NSA contracted RSA to use flawed algorithm

By

Leaks reveal $10m contract.

Leaked classified documents show the National Security Agency (NSA) arranged a US$10 million deal with RSA that ultimately led to the security firm using a “flawed” encryption formula in its products.

NSA contracted RSA to use flawed algorithm

The contract set an “NSA formula as the preferred, or default, method for number generation in the BSAFE software", according to Reuters.

It was revealed in September that all versions of RSA's BSAFE Toolkits were impacted by a community-developed encryption algorithm that was believed to contain an NSA backdoor.

The algorithm in question was Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which both RSA and the National Institute of Standards and Technology (NIST) recommended the industry not use at the time.

Reuters reported while the $US10 million deal “might seem paltry” for a major company such as RSA – which serves as the security division for the global data storage corporation EMC – it actually accounted for “more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year."

Dual_EC_DRBG was adopted by RSA before NIST's approval, and to help spur NIST's endorsement of its use, NSA shared that the government had already used the algorithm for some time, according to the report.

RSA today "categorically" denied entering into the secret contract.

It said it had never engaged in any project to intentionally weaken its products or introduce backdoors.

"The [Dual EC DRBG] algorithm is only one of multiple choices available within Bsafe toolkits, and users have always been free to choose whichever one best suits their needs," it said in a statement.

"When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.

"When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media," it said.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
algorithmcontractencryptionflawit trendsnswrsasecurity

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?