RSA Security was awarded a $10 million contract for shipping its software with an NSA-engineered vulnerability. 

In September, the Guardian revealed that the National Security Agency intentionally created a flawed formula designed to provide a “back door” into commonly used encryption products. New information shows that the U.S. government paid at least one private security company in exchange for implementing the NSA’s pre-designed flaw into its software.

Reuters reported Friday that RSA Security was awarded a $10 million contract for shipping its software, BSAFE toolkit, with an NSA-engineered vulnerability in the software’s key generation process. The contract was exposed by top-secret NSA documents leaked by whistleblower Edward Snowden.

Encryption keys are derived from random numbers, which software produces with a mathematical algorithm known as a random-number generator. That generator must be strong enough that the keys built from its output can’t be easily recovered. The NSA documents suggest that a flaw in RSA’s algorithm allowed keys generated by its software to be easily cracked.

The new revelation isn’t that RSA’s algorithm was flawed but that the company was paid, with U.S. tax dollars, to continue implementing it long after its vulnerability was discovered.

In 2007, Wired journalist Bruce Schneier published an article titled, “Did NSA Put a Secret Backdoor in New Encryption Standard?” In it, he revealed that the NSA had championed the use of Dual_EC_DRBG, the algorithm used by RSA, and correctly predicted that it contained a backdoor used by the agency.

“My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances,” Schneier wrote.

Regardless, RSA continued to implement the flawed encryption as a default for its products. The company’s customers were finally alerted in 2013 and told to use a different key generator. “To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG,” RSA said.
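To make concrete what “a flaw in the key generation process” means here, the following is an added example, not code from the article, from RSA or from NIST: a toy Dual_EC_DRBG with the same shape as the standardized generator, run over a small made-up curve (the prime, curve coefficients, base point, trapdoor scalar and seed are all constructed toy values, not the real P-256 parameters). It shows the observation Dan Shumow and Niels Ferguson published in 2007, which Schneier’s column was reporting on: whoever knows the scalar relating the two constants P and Q can rebuild the generator’s internal state from a single truncated output and then predict everything it produces afterwards, including any key material drawn from it. Function and variable names (`DualEC`, `recover_state`, `run_demo`, `E_TRAPDOOR`) are this example’s own.

```python
# Toy Dual_EC_DRBG over a tiny curve.  Constructed example: the curve, base
# point, trapdoor scalar and seed are made-up toy values, not the P-256 ones.
from math import gcd

P_MOD, A, B = 4099, 3, 7        # y^2 = x^3 + A*x + B; 4099 is prime, 4099 % 4 == 3
INF = None                      # point at infinity

def add(p1, p2):                # affine point addition on the short-Weierstrass curve
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # p1 == -p2 (covers y == 0 too)
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):                 # double-and-add scalar multiplication k*pt
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sqrt_mod(v):                # square root in GF(P_MOD) (P_MOD % 4 == 3), or None
    r = pow(v, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == v % P_MOD else None

def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

def find_base_point(min_order=256):   # scan x until a usable point turns up (toy heuristic)
    for x in range(P_MOD):
        y = sqrt_mod((x ** 3 + A * x + B) % P_MOD)
        if y is not None and point_order((x, y)) > min_order:
            return (x, y)

P = find_base_point()
ORDER = point_order(P)
D_SECRET = next(d for d in range(ORDER // 2, ORDER) if gcd(d, ORDER) == 1)
Q = mul(D_SECRET, P)                     # the standard's "unexplained" second constant
E_TRAPDOOR = pow(D_SECRET, -1, ORDER)    # so P == E_TRAPDOOR * Q
WIDTH, TRUNC = P_MOD.bit_length(), 3     # real standard: 256-bit x, top 16 bits dropped
OUT_MASK = (1 << (WIDTH - TRUNC)) - 1

def x_of(pt):                            # x-coordinate; hitting INF is negligible at real sizes
    if pt is INF: raise ValueError("state hit the point at infinity")
    return pt[0]

class DualEC:
    """s_i = x(s_{i-1}*P); r_i = x(s_i*Q); output = r_i with its top bits dropped."""
    def __init__(self, seed):
        self.s = seed
    def next_output(self):
        self.s = x_of(mul(self.s, P))
        return x_of(mul(self.s, Q)) & OUT_MASK

def recover_state(out1, out2):
    """With E_TRAPDOOR: rebuild R = s1*Q from out1, map to x(E*R) = x(s1*P) = s2, keep what fits out2."""
    cands = []
    for high in range(1 << TRUNC):
        x = (high << (WIDTH - TRUNC)) | out1
        y = sqrt_mod((x ** 3 + A * x + B) % P_MOD) if x < P_MOD else None
        if y is None:
            continue                     # no curve point has this x-coordinate
        try:                             # -R shares the x, so one y is enough
            s2 = x_of(mul(E_TRAPDOOR, (x, y)))
            if (x_of(mul(s2, Q)) & OUT_MASK) == out2:
                cands.append(s2)
        except ValueError:
            pass                         # spurious candidate, discard
    return cands

def predict(state, count):               # what the attacker expects the victim to emit next
    clone = DualEC(state)
    return [clone.next_output() for _ in range(count)]

def run_demo(seed=1234, lookahead=4):
    for s0 in range(seed, seed + 64):    # retry if some toy state lands on infinity
        try:
            victim = DualEC(s0)
            out1, out2 = victim.next_output(), victim.next_output()
            true_state = victim.s        # s2, which never leaves the victim
            future = [victim.next_output() for _ in range(lookahead)]
            predicted = {c: predict(c, lookahead) for c in recover_state(out1, out2)}
            return {"true_state": true_state, "future": future, "predicted": predicted}
        except ValueError:
            continue
    raise RuntimeError("no usable seed")

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the attacker’s candidate set containing the victim’s real state and the prediction for that state matching the victim’s next outputs. With the real parameters the only thing that changes is scale: the candidate scan covers 2^16 truncated high bits instead of 2^3, which is why the 16-bit truncation in the standard was never enough to hide the state, while anyone without the trapdoor scalar faces a discrete-logarithm problem on P-256 and learns nothing. The defender’s takeaways are the ones the article reports: an unexplained constant in a standard is a trust decision, not a detail, and any product still offering Dual_EC_DRBG should have it switched off in favour of a generator whose design has no such hidden parameter.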

Unfortunately, any flaw in encryption software creates a backdoor that is open not only to U.S. intelligence agencies but to anyone with hardware sophisticated enough to crack the weakened encryption. In September, Ars Technica reported that McAfee Security was using Dual_EC_DRBG encryption in some of its products. Ironically, McAfee said its firewall software was only using the flawed encryption “in federal government or government contractor customer environments.”

The NSA has faced intense scrutiny for eroding confidence in both technology manufactured within the U.S. and industry standards, such as those approved by NIST. Documents provided by Snowden have revealed a systematic effort by the NSA to undermine the effectiveness of encryption featured in consumer products, not only by developing new code-breaking technology but through direct collaboration with U.S. companies.

Before the 2013 publication of Snowden’s top-secret documents began, only those with knowledge of a highly classified NSA program code-named Bullrun were privy to the details of the agency’s decryption efforts. According to ProPublica, top analysts from the NSA’s counterparts in Britain, Canada, Australia, and New Zealand—collectively known as the Five Eyes—were also granted access to the secretive program.

Photo by Mike Myers (remix by Dell Cameron)
