RSA denies $10 million NSA payments for backdoor access

Security firm did not allow access to spooks in BSAFE software, it claims.


IT security firm RSA was forced to deny reports that it was secretly paid $10 million by the US National Security Agency (NSA) to allow a backdoor in its encryption software.

According to reports by Reuters, the company took payment from the NSA to use a flawed random number generator, known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), in its products. The technology has been part of some RSA products since 2004.

The Reuters report alleged that the deal was part of a greater effort by the NSA to enhance surveillance by systematically eroding the effectiveness of security tools.

The sum of money represented around a third of its revenue for that year, according to the report. EMC acquired RSA in 2006 for $2.1 billion.

In a blog post, RSA "categorically" denied all allegations. The firm said that it has "never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

The vendor said that it included Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption," the firm stated.

RSA added that the algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been "free to choose whichever one best suits their needs."

It said that only when the US National Institute of Standards and Technology (NIST) recommended no further use of this algorithm in September 2013 did it tell customers to stop using the encryption technology.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicised it. Our explicit goal has always been to strengthen commercial and government security," the company added.
