When leaked documents claimed to have caught the NSA inserting bad protocols into the national standards board NIST, it raised more questions than answers. Why would the NSA go to the trouble of inserting a inferior standard into NIST's set of four, when most cryptographers would simply ignore the bad algorithm in favor of the others? Even if foul play had occurred, what was the agency getting out of the deal?
The NSA could subvert the encryption whenever they needed to
Now, a Reuters exclusive report is showing the other side of the story. The report details a secret deal between the NSA and respected encryption company RSA, in which the agency paid $10 million for RSA to incorporate the weaker algorithm into an encryption product called BSafe. Because of the earlier work, the algorithm had been approved by NIST, so RSA could claim their encryption used only nationally certified protocols. At the same time, BSafe's encryption was defaulting to a fundamentally flawed encryption algorithm, which the NSA could subvert whenever they needed to.
Anyone who knows the right numbers can decipher the resulting cryptotext
The bad program in question is known as DUAL_EC_DRBG, and cryptographers have found it suspicious for years. The program has a random number generator, but there are a number of fixed, constant numbers built into the algorithm that can function as a kind of skeleton key. Anyone who knows the right numbers can decipher the resulting cryptotext — a feature that leaked Snowden documents confirm was installed by the NSA. The algorithm is also more than a hundred times slower than the alternative random number generators, which has led almost all major encryption programs to abandon the program. However, since BSafe is based on closed-source protocols, RSA was able to implement DUAL_EC_DRBG as a default setting effectively in secret.
In a statement to Reuters, RSA denied the allegations it had implemented the backdoor. "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products," a spokesman said. "Decisions about the features and functionality of RSA products are our own."