RSA is one of the first commercial companies to warn about issues with encryption after revelations about the NSA’s meddling with standards
RSA, one of the best known cryptography specialists in the world, has started warning customers about using an encryption algorithm in two of its products due to fears over the activities of US intelligence.
In particular, it is worried about the Dual Elliptic Curve Deterministic Random Bit Generation that is used by default in the BSafe toolkit for developers. Following reports in the New York Times and the Guardian, there are concerns the National Security Agency (NSA) may have written a backdoor into the number generator.
The US National Institute of Standards and Technology had already raised its own concerns about the NSA’s activity, after reports indicated the intelligence agency had covertly pushed encryption standards with weaknesses in them. That includes the Dual Elliptic Curve Deterministic Random Bit Generation.
RSA has offered developers ways to change the default encryption used in BSafe and has stopped using the algorithm in question. An internal review is ongoing to see whether the algorithm is in use anywhere else in RSA’s business.
According to leaks from Snowden, the NSA was running a 10-year programme called Bullrun – “an aggressive, multi-pronged effort” to crack various forms of Internet encryption. The UK’s GCHQ has plans to break encryption used by 15 major Internet companies and 300 VPNs by 2015, documents indicated.
Many have lambasted the NSA and GCHQ’s work on embedding backdoors into encryption standards, noting that it weakens the security of the Internet in general. If cyber criminals or any kind of malicious actor learn of the backdoors, they can use them for their own gain.