As a key part of a campaign to embed encryption software that it could
crack into widely used computer products, the U.S. National Security
Agency arranged a secret $10 million contract with RSA, one of the most
influential firms in the computer security industry, Reuters has
Documents leaked by former NSA contractor Edward Snowden show
that the NSA created and promulgated a flawed formula for generating
random numbers to create a "back door" in encryption products, the New
York Times reported in September. Reuters later reported that RSA became
the most important distributor of that formula by rolling it into a
software tool called Bsafe that is used to enhance security in personal
computers and many other products.
Undisclosed until now was that
RSA received $10 million in a deal that set the NSA formula as the
preferred, or default, method for number generation in the BSafe
software, according to two sources familiar with the contract. Although
that sum might seem paltry, it represented more than a third of the
revenue that the relevant division at RSA had taken in during the entire
previous year, securities filings show.
The earlier disclosures
of RSA's entanglement with the NSA already had shocked some in the
close-knit world of computer security experts. The company had a long
history of championing privacy and security, and it played a leading
role in blocking a 1990s effort by the NSA to require a special chip to
enable spying on a wide range of computer and communications products.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to
stop using the NSA formula after the Snowden disclosures revealed its
RSA and EMC declined to answer questions for this story,
but RSA said in a statement: "RSA always acts in the best interest of
its customers and under no circumstances does RSA design or enable any
back doors in our products. Decisions about the features and
functionality of RSA products are our own."
The NSA declined to comment.
The RSA deal shows one way the NSA carried out what Snowden's documents
describe as a key strategy for enhancing surveillance: the systematic
erosion of security tools. NSA documents released in recent months
called for using "commercial relationships" to advance that goal, but
did not name any security companies as collaborators.
The NSA came
under attack this week in a landmark report from a White House panel
appointed to review U.S. surveillance policy. The panel noted that
"encryption is an essential basis for trust on the Internet," and called
for a halt to any NSA efforts to undermine it.
Most of the dozen
current and former RSA employees interviewed said that the company erred
in agreeing to such a contract, and many cited RSA's corporate
evolution away from pure cryptography products as one of the reasons it
But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.
did not show their true hand," one person briefed on the deal said of
the NSA, asserting that government officials did not let on that they
knew how to break the encryption.
MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos,
RSA and its core algorithm were both named for the last initials of the
three founders, who revolutionized cryptography. Little known to the
public, RSA's encryption tools have been licensed by most large
technology companies, which in turn use them to protect computers used
by hundreds of millions of people.
At the core of RSA's products
was a technology known as public key cryptography. Instead of using the
same key for encoding and then decoding a message, there are two keys
related to each other mathematically. The first, publicly available key
is used to encode a message for someone, who then uses a second, private
key to reveal it.
From RSA's earliest days, the U.S. intelligence
establishment worried it would not be able to crack well-engineered
public key cryptography. Martin Hellman, a former Stanford researcher
who led the team that first invented the technique, said NSA experts
tried to talk him and others into believing that the keys did not have
to be as large as they planned.
The stakes rose when more
technology companies adopted RSA's methods and Internet use began to
soar. The Clinton administration embraced the Clipper Chip, envisioned
as a mandatory component in phones and computers to enable officials to
overcome encryption with a warrant.
RSA led a fierce public
campaign against the effort, distributing posters with a foundering
sailing ship and the words "Sink Clipper!"
A key argument against
the chip was that overseas buyers would shun U.S. technology products if
they were ready-made for spying. Some companies say that is just what
has happened in the wake of the Snowden disclosures.
The White House abandoned the Clipper Chip and instead relied on export controls
to prevent the best cryptography from crossing U.S. borders. RSA once
again rallied the industry, and it set up an Australian division that
could ship what it wanted.
"We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history.
RSA and others claimed victory when export restrictions relaxed.
But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.
RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to
concentrate on VeriSign, a security certificate company that had been
spun out of RSA. The elite lab Bidzos had founded in Silicon Valley
moved east to Massachusetts, and many top engineers left the company,
several former employees said.
And the BSafe toolkit was becoming a
much smaller part of the company. By 2005, BSafe and other tools for
developers brought in just $27.5 million of RSA's revenue, less than 9%
of the $310 million total.
"When I joined there were 10 people in
the labs, and we were fighting the NSA," said Victor Chan, who rose to
lead engineering and the Australian operation before he left in 2005.
"It became a very different company later on."
By the first half
of 2006, RSA was among the many technology companies seeing the U.S.
government as a partner against overseas hackers.
New RSA Chief
Executive Art Coviello and his team still wanted to be seen as part of
the technological vanguard, former employees say, and the NSA had just
the right pitch. Coviello declined an interview request.
An algorithm called Dual Elliptic Curve, developed inside the agency, was
on the road to approval by the National Institute of Standards and
Technology as one of four acceptable methods for generating random
numbers. NIST's blessing is required for many products sold to the
government and often sets a broader de facto standard.
the algorithm even before NIST approved it. The NSA then cited the
early use of Dual Elliptic Curve inside the government to argue
successfully for NIST approval, according to an official familiar with
RSA's contract made Dual Elliptic Curve the
default option for producing random numbers in the RSA toolkit. No
alarms were raised, former employees said, because the deal was handled
by business leaders rather than pure technologists.
group had played a very intricate role at BSafe, and they were basically
gone," said labs veteran Michael Wenocur, who left in 1999.
a year, major questions were raised about Dual Elliptic Curve.
Cryptography authority Bruce Schneier wrote that the weaknesses in the
formula "can only be described as a back door."
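Why Schneier's "back door" description fits can be seen in a small Python model of the Dual Elliptic Curve construction, added here as an example (not code from the article, RSA or NIST). It runs the generator over the secp256k1 curve, chooses the two public points with a constructed secret relation P = d*Q, and shows that anyone holding d can turn one observed output into the next internal state and therefore predict every later output; the real standard's fixed points and output truncation are left out.

```python
P_MOD = 2**256 - 2**32 - 977   # secp256k1 prime, curve y^2 = x^3 + 7; p = 3 (mod 4)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

# Constructed trapdoor: the designer picks Q and sets P = d*Q, publishing only P and Q.
TRAPDOOR_D = 0x2B7E151628AED2A6ABF7158809CF4F3C      # secret d (any nonzero value works)
Q = G
P = ec_mul(TRAPDOOR_D, Q)

def dual_ec_step(state):
    """One Dual EC round (no output truncation in this toy): (new_state, output)."""
    new_state = ec_mul(state, P)[0]              # s_i = x(s_{i-1} * P)
    return new_state, ec_mul(new_state, Q)[0]    # r_i = x(s_i * Q), the published output

def lift_x(x):
    """Recover a curve point from its x-coordinate (the sign ambiguity is harmless here)."""
    rhs = (pow(x, 3, P_MOD) + 7) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    assert y * y % P_MOD == rhs, "x is not on the curve"
    return (x, y)

def recover_next_state(output, d):
    """With d such that P = d*Q: x(d * (+/-s*Q)) = x(s*P), i.e. the next state."""
    return ec_mul(d, lift_x(output))[0]

def backdoor_predicts_next_output(seed):
    """True if one observed output plus d predicts the following output exactly."""
    s1, out1 = dual_ec_step(seed)
    s2, out2 = dual_ec_step(s1)
    guessed_s2 = recover_next_state(out1, TRAPDOOR_D)
    return guessed_s2 == s2 and ec_mul(guessed_s2, Q)[0] == out2
```

The defensive lesson is that a generator whose constants come with no explanation of how they were chosen can carry exactly this kind of hidden relation, which is why the default choice in a toolkit matters.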
After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.
Unlike the Clipper Chip fight two decades ago, the company is saying
little in public, and it declined to discuss how the NSA entanglements
have affected its relationships with customers.
The White House,
meanwhile, says it will consider this week's panel recommendation that
any efforts to subvert cryptography be abandoned.
© Thomson Reuters 2013