RSA Denies Report That NSA Paid It $10 Million For Encryption Back Door

RSA, the security division of EMC, on Sunday "categorically" denied a recent Reuters report that claims it has worked with the National Security Agency to include a backdoor in its widely used encryption toolkit.

On Friday, Reuters reported that RSA had inked a "secret $10 million contract" with the NSA, under which the vendor would include intentionally flawed encryption as the default option in its Bsafe developer toolkit, to make it easier for the agency to conduct surveillance.

The NSA isn't saying anything about the report, but RSA says it isn't accurate.

"We also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone’s use," RSA said in a Monday statement.

The New York Times broke news of the NSA's encryption back door in September, citing documents leaked by former NSA contractor Edward Snowden. The same month, Reuters reported that RSA was supporting the NSA encryption scheme by default in Bsafe, and RSA issued a bulletin warning customers not to use it.

What's new is the allegation that RSA was paid for helping the NSA spy on its customers. If true, this could do further damage to a company whose reputation was already tarnished by its handling of a March 2011 attack on its SecurID two-factor authentication products.

Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security consultancy, told CRN he thinks RSA's Bsafe denial sounds "weak and reactionary."

"If you parse the language of their denial, they do not actually deny putting in backdoors," Plato said. "They deny their relationship with the NSA was secret. OK, so it wasn’t that secret, but what about those backdoors?"

The SecurID hack, which was later found to be a coordinated, targeted type of attack known as an Advanced Persistent Threat, was a disaster for RSA. Not only was it costly for RSA to remediate, it also gave hackers the world over a how-to guide for attacking networks protected by SecurID authentication.

Indeed, in June of 2011, a series of high-profile attacks on Lockheed Martin, Northrop Grumman and L3 Communications prompted RSA to replace some customers' SecurID tokens. RSA was criticized for taking more than two months after the initial attack to offer this option.

Damage from the SecurID attack is still being felt today. In July, Joe Stewart, director of malware research at Dell SecureWorks, told CRN the SecurID attacks are connected to at least 64 active attacks on companies in the U.S., Europe and Asia.

RSA has clearly learned from the SecurID experience and appears to be doing everything it can to get ahead of the Bsafe issue. But just as the NSA scandal is causing U.S. citizens to question how they're being governed, some RSA developer customers are taking a closer look at the apps they've built using the Bsafe encryption toolkit.

"If the toolkit was used in the past, software developers should go check and make sure they change it," security expert Gary McGraw told CRN in September. "Businesses need to be aware of this and be asking more questions."

Could this have a long-term impact on RSA's business? Plato said his customers' opinion of RSA has been "gloomy" for a while now, and he thinks the Bsafe issue could make things worse. "This could just alienate RSA farther from the industry," he said.