RSA, the security subsidiary of EMC Corporation (NYSE:EMC) denied the allegations that it accepted $10 million from the National Security Agency (NSA) as payment for a ‘secret contract’ that would allow the intelligence agency to use encryption to obtain backdoor access to security software.
In a press statement, RSA categorically denied the allegations that it entered into a secret contract with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries.
RSA’s relation with NSA was never a secret
According to RSA, its relationship with NSA as vendor and active member of the security community was never kept secret. The company emphasized that it openly publicized its business association with the agency. “Our explicit goal has always been to strengthen commercial and government security,” said RSA.
In addition, the company said, “RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
Secret contract with NSA
Reuters first reported the alleged secret contract between RSA and NSA based on its interviews with dozens of current and former employees of the security company. The report indicated that RSA signed the contract in 2006, and the payment accounted more than one third of the revenue of RSA’s lab division in the year before the signing of the deal.
The news agency reported that the NSA has backdoor access to any of the security products using BSAFE software, which is recommended by RSA as their default security setting. The company stated in its website that the “BSAFE software is embedded and tested in thousands of commercial applications and is available in C/C++ and Java,” as well as in products developed by its parent company, EMC Corporation (NYSE:EMC), BMC Software, Inc. (NASDAQ:BMC), and Datamaxx.
A previous report from the Guardian and The New York Times and other news agencies indicated that Project Bullrun of the NSA was designed to provide intelligence analysts with the ability to circumvent security encryptions for HTTPS, VoIP, and Secure Sockets Layer and other protocols. The information regarding Project Bullrun was obtained from NSA documents leaked by Edward Snowden.
The leaked NSA documents also contained information that some vendors worked with the intelligence agency to make their encryption products “exploitable” or to add back door access to their software and hardware.
In 2004, RSA decided to use the Dual EC DRBG as default for its BSAFE tool kits as part of the industry-wide effort to develop newer and stronger methods of encryption. According to the company, at the time, “NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption”
The company also pointed out that the Dual EC DRB was one of the multiple options available for the BSAFE toolkits and users were free to choose any algorithm that suits their needs. RSA said it continued using the algorithm because it was accepted as a NIST standard and because of its value in FIP compliance.
“When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion. When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media,” said RSA.