The government tricked the security company into using a flawed algorithm

Dec 21, 2013 08:02 GMT  ·  By

In September, RSA, EMC Corp’s security arm, warned customers of a flawed encryption mechanism in some products. It turns out that the NSA actually paid RSA $10 million (€7.3 million) to make sure the flawed formula would be used.

According to Reuters, the money was used to convince RSA to utilize the NSA’s Dual Elliptic Curve algorithm for generating random numbers in the Bsafe cryptography libraries.

RSA representatives have told Reuters that they always act in their customers’ best interest and that “under no circumstances does RSA design or enable any back doors in [its] products.”

On the other hand, current and former RSA employees have said that the company made a mistake when it agreed to the contract. They also point out that the government never disclosed that it knew how to break the encryption it had proposed.

Instead, it advertised the formula as a “secure technological advance.”

The NSA used a clever trick to make sure the Dual Elliptic Curve, which the agency developed, would be used without raising too much suspicion.

When the NSA convinced RSA to use the Dual Elliptic Curve, the algorithm was one of four random number generation algorithms awaiting approval by the US National Institute of Standards and Technology (NIST).

However, RSA agreed to use it even before NIST approved it, since the NSA argued that it had been relying on the algorithm successfully inside the government.

Since the deal between RSA and the NSA was made between business leaders and not technologists, no alarms were raised.

On the other hand, cryptography experts, including the famous Bruce Schneier, warned that the formula was weak and that it was actually creating a back door in encryption tools.