Report on NSA 'secret' payments to RSA fuels encryption controversy

Key issue is whether RSA overlooked crypto algorirthm's weaknesses to generate revenue from government contracts

The U.S. National Security Agency (NSA) paid US$10 million to vendor RSA in a "secret" deal to incorporate a deliberately flawed encryption algorithm into widely used security software, according to a Reuters report that is reigniting controversy about the government's involvement in setting security standards.

The contract was part of an NSA campaign to weaken encryption standards in order to aid the agency's surveillance programs, Reuters reported on Friday.

The report, based on two sources that Reuters said were familiar with the contract, has sparked a series of headlines that are stoking the ongoing debate about NSA surveillance tactics. The NSA and RSA, now a part of storage and enterprise software giant EMC, declined to immediately comment on the Reuters story.

In September, articles in ProPublica, The Guardian and The New York Times disclosed that the NSA had been working for years to weaken security standards to help the U.S. government's massive surveillance programs. The articles were based on documents leaked by former government contractor Edward Snowden.

The articles indicated that a crypto random-bit generator known called "Dual Elliptic Curve Deterministic Random Bit Generator," was deliberately subverted by NSA cryptographers working to develop and promulgate standards that would allow the creation of "back doors" in security products.

The RSA took money "secretly" from the NSA to embed the Dual EC DRBG technology into its widely used BSafe toolkit, according to the Reuters report Friday.

At least some commercial dealings between the NSA and RSA are a matter of public record, however. In March 2006, RSA announced that the NSA had selected BSafe encryption software for use in "a classified communications project." The value of the deal was not revealed.

"RSA BSAFE Crypto-C ME software meets the Suite B cryptography requirements issued by the National Security Agency (NSA)," RSA said in its 2006 announcement. "Introduced at RSA Conference 2005, Suite B provides a common set of cryptographic algorithms that the technology industry may leverage to build solutions that meet the security needs of U.S. federal government organizations."

The central question raised by the Reuters report and earlier articles, however, remains: Did RSA use what it knew was deliberately weakened crypto software in BSafe, or at best did it look the other way in the face of expert criticism of Dual EC, in order to make money from U.S. government deals?

The Reuters article Friday suggests that RSA had significant monetary incentive to set Dual EC as the default random number generator in BSafe, reporting that $10 million "represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show."

The inclusion of Dual EC in RSA technology software also helped the NSA convince the National Institute for Standards and Technology (NIST) to approve the software as a method for generating random numbers used by encryption software, the Reuters story noted.

But questions about the efficacy of Dual EC were being raised even as RSA publicly announced its Bsafe deal with the NSA in 2006, and continued for years.

One paper, "Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator," by Berry Schoenmakers and Andrey Sidorenko, published by the Eindhoven University of Technology in May 2006, reported that "our experimental results and also empirical argument show that the DEC PRG is insecure."

Finally, after articles about the NSA's alleged efforts weaken security standards were published this September, NIST issued an advisory recommending that Dual EC not be used, and RSA followed suit.

"Following NIST's decision to strongly recommend against the use of the community developed encryption algorithm standard (known as Dual EC DRBG), RSA determined it appropriate to issue an advisory to all our RSA BSAFE and RSA Data Protection Manager customers recommending they choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit," the RSA advisory said.

RSA CTO Sam Curry publicly defended and explained why RSA originally chose Dual EC in an email published by Ars Technica.

But Curry's statement was dissected and ridiculed by cryptography experts.

Among other statements, Curry said that "Dual_EC_DRBG was an accepted and publicly scrutinized standard."

However, "every bit of public scrutiny said the same thing: this thing is broken! Grab your children and run away!" noted Matt Green, a cryptographer and research professor at Johns Hopkins University, in a careful analysis of Curry's defense.

The Reuters report came at the end of a week of mounting criticism of the government's surveillance programs.

U.S. District Court Judge Richard Leon, in a preliminary ruling in a court case challenging the government's phone records collection program, harshly criticized the agency and suggested the program violates the U.S. Constitution. A report from the Review Group on Intelligence and Communications Technology, appointed by administration of U.S. President Barack Obama, said that the government's spy programs create problems for international commerce and affect the U.S.'s relationship with other countries,

Join the CSO newsletter!

Error: Please check your email address.

Tags National Security AgencyReuterssecurityencryptionrsa

More about EMC CorporationNational Security AgencyNSAReuters AustraliaRSATechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Marc Ferranti

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts