NSA Allegedly Paid RSA $10M To Implement Flawed Cryptography Standard
The practical fallout from this news is likely to be relatively small. The standard in question is called Dual_EC_DRBG. It was first put forward as a standard for performing elliptic curve cryptography. It came under suspicion almost immediately -- of the four algorithms the National Institute of Standards and Technology recommended for cryptography at the time, Dual_EC_DRBG was three orders of magnitude slower than the other three. Researchers suspected as early as 2006 that the code contained a back door and proved it was statistically flawed by 2007.
None of that, however, stopped the RSA from making Dual_EC_DRBG its standard cryptographic algorithm for many of its products over the past few years. What that means, in essence, is that the standard was deliberately broken and the NSA could trivially penetrate any data secured with it. Being caught flat-footed was bad enough for RSA -- once news of the backdoor was confirmed, the firm quickly warned its customers to cease using the encryption method with its bSafe line of products.
Bad cryptographic recommendations are one thing. Accepting $10M to deliberately implement a flawed standard is something else altogether. As you can imagine, the RSA is tripping over itself to disclaim the allegations, telling Reuters "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."
Others have claimed that RSA Security was fooled by the NSA, and that the organization didn't show its true hand when it paid RSA to implement the flawed standard. Normally, that would be little more than an exceptionally convenient excuse -- but there's historical reasons to think it might be true.
A Different Era
Back in the 1970s, when the encryption standard DES (Digital Encryption Standard) was being developed, the NSA stepped in and made certain recommendations and changes to the proposed implementation. For decades, cryptographers suspected that the NSA had used its knowledge of the cipher to weaken the DES standard. In the mid-1990s, research emerged proving that the opposite was true.
By the late 1970s, the NSA was aware of a then-new type of cryptographic attack called differential cryptanalysis. DES, in its original form, was highly vulnerable to this new attack vector. The NSA patched the standard to harden it, and then told no one what it knew. Code that looked suspicious, to outside analysis, was actually proven to be tremendously helpful.
Given this, it's not hard to see how the RSA might have thought that the NSA was offering improvements that actually were improvements, even if they looked suspicious. Whether the company was actually hoodwinked or is falling back on an excuse is still unknown. And regardless of the RSA's complicity, it shows the shift in mentality at the NSA. Over the space of 30 years, the organization went from securing America's cryptographic standards to actively working against them.