RSA, the security division of EMC, has categorically denied a recent Reuters report that claimed the National Security Agency paid it $10 million to include a backdoor in its encryption products for surveillance purposes.
But it's unclear at this stage whether the denial will be enough to prevent partners and customers from dropping RSA's products, as some have done even before the NSA backdoor issue came to light.
The controversy hinges on RSA's inclusion of a technology called Dual Elliptic Curve Deterministic Random Bit Generator, or Dual EC DRBG, in its Bsafe encryption toolkit. According to Reuters, RSA used Dual EC DRBG at the NSA's behest because it's easy to break, but RSA denied this on Monday.
The problem for RSA is that this isn’t the first time trust issues have surfaced for the Bedford, Mass.-based vendor.
In 2011 after hackers compromised RSA’s SecurID two-factor authentication tokens, RSA was criticized for not offering replacement tokens to its customers. Only after Lockheed Martin, Northrop Grumman and L3 Communications were attacked three months later did RSA offer to replace customers' SecurID tokens.
Kevin McDonald, executive vice president of Alvaka Networks, an Irvine, Calif.-based managed service provider and RSA partner, told CRN the SecurID attack was the last straw for his company. "We had recommended RSA a great deal in the past. But we actually made the decision not to recommend any longer when they were hacked in 2011," he told CRN.
McDonald said Alvaka Networks has decided to switch to other security vendors for technology it used to get from RSA. "Whether or not RSA conspired with the NSA, or simply made the poor choice to include Dual EC DRBG technology, we are looking for legitimate alternatives, as RSA will not be in our toolkit," he said.
RSA said it began using Dual EC DRBG in 2004 and felt confident in doing so because it was standardized by the National Institute of Standards and Technology (NIST). The NIST first reported problems with Dual EC DRBG in 2007, and when it warned users about the backdoor in September, RSA said it immediately passed on the message to customers.
Basically, RSA's stance on its use of Dual EC DRBG is that there's nothing to see here, people.
"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it," RSA said Monday in a blog post.
The NSA issue will no doubt be top-of-mind for attendees at RSA's annual security conference in San Francisco, which is being held from Feb. 24-28. The event typically includes sessions on why it's important for vendors to avoid using fear-based marketing to hawk their products, and an expo hall full of vendors ignoring this advice.
NEXT: RSA Marketing Tactics Called Into Question