The One Big Question About RSA and Its Relationship With the NSA

[Commentary] The Internet security world was jolted by a Reuters report detailing a secret $10 million payment to the security company RSA from the National Security Agency.

RSA, a division of storage and IT giant EMC best known for its widely used security tokens, denied the report. It said that it has worked with the NSA for years and has never kept the relationship a secret, doing so with the intent of strengthening security products used in both the government and private sectors. But its explanation is incomplete -- RSA's statement has been attacked by many -- and leaves many questions. Among them is one big one that hangs above all the others: What did RSA know about the algorithm that was ultimately found to contain the "back door," and, perhaps more importantly, if it did have some idea, why did it say nothing about it for six years?

According to RSA, the NSA continued to defer to NIST as to whether Dual EC DRBG was still reliable. As long as NIST maintained its approval, which it did even after the findings of the Microsoft researchers became public, RSA continued to stand behind Dual EC DRBG, considered products using the algorithm to be secure, and represented that to its customers.

The bigger question lies at RSA's door. Once NIST acted, RSA quickly followed suit. As it says in its statement: "When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media."

[Dec 24]
