RSA 'categorically denies' secret ties with NSA
RSA says it has not "intentionally" weakened any of its products or taken payments to introduce weaknesses
Security software vendor RSA has "categorically denied" reports that suggested it entered into a "secret contract" with the US National Security Agency (NSA).
The payments related to RSA's Bsafe software tool, which was found in September to use cryptography compromised by the NSA. The technology used in the software was reported to have deployed standards developed by standardisation bodies in which the NSA had infiltrated agents for the deliberate purpose of pushing through a compromised standard.
RSA had blamed the problem on the compromised standard, but did not state its alleged complicity in taking payhe standard being compromised and its own software being compromised as a result.
In response to the media claims, RSA has said that it has worked with the NSA, as a vendor and as an active member of the security community.
"We have never kept this relationship secret and in fact have openly publicised it. Our explicit goal has always been to strengthen commercial and government security," it said.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," it added.
The security firm explained that when it made its decision to use Dual EC DRBG as the default in Bsafe toolkits in 2004, the NSA had "a trusted role in the community-wide effort to strengthen, not weaken, encryption".
It said that the algorithm was only one of many choices available for use with the Bsafe toolkit, and that it had gained acceptance as a National Institute of Standards and Technology (NIST) standard and complied with the US Federal Information Processing Standard (FIPS).
Concern had surfaced around the algorithm in 2007, and RSA claimed that when NIST issued guidance in September 2013 recommending that the algorithm shouldn't be used, it adhered to that guidance.