
Exclusive: Secret contract tied NSA and security industry pioneer

http://news.yahoo.com/exclusive-secret-contract-tied-nsa-security-industry-pioneer-001729620--finance.html

By Joseph Menn

SAN FRANCISCO (Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.

RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

The NSA declined to comment.

The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators.

The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it.

Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.

But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.

"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

STORIED HISTORY

[Photo caption: A National Security Agency (NSA) data gathering facility is seen in Bluffdale, about 25 miles (40 km ...]

Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.

At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it.