Security firm RSA is being dragged back into the NSA scandal after a team of researchers discovered that it implemented two different encryption tools built by the intelligence agency, both of which were designed to be easily exploited whenever needed.
Reuters reports that the revelations come from professors at multiple universities in the United States. The same news outlet put RSA at the center of attention last year by reporting that the firm and the NSA had entered into a deal under which the security firm used weak security systems and encryption services put together by the intelligence agency.
The newest discovery puts RSA in an even worse light. The company supposedly implemented a second security tool called “Extended Random,” which was not used very often compared to others. However, it could be used to easily crack a version of the Dual Elliptic Curve software, which is a random number generator.
RSA didn’t dispute the results of the research, but said it did not do any of this intentionally to weaken the security of any of its products. Furthermore, since “Extended Random” wasn’t actually popular, it hasn’t been in RSA’s catalog for the past six months.
“We could have been more skeptical of NSA’s intentions. We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure,” Sam Curry, RSA chief technologist, said.
His statement echoes previous ones made by RSA officials, who have said several times before that they had no reason to believe the NSA could not be trusted. This is true of most companies, which had no idea of the extent of the surveillance practiced by the intelligence agency or of its efforts to undermine encryption and system security for its own gain.
The agency has, in fact, been working for decades with private companies to improve cybersecurity, which means that it could have been implementing its own backdoors for longer than originally thought.
As for RSA’s Dual Elliptic Curve random number generator, experts are fairly sure of its safety, having concluded that only the NSA could break it. Even Bruce Schneier, a renowned security expert and frequent collaborator on the investigation of the NSA files, believes that the product is one of the better ones.
Cryptography experts became suspicious of the Dual Elliptic Curve following the media reports from last year regarding the NSA’s desire to undermine encryption by building its own backdoors.