.
But within a year, by 2007, cryptography experts were openly questioning Dual EC DRBG's efficacy; some openly declared the shortcomings were part of a back door. That allegation was supported when NSA documents were leaked last year by Snowden. In September, NIST issued a statement telling organizations to stop using the algorithm.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," the post concluded.
So RSA doesn't deny it took money from the NSA - it just says it's not culpable for any of Dual EC DRBG's shortcomings.
For his part, Joseph Menn, the reporter who wrote the original article, stood by the report's veracity in a tweet.
Dual EC DRBG's shortcomings have been known about for at least the last six years - that it's a lousy way of encrypting data is no secret. What's new here is the implication that RSA, whose public key encryption technology is proven and broadly used on just about every computing platform, accepted money to distribute and promulgate it. If that's true, it could cast a pall on RSA for years to come. Expect to see EMC and RSA go into overdrive to repair their corporate image - assuming there aren't more allegations to come.