The US National Security Agency (NSA) allegedly paid security firm RSA $10m to open a secret back door into encryption products, according to new reports based on documents obtained from whistleblower Edward Snowden. Earlier leaks had revealed that the NSA created a flawed random number generation system, Dual Elliptic Curve, which RSA used in its Bsafe security tool; now, Reuters reports, the agency paid RSA to ensure that its formula was set as the default system in Bsafe, making it more likely that the NSA would be able to quietly access systems and documents users thought were secured.
RSA had been vocal in advising users of Bsafe to switch away from the formula created by the NSA when its nature was first revealed in October. However, two insiders close to the alleged negotiations claim that there was a financial deal to set the number generator as the preferred method of encryption.
To what extent RSA management knew of the nature of the NSA’s system is unclear. The company itself, now owned by EMC, says that “under no circumstances” does it include or allow for any back doors into its products, and that it alone is responsible for deciding on features and functionality.
However, several current and former RSA employees, speaking on condition of anonymity, said that the firm’s shift away from pure cryptography products was a likely reason for the deal. Others, though, argued that the NSA had not been fully open about the purpose of the formula, which was supposedly billed as a key technological advance in security.
The government officials involved in the negotiations did not reveal that the NSA had back door access to Dual Elliptic Curve, the RSA insiders insist.
According to the sources, RSA management saw the NSA’s offer of technical assistance as an opportunity to remain at the cutting edge of security, a field increasingly being pitched as US companies defending against foreign spies. The NSA then cited RSA’s adoption of Dual Elliptic Curve as justification for its National Institute of Standards and Technology (NIST) approval as a legitimate number generator, it’s said.
Less than a year later, however, the system was being cited as significantly flawed, and RSA was advising people to shift away from it as soon as possible. The NSA has not commented on the reports, though the agency is coming under increasing scrutiny over its data collection practices.