Security firm RSA has categorically denied colluding with the US National Security Agency (NSA) after allegations that the company accepted $10m of government cash in order to make compromised code its default. Reports late last week suggested RSA had been paid by the NSA to adopt a random number generator that the agency had purposefully left backdoor access to, something the company strenuously denies.
Chatter of a “secret contract” is patently false, RSA says, pointing out that any collaboration between it and the agency has been openly publicized.
In fact, RSA points out, back when the contentious code – known as Dual EC DRBG – was first implemented as the default in its BSAFE toolkit, in 2004, the NSA’s role in the security sector was seen very differently. Then, the company says, security firms considered the NSA trustworthy and regarded it as aiming to “strengthen, not weaken, encryption”.
Contrary to some claims, RSA insists that it has never knowingly worked to introduce backdoor access into any of its products.
It’s unclear whether the denials will satisfy those now doubtful of RSA’s security credibility. Some sources last week claimed that the NSA had not been upfront about its intentions with – and the flawed nature of – Dual EC DRBG, arguing at the time that it was a legitimate tool rather than a compromised one.
RSA says it relied on the National Institute of Standards and Technology (NIST) for guidance as to whether to continue using the code. Although concerns had first arisen back in 2007, the decision to drop it came only in September this year, on the Institute’s advice.
However, sources last week claimed that the NSA had used RSA’s early adoption of Dual EC DRBG as a prime argument for accelerating NIST approval in the first place.