RSA Press Release Denying Alleged NSA Ties Does Little Denying

By Matt Chambers

rsa BSAFE

Three days ago, Reuters had an exclusive report that RSA had received $10 million from the National Security Agency (NSA) in order to make sure that the now known to be flawed Dual_EC_DRBG random number generator was set as the default for their BSAFE toolkit. In essence, the NSA was paying off RSA to make sure that they would have as much access as possible.

RSA’s press release states that

RSA pr1

The issue here is that while RSA is denying any secret contracts, they are not denying that they never had the alleged $10 million contract in the first place. Nothing inside the press release does anything to suggest that RSA did not have that contract. The defense RSA seems to be putting out however, is that they did not know that Dual_EC_DRBG generator was cryptographically unsound. However, that does not seem to hold much water considering that in 2007 a team at Microsoft had found that they could guess any key that had been generated with relative ease.

Where this leaves us is that for over 5 years, RSA continued to promote an unsafe generator in their toolkit until finally, in September 2013, they issued another press release telling users to follow The National Institute for Standards and Technology (NIST) recommendation and stop using Dual_EC_DRBG in their BSAFE toolkit. One saving grace for RSA is that there does seem to be no indication in the Reuters report that they had any prior knowledge that the generator was fatally flawed.