Pierluigi Paganini
December 21, 2013
Is it possible to insert an encryption backdoor in one of most popular cryptographic products?
Probably it is just a question of money if the request came from the NSA, according a recent report apparently the fee is $10 million. This is our weekly revelation from document leaked by Edward Snowden, a mine of scaring information that is shaking the IT industry and in particular the world of Intelligence and Security.
Reuters agency revealed that as a key part of a campaign to embed encryption backdoor into widely used computer products, the U.S. National Security Agency signed a secret contract with RSA, the cost of the coperation si $10 million.
“Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.” states the Reuters article.
It is a new earthquake, the RSA received $10 million (more than a third of the revenue that the interested division of RSA had earned during the last year) to set the buggy NSA formula as te default method for number generation in the BSafe software.
Two people familiar with RSA’s BSafe application revealed to Reuters that the company had received the money in exchange for making the NSA’s cryptographic formula as the default for encrypted key generation in BSafe.
The reputation of the RSA is seriously impacted, in September Snowden leaked documents that demonstrated that NSA intentionally inserted flaws in RSA’s encryption tokens.
NSA acted by weakening encryption standards, inserting encryption backdoor into encryption products of main vendors, in this way the Agency using supercomputer-backed password crackers is able to break encryption used to back popular technologies including HTTPS and SSH.
“Now we know that RSA was bribed,” “I sure as hell wouldn’t trust them. And then they made the statement that they put customer security first,” is the comment of the popular security expert Bruce Schneier “You think they only bribed one company in the history of their operations? What’s at play here is that we don’t know who’s involved,” he added.
The revelation raise many doubt on the relationship of US Government and private IT companies that provide common used encryption solution like Symantec and Microsoft.
“You have no idea who else was bribed, so you don’t know who else you can trust,” Schneier said.
RSA did not return a request for comment, and did not comment for the Reuters story.
