Documents leaked by former NSA contractor Edward Snowden show that
the NSA created and promulgated a flawed formula for generating
random numbers to create a "back door" in encryption products, the
New York Times reported in September. Reuters later reported that
RSA became the most important distributor of that formula by rolling
it into a software tool called BSafe that is used to enhance
security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal
that set the NSA formula as the preferred, or default, method for
number generation in the BSafe software, according to two sources
familiar with the contract. Although that sum might seem paltry, it
represented more than a third of the revenue that the relevant
division at RSA had taken in during the entire previous year,
securities filings show.
The earlier disclosures of RSA's entanglement with the NSA already
had shocked some in the close-knit world of computer security
experts. The company had a long history of championing privacy and
security, and it played a leading role in blocking a 1990s effort by
the NSA to require a special chip to enable spying on a wide range
of computer and communications products.
RSA, now a subsidiary of computer storage giant EMC Corp, urged
customers to stop using the NSA formula after the Snowden
disclosures revealed its weakness.
RSA and EMC declined to answer questions for this story, but RSA
said in a statement: "RSA always acts in the best interest of its
customers and under no circumstances does RSA design or enable any
back doors in our products. Decisions about the features and
functionality of RSA products are our own."
The NSA declined to comment.
The RSA deal shows one way the NSA carried out what Snowden's
documents describe as a key strategy for enhancing surveillance: the
systematic erosion of security tools. NSA documents released in
recent months called for using "commercial relationships" to advance
that goal, but did not name any security companies as collaborators.
The NSA came under attack this week in a landmark report from a
White House panel appointed to review U.S. surveillance policy. The
panel noted that "encryption is an essential basis for trust on the
Internet," and called for a halt to any NSA efforts to undermine it.
Most of the dozen current and former RSA employees interviewed said
that the company erred in agreeing to such a contract, and many
cited RSA's corporate evolution away from pure cryptography products
as one of the reasons it occurred.
But several said that RSA also was misled by government officials,
who portrayed the formula as a secure technological advance.
"They did not show their true hand," one person briefed on the deal
said of the NSA, asserting that government officials did not let on
that they knew how to break the encryption.
STORIED HISTORY
Started by MIT professors in the 1970s and led for years by
ex-Marine Jim Bidzos, RSA and its core algorithm were both named for
the last initials of the three founders, who revolutionized
cryptography. Little known to the public, RSA's encryption tools
have been licensed by most large technology companies, which in turn
use them to protect computers used by hundreds of millions of
people.
At the core of RSA's products was a technology known as public key
cryptography. Instead of using the same key for encoding and then
decoding a message, there are two keys related to each other
mathematically. The first, publicly available key is used to encode
a message for someone, who then uses a second, private key to reveal
it.
From RSA's earliest days, the U.S. intelligence establishment
worried it would not be able to crack well-engineered public key
cryptography. Martin Hellman, a former Stanford researcher who led
the team that first invented the technique, said NSA experts tried
to talk him and others into believing that the keys did not have to
be as large as they planned.
The stakes rose when more technology companies adopted RSA's methods
and Internet use began to soar. The Clinton administration embraced
the Clipper Chip, envisioned as a mandatory component in phones and
computers to enable officials to overcome encryption with a warrant.
RSA led a fierce public campaign against the effort, distributing
posters with a foundering sailing ship and the words "Sink Clipper!"
A key argument against the chip was that overseas buyers would shun
U.S. technology products if they were ready-made for spying. Some
companies say that is just what has happened in the wake of the
Snowden disclosures.
The White House abandoned the Clipper Chip and instead relied on
export controls to prevent the best cryptography from crossing U.S.
borders. RSA once again rallied the industry, and it set up an
Australian division that could ship what it wanted.
"We became the tip of the spear, so to speak, in this fight against
government efforts," Bidzos recalled in an oral history.
RSA EVOLVES
RSA and others claimed victory when export restrictions relaxed.
But the NSA was determined to read what it wanted, and the quest
gained urgency after the September 11, 2001 attacks.
RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to
concentrate on VeriSign, a security certificate company that had
been spun out of RSA. The elite lab Bidzos had founded in Silicon
Valley moved east to Massachusetts, and many top engineers left the
company, several former employees said.
And the BSafe toolkit was becoming a much smaller part of the
company. By 2005, BSafe and other tools for developers brought in
just $27.5 million of RSA's revenue, less than 9% of the $310
million total.
"When I joined there were 10 people in the labs, and we were
fighting the NSA," said Victor Chan, who rose to lead engineering
and the Australian operation before he left in 2005. "It became a
very different company later on."
By the first half of 2006, RSA was among the many technology
companies seeing the U.S. government as a partner against overseas
hackers.
New RSA Chief Executive Art Coviello and his team still wanted to be
seen as part of the technological vanguard, former employees say,
and the NSA had just the right pitch. Coviello declined an interview
request.
An algorithm called Dual Elliptic Curve, developed inside the
agency, was on the road to approval by the National Institute of
Standards and Technology as one of four acceptable methods for
generating random numbers. NIST's blessing is required for many
products sold to the government and often sets a broader de facto
standard.
RSA adopted the algorithm even before NIST approved it. The NSA then
cited the early use of Dual Elliptic Curve inside the government to
argue successfully for NIST approval, according to an official
familiar with the proceedings.
RSA's contract made Dual Elliptic Curve the default option for
producing random numbers in the RSA toolkit. No alarms were raised,
former employees said, because the deal was handled by business
leaders rather than pure technologists.
"The labs group had played a very intricate role at BSafe, and they
were basically gone," said labs veteran Michael Wenocur, who left in
1999.
Within a year, major questions were raised about Dual Elliptic
Curve. Cryptography authority Bruce Schneier wrote that the
weaknesses in the formula "can only be described as a back door."
After reports of the back door in September, RSA urged its customers
to stop using the Dual Elliptic Curve number generator.
But unlike the Clipper Chip fight two decades ago, the company is
saying little in public, and it declined to discuss how the NSA
entanglements have affected its relationships with customers.
The White House, meanwhile, says it will consider this week's panel
recommendation that any efforts to subvert cryptography be
abandoned.
(Reporting by Joseph Menn; editing by Jonathan Weber and Grant
McCool)
© 2013 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.