RSA has been essential to corporate security for years - developers of trusted cryptography techniques that serve as the lynchpin to corporate data security. Now the company - presently owned by enterprise data company EMC Corp. - is under fire following allegations it was paid by the National Security Agency (NSA) to promote the use of flawed encryption technology.
Last week Reuters reported that RSA entered into a secret $10 million contract with the NSA. RSA has since responded to the report, categorically denying that a secret contract was agreed to.
The revelations come from analysis of documents leaked by NSA whistleblower Edward Snowden, the contractor who fled U.S. jurisdiction and is presently living in Russia. Snowden's explosive claims have revealed that the US has engaged in spying against its allies like German chancellor Angela Merkel, and have led to more scrutiny over a program to collect telephone "metadata" from all US citizens in order to assemble profiles against terrorists.
The NSA developed an algorithm called Dual Elliptic Curve Random Bit Generator (Dual EC DRBG) which RSA adopted and promulgated even prior to its approval by the National Institutes of Standards and Technology (NIST), a federal technology agency whose approval is required for many products sold to the federal government. Dual EC DRBG was also the default in RSA's Bsafe software.
But within a year, by 2007, cryptography experts were openly questioning Dual EC DRBG's efficacy; some openly declared the shortcomings were part of a back door. That allegation was supported when NSA documents were leaked last year by Snowden. In September, NIST issued a statement telling organizations to stop using the algorithm.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," the post concluded.
So the RSA doesn't deny it took money from the NSA - it just says it's not culpable for any of EC DRBG's shortcomings.
For his part, Joseph Menn, the reporter who wrote the original article, stood by the report's veracity in a tweet.
Dual EC DRBG's shortcomings have been known about for at least the last six years - that it's a lousy way of encrypting data is no secret. What's new here is the implication that RSA, whose public key encryption technology is proven and broadly used on just about every computing platform - accepted money to distribute and promulgate it. If that's true, it could cast a pall on RSA for years to come. Expect to see EMC and RSA go into overdrive to repair their corporate image - assuming there aren't more allegations to come.
Apple launches redesigned online store with dedicated Store tab
After temporarily taking down the Apple online store, the company launched a redesigned store with its own dedicated Store tab.
Google is coming for the iPhone 13 with the Pixel 6 and Pixel 6 Pro
Google teased the Pixel 6 and the Pixel 6 Pro today and it finally appears that the company is getting into the flagship phone space.
Apple TV+ nabs eight Imagen Award nominations across five Apple Originals
Apple TV+ is in the running for as many as eight different Imagen Awards across five different Apple Originals, with Ghostwriter, Little Voice, and Ted Lasso among the nominees.
Webcam hacking is real, but you can protect yourself with a privacy cover
Worried people might be looking in through your webcam on your MacBook? No worries! Here are some great privacy covers that will protect your privacy.