Partners: RSA Had Trust Issues Even Before NSA Backdoor Report Came To Light

RSA, the security division of EMC, has categorically denied a recent Reuters report that claimed the National Security Agency paid it $10 million to include a backdoor in its encryption products for surveillance purposes.

But it's unclear at this stage whether the denial will be enough to prevent partners and customers from dropping RSA's products, as some have done even before the NSA backdoor issue came to light.

The controversy hinges on RSA's inclusion of a technology called Dual Elliptic Curve Deterministic Random Bit Generator, or Dual EC DRBG, in its Bsafe encryption toolkit. According to Reuters, RSA used Dual EC DRBG at the NSA's behest because it's easy to break, but RSA denied this on Monday.

[Related: RSA Denies Report That NSA Paid It $10 Million For Encryption Back Door ]

Sponsored post

The problem for RSA is that this isn’t the first time trust issues have surfaced for the Bedford, Mass.-based vendor.

In 2011 after hackers compromised RSA’s SecurID two-factor authentication tokens, RSA was criticized for not offering replacement tokens to its customers. Only after Lockheed Martin, Northrop Grumman and L3 Communications were attacked three months later did RSA offer to replace customers' SecurID tokens.

Kevin McDonald, executive vice president of Alvaka Networks, an Irvine, Calif.-based managed service provider and RSA partner, told CRN the SecurID attack was the last straw for his company. "We had recommended RSA a great deal in the past. But we actually made the decision not to recommend any longer when they were hacked in 2011," he told CRN.

McDonald said Alvaka Networks has decided to switch to other security vendors for technology it used to get from RSA. "Whether or not RSA conspired with the NSA, or simply made the poor choice to include Dual EC DRBG technology, we are looking for legitimate alternatives, as RSA will not be in our toolkit," he said.

RSA said it began using Dual EC DRBG in 2004 and felt confident in doing so because it was standardized by the National Institute of Standards and Technology (NIST). The NIST first reported problems with Dual EC DRBG in 2007, and when it warned users about the backdoor in September, RSA said it immediately passed on the message to customers.

Basically, RSA's stance on its use of Dual EC DRBG is that there's nothing to see here, people.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it," RSA said Monday in a blog post.

The NSA issue will no doubt be top-of-mind for attendees at RSA's annual security conference in San Francisco, which is being held from Feb. 24-28. The event typically includes sessions on why it's important for vendors to avoid using fear-based marketing to hawk their products, and an expo hall full of vendors ignoring this advice.

NEXT: RSA Marketing Tactics Called Into Question

RSA CEO Art Coviello has also been known to use dramatic speech in his annual keynote to illustrate the seriousness of the threats the security industry is tasked with protecting against.

Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security consultancy and former RSA partner, will be casting a skeptical eye toward such claims at this year's event.

"At the RSA conference last year, Art Coviello spent a full hour barraging the audience with fear-laden words and imagery. Then at the end of the talk, he had the audacity to say 'Now, I have never used fear to sell,'" Plato said in an email. "That contradiction within RSA says to me that this is a company with some serious trust issues."

RSA couldn't be reached for comment.

To be fair, not all RSA partners are ready to ditch the vendor in the wake of the NSA report. Steve Snider, president of Cadre Information Security, a Cincinnati-based RSA partner, noted that encryption is complex technology that isn't impervious to flaws. He's willing to give RSA the benefit of the doubt for its use of Dual EC DRBG.

"What is part and parcel to any discussion of cryptography, especially Elliptical Curve Encryption, is that the math can be rather dense and it's not unreasonable to say that possible weaknesses were unforeseen," Snider said an email.

Snider thinks the larger public outcry will be focused on the NSA as opposed to RSA. "Following the disclosure that Verizon and others were supplying data to the NSA, I doubt that very many people or organizations dumped their telecommunications provider," Snider said.

As for McDonald, he told CRN Alvaka Networks will be careful in the future to get written assurances from vendors to ensure that their security products are, in fact, secure and free of backdoors. In fact, he believes such a clause should be included in all future vendor partnership contracts.

"The damage to trust by the very idea that any corporation would conspire to undermine fundamental security is sickening," McDonald told CRN. "It is one thing for a corporation to participate in legitimate law enforcement functions under warrant or legal arm-twisting mechanisms. It’s entirely something else to profit from the wholesale destruction of privacy."