RSA Security has ‘categorically denied’ the existence of any contract between the company and the US National Security Agency (NSA), stating that the decision to use the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was made back in 2004 and not at the behest of the NSA, as recent reports have claimed.
RSA declared in a blog post that recent press reports of a ‘secret contract’ to incorporate a back door into RSA’s encryption products for $10 million are false. The EMC-owned company acknowledged that it has worked with the NSA, but with the explicit goal of strengthening governmental and commercial security, not weakening it.
The security company said that the algorithm is one of multiple choices available to users of its BSAFE toolkits when selecting a random number generator, and that users have always been free to decide which algorithm to use. RSA said that it continued using the algorithm as it gained NIST approval in 2007, and that it sent out a recommendation against its use in 2013, soon after NIST issued new guidelines.
“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use”, stated RSA.
Reports surfaced on Friday that RSA bagged $10 million from the NSA to use the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) as its preferred random number algorithm in several of its encryption products. The algorithm has been drawing criticism from security experts around the world, who say that it is weak and effectively opens a ‘perfect backdoor’ into secure communication between two parties.