F-Secure Chief Research Officer Mikko Hypponen said he is cancelling his talk at the upcoming RSA security conference in February due to reports RSA received money from the NSA several years ago to use a flawed algorithm in RSA’s BSAFE encryption product.
The allegation against RSA, now a division of EMC, surfaced last week in a report by Reuters that said the company took $10 million from the security agency to make sure the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was used by default in BSAFE. The algorithm was found to be flawed as early as 2006. However, the company kept using it by default until September, when the National Institute of Standards and Technology (NIST) advised organizations to stop using it.
In a letter to EMC CEO Joseph M. Tucci and Art Coviello, executive chairman of RSA, Hyponnen said he was backing out of his talk, which ironically was called ‘Governments as Malware Authors.’
“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA,” Hypponen wrote. “In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.”
RSA said it had no comment on the matter when contacted by SecurityWeek. However, the company did issue a statement recently saying it had never engaged in any contract or project with the intent of weakening their own products or introducing backdoors for the NSA to use.
“We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption,” according to the company’s statement. “At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”
The RSA conference runs from Feb 24 to 28 and will be held in San Francisco.