
NSA Paid RSA $10 Million to Use Flawed Security Standard

Source: Tom's Guide US | 28 comments

RSA Security was paid $10 million by the National Security Agency (NSA) to fold a deliberately flawed encryption standard into its software, a Reuters report says.

The company, whose SecurID tokens and software are used by millions of smartphone users and corporate employees worldwide, made a pseudo-random number generator called Dual_EC_DRBG the default selection in its BSAFE encryption software toolkit in 2006.

Two sources told Reuters reporter Joseph Menn that setting Dual_EC_DRBG as the default was key to a $10 million contract the company had signed with the NSA that year. The BSAFE division had taken in only $27.5 million in revenue in 2005.


"Now we know that RSA was bribed," security expert Bruce Schneier told CNET following the publication of the Reuters story. "I sure as hell wouldn't trust them."

Some current and former RSA Security employees told Menn the company was duped into trusting the NSA, which sets security standards for companies seeking government contracts.

"They did not show their true hand," one source told Menn.

Others blamed a changing corporate culture. The company, which during the 1990s led the successful fight against the NSA's proposed mandatory Clipper Chip (which would have decrypted cellphone conversations), was by the mid-2000s a much larger corporation, and many key employees had moved on.

"When I joined there were 10 people in the labs, and we were fighting the NSA," an employee who left in 2005 told Menn. "It became a very different company later on."

Random numbers that weren't random at all

BSAFE is used by software developers, chiefly anti-virus software maker McAfee and RSA itself, to secure their products. It is not used in RSA's SecurID tokens or software.

Pseudo-random number generators, or PRNGs, are essential to the encryption methods that underlie most secure electronic communications.

In September of this year, documents revealed by NSA turncoat Edward Snowden showed that the NSA had secretly undermined Dual_EC_DRBG (short for Dual Elliptic Curve Deterministic Random Bit Generator).


The revelation greatly upset many in the information-security community who had trusted the agency as a partner in developing encryption standards and security best practices.

Dual_EC_DRBG had been regarded with suspicion by cryptography experts ever since a 2007 paper, written by two Microsoft researchers, showed that it contained hidden mathematical relationships that made presumably random numbers not random at all.

The flaw could be exploited by the holder of a certain number, unknown to the researchers, and amounted to a "backdoor," a secret way to decrypt any information that had been encrypted using Dual_EC_DRBG.
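As an added illustration (not code from the article, RSA or NIST) of the hidden relationship described above, here is a toy Dual_EC-shaped generator: the multiplicative group modulo a small prime stands in for the elliptic curve, and the two public constants P and Q are secretly related by Q = P^d. All moduli, constants and seeds are constructed; whoever knows d recovers the internal state from a few truncated outputs and predicts every later one, which is why unexplained constants in a standard are a red flag.

```python
from math import gcd

P_MOD = 2**31 - 1        # constructed toy prime; its multiplicative group stands in for the curve
P = 7                    # first public constant (7 is a primitive root mod P_MOD)
D_SECRET = 65537         # the hidden "certain number"; constructed, coprime to P_MOD - 1
assert gcd(D_SECRET, P_MOD - 1) == 1
Q = pow(P, D_SECRET, P_MOD)   # second public constant, secretly Q = P^d
TRUNC_BITS = 8           # bits dropped from each output (the real design drops 16)
OUT_BITS = 31 - TRUNC_BITS
MASK = (1 << OUT_BITS) - 1

class ToyDualEC:
    """Dual_EC shape: r = P^s, emit truncated Q^r, next state s = P^r."""
    def __init__(self, seed):
        self.s = seed % P_MOD
    def next_output(self):
        r = pow(P, self.s, P_MOD)
        out = pow(Q, r, P_MOD) & MASK
        self.s = pow(P, r, P_MOD)
        return out

def recover_state(out1, out2, out3, d=D_SECRET):
    """Backdoor holder's step: Q^r = (P^r)^d, so (Q^r)^(1/d) = P^r, which is
    the next internal state. The dropped bits are brute-forced and each guess
    is confirmed against the two following outputs. Returns the state after
    out3, or None if nothing fits."""
    e = pow(d, -1, P_MOD - 1)                 # 1/d modulo the group order
    for hi in range(1 << TRUNC_BITS):
        full = (hi << OUT_BITS) | out1        # candidate untruncated Q^r
        if full >= P_MOD:
            continue
        g = ToyDualEC(pow(full, e, P_MOD))    # candidate next state P^r
        if g.next_output() == out2 and g.next_output() == out3:
            return g.s
    return None

def predict_after(out1, out2, out3, count):
    """Predict `count` future outputs from three observed ones, knowing only d."""
    state = recover_state(out1, out2, out3)
    if state is None:
        return None
    g = ToyDualEC(state)
    return [g.next_output() for _ in range(count)]

def demo(seed=0xC0FFEE):
    """Victim seeds the generator; the backdoor holder sees only its outputs."""
    victim = ToyDualEC(seed)
    seen = [victim.next_output() for _ in range(3)]
    truth = [victim.next_output() for _ in range(5)]
    return predict_after(*seen, 5) == truth
```

Without d, an observer faces the discrete-log problem in the group; with d, three outputs suffice, and the same argument carries over to the real curve-based design.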

Following the Snowden revelation, RSA Security advised its customers who used BSAFE to switch to another PRNG.

Another stain on a once-stellar reputation

RSA Security is one of the best-known brands in the worldwide security-software field. It was founded in 1982 by three Massachusetts Institute of Technology cryptographers who had created the RSA encryption algorithm five years earlier.

The company, based in the Boston suburbs, was bought by EMC Corporation in September 2006, after the BSAFE contract with the NSA was finalized.

The company's SecurID tokens were fatally compromised in March 2011 following a data breach by Chinese hackers who obtained the "seeds," or secret numbers, for token encryption-key generation.

The company was widely blamed for not disclosing the seriousness of the breach for three months after its initial disclosure, during which time the cracked SecurID tokens were used to steal military blueprints from U.S. defense contractors.

RSA Security hosts the annual RSA Security Conference, a giant week-long industry event held every February in San Francisco.

"If the Reuters story is true, I — for one — will be cancelling my invited talk and my panel participation in the upcoming RSA Conference," tweeted F-Secure researcher Mikko Hypponen, among the most respected people in the information-security industry, after the Reuters story broke.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Comments
  • 12 Hide
    MaxTesla , December 21, 2013 9:25 AM
    The NSA shills are out in full swing I see

    We have documents that prove that the NSA paid to put in a back door, and the NSA shills turn right up denying it.
  • 17 Hide
    WhoMovedMyFreedom , December 21, 2013 9:29 AM
    Thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors and the US Military unlawfully monitors everyone’s telephone traffic, all your contact lists, text messages, passwords, GPS locations with dates and time, FaceBook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don’t press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed traffic cameras in all major metro areas and on police cars that scan license plate tags and store that information in databases. I believe those databases are shared with the NSA. They store all that information permanently, under your name, at the US Military’s new massive Utah Data Center and can pull it up at any time in the future. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, automobile’s OnStar system, xBox and similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. And now we have learned they have back door access into all of RSA's encryption tools.
  • 3 Hide
    Anonymous , December 21, 2013 10:40 AM
    "Thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors and the US Military unlawfully monitors everyone’s telephone traffic, all your contact lists, text messages, passwords, GPS locations with dates and time, FaceBook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don’t press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed traffic cameras in all major metro areas and on police cars that scan license plate tags and store that information in databases. I believe those databases are shared with the NSA. They store all that information permanently, under your name, at the US Military’s new massive Utah Data Center and can pull it up at any time in the future. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, automobile’s OnStar system, xBox and similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. And now we have learned they have back door access into all of RSA's encryption tools."

    +1 rep. That's a nice post you got there. Yes, it's obviously biased but at least you didn't attempt to fake it. It's a useful viewpoint to dwell on.
  • 5 Hide
    Anonymous , December 21, 2013 10:48 AM
    "Great, another troll complaining about the loss of freedoms and who doesn't understand how the technology works (excepting instant searches)."

    Have you not heard of the massive data mapping programs? It has been semi-exposed for years now. I can fully believe that any data available has been collected, including 'illegal' data, which is just traded between foreign partners to circumvent the law.

    The whole point of the science is to paint an accurate picture of all connections and persons of interest in such a way that you can know exactly what they are doing, and know it indirectly, by monitoring thousands of relative data points that ARE NOT directly related to them. It's very good theory, and military policy, but I don't support a military/defense state. I don't want to live in a 'safe' world where we are owned and manipulated by other humans who happen to be in the seats of power.

    Hopefully one day society will ascend to a higher moral or perhaps an AI will rise that we can trust (or will be forced to trust), who can run the world.. but as it is we can not accept a structured and controlled society. Humans can not unbiasedly rule over themselves, and power must remain dispersed and balanced.. as unlikely as that sounds.
  • 4 Hide
    oj88 , December 21, 2013 10:51 AM
    RSA should have renamed herself to NRSA or RNSA.
  • 0 Hide
    wdmfiber , December 21, 2013 11:32 AM
    This is huge news! Thanks for the article Tom's.

    Getting away from RSA for a minute, but staying on the subject of encryption... is anyone at Tom's aware of the TrueCrypt audit? I think its goal of examining the code for a "backdoor" is important and could use some more publicity (& "digging" by Tom's).
    http://istruecryptauditedyet.com/
    http://www.pcworld.com/article/2061285/is-your-encryption-truly-secure-truecrypt-audit-effort-smashes-fundraising-goals.html
  • 4 Hide
    Pailin , December 21, 2013 12:55 PM
    SPAMMERS...

    Seriously Toms... they are getting out of hand now.

    PLEASE do something or I am gone to Ars Technica despite being such a long term member here and recommending your site to so many people...

    (is the Reporting function "broken/disabled" to avoid dealing with the Large Qty of reported spammers???)
  • 4 Hide
    MultiplAds , December 21, 2013 2:15 PM
    Nobody trusts US companies anymore
  • 4 Hide
    brandonjclark , December 21, 2013 5:29 PM
    We should all write a nasty email to RSA. Here, just visit their site at rsa.GOV.
  • 1 Hide
    eriko , December 21, 2013 5:38 PM
    This is truly shocking.

    It just goes to show the depth of law breaking the government and corporations are willing to goto to spy on innocent citizens.
  • 1 Hide
    rwinches , December 21, 2013 6:18 PM
    I have always been wary of backdoors, because it means instead of having to 'break the code' for each message you are looking for this shortcut which then gives you all access.
  • 0 Hide
    seinfeld , December 21, 2013 7:12 PM
    This doesn't make sense. The NSA bought a contract to use these. So they had a backdoor built in? For what purpose? And then Chinese hackers got into the secured files. The NSA did that to themselves essentially by allowing the back door? This is weird!
  • 0 Hide
    Shaun o , December 21, 2013 11:50 PM
    Democracy !
    Amazing, funny thing is you're all considered an enemy of the state.

    I'm afraid it's the paranoia of terrorism.
    So everyone is classed as a potential threat.
  • 0 Hide
    Adroid , December 21, 2013 11:50 PM
    It's frustrating that not only do our tax dollars fund organizations that at the highest level have blatant disregard for the will of the majority or due process of law, but further the class action lawsuits that will continue to be filed for illegal and heinous actions of the same, which our tax dollars indefinitely go to.

    America is suffering cancers of many different types. Lawbreaking within the government should be dealt with swiftly and with finality. People within this organization should lose their jobs for this type of nonsense.

    We should cut funding of the NSA and have organizations that are more closely monitored by the law abiding citizens of this country. And while Security organizations might be necessary, there is currently an imbalance of power, and a complete absence of checks and balances within these types of organizations.