15

According to this article from Reuters:

> Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

However, later in the article they quote RSA as denying this:

> RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

Did the NSA pay 10 million dollars to the RSA to weaken their systems?

Note: I know this is closely linked to "Does the NSA build backdoors into encryption algorithms?" However, I think this is a different question, because it's a specific algorithm here, and a more specific allegation (and the accepted answer there, which talks about the same algorithm, doesn't answer my question).

ike
  • I presume for the purposes of this question we are assuming that the answer to the other linked question is "yes". – Ladadadada Mar 04 '14 at 17:57
  • @Ladadadada Not necessarily. If the answer is no, then obviously the answer here is no, but that's the only correlation. – ike Mar 04 '14 at 21:10
  • 1
    A better way to word this might be 'Did the NSA pay RSA $10 million to make Dual_EC_DRBG the default?' That question isn't reliant on knowing whether Dual_EC_DRBG is actually backdoored by the NSA or not. – Michael Kohne Mar 06 '14 at 02:21

1 Answer

2

You've got two questions there:

1) Did the NSA pay RSA Security $10 million to make Dual_EC_DRBG the default?

Quite likely. The way the statement by RSA Security is worded does not deny the core allegation of the Reuters report:

> RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software

2) Did the NSA pay 10 million dollars to the RSA to weaken their systems?

Probably not. The statement explicitly denies this (emphasis mine):

> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation...

and

> ...but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

The two answers are not contradictory. In 2004, when the contract was reportedly signed, Dual_EC_DRBG was not known to be flawed. The first paper showing a weakness in the algorithm was published in 2006, and the first paper demonstrating that it could have a backdoor was published in 2007, although the theoretical possibility of an attack was known in 1997. It's virtually certain that, if the contract exists, it makes no mention of the algorithm being flawed or weak, or incorporating a backdoor.

Mark
  • [Welcome to Skeptics!](http://meta.skeptics.stackexchange.com/questions/1505/welcome-to-new-users). While I agree the wording of the statement was unfortunate, in that it didn't address the key allegation, your interpretation that this implies the allegation is true is an opinion, not a definitive, referenced statement. – Oddthinking Jul 25 '14 at 09:32
  • However, there already has been an example of the NSA knowing a weakness before the public. When DES was developed the NSA meddled with the algorithm and faced severe criticism over their changes to it (it still was used with those changes). Only _20_ years later was differential cryptanalysis made known to the public (in that case the changes done by the NSA actually improved DES). So it is certainly not far-fetched to say that if the NSA paid to make one algorithm used more widely which has been proven to be weak, they knew about the weakness earlier and planned to capitalize on it. – user45891 Jul 28 '14 at 21:31