Reports that the NSA’s involvement with RSA Security’s cryptographic tools was greater than first claimed raise many questions. The issue is complicated and requires a detailed look.
In December 2013, a Reuters report alleged that RSA Security had accepted $10 million from the U.S. National Security Agency (NSA) in an effort that ultimately served to weaken security in components of the RSA BSAFE encryption tools. On March 31, Reuters published a new report alleging that NSA involvement affected a wider number of RSA BSAFE cryptographic components.
The report on the second NSA-related RSA vulnerability is based on newly published research from professors working at Johns Hopkins, the University of Wisconsin and the University of Illinois. The tool in question is called the Extended Random extension, and could potentially be used to crack the RSA Dual Elliptic Curve (EC) pseudo-random-number generator that is widely used in the security world today.