decided to publicly address recent reports alleging it inked a $10 million contract with the National Security Agency (NSA) to use what's considered a flawed and broken encryption standard called elliptic curve cryptography. In an attempt to set the record straight, RSA stated in a blog post that it's all a bunch of hogwash, so to speak.
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny these allegations," RSA stated in a blog post.
RSA went on to admit that it's worked with the NSA as a vendor and active member of the security community, but that its relationship has never been a secret and has even been openly publicized. The organization reiterated its goal to strengthen commercial and government security.
If that's the case, then why did RSA make Dual EC DRBG its standard cryptographic algorithm for many of its products over the past few years even though its security has been called into question?
"We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption," RSA explains.
RSA also points out that Dual EC DRBG is one of several choices available within BSAFE toolkits. As for why it remained an option after concerns surfaced in 2007, RSA says it relied upon NIST's judgement, pointing out that it gained acceptance as a NIST standard.