RSA Security received $ 10 million from the NSA for using a knowingly leaky pseudo random number generator

    On Habré it was already written how RSA Security announced the presence of an NSA backdoor in its products; now, information has appeared that it was Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generation) that prompted them to use pseudo random numbers as their generator bribe from the US National Security Agency.

    According to Reuters sources, the NSA paid RSA Security $ 10 million to the company in exchange for guarantees that it uses the default in its cryptographic products deliberately unreliable algorithm for generating pseudorandom numbers. Such an amount may seem insignificant, but in fact, it amounted to more than a third of the income of the corresponding division of the company at that time. In 2005, sales of BSAFE libraries brought the company only $ 27.5 million of the $ 310 million in revenue for RSA Security. And in 2006, the company was acquired by technology giant EMC for $ 2.1 billion.

    Already in 2007, researchers from Microsoft (Dan Shumow and Niels Ferguson) noticedthat the generator contains disadvantages that can be applied as a "perfect back door" in any encryption algorithm that uses Dual_EC_DRBG.

    All suspicions remained the lot of a narrow circle of cryptography experts, until secret documents from Snowden leaked to the press in September 2013 and the manufacturer himself recommended stopping the use of products containing the Dual_EC_DRBG generator.

    For its part, the RSA claims that they never conspired with the NSA to jeopardize the security of their products and if the government knows how to break their encryption, then they have nothing to do with it. “RSA always acts in the interests of its customers and under no circumstances does it develop or implement backdoors in its products,” the company said.

    This case confirms the information from the documents of Edward Snowden, which mentioned such subversive activities of the NSA aimed at weakening the widely used algorithms and encryption standards.

    Also popular now: