
RSA denies secret ties to NSA

Security software provider RSA has denied claims that it entered into a "secret contract" with the US National Security Agency.

It was alleged last Friday that the NSA paid the security firm $10 million (£6.1 million) in order to gain access to data-protected products like BSAFE.

"We categorically deny this allegation," RSA said in a blogpost. "We have worked with the NSA, both as a vendor and an active member of the security community.

"We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security."

According to Reuters, RSA had built a random number generator known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) into its encryption products, which allowed the NSA a "back door" to the data.

The news agency reported that RSA "was misled by government officials, who portrayed the formula as a secure technological advance".

In its defence, RSA stated: "We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

The flaws in the random number generator were first confirmed in September, at which point RSA instructed users to stop using the code.

"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the security firm concluded.

Following the publication of the RSA blogpost, Reuters reporter Joseph Menn tweeted: "We stand by our RSA story".