Saturday, December 21, 2013

Exclusive: Secret contract tied NSA and security industry pioneer


SAN FRANCISCO Fri Dec 20, 2013 7:48pm EST

A National Security Agency (NSA) data gathering facility is seen in Bluffdale, about 25 miles (40 km) south of Salt Lake City, Utah, December 16, 2013. Jim Urquhart/REUTERS



(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSAFE that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSAFE software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.
RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."
The NSA declined to comment.
The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators.
The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it.
Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.
But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.
"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.
STORIED HISTORY
Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.

Read More Here



.....

NBC News Technology

Snowden disclosures prompt warning on widely used computer security formula



Sep. 20, 2013 at 11:46 AM ET

SAN FRANCISCO (Reuters) - In the latest fallout from Edward Snowden's intelligence disclosures, a major U.S. computer security company warned thousands of customers on Thursday to stop using software that relies on a weak mathematical formula developed by the National Security Agency.
RSA, the security arm of storage company EMC Corp, told current customers in an email that a toolkit for developers had a default random-number generator using the weak formula, and that customers should switch to one of several other formulas in the product.
Last week, the New York Times reported that Snowden's cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government's National Institute of Standards and Technology, to push for a formula that it knew it could break.
NIST, which accepted the NSA proposal in 2006 as one of four systems acceptable for government use, this week said it would reconsider that inclusion in the wake of questions about its security.
But RSA's warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.
RSA had no immediate comment. It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers.
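Neither article names the "weak formula", but it is Dual_EC_DRBG, one of the four generators in NIST SP 800-90. The reason a generator can be "flawed" in a way only its designer can exploit, which both the first article (the "back door") and the warning above (switch away from the default) turn on, was shown publicly by Shumow and Ferguson at the 2007 CRYPTO rump session: Dual EC multiplies its secret state by a fixed point P, outputs the x-coordinate of the same scalar times a second fixed point Q, and whoever chose Q as a multiple of P knows a scalar e with e*Q = P that turns one output back into the next internal state. The following Python model is an added example written for this page, not code from either article, from NIST or from RSA's BSAFE; the curve, the seed and the trapdoor scalar are constructed toy values, the output drops 2 bits instead of the real 16, and scalars are clamped to 1..N-1 (a simplification so no toy multiplication hits the point at infinity).

```python
import math

# Toy Dual_EC_DRBG with a designer-known trapdoor (added example; constructed parameters).
P_MOD = 1019                 # small prime field; P_MOD % 4 == 3 so sqrt is one exponentiation
A, B = 3, 5                  # y^2 = x^3 + A*x + B over GF(P_MOD), non-singular
INF = None                   # point at infinity
T_BITS = 2                   # bits dropped from each output (real Dual EC drops 16 of 256)
X_BITS = P_MOD.bit_length()
MASK = (1 << (X_BITS - T_BITS)) - 1

def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF           # P + (-P), which also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def lift_x(x):
    """Rebuild a curve point from its x-coordinate; None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n

def pick_generator():
    """Largest-order point among the first lifts: a toy stand-in for the standard's fixed P."""
    best, best_n = None, 0
    for x in range(1, 120):
        pt = lift_x(x)
        if pt is not None and point_order(pt) > best_n:
            best, best_n = pt, point_order(pt)
    return best, best_n

P_GEN, N = pick_generator()
D = next(d for d in range(2, N) if math.gcd(d, N) == 1)  # designer's secret: Q = D*P
Q = ec_mul(D, P_GEN)                                      # published as if unrelated to P
E = pow(D, -1, N)                                         # trapdoor scalar: E*Q == P

def to_scalar(s):
    return s % (N - 1) + 1   # toy clamp so no scalar is a multiple of the point order

def dual_ec_step(s):
    """One step: r = x(sP); new state = x(rP); output = truncated x(rQ)."""
    r = to_scalar(ec_mul(to_scalar(s), P_GEN)[0])
    return ec_mul(r, P_GEN)[0], ec_mul(r, Q)[0] & MASK

def generate(seed, count):
    """Victim side: returns (outputs, states) with states[i] the state after output i."""
    outs, states, s = [], [], seed
    for _ in range(count):
        s, o = dual_ec_step(s)
        outs.append(o)
        states.append(s)
    return outs, states

def recover_state(out_i, later_outs):
    """Attacker holding E: candidate internal states behind out_i, checked against later outputs."""
    candidates = []
    for hi in range(1 << T_BITS):             # brute-force the truncated high bits
        x = (hi << (X_BITS - T_BITS)) | out_i
        if x >= P_MOD:
            continue
        R = lift_x(x)                         # R = +/-(r*Q) if this guess is right
        if R is None:
            continue
        S = ec_mul(E, R)                      # E*(rQ) = r*(E*Q) = r*P: the next state
        if S is INF:
            continue
        s, ok = S[0], True
        for o in later_outs:                  # confirm by predicting what the victim emitted
            s, pred = dual_ec_step(s)
            if pred != o:
                ok = False
                break
        if ok:
            candidates.append(S[0])
    return candidates

if __name__ == "__main__":
    outs, states = generate(seed=12345, count=4)   # constructed seed
    print("recovered", recover_state(outs[0], outs[1:]), "actual", states[0])
```

Nothing in the public parameters P and Q reveals D or E; a user of the default generator gets correct-looking output and cannot tell, from the outputs alone, that the relationship exists. Against the real parameters the attacker does the same work with 2^16 guesses per output and, once one state is recovered, predicts every later output of that generator instance, which is why the warning above tells developers to switch the default to one of the other generators in the toolkit rather than to reseed more often.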

Read More Here


.....

