NSA Paid RSA $10 Million to Use Flawed Security Standard

RSA Security was paid $10 million by the National Security Agency (NSA) to fold a deliberately flawed encryption standard into its software, a Reuters report says.

The company, whose SecurID tokens and software are used by millions of smartphone users and corporate employees worldwide, made a pseudo-random number generator called Dual_EC_DRBG the default selection in its BSAFE encryption software toolkit in 2006.

Two sources told Reuters reporter Joseph Menn that setting Dual_EC_DRBG as the default was key to a $10 million contract the company had signed with the NSA that year. The BSAFE division had taken in only $27.5 million in revenue in 2005.

MORE: Should You Trust U.S. Companies With Your Data?

"Now we know that RSA was bribed," security expert Bruce Schneier told CNET following the publication of the Reuters story. "I sure as hell wouldn't trust them."

Some current and former RSA Security employees told Menn the company was duped into trusting the NSA, which sets security standards for companies seeking government contracts.

"They did not show their true hand," one source told Menn.

Other blamed a changing corporate culture. The company, which during the 1990s led the successful fight against the NSA's proposed mandatory Clipper Chip, which would have decrypted cellphone conversations, was by the mid-2000s a much larger corporation, and many key employees had moved on.

"When I joined there were 10 people in the labs, and we were fighting the NSA," an employee who left in 2005 told Menn. "It became a very different company later on."

Random numbers that weren't random at all

BSAFE is used by software developers, chiefly anti-virus software maker McAfee and RSA itself, to secure their products. It is not used in RSA's SecurID tokens or software.

Pseudo-random number generators, or PRNGs, are essential to the encryption methods that underlie most secure electronic communications.

In September of this year, documents revealed by NSA turncoat Edward Snowden showed that the NSA had secretly undermined Dual_EC_DRBG (short for Dual Elliptic Curve Deterministic Random Bit Generation).

MORE: Why the Latest NSA Leak Is the Scariest of All

The revelation greatly upset many in the information-security community who had trusted the agency as a partner in developing encryption standards and security best practices.

Dual_EC_DRBG had been regarded with suspicion by cryptography experts ever since a 2007 paper, written by two Microsoft researchers, showed that it contained hidden mathematical relationships that made presumably random numbers not random at all.

The flaw could be exploited by the holder of a certain number, unknown to the researchers, and amounted to a "backdoor," a secret way to decrypt any information that had been encrypted using Dual_EC_DRBG.

Following the Snowden revelation,RSA Security advised its customers who used BSAFE to switch to another PRNG.

Another stain on a once-stellar reputation

RSA Security is one of the best-known brands in the worldwide security-software field. It was founded in 1982 by three Massachusetts Institute of Technology cryptographers who had created the RSA encryption algorithm five years earlier.

The company, based in the Boston suburbs, was bought by EMC Corporation in September 2006, after the BSAFE contract with the NSA was finalized.

The company's SecurID tokens were fatally compromised in March 2011 following a data breach by Chinese hackers who obtained the "seeds," or secret numbers, for token encryption-key generation.

The company was widely blamed for not disclosing the seriousness of the breach for three months after its initial disclosure, during which time the cracked SecurID tokens were used to steal military blueprints from U.S. defense contractors.

RSA Security hosts the annual RSA Security Conference, a giant week-long industry event held every February in San Francisco.

"If the Reuters story is true, I — for one — will be cancelling my invited talk and my panel participation in the upcoming RSA Conference," tweeted F-Secure researcher Mikko Hypponen, among the most respected people in the information-security industry, after the Reuters story broke.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.