Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Alleged NSA Payment to RSA Raises New Fears of Gov’t Undermining Crypto Security

During the past several months, leaks about the NSA’s electronic surveillance operations have pooled into a river that has spilled into calls for reform.

During the past several months, leaks about the NSA’s electronic surveillance operations have pooled into a river that has spilled into calls for reform.

The most recent drop in that river is a report from Reuters that the NSA paid RSA $10 million to ensure a vulnerable encryption algorithm was used by default in RSA’s BSAFE toolkit. RSA, now a division of EMC, denied ever entering into a contract or being involved in any project with the intention of weakening its products. Still, the report, which was based on sources familiar with the contract, has sparked additional questions about collusion between the tech industry and intelligence agencies.

“The bad part is – if the story is true – the very, very large downside is that it’s compromising a security product,” said John Pescatore, director of emerging security trends at SANS Institute. “It’s one thing if somebody buys a switch or a typewriter or whatever you are not expecting it to sort of protect you…crypto, you are. You’re buying security products with the assumption that the company selling them to you is selling the most secure products. So if NSA has been successful at getting companies like RSA or Microsoft or any of them to compromise the security of their products,  that’s sort of taking it to a different level than we have seen in the past.”

In September, leaks by former NSA contractor Edward Snowden led to media reports that the NSA had engaged in an to insert vulnerabilities into commerical encryption systems so that it could more easily decrypt communications. Last week, Reuters reported the agency created a backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) that could be exploited and then pushed for RSA to adopt it. Problems with the algorithm have been known for several years, though RSA continued to use it in BSAFE until NIST [National Institute of Standards and Technology] withdrew its support for the standard in September in the wake of growing concerns.  

Last week, the Obama administration’s Review Group on Intelligence and Communications Technologies released a report in which recommended the NSA abandon efforts to undermine cryptographic standards.

“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage,” according to the report.

“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries,” RSA said in a statement. “We categorically deny this allegation. We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”

RSA said it made the decision to use Dual EC DRBG back in 2004, two years before NSA entered into a contract with RSA to use BSAFE. 

“We no longer know whom to trust,” blogged noted cryptographer Bruce Schneier today. “This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix.”

Pescatore, who has worked for the NSA and U.S. Secret Service in the past, said it is a mistake for the NSA to be charged with both the offensive and defensive aspects of the cyber-war, and that the conflicting priorities of those roles can create a mindset where injecting security flaws into encryption standards make sense. Currently, both the NSA and the US Cyber Command are under the direction of NSA Director Gen. Keith Alexander. 

The idea of strong encryption getting into the wrong hands however should not be enough of a reason for the intelligence community to undermine encryption, Pescatore said. After all, if the NSA can find the backdoor, others can as well, he argued. 

“I do not think that there needs to be sort of reduced strength [in] security products in case the bad guys get a hold of them any more than I think people’s houses should use easy to pick locks just in case the police need to get in,” he said. 

*This story has been updated.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Cyberwarfare

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea...