The National Security Agency paid $10 million to the security firm RSA to
implement intentionally flawed encryption, according to a new report.
[Image: An RSA SecurID key fob]
What's an encryption backdoor cost? When you're the NSA, apparently the fee
is $10 million.
Intentional flaws created by the National Security Agency in RSA's encryption
tokens were discovered in September, thanks to documents released by
whistleblower Edward Snowden. It has now been revealed that RSA was paid $10
million by the NSA to implement those backdoors, according to a new report in
Reuters.
Two people familiar with RSA's BSafe software told Reuters that the company
had received the money in exchange for making the NSA's cryptographic formula
the default for encrypted key generation in BSafe.
"Now we know that RSA was bribed," said security expert Bruce Schneier, who
has been involved in the Snowden document analysis. "I sure as hell wouldn't
trust them. And then they made the statement that they put customer security
first," he said.
RSA, now owned by computer storage firm EMC Corp, has a long history of
entanglement with the government. In the 1990s, the company was instrumental in
stopping a government plan to include a chip in computers that would've allowed
the government to spy on people.
It has also had its algorithms hacked before, as has RSA-connected VeriSign.
The new revelation is important, Schneier said, because it confirms more
suspected tactics that the NSA employs.
"You think they only bribed one company in the history of their operations?
What's at play here is that we don't know who's involved," he said.
Other companies that build widely used encryption apparatus include Symantec,
McAfee, and Microsoft. "You have no idea who else was bribed, so you don't know
who else you can trust," Schneier said.
In a statement issued Sunday, RSA said it "categorically" denied recent reports.
"We have worked with the NSA, both as a vendor and an active member of the
security community. We have never kept this relationship a secret and in fact
have openly publicized it," the company said in a statement. "Our explicit goal
has always been to strengthen commercial and government security."
The statement goes on to rebut a number of claims, including that the company
knowingly introduced a flawed random number generator into its encryption
libraries.