RSA denies existence of $10m secret deal with NSA

Security vendor hits back at allegations it took money to create a back door into its encryption software

Security vendor RSA has moved to strenuously deny a report that it was secretly paid $10m to help the US National Security Agency (NSA) create a "back door" in its encryption software.

Documents leaked by NSA whistleblower Edward Snowden to three newspapers in September already showed that the NSA created and promulgated a flawed formula for generating random numbers to create a back door in encryption products. The story was then picked up by Reuters, which reported that RSA became the most important distributor of that formula by rolling it into its Bsafe software tool.

Published on Friday, a fresh report - again from Reuters - alleges that the EMC-owned security vendor bagged $10m for setting the NSA formula - the so-called Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) - as the default method for number generation in Bsafe.

The secret deal formed part of the NSA's wider strategy to enhance surveillance by systematically eroding security tools, the article alleged.

Although that may seem a trifling sum given the $2.1bn EMC acquired RSA for in 2006, it represented a third of the revenue the relevant division of RSA had generated during the previous year, the report added.

Just how complicit RSA was in the deal supposedly struck between the two is unclear, however, with several sources saying government officials had misled the vendor by portraying the formula as a secure technological advance.

But in a blog post this morning, RSA "categorically denied" the existence of any covert contract between the two parties, emphasising that it made the decision to use Dual EC DRBG as the default in Bsafe toolkits way back in 2004.

The algorithm is only one of multiple choices available within Bsafe, it added, meaning users are free to choose whichever best suits their needs.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicised it," RSA stated. "Our explicit goal has always been to strengthen commercial and government security."