NSA Paid Security Company to Adopt Weakened Encryption Standards
A few months ago, we learned via the Snowden leaks that the NSA had been busily at work trying to undermine public cryptography standards. One in particular was a random number generator used for creating encryption keys in RSA's BSafe software. But Reuters reports there's more to the story:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
....Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.
But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance. "They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.
Well, look. There are a very limited number of reasons that the NSA would be so eager for you to use their encryption software that they'd be willing to pay you $10 million to do it. Surely someone at RSA must have had some inkling of what was going on.
Probably more than an inkling, if I had to guess. But this certainly goes to show just how serious and relentless the NSA has been about crippling the public use of cryptography. The president's surveillance commission recommended on Friday that this stop, and since trustworthy encryption is critical to trust in the internet as a whole, it would sure be nice if President Obama put a stop to this.