How the NSA Paid Security Firm $10 Million to Promote Flawed Encryption

Stories documenting the NSA’s intentional attempt to weaken encryption standards have been floating around for months now, but Reuters put out a story Friday that documents just how far the out-of-control agency has gone to weaken security for hundreds of millions of computer users.

RSA has been a leader in cryptography ever since it revolutionized the field after its genesis in the 1970s from three MIT professors. The company actually provided a lot of successful pushback against the NSA and the Clinton Administration’s push to introduce the Clipper Chip in the 1990s, but has completely sold out in recent years as it became more corporatized and many of the technology leaders left. If it is true that they only received $10 million from the NSA, they sold out the American public very cheaply. RSA is now owned by EMC.

From Reuters:

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA’s encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.

From RSA’s earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned.

The stakes rose when more technology companies adopted RSA’s methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant.

RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words “Sink Clipper!”

A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures.

The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted.

Doesn’t seem to me the NSA is doing any protecting whatsoever. On the contrary, it appears they are merely doing a lot of harm to computer security.

Full article here.

In Liberty,
Mike


6 thoughts on “How the NSA Paid Security Firm $10 Million to Promote Flawed Encryption”

  1. As I understand it, this version of RSA encryption (there are several) is so slow and clunky that practically no one uses it. So if the RSA got $10 million for putting in the specs, then they conned the government. Good for them!
