According to Reuters: “Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a ‘back door’ in encryption products. RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation.”
Not a bad deal for RSA, since the company’s total revenue for the previous year was less than $30 million. Needless to say, RSA went into damage control mode by vehemently denying that it ever was in cahoots with the NSA.
RSA did admit that it had worked with the NSA, both as a vendor and an active member of the security community. The EMC-subsidiary emphasized that as a trusted member of the security community, it wants to strengthen, not weaken, encryption.
RSA stated: “This algorithm is only one of multiple choices available within BSafe toolkits. Users have always been free to choose whichever toolkit best suits their needs".
RSA continued using the algorithm as an option within BSafe toolkits as it gained acceptance as a NIST (National Institute of Standards and Technology) standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, RSA continued to rely upon NIST as the arbiter of that discussion.
The EMC-subsidiary concluded by stating that RSA, as a security company, never divulges details of customer engagements, but “we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
The fallout of the RSA scandal might be too much for RSA (and EMC). Both companies are at risk to remain tainted by the revelations of Reuters. What RSA and EMC need now is some excellent PR to repair their brand damage – the sooner the better!
No comments:
Post a Comment