Security firm RSA "categorically denies" accepting money from NSA to use flawed crypto code

By Shawn Knight · 5 replies
Dec 23, 2013
  1. Last week, Reuters ran a story claiming the National Security Agency paid security firm RSA $10 million to use a known flawed random number generator in their BSAFE toolkit. The firm has since categorically denied the allegation, saying they have...

  2. David Friedman

    David Friedman TS Rookie

    Reading the RSA blog post, I note that they do not deny receiving a ten million dollar payment from NSA, nor do they admit it and say what it was for, nor do they say when they received it. The only thing they say is that they did not deliberately make a weak pseudorandom number the default for their software and that they continued using that generator as the default for years after security experts had pointed out problems with it because they trusted the NIST.

    The post amounts to "we are not guilty," with no evidence offered and no explanation or denial of the purported evidence that they are.
  3. dms96960

    dms96960 TS Addict Posts: 297   +59

    Nor, of course, are they under oath. Why would anyone believe any self-serving statement that they made?
  4. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,745   +3,710

    It is not in either one's best interest to use flawed code. I don't believe the accusation against RSA.
  5. I think RSA's response has told us everything we need to know. Unwaveringly non-committal, less than 300 words in total, denies absolutely nothing and eschews the risk of difficult questions from the press by being presented as a blog post instead of a proper response to the many media outlets that have requested comment.

    Quite simply, they knew exactly what the money was for. They try to claim that they chose the most appropriate algorithm, but presumably they would have done that without a $10m bribe so the argument falls flat on its face. They were complicit to the end and they surely knew the massive risk it exposed them to, but they probably reasoned that the NSA of all people would be competent enough to keep their clandestine subversion of security protocols a secret. How wrong they were.

    RSA, formerly one of the world's most trusted IT security companies, is dead - they will never regain that trust and without it they have nothing. I'm sure EMC are hard at work on a strategy, whether it be a simple rebrand (works on most people most of the time but probably not going to cut it this time round) or a full restructure of assets ahead of the formal termination of the "RSA" brand name.

    So long RSA, rot in hell with your NSA handlers.
  6. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,813   +473

    That they didn't know isn't unbelievable or unreasonable. Getting paid to use a certain algorithm is a bit odd but in this field and with this tech there is seriously no way you could possibly know all the weaknesses of any number gen technique. What I would expect is the publicly known weaknesses are not present. The NSA obviously wouldn't make a weakness of that random number generator public. Why would they - they want a hush hush exploit? How/why could the RSA be crucified for this?
