The RSA has angrily denied a claim that it secretly took $10 million from the NSA to use the buggered up Dual Elliptic Curve Deterministic Random Bit Generator in its encryption products.
RSA, which is owned by EMC, started using Dual EC DRBG by default in 2004, before the generator was standardised.
In 2007 a backdoor in the algorithm weakened the strength of any encryption that relied on it. It was only in September 2013, RSA told its customers to stop using the algorithm.
The NSA is also accused of weakening the random number generator during its development.
However written in its bog, the RSA said that it categorically denied the allegation that it knew Dual EC DRBG was “flawed” when it started using the algorithm.
It said it made sense to use the random number generator in the context of an industry-wide effort to develop newer, stronger methods of encryption.
At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
The RSA used the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance.
“When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion,” the blog said.
And what about the $10 million figure which appeared in an Edward Snowden report? The RSA forgot to mention that. It just said that it had “never entered into any contract or engaged in any project with the intention of weakening RSA’s products”.