RSA received $10 million from the NSA to put the loophole in its product, Reuters reported Friday, citing two unnamed sources familiar with the deal. The report followed earlier stories from Reuters and The New York Times that the NSA created a flawed formula to generate random numbers that was then allegedly inserted into an RSA security product and gave the NSA access to multitudes of computers.
“As you are no doubt aware RSA provides encryption for the House of Commons, including RSA SecurID electronic keys,” NDP caucus chair Peter Julian wrote Monday in an official letter to Speaker of the House of Commons Andrew Scheer.
In the letter, a copy of which was obtained by Postmedia News, Julian asks Scheer to look into how much MPs and their staff rely on RSA to secure their devices, and “what steps have been taken to ensure that communication remains secure in light of this report.”
“Such a break in security has implications for the security and confidentiality of members and their staff to conduct business without being monitored by foreign governments or those who could exploit such a loophole,” Julian writes.
In a news release issued Sunday, RSA denied the Reuters report that it entered into a “secret contract” with the NSA “to incorporate a known flawed random number generator” into its devices.
“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security,” the statement read.
“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
Full text of NDP caucus chair Peter Julian’s letter to Speaker of the House of Commons Andrew Scheer:
Dear Mr. Speaker,
On Friday night, media reported that RSA, the computer security firm, had integrated a broken random number generator from the United States National Security Agency into some of its products. Reuters alleges that this was part of a $10 million payment from the NSA to the company. The NSA shares information amongst the Five Eyes signals intelligence agencies of the UK, the United States, Canada, Australia and New Zealand.
As you are no doubt aware RSA provides encryption for the House of Commons, including RSA SecureID electronic keys.
I would like to know to what extent the communications made by Members and staff of the House of Commons rely on security provided by RSA. In addition, I would like to know what steps have been taken to ensure that communication remains secure in light of this report.
Such a break in security has implications for the security and confidentiality of members and their staff to conduct business without being monitored by foreign governments or those who could exploit such a loophole.
Peter Julian, MP
NDP Caucus Chair