Reuters reporting here....
(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
The claim is that the NSA paid RSA, a commercial firm that (among other things) makes dongles for "secure" logins to places like banks and similar, to insert a bad random number generator into their reference software and make it the default.
As a quick refresher: public-key cryptography relies on random numbers that an attacker cannot predict, because the secret key is built from them. If you can predict the generator's output sequence -- that is, if the numbers aren't truly random -- you can reconstruct the key and compromise the encryption without ever touching the cipher.

This is much easier than actually trying to break the code itself; think of it as a safe with a big, thick door and a nasty, un-pickable lock -- but because you want to break in you get the owner to install a cheesy $20 screen door on the side of the vault.
This would leave every key generated by that software "guessable" to whoever knows how the generator was rigged, and RSA was the publisher and owner of the code in question, which then wound up -- and is probably still in -- hardware and software found basically everywhere.
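The mechanism described above, as an added example that is not part of the original post and not RSA's code: a toy trapdoored generator. Its structure follows the elliptic-curve generator at issue in the Reuters story, simplified to integers mod a prime (that identification is my assumption; the post itself only says "a bad random number generator"). The honest user sees only the public constants G and Q. Whoever holds the secret exponent D with Q = G^D mod p can take a single output, recover the generator's next internal state, and then predict every value it will ever produce, including the key material. The prime, G, D, the seed and the "nonce in the clear, then a key" scenario are all constructed for illustration.

```python
"""Toy trapdoored DRBG (constructed example).

Shape of the real design: output = f(state * Q), next state = f(state * P).
Here the "points" are integers mod a prime and "scalar multiplication" is
modular exponentiation. The output is not truncated, which makes the
attacker's job easier than in the real generator.
"""

P_MOD = (1 << 61) - 1   # Mersenne prime 2^61 - 1 (constructed parameter)
G = 3                   # public base, plays the role of the point P
D = 1_000_003           # the trapdoor: the secret relation between G and Q
Q = pow(G, D, P_MOD)    # public second base, plays the role of Q = d*P
KEY_BITS = 61           # each output is < 2^61, so two outputs make a 122-bit key


class ToyDRBG:
    """The generator as the honest user runs it: it only ever uses G and Q."""

    def __init__(self, state: int):
        if not 1 <= state < P_MOD:
            raise ValueError("state must be in [1, p-1]")
        self.state = state

    @classmethod
    def from_seed(cls, seed: bytes) -> "ToyDRBG":
        # Map an arbitrary seed into the valid state range.
        return cls(int.from_bytes(seed, "big") % (P_MOD - 1) + 1)

    def next(self) -> int:
        out = pow(Q, self.state, P_MOD)          # r  = x(s*Q): emitted output
        self.state = pow(G, self.state, P_MOD)   # s' = x(s*P): next state
        return out


def derive_key(drbg: ToyDRBG) -> int:
    """Victim's key schedule (constructed): concatenate two generator outputs."""
    return (drbg.next() << KEY_BITS) | drbg.next()


def victim_session(seed: bytes):
    """Victim publishes one output as a nonce, then keys a session from the next two."""
    drbg = ToyDRBG.from_seed(seed)
    nonce = drbg.next()
    return nonce, derive_key(drbg)


def recover_next_state(output: int, trapdoor: int) -> int:
    """Invert one output with the trapdoor.

    output = Q^s = G^(s*D) mod p.  Raising it to D^-1 (mod p-1) gives G^s,
    which is exactly the state the generator moved to after emitting it.
    Without D this step is a discrete logarithm.
    """
    e = pow(trapdoor, -1, P_MOD - 1)   # modular inverse (Python 3.8+)
    return pow(output, e, P_MOD)


def attacker_recover_key(nonce: int, trapdoor: int) -> int:
    """An attacker who saw only the public nonce clones the generator and
    reproduces the victim's secret key."""
    clone = ToyDRBG(recover_next_state(nonce, trapdoor))
    return derive_key(clone)


if __name__ == "__main__":
    nonce, key = victim_session(b"constructed seed, not random")
    print("victim key   :", hex(key))
    print("attacker key :", hex(attacker_recover_key(nonce, D)))
```

The point of the example is that nothing in the victim's code is "wrong" in any way an audit of that code alone would catch: the generator is deterministic and well-defined, and its weakness lives entirely in a constant (the relationship between G and Q) that the victim cannot verify was chosen honestly. That is why the question of who chose the constants, and what they were paid, matters.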
RSA a few months ago "urged" its customers to stop using the compromised random generator.
But what of all the code that is out in the "wild" that has this software in it, and this random number generator, and is set to use it?
The bombshell isn't that the flaw was suspected, it is that it is now being alleged that the NSA paid RSA to make the code breakable -- on purpose. Whether RSA knew it was breakable at the time is unknown, but the NSA sure appears to have been fully aware of it, and if Reuters' reporting is correct they basically paid off the firm to insert it into their software, which was then widely distributed to pretty much everyone.
So you want to trust companies based here in the US when it comes to cryptography, eh?
Sounds like a good idea to me.