As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.
RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."
STORIED HISTORY
Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.
At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it.
From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned.
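The two paragraphs above describe public key cryptography in the abstract and the dispute over key size. The following is an added worked example, not code from the article or from RSA's products: textbook RSA on deliberately tiny primes (61 and 53, chosen here for illustration), showing that the public key encrypts, the mathematically related private key decrypts, and that with a modulus this small the private key can be recovered from the public key by trial division. That last step is the key-size point in concrete form: real keys use moduli of thousands of bits precisely so that this recovery is infeasible. Function and variable names are this example's own.

```python
"""Textbook RSA with toy parameters (added example, not the article's or RSA's code).

The primes here are tiny so the arithmetic is easy to follow. Real RSA keys use
primes of hundreds of digits, random padding and constant-time code; this
example is for understanding the key relationship, not for protecting data.
"""
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 17):
    """Derive (public_key, private_key) from two primes and a public exponent.

    The two keys are linked by e * d == 1 (mod (p-1)(q-1)); anyone can use
    (n, e) to encrypt, but only the holder of d can decrypt.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Encode message m (an integer below n) with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Reveal the message with the private key."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key_by_factoring(public_key):
    """Rebuild d from the public key alone by factoring n with trial division.

    This loop finishes instantly for a 12-bit modulus and is hopeless for a
    2048-bit one, which is why the size of the keys matters.
    """
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no non-trivial factor")


def demo():
    # Constructed toy parameters: n = 61 * 53 = 3233, phi = 3120, e = 17, d = 2753.
    public_key, private_key = make_keypair(61, 53)
    message = 65
    ciphertext = encrypt(public_key, message)          # 2790
    recovered = decrypt(private_key, ciphertext)       # 65
    stolen_private_key = recover_private_key_by_factoring(public_key)
    return public_key, private_key, ciphertext, recovered, stolen_private_key


if __name__ == "__main__":
    pub, priv, c, m, stolen = demo()
    print(f"public key {pub}, private key {priv}")
    print(f"ciphertext {c} decrypts to {m}")
    print(f"private key recovered from public key by factoring: {stolen}")
```

The encrypt and decrypt functions never share a key: `encrypt` sees only `(n, e)` and `decrypt` only `(n, d)`, which is the asymmetry the article is describing. The trial-division recovery works here only because `n` fits in 12 bits; the cost of that loop grows with the square root of `n`, and for real-size moduli no known classical method makes it practical, so the security rests entirely on choosing primes large enough.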
The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant.
RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words "Sink Clipper!"
A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures.
The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted.
"We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history.