RSA has "categorically" denied reports of a secret contract with the National Security Agency to include a backdoor in its widely used encryption toolkit.
A Reuters report revealed RSA had inked a "secret US$10 million contract" with the NSA, under which the vendor would include intentionally flawed encryption as the default option in its Bsafe developer toolkit, to make it easier for the agency to conduct surveillance.
The NSA has declined to comment, but RSA called the report inaccurate.
"We also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone’s use," RSA said in a Monday statement.
News of the NSA's encryption back door was first broken in September, citing documents leaked by former NSA contractor Edward Snowden. The same month, reports emerged that RSA was supporting the NSA encryption scheme by default in Bsafe. RSA later issued a bulletin warning customers not to use it.
The new allegation that RSA was paid to help the NSA spy on its customers could do further damage to a company whose reputation was already tarnished by its handling of a March 2011 attack on its SecurID two-factor authentication products.
The SecurID hack, which was later found to be a coordinated, targeted type of attack known as an Advanced Persistent Threat, was a disaster for RSA. Not only was it costly for RSA to remediate, it also gave attackers around the world a how-to guide for attacking networks protected by SecurID authentication.
In June of 2011, a series of high-profile attacks on Lockheed Martin, Northrop Grumman and L3 Communications prompted RSA to replace some customers' SecurID tokens. RSA was criticised for taking more than two months after the initial attack to offer this option.
Damage from the SecurID attack is still being felt today. In July, Joe Stewart, director of malware research at Dell SecureWorks, told CRN the SecurID attacks are connected to at least 64 active attacks on companies in the US, Europe and Asia.
RSA has clearly learned from the SecurID experience and appears to be doing everything it can to get ahead of the Bsafe issue. But just as the NSA scandal is causing US citizens to question how they're being governed, some RSA developer customers are taking a closer look at the apps they've built using the Bsafe encryption toolkit.
"If the toolkit was used in the past, software developers should go check and make sure they change it," security expert Gary McGraw told CRN in September. "Businesses need to be aware of this and be asking more questions."