In September, the Guardian revealed that the National Security Agency intentionally created a flawed formula designed to provide a “back door” into commonly used encryption products. New information shows that the U.S. government paid at least one private security company in exchange for implementing the NSA’s pre-designed flaw into its software.
Reuters reported Friday that RSA Security was awarded a $10 million contract for shipping its software, BSAFE toolkit, with an NSA-engineered vulnerability in the software’s key generation process. The contract was exposed by top-secret NSA documents leaked by whistleblower Edward Snowden.
Encryption keys are created by different mathematical algorithms, which are used to generate random numbers. The algorithm used must be sophisticated enough that the key generation protocol can’t be easily compromised. The NSA documents suggest that a flaw in RSA’s algorithm allowed keys generated by its software to be easily cracked.
The new revelation isn’t that RSA’s algorithm was flawed but that the company was paid, with U.S. tax dollars, to continue implementing it long after its vulnerability was discovered.
In 2007, Wired journalist Bruce Schneier published an article titled, “Did NSA Put a Secret Backdoor in New Encryption Standard?” In it, he revealed that the NSA had championed the use of Dual_EC_DRBG, the algorithm used by RSA, and correctly predicted that it contained a backdoor used by the agency.
“My recommendation, if you’re in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances,” Schneier wrote.
Regardless, RSA continued to implement the flawed encryption as a default for its products. The company’s customers were finally alerted in 2013 and told to use of a different key generator. “To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG,” RSA said.
Unfortunately, any flaw in encryption software not only creates a backdoor that can be accessed by U.S. intelligence agencies but anyone with hardware sophisticated enough to crack the weakened encryption. In September, Ars Technica reported that McAfee Security was using Dual_EC_DRBG encryption in some of its products. Ironically, McAfee said its firewall software was only using the flawed encryption “in federal government or government contractor customer environments.”
The NSA has faced intense scrutiny for eroding confidence in both technology manufactured within the U.S. and industry standards, such as those approved of by the NIST. Documents provided by Snowden have revealed a systematic effort by the NSA to undermine the efficiency of encryption featured in consumer products, not only by developing of new code-breaking technology but through direct collaboration with U.S. companies.
Before the 2013 publication of Snowden’s top-secret documents began, only those with knowledge of a highly classified NSA program code-named Bullrun were privy to the details of the agency’s decryption efforts. According to ProPublica, top analysts from the NSA’s counterparts in Britain, Canada, Australia, and New Zealand—collectively known as the Five Eyes—were also granted access to the secretive program.