$10 million seems a paltry amount for a respected security company to sell out its very reason for existence, but in a secret 2006 deal, this is precisely what happened.
US company RSA is the firm behind the world’s most commonly used encryption toolkit. Its deal with the NSA meant that it not only included the NSA-engineered Dual Elliptic Curve algorithm in its products, but also made it the default random number generator, fully incorporating it into the BSafe software tool, which in turn forms the basis of many other security products widely used to protect sensitive information.
Dual_EC_DRBG was engineered by the NSA, which used RSA’s adoption of it to help gain NIST (National Institute of Standards and Technology) approval. Since 2007 the cryptographic community has known that it contains a backdoor (which we discuss in this article), meaning that a number generated with it is not truly random and can be discovered by the NSA.
RSA staff have defended their actions, saying that they were misled by the NSA, which portrayed the formula as secure and did not tell them that it knew how to crack it: ‘They did not show their true hand.’
It is bad enough that RSA took the money and allowed a secret government contract to influence their designs and dealings with other customers, but the fact that it continued to use and promote an algorithm known to be flawed for six years is an absolute scandal. It was only after Edward Snowden’s revelations brought the backdoor to public attention in September of this year that RSA urged its customers to stop using the Dual Elliptic Curve number generator.
It has to be said that the only new information in the Reuters report is that RSA accepted payment from the NSA. For a company that was in the vanguard of resistance to the Clinton regime’s attempt to compromise all encryption with a so-called ‘clipper box’ back in the nineties, this is a sad come-down. This report also comes in the week when a White House panel charged with reviewing NSA surveillance concluded that ‘encryption is an essential basis for trust on the Internet,’ and that the NSA ‘should be banned from undermining encryption.’