Headline-mongering websites are all yelling about how NSA paid RSA to install a backdoor into their products. There’s less here, and more, than meets the eye.
The news broke when Reuters published an article on how NSA had paid RSA $10 million to make the NSA-developed Dual Elliptic Curve algorithm (Dual EC DRBG) the default random number generator in their BSafe crypto toolkit. The article does not say when, but this was presumably in 2005 or 2006.
In response, the various Internet news sites began running headlines along the lines of "RSA took NSA money to put a backdoor in BSafe." Headlines like this gain lots of hits, but they are somewhat misleading.
RSA responded by saying:
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
This is as careful a case of lawyerly wording as you will see until NSA issues its next denial. Notice the "never divulges details of customer engagements" statement. This is a reasonable policy for a security company, but it shouts that they did take the money. But also notice the "with the intention of weakening" statement. Nothing they did was, by their account, intended to weaken their product; the statement is silent on whether it did.
My take, which is only alluded to in the various reports, is that NSA, at the time a trusted player in the crypto field — after all, one of their missions is Information Assurance, and they regularly provide advice to the private sector — approached RSA management and said they felt strongly enough about secure communications in these post-9/11 days that they'd gladly provide an additional business reason to use the algorithm. So NIST supports the algorithm. NSA is pushing it. And RSA already (they say) made the decision to use it back in 2004. That $10 million is just found money.
In other contexts, this is called social engineering. You convince the target that the action you want them to take is the action they want to take. No, not in other contexts. In exactly this context: an evil-doer exploits the gullibility of a trusting person in order to get them to install malware on their system. The "malware" here is not a piece of injected code but an algorithm whose designer can predict its output, which is the whole point of a backdoored random number generator. So the headlines should say: "NSA dupes RSA into installing malware." Or something like that.
By the way, this isn't the first time that NSA has been under fire for having too much influence on commercial crypto security. Back in the late 1980s and early 1990s, before Osama scared us all over a cliff, people were already questioning their actions (the Clipper chip and key-escrow fights of the early 1990s being the best-remembered example). RSA will likely take a major business hit because of this, and neither they nor any other security products firm will be free of the taint of NSA manipulation for years to come.