Security firm RSA has strongly denied reports it signed a “secret contract” with the NSA spying agency.

http://www.bbc.co.uk/news/technology-25492461

On December 21, a Reuters report said the NSA paid RSA to use a random number generator now known to be flawed.
The Reuters report said the NSA paid RSA $10m (£6.1m) to use a random number generator that has since been discovered to open a backdoor into any software in which it was used.
Documents released by whistleblower Edward Snowden have confirmed the existence of backdoors in some technologies RSA, and other firms, used in their products.
The random number generator, known as the “Dual Elliptic Curve Deterministic Random Bit Generator” (Dual EC DRBG), became a standard part of some RSA products in 2004.
In 2007, academic research revealed that the number generator had serious weaknesses that, if exploited, could let eavesdroppers get at data it was supposed to help protect. In a blog post responding to the report, RSA explained that it continued to rely on the system in 2007 following advice from the US standards body that oversaw development of such systems.
It also followed the advice of this body when it told users to stop using the module earlier this year.
In addition, RSA added, the Dual EC DRBG was one of several different random number generators available and customers were “free to choose whichever one best suited their needs”.
It concluded: “We also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
In response, Reuters reporter Joseph Menn, who broke the story, said in a tweet: “We stand by our RSA story.”