The NSA story keeps breaking, the latest revelation being that the NSA paid RSA, an EMC subsidiary with a deep history in computer and internet security, to implement and sell faulty encryption technology to its own clients. The December 2013 Reuters story has sent companies here and abroad scrambling to distance themselves from RSA and has seriously undermined consumer confidence in U.S.-based data encryption software providers at large.
In September 2013, The New York Times published a statement from the NSA confirming that the agency was working to "break widely used Internet encryption technologies." That admission wasn't the kicker; the kicker was that the agency had resorted to buying the complicity of a company dedicated to protecting customer data security. Moreover, the story of RSA's involvement carries a bright patina of irony, since in the 1990s the same company successfully prevented the NSA from embedding a sophisticated "spying chip" in all computing hardware.
The software in question, BSafe, was a landmark in data encryption, in that it was the first to successfully implement two-key encryption. In a secret deal with the NSA, RSA was paid $10 million to incorporate into BSafe an algorithm, called Dual Elliptic Curve, that generates flawed random numbers, and, get this, to make it the "preferred" option. This gave the NSA a backdoor into the company's tokens.
The Cost of Giving It Up
The company denies direct complicity, alleging that it was "duped," and has advised its customers to stop using the corrupt algorithm (after the story leaked), but the damage is, as they say, done. The RSA-sponsored cybersecurity conference to be held in San Francisco this February continues to lose keynote speakers. Boeing lost a multi-billion dollar contract with Brazil as a result of the NSA's spying. And across the cyber-sphere, analysts predict a tsunami of backlash from European businesses whose customers expect their data to be handled with the EU's considerably greater regard for individual privacy.
A Firefox executive recently encouraged security researchers to regularly audit Firefox's source code, which is open source, in the hope that the global community will help catch and stop attempts to insert surveillance code into the browser. If this sounds paranoid, it's worth noting that a small email company named Lavabit recently revealed that the U.S. government had requested information on its customers and then silenced the company with a gag order.
Blocking the Backdoor
Most data encryption providers work with the National Institute of Science and Technology (NIST), an agency that provides industry-leading guidance on data encryption security, to ensure their cryptographic engines meet the highest industry standards (i.e., are FIPS validated). Recent revelations, however, are putting a spotlight on the nature of the relationship between NIST and data encryption providers, in no small part because another disclosure from former NSA contractor Edward Snowden suggests that a random number generator in a 2006 NIST standard contains a backdoor for the NSA.
WinMagic (a private Canadian company) looked into the implicated NIST standard (Dual EC DRBG) and determined that it had not used it, which was a welcome relief to the company and its customers. That notwithstanding, speculation about the NSA's ability to hack into the data encryption industry's toughest fortresses, such as 256-bit AES encryption, runs rampant. Fortunately, the degree of layered encryption this provides would require the kind of effort that could take years to complete. And now that data encryption companies are on to the NSA's latest backdoor trick, they are focusing their efforts on staying one step ahead of the curve.