NSA contracted RSA to use flawed algorithm, leaks reveal

A secret contract reportedly tied the NSA and security firm RSA.

Leaked classified documents, detailed in a Friday Reuters article, show that the National Security Agency (NSA) arranged a $10 million deal with RSA that ultimately led to the security firm using a “flawed” encryption formula in its products.

According to Reuters, the contract set an “NSA formula as the preferred, or default, method for number generation in the BSAFE software.”

It was revealed in September that all versions of RSA's BSAFE Toolkits were impacted by a community-developed encryption algorithm that was believed to contain an NSA backdoor.

The algorithm in question was the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which, by that time, both RSA and the National Institute of Standards and Technology (NIST) had recommended the industry not use.

Reuters reported that while the $10 million deal “might seem paltry” for a major company such as RSA – which serves as the security division for the global data storage corporation EMC – it actually accounted for “more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year.”

Dual_EC_DRBG was adopted by RSA before NIST's approval, and to help spur NIST's endorsement of its use, NSA shared that the government had already used the algorithm for some time, Reuters revealed.

“RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit,” the article said. “No alarms were raised, former [RSA] employees said, because the deal was handled by business leaders rather than pure technologists.”
