The National Security Agency arranged a clandestine US$10 million contract with computer security firm RSA that allowed the spy agency to embed in the company’s widely used products encryption code it could later use to break into them, Reuters reported.
Revelations provided by former NSA contractor Edward Snowden and first reported in September showed that the NSA created and perpetuated a corruptible formula that was ultimately a “back door” into encryption products.
Reuters later reported RSA became the lead distributor of the formula, installing it into a software tool known as BSAFE that is widely used to boost security in personal computers and other products.
Unknown then was the $10 million deal that set the NSA’s formula as the default method in BSAFE for the security measure in question – the generation of the random numbers from which access keys are derived – according to Reuters’ sources. Though the sum of money for the deal seems low, it represented over a third of the revenue the relevant division at RSA had made the previous year, according to securities filings.
RSA was previously known for its crusading fights to protect computer security and privacy in the face of government interests, as it played a major role in blocking an effort by the NSA in the 1990s to require a special chip that would have enabled surveillance on many computer and communication products.
Following the September disclosure, RSA, now a subsidiary of computer storage company EMC Corp, privately warned thousands of its customers to immediately discontinue using all versions of the company’s BSAFE toolkit and Data Protection Manager (DPM), both of which use the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm to generate the random numbers that protect sensitive data.
RSA and EMC would not comment to Reuters about the alleged deal, but RSA said in a statement: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”
The NSA declined to comment.
Most of the dozen current and former RSA employees interviewed by Reuters cited the company’s move away from strictly providing cryptography products as a reason the ill-advised deal was made, though several also said government officials deceived RSA by portraying the corrupt formula as secure.
“They did not show their true hand,” said one source who knew of the NSA deal.
RSA’s history as a pioneer of trusted cryptography goes back to the 1970s. Its encryption tools have been licensed by many major technology companies, which have used RSA products to secure hundreds of millions of personal computers around the world. Its core technology – public key cryptography – uses two keys rather than one: anyone can encode a message with the public key, but only the holder of the private key can reveal it.
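To make the two-key idea in the paragraph above concrete, here is an added textbook RSA example in Python; it is not code from the article, from RSA the company, or from the BSAFE toolkit. It uses deliberately tiny, constructed primes (61 and 53) so the arithmetic can be checked by hand; real keys use primes hundreds of digits long and a padding scheme, neither of which is shown here.

```python
"""Toy RSA key generation, encryption and decryption (educational example)."""
from math import gcd


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m; raises if none exists."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def generate_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)): the public key and the matching private key.

    n = p*q is published; d is the secret inverse of e modulo phi(n).
    Recovering d from (n, e) requires factoring n, which is what makes the
    public key safe to hand out while the private key stays secret.
    """
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(public_key: tuple[int, int], m: int) -> int:
    """Anyone holding the public key can encode m (0 <= m < n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key: tuple[int, int], c: int) -> int:
    """Only the private-key holder can recover m from the ciphertext c."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key: tuple[int, int], m: int) -> int:
    """The reverse direction: encode with the private key ..."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key: tuple[int, int], m: int, s: int) -> bool:
    """... and let anyone with the public key check the result."""
    n, e = public_key
    return pow(s, e, n) == m


def demo() -> dict:
    """Round-trip a constructed message with constructed toy primes."""
    public, private = generate_keypair(61, 53)  # constructed toy primes
    m = 65                                      # constructed message
    c = encrypt(public, m)
    s = sign(private, m)
    return {
        "public": public,
        "private": private,
        "ciphertext": c,
        "recovered": decrypt(private, c),
        "signature_ok": verify(public, m, s),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With p = 61 and q = 53 the modulus is n = 3233, phi(n) = 3120, and the inverse of e = 17 is d = 2753; the message 65 encrypts to 2790 and decrypts back to 65. The point the article's paragraph makes is visible in the code: `encrypt` needs only `(n, e)`, which can be published, while `decrypt` needs `d`, which never leaves the owner.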
Even in the earliest days of RSA’s existence, it quarreled with US intelligence entities that worried the dual-key format would block government access. As RSA’s products became more widespread, the contention rose. In the 1990s, the Clinton administration pushed the Clipper Chip, a mandatory piece of hardware in phones and computers that would have enabled officials to circumvent encryption without a warrant. RSA led a campaign to block the Clipper Chip, arguing that products so easily surveilled would cripple overseas sales of US tech products.
The White House then moved to advocating stronger export controls to keep top cryptography in the US, yet RSA again persuaded the industry to oppose the effort. The export restrictions were eventually discarded.