Last week Reuters reported that the NSA had paid RSA $10 million to embed an algorithm in its BSafe security software. RSA has denied entering into a contract with the NSA and denied any knowledge of NSA backdoor access.
However, the company said it had worked with the NSA only with the “explicit goal” of strengthening security, and that the relationship had never been a secret.
RSA has given its account of the backdoor fiasco in a blog post. The firm claims it adopted the DUAL EC DRBG random number generator after being advised by the National Institute of Standards and Technology (NIST) that the generator was safe. The post notes that the algorithm was “only one of multiple choices available within BSafe toolkits”, even though there were concerns of a possible backdoor in it.
RSA notified customers after NIST advised against DUAL EC DRBG in September. The company concludes by saying that it had “never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use”.
Though RSA claims innocence, it has never denied that the NSA paid it $10 million to include the backdoor algorithm in BSafe. Even though RSA was aware of the concerns raised about the algorithm before NIST withdrew its approval, it never advised customers against using the software. The company could also have selected a different algorithm, since it had itself said there were “multiple choices available”. These points raise doubts about the company’s denial of having entered into a contract with the NSA.