Did NSA bribe security industry pioneer RSA $10 mn to make weak encryption?

The National Security Agency (NSA) might cause the Obama administration another headache if the latest reports are true: sources familiar with the matter have told Reuters that the NSA sealed a $10 million deal with computer security firm RSA under which RSA would use a flawed security algorithm that the agency can crack in order to snoop on target data.

The controversy stems from documents leaked by Edward Snowden showing that the NSA masterminded the creation of a flawed encryption algorithm that exposes a weak point, or backdoor, through which computer systems can be penetrated. RSA spread this formula through its "BSafe" software, which is commonly used for securing personal computers and mobile devices.

While $10 million may sound meager, securities filings show it represented over a third of the earnings of the RSA division responsible for the crypto library.

RSA, which now operates under the umbrella of EMC Corp, did not comment on the latest report but issued a statement.

"RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own," RSA told Reuters.

"The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using 'commercial relationships' to advance that goal, but did not name any security companies as collaborators," Joseph Menn of Reuters wrote.

According to the same report, employees who were interviewed think that RSA made a mistake with the contract, and that the company's move to diversify beyond cryptography tools may have been one of the reasons it agreed to the deal. Others say that the government misled the firm.

RSA had advised its customers not to use the flawed security tool once the Snowden leaks hinted at its weakness.

"With so much suspicion about Dual_EC_DRBG, RSA quickly recommended that BSafe users switch away from the use of Dual_EC_DRBG in favor of other pseudorandom number generation algorithms that its software supported. This raised the question of why RSA had taken the unusual decision to use the algorithm in the first place given the already widespread distrust surrounding it," wrote Peter Bright of Ars Technica.

NSA has not commented on the issue.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.