Non-denying denial? RSA aims to distance itself from NSA scandal

24 Dec, 2013 18:42 / Updated 11 years ago

Security firm RSA denies accusations that it entered into a secret contract with the National Security Agency to promote the use of weak security algorithms. The denial comes after a media report detailed information of the alleged hush-hush deal.

Last week, Reuters reported that RSA accepted $10 million from the National Security Agency in exchange for making a specific algorithm - Dual EC DRGB - the default option in its BSAFE security toolkit, which is used to enhance security in many computer products.

The deal was allegedly part of the NSA’s attempts to embed weak encryption software - also created by the agency - in security systems so that it could easily gain access to them later.

In a press release issued on Sunday, RSA denied allegations that it was hiding its involvement with the NSA.

“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries,” the statement read. “We categorically deny this allegation."

“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security," the statement continued.

"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the firm stated.

Notably, the company did not deny allegations that it accepted money from the NSA to make its preferred algorithm the default option in BSAFE. It only explicitly pushed back against the claim that its partnership with the NSA was made secret.

The press release also stated that RSA’s intention was never to weaken its products; the original report suggested the company may have been deceived by the NSA. It added that multiple outlets have taken issue with the company’s actions following the 2004 debut of Dual EC DRGB.

Researchers at Microsoft revealed glaring weaknesses in the code in 2007, yet RSA continued to list the software as its default option for another five years – until reports based on revelations by Edward Snowden shed light on the NSA’s campaign to embed weak encryption software into security systems.

As The Verge noted, RSA’s insistence that it relied on guidance from the National Institute of Standards when it came to recommending Dual EC DRGB suggests the company recognized the software was weak, yet declined to address the issues in question. The press release notes that the algorithm was “only one of multiple choices available,” but RSA continued to list the algorithm as the default choice despite its vulnerabilities.

The situation is a marked turnaround from RSA’s previous position concerning NSA involvement in personal computing software. As RT reported last week, RSA was able to successfully fend off attempts by the Clinton administration to embed chips in computers that would enable the government to easily bypass encryption.

Following the 2001 attacks on the World Trade Center, however, RSA established closer ties to the government, which ultimately allowed the NSA to influence the weakening of third-party security systems.