Earlier this week we reported that Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, had publicly canceled a talk (entitled "Governments as Malware Authors") at the upcoming RSA Conference USA 2014 in protest of news that the RSA received $10 million to make an NSA-favored random number generator the default setting in its BSAFE crypto tool.
Today we learn from The Register that the RSA has issued a carefully worded statement on the matter denying at least parts of a Reuters report revealing the $10 million deal.
On its official blog, the RSA said that "we categorically deny [the] allegation" that it "entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator."
The company went on to offer four reasons for its choice of random number generator, namely:
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
The post from the RSA avoids discussing the elephant in the room: the money.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
Joseph Menn, the Reuters journalist who broke the original news last Friday, said that he stands by his story.