Security firm RSA wants to make clear it’s not the NSA’s lackey.
Responding to a Reuters report that it was paid $10 million by the NSA to distribute a flawed encryption algorithm, RSA issued a blog post last night in which it “categorically” denied those claims. It’s the sort of response you’d expect from a company whose reputation depends on the trust of the security community.
“We have worked with the NSA, both as a vendor and an active member of the security community,” the company wrote (for some reason, the blog post wasn’t attributed to any RSA exec). “We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
The crux of the controversy centers on the Dual EC DRBG algorithm, which RSA made the default option in its BSAFE toolkit back in 2004. The company notes that, at the time, the NSA was a trusted partner in the security community working to “strengthen, not weaken, encryption.” RSA says it also relied on advice from the National Institute of Standards and Technology (NIST) in making the standard its default choice. Issues surrounding the algorithm had been known since 2006, and RSA has drawn criticism recently for its prolonged support of it.
In September, documents unearthed by former NSA analyst Edward Snowden revealed that the Dual EC DRBG algorithm had a “backdoor” flaw, which would allow anyone aware of that weakness to decrypt encrypted files. At that point, the NIST pulled support for the algorithm, and RSA followed suit after alerting its customers.
RSA’s statement doesn’t discount the possibility that the NSA paid it $10 million to make the flawed algorithm default in BSAFE — it’s simply stating that it didn’t willingly make a flawed algorithm the default. And of course, the statement still doesn’t answer why the company stuck with the algorithm after issues emerged in 2006.
Reuters reporter Joseph Menn is standing firm on his report: