SECURITY FIRM RSA has been accused for the second time of compromising its integrity for the US National Security Agency (NSA), each time by giving the NSA access to place backdoors in its software.
In December we learned that RSA apparently charged the NSA $10m for the privilege of placing a backdoor in a default encryption scheme.
Then the firm disputed the allegation. "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products," it said in a statement. "Decisions about the features and functionality of RSA products are our own."
Reuters was first with the news then, and apparently it has shamed RSA again. It spoke with researchers who have published a report saying that RSA repeated what it did with the Dual Elliptic Curve encryption algorithm in the "Extended Random" extension for secure websites.
The researchers from Johns Hopkins University, the University of Wisconsin, Eindhoven University of Technology, the University of Illinois and the University of California revealed evidence of backdoor access in a white paper entitled "On the Practical Exploitability of Dual EC in TLS Implementations".
RSA told Reuters that it no longer uses the extension, because it was unpopular, but it did not deny the allegations.
"We could have been more skeptical of NSA's intentions," RSA chief technologist Sam Curry told the news agency.
"We trusted them because they are charged with security for the US government and US critical infrastructure."