Over the weekend, further details came to light about the U.S. National Security Agency’s attempts to break the encryption schemes that protect personal communications and financial transactions on the Internet.
Reuters reported on Friday that RSA, one of the major Internet encryption firms, may have accepted $10 million to weaken its services. Specifically, the report claimed, RSA incorporated a random number generator vulnerable to NSA attack.
The NSA’s efforts to weaken Internet encryption, either by direct attack or through agreements with various Internet firms, apparently began after September 11, 2001.
On Sunday, RSA denied taking any money from the agency to weaken its encryption. “We categorically deny this allegation,” RSA wrote in a blog post. “We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it.”
While RSA didn’t deny working with the spy agency, it points out that back when the two apparently entered into a contract, “the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”
Indeed, it was only in September of 2013 that the New York Times revealed that the NSA had intentionally weakened the random number generator used by some of RSA’s tools. Once the Times story came out, RSA agreed that the generator should not be used. “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products,” the firm wrote at the time.
The Times story, like Friday’s Reuters story, was based on secret documents leaked to the press by former intelligence contractor Edward Snowden.