Researchers Uncover Second NSA Link To RSA Encryption Toolkit


Researchers have established a second link between National Security Agency surveillance activities and RSA Security's encryption toolkit, one that would have bolstered the agency's ability to spy on protected communications.

News about the intelligence agency allegedly engaging with security vendors and other technology providers has had systems integrators watching developments closely. They tell CRN that business owners are beginning to ask more questions about the security and quality of the services and systems from U.S. technology vendors during the evaluation process. 

RSA has denied that it knowingly selected a contentious random number generator to enable the NSA to view data. RSA Executive Chairman Art Coviello told attendees at the company's annual security conference that RSA has always had close ties with the intelligence community and has been open about the relationship. The company has said it did not intentionally weaken security in any product.

[Related: 10 Ways NSA Surveillance Revelations Could Impact The Channel]

RSA's BSafe toolkit supported Dual EC DRBG, a random number generator (not a cipher, but the source of the random bits from which keys are derived) that most cryptographers had long considered flawed, until last November, when the National Institute of Standards and Technology (NIST) removed it from its list of approved algorithms. The company has been increasingly criticized since a Reuters report that it was paid $10 million to make the generator the default in the toolkit.

The generator is believed to be widely used or supported in IT products, networking gear and other software. Documents leaked by Edward Snowden indicated that it may contain a back door for use by government intelligence gatherers: whoever knows the secret relationship between the two curve points built into the generator can recover its internal state from a single output and predict every random value it produces afterward, including key material.

A Reuters report this week said a research team found that "Extended Random," a proposed extension to the TLS protocol that secures websites, made the flawed generator easier for the intelligence agency to crack: the extension exposes more of the generator's raw output in each connection, cutting the work needed to recover its internal state. The team consists of professors from Johns Hopkins, the University of Wisconsin and the University of Illinois. The group has published a report on its findings.
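The mechanics behind that back door and the brute force that Extended Random shortens, as an added illustration that is not part of the CRN report, the researchers' paper or RSA's code: the toy generator below follows the Dual EC construction (state s, next state x(s*P), output x(s*Q) with its top bits dropped) over the secp256k1 curve, whereas the real generator used NIST's P-256 curve; the construction and the trapdoor are the same on either. The two points are built with a secret d such that P = d*Q, which is the assumed back door; a party holding d recovers the generator's state from one truncated output block plus the next and then predicts every later block. Dropping 8 bits per block instead of the real 16, the curve choice, the seeds and all function names are this example's assumptions, not RSA's or NIST's.

```python
"""Toy Dual EC DRBG with its trapdoor, and the state-recovery attack.
Assumptions not from the article: the curve is secp256k1 (the real generator
used NIST P-256) and each output drops only 8 bits instead of 16, so the
brute force below finishes in seconds rather than minutes."""
import secrets

P_MOD = 2**256 - 2**32 - 977   # secp256k1 field prime; curve y^2 = x^3 + 7
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
TRUNC_BITS = 8                 # real Dual EC drops 16 bits per block
OUT_MASK = (1 << (256 - TRUNC_BITS)) - 1

# Jacobian coordinates (X, Y, Z); None is the point at infinity.
def jac_double(pt):
    if pt is None:
        return None
    x, y, z = pt
    s = 4 * x * y * y % P_MOD
    m = (3 * x * x + A * pow(z, 4, P_MOD)) % P_MOD
    x3 = (m * m - 2 * s) % P_MOD
    return (x3, (m * (s - x3) - 8 * pow(y, 4, P_MOD)) % P_MOD, 2 * y * z % P_MOD)

def jac_add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    u1, u2 = x1 * z2 * z2 % P_MOD, x2 * z1 * z1 % P_MOD
    s1, s2 = y1 * pow(z2, 3, P_MOD) % P_MOD, y2 * pow(z1, 3, P_MOD) % P_MOD
    h, r = (u2 - u1) % P_MOD, (s2 - s1) % P_MOD
    if h == 0:                 # same x: either a doubling or P + (-P)
        return jac_double(p1) if r == 0 else None
    h2, h3 = h * h % P_MOD, pow(h, 3, P_MOD)
    x3 = (r * r - h3 - 2 * u1 * h2) % P_MOD
    return (x3, (r * (u1 * h2 - x3) - s1 * h3) % P_MOD, h * z1 * z2 % P_MOD)

def ec_mul(k, pt):
    """k * pt for an affine point pt; one field inversion at the end, not per step."""
    acc, add = None, (pt[0], pt[1], 1)
    while k:
        if k & 1:
            acc = jac_add(acc, add)
        add = jac_double(add)
        k >>= 1
    if acc is None:
        return None
    zi = pow(acc[2], -1, P_MOD)
    return (acc[0] * zi * zi % P_MOD, acc[1] * pow(zi, 3, P_MOD) % P_MOD)

def lift_x(x):
    """A curve point with this x, or None; p = 3 mod 4, so sqrt is one exponentiation."""
    rhs = (pow(x, 3, P_MOD) + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

G = lift_x(GX)                 # base point; either square root generates the group

class DualEC:
    """s_i = x(s_{i-1}*P); r_i = x(s_i*Q); output = r_i with its top bits dropped."""
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_block(self):
        self.s = ec_mul(self.s, self.P)[0]
        return ec_mul(self.s, self.Q)[0] & OUT_MASK

def make_trapdoor_points():
    """P = d*Q. Users see only P and Q, which look like ordinary constants; d is the back door."""
    Q, d = G, secrets.randbelow(N - 1) + 1
    return ec_mul(d, Q), Q, d

def recover_state(d, Q, observed, next_observed):
    """Attacker: guess the dropped bits, lift x to R = +/-s*Q, then x(d*R) = x(s*P)
    is the next state; the following output block confirms which guess was right."""
    for top in range(1 << TRUNC_BITS):
        R = lift_x((top << (256 - TRUNC_BITS)) | observed)
        if R is None:          # about half the guesses are not on the curve
            continue
        s_next = ec_mul(d, R)[0]
        if ec_mul(s_next, Q)[0] & OUT_MASK == next_observed:
            return s_next
    return None

def run_demo(blocks=3):
    """Victim emits two blocks (as a TLS hello exposes); the holder of d predicts the rest.
    Returns (victim_outputs, attacker_predictions)."""
    P, Q, d = make_trapdoor_points()
    victim = DualEC(secrets.randbelow(N - 1) + 1, P, Q)   # constructed random seed
    r1, r2 = victim.next_block(), victim.next_block()
    s2 = recover_state(d, Q, r1, r2)
    assert s2 is not None, "state recovery failed"
    clone = DualEC(s2, P, Q)
    return [victim.next_block() for _ in range(blocks)], [clone.next_block() for _ in range(blocks)]

if __name__ == "__main__":
    actual, predicted = run_demo()
    print("attacker predicted the victim's next outputs:", actual == predicted)
```

The loop in recover_state is the cost the researchers measured: every dropped bit doubles the candidates, and each surviving candidate must be confirmed against further generator output. That is where a TLS extension that ships more raw random bytes in the handshake matters; the more contiguous output the attacker can see, the cheaper the confirmation and the faster the state falls.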

Solution providers are increasingly concerned about the implications of the NSA revelations to U.S. technology providers and cloud services firms that hold business data. 

Pete Zarras, founder and president of Cedar Knolls, N.J.-based Cloud Strategies, said more questions are being asked about data handling, but his firm steers the conversation toward data security and effective security practices. Customers are becoming more educated, Zarras said in a recent interview. "I think most people want transparency and openness most. Taking measures to properly secure your data and reduce system risks is probably the prudent approach to address data security and privacy concerns," he said.

Other U.S. technology firms also have come under fire, including IBM, Microsoft and Cisco Systems, for working with the government to provide potential back-door access, but solution providers tell CRN that so far the news has not impacted sales domestically.

Clients are frequently asking questions about data access and transparency into the underlying internal processes supporting the cloud services they are evaluating, said Jason Hicks, managing consultant in data security and privacy at FishNet Security. The good news for solution providers is that NSA leaks have not prompted business owners to replace systems or terminate services out of fear of government intrusion, Hicks said.

"In the U.S., a lot of people are under the impression that they didn't have a choice. The government -- much like search warrants and subpoenas -- they come in and they say, 'You do this or else,'" Hicks said. "Where I think people get a little more inquisitive are things that appear to be a voluntary turnover of data or information to the government. That places uncertainty in people's heads."

PUBLISHED APRIL 2, 2014