The latest documents leaked by whistleblower Edward Snowden claim the US National Security Agency (NSA) paid a computer security firm $10 million in order to create a secret back door into encryption software. According to Joseph Menn of Reuters, the documents allegedly reveal that the NSA and RSA arranged a secret agreement in which the agency “created and promulgated a flawed formula for generating random numbers” called the Dual Elliptic Curve so they would be able to crack encryption codes and gain entry to “widely used” computer products. It has already been reported that RSA, identified by Reuters as “one of the most influential firms in the computer security industry,” helped the NSA distribute their formula by including it in a software tool known as Bsafe, which is “used to enhance security in personal computers and many other products.” However, Menn said the amount of money that changed hands as part of the lucrative contract had been previously undisclosed.

“Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year,” he added. “The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.”

Menn attempted to contact RSA, which is now a subsidiary of computer storage giant EMC Corp, and the NSA to discuss the story, but both parties declined to comment. However, the security software firm did release a statement denying that it intentionally designed or enabled back doors in its products, he added.

“To what extent RSA management knew of the nature of the NSA’s system is unclear,” said Slashgear’s Chris Davies. He added that, despite the company’s denials, “several current and former RSA employees said, under anonymity, that the firm’s shift away from pure cryptography products was a likely reason for the deal.” “Others, though, argued that the NSA had not been fully open about the purpose of the formula, which was supposedly billed as a key technological advance in security,” he added. “The government officials involved in the negotiations did not reveal that the NSA had back door access to Dual Elliptic Curve, the RSA insiders insist.”

According to Davies, sources said RSA management viewed the NSA’s proposal as a chance to keep active in the field of cybersecurity, which was being framed at the time as American firms helping the government protect domestic computer systems against international spies and hackers. Once RSA adopted the Dual Elliptic Curve, it helped the NSA secure National Institute of Standards and Technology (NIST) approval for the formula as a “legitimate number generator,” he added. That happened less than a year before “the system was being cited as significantly flawed,” causing RSA officials to advise customers “to shift away from it as soon as possible,” the Slashgear reporter added.