In September, Snowden documents showed that the NSA had been complicit in creating and getting NIST to approve the SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation, which later became the default PRNG within RSA's BSAFE suite of crypto algorithms. The algorithm has long been suspect. In 2007 Bruce Schneier wrote in Wired, "the algorithm contains a weakness that can only be described as a backdoor," adding, "both NIST and the NSA have some explaining to do." The Snowden documents proved him right.
Reuters' explicit accusation, however, is that RSA then accepted $10 million from the NSA to make that backdoored algorithm its default offering within BSAFE. "Undisclosed until now," reported the news agency, "was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract."
RSA released its formal statement on the accusation on Sunday. "Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation."
This was enough to prompt a new article from The Register: "Snowden is A LIAR and we never fiddled crypto says RSA." But this isn't what RSA has said. It says it didn't enter a contract to incorporate a 'known' flawed RNG into BSAFE; and it then goes into some detail to demonstrate that it could not have known it was flawed.
Two statements are particularly worth considering. First, it says, "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption." Second, it says, "When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion."
The first is surprising since the Crypto AG scandal had erupted across Europe more than a decade earlier. According to generally accepted accusations, the NSA (through the German intelligence service and Siemens) had succeeded in placing a backdoor in Crypto AG's encryption products. As a neutral Swedish firm, Crypto AG was widely trusted by the very nations the NSA most wished to monitor – such as Iran. The effect of the backdoor was to hide the decryption key within the ciphertext itself – which meant that anyone who knew where to look could easily decrypt any intercepted message.
This scandal was less reported in the US, but even so the Baltimore Sun wrote at the beginning of December 1995, "For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents... The extraordinary story of Crypto AG is only one example of NSA's 40-year campaign to bypass, break or steal the foreign codes that are the main obstacle to the agency's eavesdropping."
With such accusations widely accepted by security professionals, it is curious for a major crypto company to say that the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
The second statement is that RSA allowed NIST to be the arbiter of value, even after independent cryptographers raised serious doubts in 2007. This may be true, but should not have been. RSA is one of the primary cryptography companies in the world. It has its own specialist cryptographers. The RSA statement implies that the company either didn't bother investigating the published concerns, or wasn't able to. The reality is that RSA should have evaluated the algorithm before accepting it into BSAFE, and that had it done so, it would surely have found the weaknesses.
If this whole episode sounds incredible, perhaps it shouldn't. Infosecurity asked Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory and himself a renowned cryptographer, for his take on the incident. "We now know they [the NSA] were spending $250 million a year on a program to weaken crypto standards and products," he replied, "and that as a result (for example) all commercial VPNs are 'click to decrypt.' So this should surprise nobody."