RSA Denies Claims Regarding "Secret Contract" With NSA
RSA denied a press allegation asserting that the company entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries.
"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security," RSA said.
A Reuters report late last week claimed that RSA was paid $10 million to promote a pseudorandom-number generator, with the payment made in exchange for the crackable generator to be used as the default setting in its BSAFE security tools.
The EMC-owned company asserts that it made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, "in the context of an industry-wide effort to develop newer, stronger methods of encryption." The company says it continued using the algorithm as an option within BSAFE toolkits "as it gained acceptance as a NIST standard and because of its value in FIPS compliance." When concern surfaced around the algorithm in 2007, RSA says it continued to rely upon NIST as the arbiter of that discussion.
In September 2013 NIST issued new guidance recommending no further use of this algorithm. RSA says it adhered to that guidance, communicated that recommendation to its customers and discussed the change openly in the media.
"...we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the Security Division of EMC added.