Major computer security firm RSA took $10 mln from NSA to weaken encryption – report


Published time: December 20, 2013 23:48

RSA SecurID electronic keys (Reuters / Michael Caronna)



The National Security Agency arranged a clandestine US$10 million contract with computer security power RSA that allowed the spy agency to embed encryption software it could use to infiltrate the company’s widely used products, Reuters reported.

Revelations provided by former NSA contractor Edward Snowden and first reported in September showed that the NSA created and perpetuated a corruptible formula that was ultimately a “back door” into encryption products.

Reuters later reported that RSA became the lead distributor of the formula, installing it into a software tool known as BSAFE that is widely used to boost security in personal computers and other products.

Unknown then was the $10 million deal that set the NSA’s formula as the default method for the security measure – in which random numbers are generated on a key for access to a product – in BSAFE, according to Reuters’ sources. Though the sum of money for the deal seems low, it represented over a third of the revenue the relevant division at RSA had made the previous year, according to securities filings.

RSA was previously known for its crusading fights to protect computer security and privacy in the face of government interests, as it played a major role in blocking an effort by the NSA in the 1990s to require a special chip that would have enabled surveillance on many computer and communication products.

Following the September disclosure, RSA, now a subsidiary of computer storage company EMC Corp, privately warned thousands of its customers to immediately discontinue using all versions of the company’s BSAFE toolkit and Data Protection Manager (DPM), both of which use the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm to protect sensitive data.

RSA and EMC would not comment to Reuters about the alleged deal, but RSA said in a statement: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

The NSA declined to comment.

Most of the dozen current and former RSA employees interviewed by Reuters cited the company’s move away from strictly providing cryptography products as a reason the ill-advised deal was made, though several also said government officials deceived RSA by portraying the corrupt formula as secure.

“They did not show their true hand,” said one source who knew of the NSA deal.

RSA’s advocacy for security

RSA’s history as a pioneer of trusted cryptography goes back to the 1970s. Its encryption tools have been licensed by many major technology companies, which have used RSA products to secure hundreds of millions of personal computers around the world. Its core technology – public key cryptography – uses two keys rather than one: messages are encoded with a public key and can be revealed only with the matching private key.

Even in the earliest days of RSA’s existence, it quarreled with US intelligence entities that worried the dual-key format would block government access. As RSA’s products became more widespread, the contention rose. In the 1990s, the Clinton administration pushed the Clipper Chip, a mandatory piece of hardware in phones and computers that would have enabled officials to supersede encryption without a warrant. RSA led a campaign to block the Clipper Chip, arguing that products so easily surveilled would cripple overseas sales of US tech products.

The White House then moved to advocating stronger export controls to keep top cryptography in the US, yet RSA again persuaded the industry to oppose the effort. The export restrictions were eventually discarded.
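What the article’s “default formula for producing random numbers” actually controls is easier to see in code. The following is an added example, not RSA’s BSAFE code and not Dual_EC_DRBG: it uses HMAC_DRBG from NIST SP 800-90A as the generator and derives a textbook RSA key pair (the two-key scheme described above) entirely from that generator’s output. The seed strings, the 512-bit key size and the sample message are constructed for illustration. The point it shows is that anyone who can reproduce or predict the generator’s state can reproduce the private key, which is why the choice of a library’s default generator is a security decision rather than a feature setting.

```python
import hashlib
import hmac
import os
from math import gcd


class HmacDrbg:
    """HMAC_DRBG over SHA-256 (NIST SP 800-90A), instantiate and generate only.
    Stands in for the library generator; it is not Dual_EC_DRBG or BSAFE code."""

    def __init__(self, entropy: bytes, personalization: bytes = b"") -> None:
        self.key = b"\x00" * 32
        self.val = b"\x01" * 32
        self._update(entropy + personalization)

    @staticmethod
    def _mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into the (key, val) state
        self.key = self._mac(self.key, self.val + b"\x00" + provided)
        self.val = self._mac(self.key, self.val)
        if provided:
            self.key = self._mac(self.key, self.val + b"\x01" + provided)
            self.val = self._mac(self.key, self.val)

    def generate(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.val = self._mac(self.key, self.val)
            out += self.val
        self._update(b"")  # advance state so later calls never repeat output
        return out[:nbytes]


def rand_int(drbg: HmacDrbg, bits: int) -> int:
    """Non-negative integer of at most `bits` bits drawn from the generator."""
    raw = int.from_bytes(drbg.generate((bits + 7) // 8), "big")
    return raw & ((1 << bits) - 1)


def is_probable_prime(n: int, drbg: HmacDrbg, rounds: int = 32) -> bool:
    """Miller-Rabin; witnesses are drawn from the same generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + rand_int(drbg, n.bit_length()) % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, drbg: HmacDrbg) -> int:
    """Prime of exactly `bits` bits; every candidate comes from the DRBG."""
    while True:
        cand = rand_int(drbg, bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, drbg):
            return cand


def generate_keypair(bits: int, drbg: HmacDrbg):
    """Textbook RSA key pair as ((n, e), (n, d)); all randomness is the DRBG's."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, drbg), gen_prime(bits // 2, drbg)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def encrypt(pub, m: int) -> int:
    # Unpadded textbook RSA: shows the two-key property only;
    # deployed systems pad (e.g. OAEP) before exponentiation.
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


if __name__ == "__main__":
    # Constructed fixed seed: anyone holding it reproduces the key pair exactly.
    pub_a, _ = generate_keypair(512, HmacDrbg(b"constructed fixed seed"))
    pub_b, _ = generate_keypair(512, HmacDrbg(b"constructed fixed seed"))
    print("same generator state gives same key pair:", pub_a == pub_b)
    pub, priv = generate_keypair(512, HmacDrbg(os.urandom(48)))
    msg = 0x48656C6C6F  # constructed sample message, must be below n
    print("public-key round trip:", decrypt(priv, encrypt(pub, msg)) == msg)
```

Seeding from a fixed string is there only to make the dependency visible; a real instantiation seeds from the operating system’s entropy source, as the last lines do. The 512-bit modulus keeps the pure-Python primality tests quick and is far too small for actual use.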

A new era

But the attacks of September 11, 2001, flipped some of the power dynamics. In addition, many top engineers of the old fights against the government left the company, and BSAFE was becoming an increasingly smaller share of the company’s revenue.

“When I joined there were 10 people in the labs, and we were fighting the NSA,” said Victor Chan, a top RSA engineer before he left in 2005. “It became a very different company later on.”

By 2006, RSA was considered a prime government partner in the fight against overseas hackers.

New RSA Chief Executive Art Coviello, who declined an interview request from Reuters, signed on to adopt an algorithm called Dual Elliptic Curve – designed by the NSA – even before the formula was approved for government use. RSA’s use of the algorithm actually helped the NSA win approval from the National Institute of Standards and Technology, which oversees government tech product usage.

RSA’s contract made Dual Elliptic Curve the default formula for producing random numbers in the company’s encryption tools. Former employees said that because company business leaders, rather than technologists, approved the deal, no alarms were raised.

“The labs group had played a very intricate role at BSAFE, and they were basically gone,” said labs veteran Michael Wenocur, who left RSA in 1999.

Though it privately urged customers to stop using Dual Elliptic Curve following the September revelations, RSA has been publicly quiet about its relationship with the NSA.

The RSA deal again implicates a key strategy the NSA employs for enhanced surveillance, as shown by Snowden’s leaked documents: the weakening of security tools through the agency’s “commercial relationships” with security and tech companies.

A review board established by the White House to investigate the NSA’s controversial surveillance operations said this week it believes the NSA should make changes to its spying protocol, including the measures that have subverted cryptography.

Among the recommendations, the panel called for the US government to “fully support and not undermine efforts to create encryption standards,” and “not in any way subvert, undermine, weaken or make vulnerable generally available commercial software.”


Categories: Cyber Security