Last week, Reuters ran a story claiming the National Security Agency paid security firm RSA $10 million to use a random number generator known to be flawed in its BSAFE toolkit. The firm has since categorically denied the allegation, saying it has never entered into any contract or engaged in any project with the intent of weakening RSA’s products or introducing backdoors for anyone’s use.
In a blog post on the matter, the company said they have worked with the NSA previously as a vendor and an active member of the security community but the relationship was never kept a secret. Their goal has always been to strengthen commercial and government security, the post stated.
The post outlines the use of Dual EC DRBG, starting in 2004 with the decision to use it as the default in BSAFE toolkits. RSA noted that at the time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
When concerns surfaced about the algorithm in 2007, RSA relied upon the National Institute of Standards and Technology (NIST) as the arbiter of the discussion. When NIST recommended in September 2013 that the algorithm no longer be used, RSA passed the information along to customers and discussed the changes openly in the media.
RSA also points out that the algorithm in question is only one of multiple choices available within BSAFE toolkits and said users have always been free to choose whichever one best suits their needs.