Security industry tainted in latest RSA revelations

Report indicates that RSA was paid by NSA to provide means to crack its own encryption


Trust in the security industry has taken a blow with a recent report that RSA was paid by the U.S. National Security Agency to provide a way to crack its encryption.


RSA denies the Reuters report published Friday that said the NSA paid RSA $10 million to use a flawed encryption formula. The agency-developed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was used in RSA's BSAFE product.

The report shook up the security industry because of RSA's influence. The company's annual user conference in San Francisco is one of the largest security events of the year. On Monday, Mikko Hypponen, a widely known security expert, sent a letter to RSA cancelling his talk for the 2014 RSA Conference because of RSA's dealings with the NSA.

In a statement released Sunday, RSA said, "We categorically deny this allegation."

The company went on to say that it had "never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Nevertheless, RSA failed to sway some security experts. "RSA's response has not instilled confidence in much of the security community," Carl Livitt, managing security associate for consulting firm Bishop Fox, said Monday.

"RSA's response is very cagey and blatantly ignores big, important questions," he said.

Matthew Green, a well-known cryptographer and assistant research professor at Johns Hopkins University, said the RSA revelation has threatened the reputation of the security industry.

"Most of the people I've spoken to agree that from our point of view, this is like you are a doctor trying to heal patients and you find out someone is making them sick on purpose," he said. "I think you'd be pretty upset about it."

Green said the job of security professionals is to make products secure, and the thought of a government agency purposely breaking them is upsetting.

"It makes me pretty angry," he said.

Last week, an independent White House Panel released a report that questioned whether the NSA's massive data collection, brought to light by documents from ex-NSA contractor Edward Snowden, was necessary to prevent terrorist attacks, as the agency claims.

The documents Snowden released to select media described information gathering from Internet and telecommunication companies on Americans and foreigners, including leaders in other countries.


Within the panel's list of recommendations was one that said efforts to undermine cryptography should be discarded.

In the RSA case, the company embedded the NSA-developed algorithm in its BSAFE product in 2004; BSAFE is software used to encrypt data in business applications. The National Institute of Standards and Technology (NIST) eventually approved the technology for use.

Once it was discovered that Dual EC DRBG had been designed to be crackable, NIST recommended against its use. RSA then dropped the technology from BSAFE.

Because the NSA is a top-secret organization with the job of supporting national security, companies are legally bound to remain silent on any dealings they may have with the agency. Given the tight restrictions, there is nothing a company can do if asked to cooperate with the NSA, which can only be reined in through new laws passed by Congress.

Therefore, a company has to accept the risk when choosing a security vendor.

"The reality is that at some point you're going to have to trust someone; what you need to be careful of is who you trust, how much, and for how long," Joseph DeMesy, senior security analyst for Bishop Fox, said.

Copyright © 2013 IDG Communications, Inc.
