Trust in the security industry has taken a blow with a recent report that RSA was paid by the U.S. National Security Agency to adopt a weakened component in its cryptographic software, giving the agency a way to break encryption built on it.
RSA denies the Reuters report published Friday that said the NSA paid RSA $10 million to use a flawed random number generator. The agency-developed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was used in RSA’s BSAFE product. A random number generator is not an encryption algorithm itself, but the keys are derived from its output, so anyone who can predict that output can recover the keys no matter how strong the cipher is.
The report shook up the security industry because of RSA’s influence. The company’s annual user conference in San Francisco is one of the largest security events of the year. On Monday, Mikko Hypponen, a widely known security expert, sent a letter to RSA cancelling his talk for the 2014 RSA Conference because of RSA’s dealings with the NSA.
In a statement released last week, RSA said, “We categorically deny this allegation.”
The company went on to say that it had “never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
Nevertheless, RSA failed to sway some security experts. “RSA’s response has not instilled confidence in much of the security community,” Carl Livitt, managing security associate for consulting firm Bishop Fox, said.
“RSA’s response is very cagey and blatantly ignores big, important questions,” he said.
Can security firms be trusted?
Matthew Green, a well-known cryptographer and assistant research professor at Johns Hopkins University, said the RSA revelation has threatened the reputation of the security industry.
“Most of the people I’ve spoken to agree that from our point of view, this is like you are a doctor trying to heal patients and you find out someone is making them sick on purpose,” he said. “I think you’d be pretty upset about it.”
Green said the job of security professionals is to make products secure, and the thought of a government agency purposely breaking them is upsetting.
“It makes me pretty angry,” he said.
Also last week, an independent White House panel released a report questioning whether the NSA’s mass data collection, brought to light by documents from former NSA contractor Edward Snowden, was necessary to prevent terrorist attacks, as the agency claims.
The documents Snowden released to select media described information gathering from Internet and telecommunication companies on Americans and foreigners, including leaders in other countries.
Among the panel’s recommendations was one that the government should not undermine cryptographic standards or products.
Via: PCWorld