The NSA's $10 million 'bribe' to get RSA to use backdoored encryption algorithm

NSAThe NSA arranged a secret $10 million deal with security firm RSA that ultimately resulted in the company incorporating a flawed algorithm for generating random numbers into its products, creating a backdoor into encrypted communications.

That's the claim being made in an exclusive Reuters report likely to make some question whether the security industry colluded with the authorities to assist in the surveillance of the public.

Earlier this year documents released by NSA whistleblower Edward Snowden showed that the NSA was promoting deliberately weakened or vulnerable cryptography, and influencing standards.

Part of leaked document

In the spotlight was a flawed algorithm known as Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. (Read Martijn Grooten's post "How the NSA cheated cryptography" for more information about it.)

The deliberately crippled Dual_EC_DRBG algorithm was being used as the default pseudo-random number generator - a crucial component - in RSA's BSAFE toolkit.

In September, as the revelations about the NSA meddling with encryption standards become public, RSA issued an advisory to its BSAFE customers telling them to ditch the use of Dual_EC_DRBG inside its BSAFE toolkit, and use an alternative pseudo-random number generator instead.

In addition, RSA's advisory said:

"RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

RSAWhat wasn't known until Reuters reported it was that RSA had been paid by the NSA to set the backdoored algorithm as the default method of random number generation.

RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

Some in the security industry view the payment as little more than a bribe.

For instance, in its report, CNET quotes cryptography veteran Bruce Schneier, who is clearly unimpressed:

"Now we know that RSA was bribed," said security expert Bruce Schneier, who has been involved in the Snowden document analysis. "I sure as hell wouldn't trust them. And then they made the statement that they put customer security first," he said.

Ouch.

Further reading: RSA attempts (and fails) to refute claims it helped NSA weaken encryption

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , ,

2 Responses

  1. William Yee

    December 21, 2013 at 11:38 am #

    Random numbers for the $650,000,000.00 lottery?

  2. JeremyTesla

    October 31, 2014 at 4:35 am #

    Our government runs a Modern-Day Stasi State and thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors working for the NSA and the US Military unlawfully collects and stores everyone’s IP addresses, e-mail addresses, telephone traffic, all your contact lists, all your text messages, passwords, GPS locations with dates and time, Facebook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don’t press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed ultra-high resolution traffic cameras in US cities and on police cars that scan our license plate tags and store that information in databases and those databases are shared with the NSA. They store all that information forever, under your name, at the US Military’s new massive Utah Data Center and can pull it up at any time and look back in time at all your data. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, and your automobile’s OnStar system, your xBox, capture live video chats, and any other similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. And now we have learned the NSA has back door access into the entire line of RSA's encryption tools.

    From Edward's vantage point he learned that the NSA monitors Americans “even if you’re not doing anything wrong.” From “just sitting at my desk” Snowden said he had the “authority to wiretap anyone …” … “If I wanted to see your e-mail or your wife’s phone, all I have to do is use intercepts. I can get your e-mails, passwords, phone records, credit cards.” He also discovered that the NSA is “using the system to go back in time to discover everything you’ve done.”

    All of this is terrifying stuff that confirms much of what has been revealed about NSA surveillance by Bill Binney and his fellow NSA whistle-blowers Tom Drake and Kirk Wiebe.

    Snowden said: “I am not here to hide from justice; I am here to reveal criminality.”

    America is becoming scary … a N,a.z,i kind of scary.

Leave a Reply