Last Friday, The Reuters News Agency accused the Security firm RSA for taking a $10 million ‘bribe’ from the National Security Agency (NSA) in order promote a flawed encryption by including it in its BSAFE product to facilitate NSA spying.
The security people at RSA aren’t a very happy bunch at the moment just days after being accused of taking a $10 million ‘bribe’ from the NSA in order to facilitate it’s spying, the company has hit back with a strongly-worded denial of the allegations.
RSA has categorically denied accusation about any secret partnership with the National Security Agency to insert backdoor. They are announced the statement on their blog.
RSA reported, "We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security."
RSA has issued a response to these allegations, and not surprisingly it’s gone on the offensive, stating that it categorically denies any allegation that it knew the Dual EC DRBG was flawed, offering several reasons why it chose to use it:
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
The security people at RSA aren’t a very happy bunch at the moment just days after being accused of taking a $10 million ‘bribe’ from the NSA in order to facilitate it’s spying, the company has hit back with a strongly-worded denial of the allegations.
RSA has categorically denied accusation about any secret partnership with the National Security Agency to insert backdoor. They are announced the statement on their blog.
RSA reported, "We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security."
RSA has issued a response to these allegations, and not surprisingly it’s gone on the offensive, stating that it categorically denies any allegation that it knew the Dual EC DRBG was flawed, offering several reasons why it chose to use it:
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
No comments:
Post a Comment