Revealed: RSA offered more than one NSA-designed security tool
A team of researchers has found that the American security firm RSA implemented two different encryption tools built by the National Security Agency, both of which were designed to be exploited easily for surveillance purposes.
According to Reuters, the revelation was made by professors from multiple universities – including the University of Wisconsin and the University of Illinois – and indicates the NSA was able to infiltrate the company’s security systems even more than previously believed.
Last year, Reuters also reported that RSA entered into a clandestine deal with the NSA, in which it was given $10 million in exchange for promoting the use of weak security systems and encryption services. At the time, it was revealed that RSA made a specific algorithm – Dual Elliptic Curve DRGB – the default option in its BSAFE security toolkit.
The latest discovery by university researchers alleges that RSA also implemented a second security tool, known as the “Extended Random” extension. As noted by Reuters, this tool was not used very often compared to others, but it “could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster” than others.
"Adding it doesn't seem to provide any security benefits that we can figure out," Thomas Ristenpart, one of the researchers at the University of Wisconsin, told the news service.
When contacted about the new information, RSA did not deny the allegation that it incorporated Extended Random into its portfolio of security tools. It did state, however, that the tool was removed sometime in the past six months, and that it has done nothing to deliberately weaken its security software.
The company also did not comment on whether or not it was paid to offer the tool as an option alongside other programs.
"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry said to Reuters. "We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure."
In December, RSA also released a statement denying it was hiding its involvement with the NSA, denying that it entered into a secret contract to make Dual EC the default algorithm, but notably it did not push back against the claim that it accepted money to do so.
As RT noted then, Microsoft researched had exposed several weaknesses in the code back in 2007, but RSA continued to list Dual EC as the default choice for another five years. Only after Edward Snowden leaked documents revealing the NSA’s campaign to embed weak encryption services into security software did the company remove the algorithm.
The situation also represents a notable shift for the company, which established closer ties to the government after the 2001 World Trade Center attacks and made it more susceptible to federal influence. During the Clinton era, RSA successfully defended against government attempts to embed chips in computers that would allow it to easily avoid encryption protections.