The central question raised by the Reuters report and earlier articles, however, is: Did RSA use what it knew was deliberately weakened crypto software in BSafe, or at best did it look the other way in the face of expert criticism of Dual EC, in order to make money from U.S. government deals?
In its statement Sunday, RSA said, "We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
RSA also acknowledged it used Dual EC also because of its "value in FIPS compliance." FIPS, or Federal Information Processing Standards, are computer standards required in government systems.
The Reuters article Friday suggests that RSA had significant monetary incentive to set Dual EC as the default random number generator in BSafe, reporting that $10 million "represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show."
The inclusion of Dual EC in RSA technology software also helped the NSA convince the National Institute for Standards and Technology (NIST) to approve the software as a method for generating random numbers used by encryption software, the Reuters story noted.
But questions about the efficacy of Dual EC were being raised even as RSA publicly announced its Bsafe deal with the NSA in 2006, and continued for years.
One paper, "Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator," by Berry Schoenmakers and Andrey Sidorenko, published by the Eindhoven University of Technology in May 2006, reported that "our experimental results and also empirical argument show that the DEC PRG is insecure."
Finally, after articles about the NSA's alleged efforts to weaken security standards were published this September, NIST issued an advisory recommending that Dual EC not be used, and RSA followed suit.
"Following NIST's decision to strongly recommend against the use of the community developed encryption algorithm standard (known as Dual EC DRBG), RSA determined it appropriate to issue an advisory to all our RSA BSAFE and RSA Data Protection Manager customers recommending they choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit," the RSA advisory said.
RSA CTO Sam Curry publicly defended and explained why RSA originally chose Dual EC in an email published by Ars Technica.
But Curry's statement was dissected and ridiculed by cryptography experts.
Among other statements, Curry said that "Dual_EC_DRBG was an accepted and publicly scrutinized standard."
However, "every bit of public scrutiny said the same thing: this thing is broken! Grab your children and run away!" noted Matt Green, a cryptographer and research professor at Johns Hopkins University, in a careful analysis of Curry's defense.
The Reuters report came at the end of a week of mounting criticism of the government's surveillance programs.
U.S. District Court Judge Richard Leon, in a preliminary ruling in a court case challenging the government's phone records collection program, harshly criticized the agency and suggested the program violates the U.S. Constitution. A report from the Review Group on Intelligence and Communications Technology, appointed by administration of U.S. President Barack Obama, said that the government's spy programs create problems for international commerce and affect the U.S.'s relationship with other countries,