The company has issued a statement on the controversial matter

Dec 23, 2013 07:57 GMT

Sources have told Reuters that the NSA paid RSA, EMC Corp’s security division, $10 million (€7.3 million) to have a flawed random number generation algorithm included in the BSAFE encryption libraries. RSA is denying it.

“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation,” the company stated.

“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”

RSA clarified that it started using the algorithm in question, Dual EC DRBG, back in 2004, when the NSA was still regarded as a trusted party where encryption was concerned.

Furthermore, the company says that Dual EC DRBG is only one of the algorithms that BSAFE customers can choose. RSA also points to its recent alert in which it advised customers to stop using the algorithm after NIST deemed it weak.

“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the statement continues.

The people who spoke with Reuters said the NSA tricked RSA into using the algorithm by advertising it as a technological advancement. The NSA's claim that it was using the algorithm inside the government prompted RSA to start using Dual EC DRBG even before NIST approved it.